Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Yes.
Recommend for your HIPAA risk management needs?: Yes. There are some interesting differences from other payment services. Be sure to read the notes.
# of Caveats: 0
# of Usage Notes: 4

Relevant Product Characteristics

  • This product does not appear to have been designed specifically with healthcare in mind. Note that many products that are useful and appropriate for health care professionals are not designed specifically with health care in mind.

What Is This Product?

ClearXChange is like PayPal with a twist: instead of making payments through the ClearXChange website, you do so through your own online banking service. In other words, ClearXChange facilitates sending money from bank to bank through your online banking. Sounds neat!

You should know that financial institutions have certain limited exemptions from HIPAA, and those exemptions make it possible for us to use services like PayPal and ClearXChange.

The limitations on the exemption, however, are where we have to get picky. So the notes below will point out the ways in which we got picky about ClearXChange.

More Info

This product offers a free service tier or a free trial account:

We encourage all clinicians interested in this product to try out the free trial or experiment with the free tier to see if it suits your needs.

If you discover anything of concern that isn’t addressed in this review yet, please tell Liath about it at [email protected].

Caveats

Caveats are criticisms of the company or product that we feel are relevant to your risk management or other important considerations.

None

Notes

Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.

1) Don’t send payment requests to clients through your member bank

ClearXChange tells us that some member banks give you the option to send payment requests to your clients. We believe that this feature is like invoicing, which is not exempted from HIPAA. So we recommend you do NOT use the service to send payment requests to your clients. As an alternative, you can use your own more secure communication method to send an invoice, along with a request that they initiate a payment to you through their bank. You will need to give them the email address you use with ClearXChange.

2) Collaborative risk analysis with clients around email is needed. Based on the result, you may need to rule out the use of ClearXChange.

ClearXChange tells us that they always send a receipt to your client after they pay you, and the receipt is always sent by email. They say that clients cannot turn these off.

We don’t know for sure if these email receipts trigger a Business Associate relationship with ClearXChange. Some attorneys have advised us that receipts for payment are exempted under HIPAA’s exemption for financial services. Others have said they don’t know if they are. You’ll need to decide if you’re willing to take the (possibly low) liability risk, given that ClearXChange does not execute Business Associate Agreements with their customers.

Regardless of that outcome, however, the emails are still sent by ordinary email methods. You need to determine if the client will receive ordinary emails in a secure manner (such as through the TLS email network discussed in note 4, below), and if it’s safe for the client to receive emails indicating they are in therapy. If the emails are not sent securely, you need to determine if it’s legal or ethical for you to allow them to be sent. And if it is legal and ethical, you need to work with clients on analyzing the safety/security risks of those emails or texts. Ultimately, if the assessed risks are too high or it’s not legal or ethical for you to take the risks, you will need to rule out the use of ClearXChange with that client.

Read our article on unsecured communications here for some guidance to help you decide what you need to do around email to stay legal and ethical in your practice. It is also covered in detail in Engaging in HIPAA Security and Digital Confidentiality as a Mental Health Professional, Module 4: Using Email, Text, Phone, and Video in a HIPAA-Compliant Manner.

3) Give clients an email address for paying you, not a phone number. Ask them not to use your phone number for sending payment.

If clients pay you through your email address, the notification of payment will go to your email address. If they pay through your phone number, the notification of payment will come to you through SMS text message.

There is no way to ensure the SMS message is properly secured. It is possible for the email to be secured, however. See note 4, below.

4) Make sure the service provider for the email address you have registered with ClearXChange does a BAA with you, and that it engages in TLS email security

ClearXChange tells us that they send emails to you when you receive a payment, and that you cannot turn this off. Because of that, you need to be able to receive these emails securely.

To make this work, you need to use an email service that engages in the TLS email security network. See our review of Paubox for explanation of what that is.

We can see that when ClearXChange sends emails, they always use TLS security. Citation here.

If your email service also engages in TLS security, then ClearXChange’s emails to you will be transmitted over the Internet in a way that supports your HIPAA compliance. To discover if your email service engages in TLS security reliably, search for it in Google’s Transparency Report here.

Your email service also needs to provide a Business Associate Agreement.
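As an added illustration of what note 4 asks you to verify, here is a small Python script written for this review (it is not code from ClearXChange, Paubox, or any email provider). It reads the Received headers of a payment notification and reports, hop by hop, whether the SMTP session that carried the message was TLS-protected. The sample messages, host names, addresses and IDs are constructed. The script assumes the common RFC 3848 convention that a protocol keyword ending in S (ESMTPS, ESMTPSA) marks a TLS session, plus the "TLS" annotations that Postfix-style servers add, and it uses a two-label domain heuristic to decide which hops cross between organizations (the hops that actually travel over the Internet).

```python
import re
from email import message_from_string

# Constructed sample headers (hostnames, IDs and addresses are made up), newest hop
# first, the way a mail client shows them. The middle hop is the one that crosses the
# Internet from the payment service's relay to the recipient's email provider.
HOP_LOCAL_DELIVERY = (
    "Received: from mx1.mailhost.example (mx1.mailhost.example [192.0.2.20])\n"
    "\tby imap.mailhost.example with LMTP id 7f3a\n"
    "\tfor <therapist@practice.example>; Mon, 6 Jul 2015 10:02:11 -0700\n"
)
HOP_INTERNET_TLS = (
    "Received: from relay.payments.example (relay.payments.example [198.51.100.7])\n"
    "\tby mx1.mailhost.example with ESMTPS id 9c21\n"
    "\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n"
    "\tMon, 6 Jul 2015 10:02:10 -0700\n"
)
HOP_INTERNET_PLAIN = (
    "Received: from relay.payments.example (relay.payments.example [198.51.100.7])\n"
    "\tby mx1.mailhost.example with ESMTP id 9c21;\n"
    "\tMon, 6 Jul 2015 10:02:10 -0700\n"
)
HOP_SENDER_INTERNAL = (
    "Received: from app01.payments.example (unknown [10.0.0.5])\n"
    "\tby relay.payments.example with ESMTP id 1a2b;\n"
    "\tMon, 6 Jul 2015 10:02:09 -0700\n"
)
BODY = (
    "From: notifications@payments.example\n"
    "To: therapist@practice.example\n"
    "Subject: You received a payment\n"
    "\n"
    "A payment has been sent to you.\n"
)
RECEIPT_OVER_TLS = HOP_LOCAL_DELIVERY + HOP_INTERNET_TLS + HOP_SENDER_INTERNAL + BODY
RECEIPT_IN_CLEAR = HOP_LOCAL_DELIVERY + HOP_INTERNET_PLAIN + HOP_SENDER_INTERNAL + BODY

# SMTP protocol keywords whose trailing "S" means the session was TLS-protected
# (RFC 3848), including the authenticated-submission variants.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}


def org_domain(host):
    """Heuristic organisation key: the last two DNS labels of a host name."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_hop(value):
    """Extract sender, receiver, protocol and TLS status from one Received header."""
    text = " ".join(value.split())  # unfold the header and collapse whitespace
    m_from = re.search(r"\bfrom\s+(\S+)", text)
    m_by = re.search(r"\bby\s+(\S+)", text)
    m_with = re.search(r"\bwith\s+(\S+)", text)
    sender = m_from.group(1) if m_from else ""
    receiver = m_by.group(1) if m_by else ""
    proto = m_with.group(1).upper() if m_with else ""
    # Either the RFC 3848 keyword or a Postfix/Exim-style "TLS..." annotation counts.
    tls = proto in TLS_PROTOCOLS or re.search(r"\bTLS", text) is not None
    return {
        "from": sender,
        "by": receiver,
        "protocol": proto,
        "tls": tls,
        "cross_org": bool(sender and receiver and org_domain(sender) != org_domain(receiver)),
    }


def trace_hops(raw_message):
    """Return the hops in chronological order (Received headers are prepended, so reverse)."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    return [parse_hop(v) for v in reversed(received)]


def transport_encrypted(raw_message):
    """True only if every hop that crosses between organisations used TLS."""
    crossing = [h for h in trace_hops(raw_message) if h["cross_org"]]
    return bool(crossing) and all(h["tls"] for h in crossing)


def report(raw_message):
    lines = []
    for i, h in enumerate(trace_hops(raw_message), 1):
        scope = "cross-org" if h["cross_org"] else "internal"
        state = "TLS" if h["tls"] else "CLEARTEXT"
        lines.append(f"hop {i}: {h['from']} -> {h['by']} [{h['protocol']}] {scope} {state}")
    verdict = "encrypted on every Internet hop" if transport_encrypted(raw_message) \
        else "at least one Internet hop was NOT encrypted"
    lines.append("verdict: " + verdict)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RECEIPT_OVER_TLS))
    print()
    print(report(RECEIPT_IN_CLEAR))
```

Each Received header is written by the server that accepted the message, so the only hops you can fully rely on are the ones recorded by your own email provider; the earlier hops are the sender's claims. Checking a few real receipts this way complements, rather than replaces, the Transparency Report lookup above, because the report describes the provider's behaviour in aggregate while the headers show what happened to a specific message.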

v1.25.05