One thing I don't provide in my paperwork packet is a form that allows you to write the client's credit card number and save it in a file cabinet. How come? Because there are plenty of more secure ways to capture your client's credit card info.
I actually receive quite a few questions related to this so I was very happy to meet Emily from Ivy Pay. She is a therapist on the operations team for a company that provides convenient credit card processing for therapists who may not have other means, such as an EHR. Since IvyPay is specifically designed for counselors, I decided to ask her some of the common questions I receive and let the experts explain for us...
1. Is it okay to keep a client’s credit card number on file so I can bill them regularly?
It’s definitely okay to keep a client’s credit card number on file so that you can bill them regularly. How you maintain those records is what really needs to be kept in mind. Previously, many folks kept client credit card numbers on file by taking a photocopy of the client’s credit card, or jotting the credit card details down on a piece of paper and storing this in what many deemed a secure manner for the time, such as a lock box. However, with new technologies and updates in banking security, this is no longer a secure method of securing financial information. Therapists who do continue to store their clients’ financial information in a non-secure manner are at the highest risk of being exploited by hackers, which, as covered entities, would result in a HIPAA breach. And ultimately, therapists are taking on the liability risk of the credit card information getting leaked and clients’ cards being used fraudulently, which is an avoidable burden.
2. What type of security is required for keeping a credit card number on file?
Anyone who keeps a credit card number on file has to comply with PCI DSS (Payment Card Industry Data Security Standard). PCI compliance involves a lot of nuances that are implemented to protect cardholder data (such as maintaining a secure network, protecting cardholder data, maintaining a vulnerability program, implementing control measures, testing security systems and security policies)… in other words, a lot of jargon. To avoid dealing with all these security standards, it’s best to outsource to a third-party company or service that takes care of PCI compliance for you.
3. Do I need to make sure my credit card processor is HIPAA compliant?
It depends on how you are using the credit card processor. While financial transactions in and of themselves are exempt from HIPAA, if you use additional features that are part of many payment processors, such as text receipts, those are no longer exempt. As a covered entity, it’s important that the payment processor you use doesn’t violate HIPAA. There are a few guidelines that are helpful to keep in mind when selecting a payment processor.
1. Make sure your payment processor isn’t sending receipts via text. Text is not a secure technology, and since receipts contain PHI, they need to be sent via a secure method.
2. Sign a BAA with your processor. If you are storing any PHI through an online provider, to comply with HIPAA make sure you have a BAA signed.
3. Make sure any stored credit card numbers are secured in a PCI compliant manner.
Always remember that even if you have a BAA, if you are not using a service that’s designed to be HIPAA-compliant from the ground up, the provider might release a new feature that could violate HIPAA and you’d be responsible. In essence, they are not guaranteeing you that their product roadmap will continue to stay HIPAA-compliant in every respect.
Also, even with a BAA, therapists are still held responsible for using the service that better protects patient privacy and confidentiality if there’s minimal cost in changing to that service. So it’s important to be aware and keep up with the latest and most appropriate options.
4. I know plenty of therapists who still collect credit card numbers for paper files; are you saying they’re not being ethical?
When you store credit card information for a client it’s important to complete a risk analysis to take a look at how you are storing that information. The best way to store credit card data for recurring billing is through a third party processor that has a secure credit card vault and tokenization provider. When this is in place the card data is removed from your side and a token is returned so that you can continually bill your client for each session while the data is obscured. Storing credit card data on paper in a locked box does not provide the same precautions or level of security.
When you are storing a client’s credit card information, it’s also important to tell the client in the informed consent how this information is being stored. It’s helpful if your processor already has this consent designed in, so that’s one less step for you. Ethically, a therapist can determine how their practice works - including if they are going to keep client credit cards on a paper file. However, therapists should be protecting all client information, including financial information, in the utmost secure manner. With the ease of technology now, paper files in a lock box are no longer considered the most secure option available, and therefore may not be the most ethical option either.
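The vault-and-token flow Emily describes above, as an added illustration that is not Ivy Pay’s code or any real processor’s API: the vault class, the token format and the sample card number are all constructed. The point it shows is that after enrollment the therapist’s own records hold only an opaque token and the last four digits, while every recurring charge is made by token.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample card number (a common test pattern, not a real account).
SAMPLE_PAN = "4111111111111111"


class CardVault:
    """Stands in for the processor's PCI-scoped vault (hypothetical).
    The therapist never reads this storage; the card is handed over once,
    and only a random token comes back."""

    def __init__(self):
        self._cards = {}   # token -> (PAN, expiry); this is the PCI-scoped data
        self.charges = []  # (charge_id, token, amount_cents, memo)

    def tokenize(self, pan, exp_month, exp_year):
        # Random token, not derived from the PAN, so it reveals nothing about it.
        token = "tok_" + secrets.token_hex(12)
        self._cards[token] = (pan, exp_month, exp_year)
        return token, "**** " + pan[-4:]

    def charge(self, token, amount_cents, memo):
        if token not in self._cards:
            raise KeyError("unknown token")
        charge_id = "ch_" + secrets.token_hex(8)
        self.charges.append((charge_id, token, amount_cents, memo))
        return charge_id


@dataclass
class ClientRecord:
    """Everything the therapist's side keeps: token and last four digits only."""
    name: str
    card_token: str
    card_last4: str
    charges: list = field(default_factory=list)


def enroll_client(vault, name, pan, exp_month, exp_year):
    token, masked = vault.tokenize(pan, exp_month, exp_year)
    return ClientRecord(name, token, masked)


def bill_session(vault, record, amount_cents, memo="session"):
    charge_id = vault.charge(record.card_token, amount_cents, memo)
    record.charges.append(charge_id)
    return charge_id


def merchant_side_holds_pan(record, pan):
    """Risk-analysis check: does anything the therapist stores contain the PAN?"""
    stored = f"{record.name}{record.card_token}{record.card_last4}{record.charges}"
    return pan in stored
```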
5. Why do I need to pay credit card processing fees?
Think about all the ins and outs of maintaining PCI compliance that have already been talked about. The payment processor is providing that service of mitigating those risks, so you don’t have to.
6. Do most clients really want me to keep their card on file?
Yes! It’s beneficial not only for you but also for the client. The client doesn’t have to remember to bring cash or a check, and can instead use the form of payment that they most likely use in the rest of their life. In a world that’s full of many means of technology - the therapy room is one of the last few places where credit cards have not necessarily become commonplace for clients to use. Both therapists and clients can welcome this change when a few guidelines are met.
7. Can I use a card on file to bill clients for no shows?
This is one of the big benefits of having a client card on file - but it is also one that needs to be looked at from an ethical standpoint. What needs to be kept in mind is making sure the client is made aware of your payment and cancellation policies upfront, so that the client isn’t surprised when you bill them for a no show. With that said, once informed consent and policies have been discussed, having a card on file is a convenient way to collect fees that may otherwise be lost.
There you have it! Some awesome answers that explain all that complicated credit card HIPAA stuff :)
As mentioned above, always be sure to review any payment expectations with your clients as part of the informed consent process. I also recommend having a statement in your Services Agreement that clients initial or sign, particularly if you plan to charge their credit card for no shows or cancellations.
Remember that if you use a payment processor through an EHR, you are likely covering all these bases, but it's always good to check. For those of you using paper forms and a separate payment processor, you may want to check out Ivy Pay. It's a convenient way to meet all these expectations without needing a card reader and without having the liability of collecting credit card info yourself.
Clients put their cards on file with you via the Ivy Pay app, so it’s just a push of a button to take payment. Ivy Pay works with debit, credit, HSA and FSA cards and is tailor-made just for therapists. So it’s HIPAA-compliant and designed for the unique clinical model and code of conduct of therapists. It’s even been uniquely designed to not reveal the therapeutic relationship, all the way down to the bank or card statement. For a limited time, get started with $1000 of free charges. Learn more about Ivy Pay here.
Please note that I do not receive any commission or compensation from Ivy Pay for this post. I merely think it is a helpful resource :)
Another helpful resource related to credit card payments is a very affordable course through Person-Centered Tech. It's called Credit/Debit Cards and Electronic Payments in Mental Health Practice: Regulatory and Ethical Issues. You can click here to check it out.
Feel free to post any questions below!