Archived: Holding Client Credit Card Info On File: Why and How To Do It, How Not To Do It

This article has been archived due to outdated information. The current version can be found here: https://personcenteredtech.com/2014/01/holding-client-credit-card-info-on-file/

Originally Published: January 8th, 2014
Archived: August 16th, 2015


If you’re in private practice for long enough, you’ll have that experience where a client fails to pay something they owe you. It may be your no-show fee, wherein the client not only no-shows but doesn’t communicate with you again. It may be more innocent, where the client is willing to pay but has poor organization. In order to prevent losses from such situations – and sometimes to simplify the process for both clinician and client – some therapists ask clients to provide credit card information for the therapist to keep on file. Then when a charge comes up, often due to a no-show, the clinician can charge the card in the client’s absence and immediately collect payment.

There are advantages and drawbacks to this practice, and most clinicians are primarily concerned about these issues:

  • How can we keep the credit card information safe? Are there HIPAA issues in keeping card info on file?
  • Is it ethical to require clients to provide card information so that we can run charges in their absence?
  • What do we need to do to make the practice legal and effective?

How Do We Store and Use This Information?

The classic, and probably easiest, way to store credit card information would be to photocopy or scan each side of the card, get the necessary agreements from the client, and keep it all in the client’s file. If you keep paper records, this would mean putting it in your file cabinet. If you keep electronic records, perhaps you would store this info in that electronic file or in a locked cabinet where you keep other confidential paper files. When you need to make a charge, you use your own merchant service and type the credit card info in manually.

Another way to store information is to use a merchant service that allows you to store credit cards in their system, usually online. Such a system would hold the information on your behalf and allow you to charge the card when you need without having to store or remember the credit card numbers or other info.

Whatever method you use, it is important to remember that credit card information is at higher risk of confidentiality breach than general health information. We’ll discuss that more below.

Ethical Issues

In general, when professional ethics codes address the issue of payment, they state that the circumstances and requirements of payment need to be defined and agreed to up front. What’s more, in my opinion, informed consent would include informing the client of how you store the card information and how you go about charging it.

The most pressing question, in my mind, is whether or not it is ethical to require a client to provide credit card information to be kept on file, as some private practitioners do. Another way to phrase this is to ask whether it is ethical to predicate the provision of counseling services on the client providing payment info up front and agreeing to its storage and later use.

Private practitioners are not required by professional ethics to work with all comers, and are allowed to define the parameters of how their practice works within certain ethical and legal limitations. However, a given client may not trust the method you use to store their sensitive payment information or they may object to the circumstances under which you charge their card in absentia. In these situations, should a clinician insist that the credit card information be turned over before therapy can begin? Would it be ethical to do so?

Many clinicians who make a habit of getting up-front payment information from clients say that they do not push it when clients object. It seems to me that this policy is a wise one for not only ethical but also clinical and business reasons.

HIPAA Issues – Security

Since the payment information we’re using qualifies as protected health information, we have a responsibility to secure it regardless of HIPAA covered entity status. (Not sure what that is? See our article, Am I a HIPAA Covered Entity? How Much Does It Matter If I Am Or Not?)

This is a point where it is important to consider that HIPAA Security compliance is not a simple matter of finding “HIPAA compliant” products, but rather a process of making our own practice HIPAA compliant by performing a risk analysis, identifying areas of increased risk, and taking measures to reduce those risks to reasonable and appropriate levels.

In your risk analysis, you’ll need to consider that any of your “assets” (e.g. your file cabinet, your computer, your online practice management system, etc.) in which you hold credit card information will now be of interest to a new and larger set of bad guys who would like those credit card numbers. This means those assets will be associated with higher risks, and you may need to be more vigilant about your risk management plan involving those assets.

For example, simply placing paper copies of credit card info in your file cabinet will make the cabinet of great interest to bad guys. Our industry standard of “double-locked file cabinets” is generally acceptable partly because there is low likelihood, in most cases, of a bad guy going out of his/her way to get into your office and break into your cabinet. This breach would require a proactive interest in getting into that cabinet by someone willing to take significant legal risks to do so. If the cabinet contains tens of credit card numbers, they may now have a real incentive to do that. One security measure you could put in place to mitigate this increased risk would be to put the cabinet behind more locked doors or behind stronger locked doors. The exact way you would go about reducing this risk depends on your own risk analysis.

Storing the info with an online company that is accustomed to storing and securing payment info may be a simpler method of reducing the risk. Some merchant service companies offer this. At least one practice management system (Therapy Partner) does as well. Of course, you’ll still need to perform a risk analysis even if you use this solution.

HIPAA Issues – Business Associate Relationships

You knew HIPAA wouldn’t make it quite so easy as simply finding a service that is willing to store payment information and going from there, right?

If we store the credit card information with an online provider, then they are storing protected health information on our behalf. Normally, this would cause a HIPAA Business Associate relationship between us and the service provider. If such a relationship exists, then we must get a Business Associate contract with that provider in order to remain HIPAA compliant. (Need more? See our article, What Is a HIPAA Business Associate Agreement?)

General merchant service providers such as ProPay, Authorize.net, and a host of others would allow us to store payment information with them but they wouldn’t provide us with a Business Associate contract. So it is possible that using those services to store payment info could be a HIPAA violation. Whether it is or not, however, depends on a number of factors:

  • Your HIPAA covered entity status: If you are not a HIPAA covered entity, you may decide that following the Business Associate rule is not necessary for you to live up to the standard of care that HIPAA sets. This decision is yours to make, however, as it is still a grey area.
  • Whether or not the feds would deem the relationship between you and the merchant service provider to be a Business Associate relationship: Even though we can say from a very technical perspective that a Business Associate relationship should exist, it’s ultimately up to an auditor or judge to decide. In the case of storing payment information with an online service provider, one could argue that no BA relationship exists because it is not clear that the payment data belongs to a client or “patient.” One could also argue, however, that it must qualify as PHI simply because it is personally-identifying information about a client, and therefore a Business Associate relationship would exist. We can’t know for sure, so a conservative approach would be to only store credit card info with a company that provides a Business Associate contract. Using a general merchant services company would be a risk-tolerant approach. Note that the exception to HIPAA that financial institutions usually enjoy does not apply in this case, because storing the credit card numbers is not a simple payment transaction but rather an “extra service” the company provides.

If you decide you need to heed the Business Associate rule and you want to store client payment information with another company, the simplest solution would be to use a cloud-based practice management system that offers such a service. These companies routinely provide the BA contracts we need for HIPAA compliance. I recommend starting with Rob Reinhardt’s reviews of practice management companies if you are in search of one.

Credit Card Company Issues

Lest we forget in our discussion of professional ethics and laws, the companies that provide our merchant service accounts have their own issues we need to be aware of.

Specifically, if we don’t get it in writing that a client agrees to all the charges we make, then they have a strong case for reversing any such charges. Think about when you use a credit card at a store. After payment, you generally need to sign the receipt and give it to the cashier (these days, many stores don’t require this on charges below $25). On that receipt is some text that basically says you agree to pay the amount charged “according to the cardholder agreement.” If you decide later to contest the charge, claiming you never made that purchase, the merchant can produce your signed receipt as proof that you did, in fact, agree to the charge.

As you’ve probably already surmised, making charges in the client’s absence could get us in trouble here. Without a signed agreement from the client, provided ahead of time and defining when charges will happen and how much they will be, we are vulnerable to the client successfully doing a “chargeback,” wherein they contest the charge and have it refunded by the credit card company. Not only do chargebacks mean we don’t get paid, but they also are a black mark on one’s merchant record.

Advantages of Holding Credit Card Information

This article has discussed a lot of pitfalls and problems, so let’s make sure to talk about the benefits.

Making sure you can collect all your no-show fees, deductibles, and other money owed to you can be invaluable in private practice. Holding on to payment information is a kind of safety net that all but ensures that you can do this. If your policies and procedures are reasonable, well thought out, and well presented to clients, the majority of clients will not object to the practice and many may find it quite convenient.

You don’t have to limit the practice only to no-shows and unpaid bills. With this scheme, you can bill clients on your own time and skip the rigmarole of running a card or handing over checks or cash at session time. However, companies that provide this service usually charge higher fees than is typical, so you may not wish to use it for every transaction.
