HIPAA and Credit Cards

Note: this is a long post about untested legal issues. I may not know what I am talking about, so I welcome input!

Executive summary: if your financial services vendor does more for you than swipe your credit cards – such as storing card numbers, mailing collection letters, setting up payment schedules/budgets, confirming addresses, sending electronic invoices – then you need a BAA or are exposing yourself to millions of dollars of fines.

Earlier this year, Brandon Betancourt and I did a popular mediacast about keeping credit cards on file. The goal is to reduce personal A/R and make it easier for your patients to pay their bills by having the ability to hit your patients’ credit cards easily and fairly. Some of the various payment vendors have also developed some clever patient budgeting tools, on-line bill delivery, and so forth.

All great ideas, imo. But there is an important caveat. If you are looking to implement any of these services and your credit card processor is doing anything besides simply swiping the card, you need to get a Business Associate Agreement (BAA) signed right away. Using any financial service to do anything more than swipe the card falls outside the exemption created to avoid the HIPAA mess.

Before I go through the details, here’s why I think this is important:

  • most of the vendors PCC (and our clients) work with don’t appear to take this issue seriously or agree with the obvious conclusion. No surprise, when you think about it: they don’t want to have to do more work or be on the hook for HIPAA violations. Remember, they protect themselves first, not you.
  • many of PCC’s clients don’t think this is a big deal because they misunderstand what Protected Health Information (PHI) is or how it can be exposed. “So what if the credit card company has a patient name? It’s low risk.” The problem is that if your financial service has any kind of breach, your practice faces massive HIPAA fines. This isn’t about the privacy of the patient in front of you but about a third-party and your HIPAA obligation.

Don’t think it can happen?  Play with this awesome site and see that breaches happen every day.

[Update: check out this informative site detailing the largest breaches YTD 2017!]

Don’t think there’s much to worry about if it does happen?  “Civil monetary penalties after HITECH now range anywhere from $50,000 to $1.5 million per violation per calendar year.”

What triggered this blog post? An email exchange one of my clients shared with me, between their practice and a very large, well-known financial services company, that contained a couple of, well, crazy statements. First, our client asked:

We have additional privacy obligations by federal law as a medical practice. Do you have a HIPAA Business Associate contract we can sign?

Their reply:

You can remain HIPAA compliant however by not submitting to us any information that is covered by HIPAA, which is what many large and well-known medical companies who use XXXX do.

…and then went on to say:

Since XXXX only processes payments, we only receive payment information and don’t have access to protected health information (PHI) as defined in HIPAA, and because financial processing by a financial institution (such as our partner YYYY) is excluded from the definition of business associates. Since we don’t have access to PHI, our services don’t need to be HIPAA-compliant.

It is, by any measure, impossible to perform a credit card transaction without sharing PHI. You’ve got a patient name (or patient family name) and the name of the practice. That’s PHI, period. That some of these large vendors don’t understand this scares me. What scares me more is that this vendor may be right about not needing a BAA here, but for the wrong reasons!

“But, wait?! I need a BAA with my credit card company?” No, you don’t necessarily need a BAA at all. As long as the vendor is only processing your payments directly, you are all set. The reasoning is sensible and clear: the Feds knew that if they required BAAs between every practice and credit card company, things would grind to a halt. So they created a specific EXEMPTION for the sole purpose of processing payments, referred to as “Sec. 1179.” Here’s the Feds’ summary of their view:

When a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.

So, the vendor above is right: if they are only processing payments, no BAA is needed…but because there is a specific federal exemption, NOT because the data being transferred isn’t protected!

However, to make matters worse, here’s how the financial institution interpreted the Feds’ language:

HIPAA also provides an exemption under the business associate definition for financial services companies that are providing “normal banking or other financial transactions… for, or on behalf of, the covered entity…

Wait, wait, wait, wait. We’re on the right track – there’s a reference to the exemption – but the vendor has totally misinterpreted the Feds’ language. There isn’t an exemption for financial services companies; there’s an exemption for specific services that they might provide. That’s a subtle, but enormous, difference. With millions of dollars of fines at stake, these differences matter.

What services fall outside the exemption and require a BAA? As I mention up top, they include storing card numbers, mailing collection letters, setting up payment schedules/budgets, confirming addresses, sending electronic invoices, and much more. That’s right – if you are using Square or PayPal or Swipe and send electronic invoices or receipts…you need a BAA. Don’t take my word for it. Here’s what some experts say:

Here it is directly from the experts: Square and friends are not HIPAA compliant unless you turn off a lot of their services.

Still don’t see the problem? Here it is: there are data breaches of financial service vendors every day of the week. Your practice is exposed in a way that Target isn’t, though: you are on the hook for HIPAA. So if your business partner has a breach, and you don’t have a BAA in place, YOU are the one paying the fines and making the news. This has nothing to do with the risk of accidentally sharing data about the patient in front of you. Or any of your patients, really.

6 replies
  1. Paul Farrell says:

    I understand what you are saying and I have only 1 question as it applies to my practice: does Peds One have a need for a BAA? I guess I should be asking them, but I’m just amazed at how it seems someone else is “looking out for a public problem” that winds up slipping a rope around the neck of the medical practitioners.

  2. Suzanne Berman, MD, FAAP says:

    It seems like having a data-use agreement would be sufficient for HIPAA protection (http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/251.html). Or is Vendor X saying they don’t even need that? Gulp!

    It occurs to me that our practice has neither a DUA nor a BAA with the state of Tennessee, even though we regularly (unfortunately) use small claims court to pursue collections. We’re not dumping super-secret PHI, to be sure, but things like kids’ names and DOB, treatment dates, amounts billed, etc. come up. Who would even sign a BAA for this – the general sessions judge? The Tennessee Attorney General?

    I’m also now wondering about my liability when my medical records are released to the state (or the State) at the State’s behest without parental consent, and those records end up being inadequately protected after their release. Let’s say I release my records for a child abuse investigation but then they get left in the back of someone’s truck, and 2 weeks later a digital copy of my note ends up on a website somewhere. State and municipal employees often enjoy sovereign immunity for all but wanton or egregious errors. What’s my liability here?

    • Chip Hart says:

      Check this out:
      The first paragraph and the 3rd bullet in the list of permitted disclosures give you what you expect, I believe.

      As for your liability when the state effectively breaches: common sense says that you should be OK, because they are the ones who breached, not you. They aren’t acting as your agent, they are their own agents.

      One important point from my post, though: when it comes to mega-breaches, the potency of the PHI doesn’t matter. I agree that the actual “danger” or social negative impact of finding out who Dr. Berman’s patients are is minimal. But the new HIPAA construct doesn’t really make that distinction.

  3. Suzanne Berman, MD, FAAP says:

    Right. To probe a little deeper, I want to make sure I’m not conflating a) the release/consent issue with b) the need-for-BAA issue. That is, it’s OK for me to disclose PHI to get paid — which means I don’t have to get a signed release from the family to share their PHI with Financial Vendor X — but it *doesn’t* absolve me of the responsibility of getting a BAA from said vendor (a point you made well).

    The guidance from the Feds you reference (http://www.hhs.gov/ocr/privacy/hipaa/faq/judicial_and_administrative_proceedings/704.html) gives clear permission to use & disclose for collections without an explicit consent from the family on Point A [and a good thing, too!] But it appears to be silent on Point B.

    Now, some of those examples are probably not disclosures for “health care operations.” In an abuse case, it’s not about getting paid; it’s about protecting a child. But in the collections example, it very clearly is using the power of a small claims judgment to get wages garnished to get paid – but I’m sharing PHI with the court, although the court has not signed a BAA.

    Or let’s take it one step further: independent review. Tennessee has a wonderful mechanism by which providers unhappy with a Medicaid claim denial may have it reviewed by someone appointed by the state; loser pays $400. When we do IRs, we send PHI (the stuff you’d find on a claim) to the state government, who is not a covered entity – the state isn’t a health plan, since this is managed Medicaid, right? I can send the PHI without mom’s consent under the “regulatory oversight” clause as well as the “health care operations” clause – so I’m good on Point A — but I’m disclosing *primarily* for the purpose of getting my claim paid — so do I need a BAA signed by the insurance commissioner?

    I *would think* that BAAs for the general sessions judge and the insurance commissioner would be overkill, since the chance of a mega-breach is nil — these are individually-prepared disclosures pushed to the state, rather than a vendor’s data pull that suddenly becomes a game of Global Thermonuclear War. But the statutory requirement for BAAs isn’t limited to only high-volume e-vendors – it’s global.

    • Chip Hart says:

      > The guidance from the Feds you reference… appears to be silent on Point B.

      I think this is because the courts are not acting as your agent. You aren’t employing them to do something for you.

      As for the other examples: I think there are a number of exemptions in play here. First, the gov’t can make up its own rules about how it manages PHI it oversees. Do you see Medicare paying HIPAA fines? No. Moreover, the patients have signed agreements with the payers directly (Medicaid or not) giving them access to the records. Everything is happening on their side of the fence and, again, they are not acting as your agents.
