Note: this is a long post about untested legal issues. I may not know what I am talking about, so I welcome input!
Executive summary: if your financial services vendor does more for you than swipe your credit cards - such as storing card numbers, mailing collection letters, setting up payment schedules/budgets, confirming addresses, sending electronic invoices - then you need a BAA or are exposing yourself to millions of dollars of fines.
Earlier this year, Brandon Betancourt and I did a popular mediacast about keeping credit cards on file. The goal is to reduce personal A/R and make it easier for your patients to pay their bills by having the ability to hit your patients' credit cards easily and fairly. Some of the various payment vendors have also developed some clever patient budgeting tools, on-line bill delivery, and so forth.
All great ideas, imo. But there is an important caveat. If you are looking to implement any of these services and credit card processor is doing anything besides simply swiping the card, you need to get a Business Associates Agreement (BAA) signed right away. Using any financial service to do anything more than swipe the card falls outside the exemption created to avoid HIPAA mess.
Before I go through the details, here's why I think this is important:
- most of the vendors PCC (and our clients) work with don't appear to take this issue seriously or agree with the obvious conclusion. No surprise, when you think about it: they don't want to have to do more work or be on the hook for HIPAA violations. Remember, they protect themselves first, no you.
- many of PCC's clients don't think this is a big deal because they misunderstand what Protected Health Information (PHI) is or how it can be exposed. "So what if the credit card company has a patient name? It's low risk." The problem is that if your financial service has any kind of breach, your practice faces massive HIPAA fines. This isn't about the privacy of the patient in front of you but about a third-party and your HIPAA obligation.
Don't think it can happen? Play with this awesome site and see that breaches happen every day.
[Update: check out this informative site detailing the largest breaches YTD 2017!]
Don't think there's much to worry about if it does happen? "Civil monetary penalties after HITECH now range anywhere from $50,000 to $1.5 million per violation per calendar year."
What triggered this blog post? An email one of my clients shared with a very large, well known financial services company that made a couple of, well, crazy statements. First, our client asked:
We have additional privacy obligations by federal law as a medical practice. Do you have a HIPPA Business Associate contract we can sign?
You can remain HIPAA compliant however by not submitting to us any information that is covered by HIPAA, which is what many large and well-known medical companies who use XXXX do.
...and then went on to say:
Since XXXX only processes payments, we only receive payment information and don't have access to protected health information (PHI) as defined in HIPAA and because financial processing by a financial institution (such as our partner YYYY) is excluded from definition of business associates. Since we don't have access to PHI, our services don't need to be HIPAA-compliant.
It is, by any measure, impossible to perform a credit card transaction without sharing PHI. You've got a patient name (or patient family name) and the name of the practice. That's PHI, period. That some of these large vendors don't understand this scares me. What scares me more is that this vendor may be right about not needing a BAA here, but for the wrong reasons!
"But, wait?! I need a BAA with my credit card company?" No, you don't necessarily need a BAA at all. As long as the vendor is only processing your payments directly, you are all set. The reasoning is sensible and clear: the Feds knew that if they required BAAs between every practice and credit card company, things would grind to a halt. So they created a specific EXEMPTION for the sole purpose of processing payments referred to as "Sec. 1179." Here's the Fed's summary of their view:
When a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.
So, the vendor above is right: if they are only processing payments, no BAA is needed...but because there is a specific federal exemption, NOT because the data being transferred isn't protected!
However, to make matters worse, here's how the financial institute interpreted the Fed's language:
HIPAA also provides an exemption under the business associate definition for financial services companies that are providing "normal banking or other financial transactions... for, or on behalf of, the covered entity..."
Wait, wait, wait, wait. We're on the right track - there's a reference to the exemption - but the vendor has totally misinterpreted the Fed's language. There isn't an exemption for financial services companies, there's an exemption for specific services that they might provide. That's a subtle, but enormous, difference. With millions of dollars of fines at stake, these differences matter.
What services fall outside the exemption and require a BAA? As I mention up top, they include storing card numbers, mailing collection letters, setting up payment schedules/budgets, confirming addresses, sending electronic invoices, and much more. That's right - if you are using Square or PayPal or Swipe and send electronic invoices or receipts...you need a BAA. Don't take my word for it. Here's what some experts say:
Here it is directly from the experts: Square and friends are not HIPAA compliant unless you turn off a lot of their services.
Still don't see the problem? Here it is: there are data breaches of financial service vendors every day of the week. Your practice is exposed in a way that Target isn't, though: you are on the hook for HIPAA. So if your business partner has a breach, and you don't have a BAA in place, YOU are the one paying the fines and making the news. This has nothing to do with the risk of accidentally sharing data about the patient in front of you. Or any of your patients, really.