Is Square HIPAA Compliant for Healthcare Professionals


White ceramic tiles with many little squares
Credit: pexels.com, White ceramic tiles with many little squares

Whether Square is HIPAA compliant is a recurring question for healthcare professionals. HIPAA carves routine payment processing out of the business-associate definition (the statute's financial-institution exception), so a processor that only moves money is not a Business Associate and is not itself liable under HIPAA for that function.

However, Square's tools go beyond moving money. Square Invoices and the Square Online Store let a provider attach names, item descriptions, notes and email addresses to a transaction. Once a line item reads "psychotherapy session" next to a client's name, the provider has disclosed protected health information (PHI) to Square.

Square's terms of service state that users are responsible for their own HIPAA compliance. Healthcare professionals therefore have to configure and use their Square accounts so that the account meets HIPAA requirements.

In practice that means keeping PHI out of the data Square stores and sends: use generic item descriptions and memos, turn off automatic receipts and feedback requests on a client-facing account, and keep clinical records in a system that is covered by a BAA rather than in Square's customer notes.


What's So Confusing?

I've come across some confusing information about Square's HIPAA compliance, specifically regarding their classification of businesses and the impact on clients. Square reps have made conflicting statements about a business's classification, with one saying it was classified as "Professional Services" up until 6/7/2015 and another saying it had to be classified as Medical back in 2012 to accept HSA/FSA cards.


Credit: youtube.com, The 5 most common HIPAA-compliance mistakes and how to overcome them

The statements have left me wondering about the accuracy of Square's classification system. I've tried to get clarification, but the responses haven't been satisfactory. This has led me to theorize that Square may have implemented the Feedback feature without considering its impact on users in healthcare fields.

One of the main concerns is the Feedback feature, which was automatically asking clients to provide feedback on people they purchase from. This could be a transfer and storage of PHI outside of the financial transaction, potentially making Square a Business Associate under HIPAA. Unless therapists notify their clients about asking for feedback through an app in their informed consent, this could be an ethics issue as well.

Square reps have also made conflicting statements about the Feedback feature. They claim that it was only available to the business using Square, but this doesn't seem to be the case. I've seen therapists using Square who have clients receiving receipts and being asked for feedback, even if they didn't purchase from the therapist directly.

Here are some key points that have left me confused:

  • Square reps have made conflicting statements about a business's classification.
  • They claim that a business was classified as "Professional Services" up until 6/7/2015, but another rep said it had to be classified as Medical back in 2012 to accept HSA/FSA cards.
  • The Feedback feature was automatically asking clients to provide feedback on people they purchase from, potentially making Square a Business Associate under HIPAA.
  • It's unclear whether being classified as Medical turns off automatic emailing of receipts.

Compliance

Credit: youtube.com, How to use Square Invoice | HIPAA Compliant Free Billing Software

Square states that it offers a Business Associate Agreement (BAA) to healthcare customers. A signed BAA is the contractual prerequisite for sharing PHI with a vendor under HIPAA.

If you use Square only for client management and payments, the BAA may be the only document you need to sign, but confirm which Square products it covers before you put PHI into invoices, appointments or customer notes.

A BAA allocates responsibility; it does not by itself make the data secure. Square still has to operate its safeguards, and you still have to configure your account so that PHI is not sent to clients or third parties unnecessarily.

You can find the terms of Square's BAA on its website; read them before relying on the agreement.

Square is not a covered entity (those are health plans, healthcare clearinghouses and providers). At most it is a business associate, and only for the services its BAA covers, so the steps it has taken to secure its payment processing platform help you only within that scope.


Secure Payment Options

Secure payment forms with Square can be built so that the form collects only what the processor needs. One way to do this is with Jotform, which has a Square payment integration.

Dr. Cynthia Brattesani, a dentist, used to rely on checks but switched to online payment forms and no longer spends time chasing unpaid bills.

Credit: youtube.com, HIPAA-Friendly Payment Processing

Processing Square payments in a HIPAA-friendly manner is possible with ready-made and customizable forms, provided two conditions hold: the form asks only for payer name, contact details and the amount (no diagnosis, service description or session notes), and, if the form carries any PHI at all, every vendor that receives the submission, the form builder as well as Square, is covered by a BAA, since each of them is then handling PHI on the provider's behalf.

Secure Payment Forms

Secure payment forms are a convenient way to collect electronic payments from patients. Customizing the form lets you limit the fields to what the payment actually needs, which is what makes it possible to use Square without disclosing PHI.

To set up a Square payment form, go to Jotform and pick a template that incorporates Square payments. Then customize the form, select the Square icon in the Form Builder, and log in to connect your Square account.

Before publishing, check the form once more: remove any field that would capture a diagnosis, a service description or a clinical note, and verify that your form builder's plan includes a BAA if the form will carry PHI. Ready-made and customizable forms take the hassle out of using Square, but they only protect patient data and your reputation if the data they collect is kept to a minimum.


Other Payment Options

Credit: youtube.com, Alternative Payment Methods: 10 Key Advantages of Using Them

If you're looking for alternative payment options, you have a few choices. Square is a viable option, offering free mobile payment solutions and online payment services that don't require a merchant services account.

PayPal and Intuit also provide these services, but they won't do a Business Associate Agreement (BAA) with you, which is necessary for HIPAA compliance when using a third-party service to handle client information.

Using PayPal or Intuit for charging a credit card or transferring funds is unlikely to threaten your HIPAA compliance, as long as you're aware of the details outlined in our article on HIPAA and banking.

You can explore these options, but keep in mind that PayPal's invoicing service would be a no-go for HIPAA compliance due to the lack of a BAA.

Streamlining Your Practice

Running a private practice can be a challenging balance of client care and managing business logistics, but finding cost-effective tools that handle scheduling, payments, and remain HIPAA-compliant is essential.

Credit: youtube.com, Is Your Practice Hipaa Compliant?

Automated credit card billing ensures prompt, consistent payments that simplify your revenue stream, reducing the administrative tasks required to maintain steady cash flow.

By adopting a payment processing service, private practitioners can provide flexible, efficient options that cater to client needs while freeing up time to focus more on delivering quality care.

Credit card processing fees are an unavoidable cost, but the time and effort saved, along with the peace of mind, can make it well worth the investment.

Using Square's free plan can help therapists streamline appointment booking, invoicing, and payment processing. HIPAA compliance still depends on how the account is configured (receipts and feedback off, no PHI in item descriptions or memos) and on having a BAA in place wherever PHI is involved.

Square's free plan is a great choice for therapists in private practice, offering powerful tools for appointment scheduling and payment processing, all for free for single users.

Many clients appreciate the option of paying with a credit card, whether for its convenience or the ability to use Health Savings Account (HSA) or Flexible Spending Account (FSA) cards for covered services.

Business and Security

Credit: youtube.com, What does HIPAA mean for your business?

To use Square for HIPAA-compliant payment processing, it helps to understand which security measures are Square's and which are yours. Square is willing to sign a Business Associate Agreement (BAA) with healthcare clients, which makes it a workable option when the account is used properly.

Square's published security features include access controls, user authentication, and audit controls, which restrict access to sensitive data inside Square, plus encryption, security patches, incident response plans, and regular review of policies and procedures. Note that the authentication and access controls listed below describe Square's own staff and infrastructure; they do nothing for your side of the account. Turn on two-step verification for your own Square login, use a unique password, and limit which team members can view customer records.

Here are some key security features that Square has in place to protect patient data:

  • Access Controls: Only grants access to cryptographic keys and application data to employees that require access.
  • User Authentication: Uses strong passwords and two-factor authentication for administrative access to their systems.
  • Audit Controls: Tracks access to sensitive data and logs and reviews access on a regular basis.
  • Encryption: Encrypts data within their card reader upon swiping and data stored and transmitted through their platform.
  • Security Patches: Implements patches and updates on their equipment and servers as they become available.
  • Incident Response: Has incident response plans in place enabling data protection and quick response in emergency situations.
  • Policies and Procedures: Regularly reviews policies and procedures to ensure the protection of sensitive data.

Safeguards

Safeguards are a crucial aspect of protecting sensitive data, and it's essential to understand what they entail. HIPAA requires organizations to implement administrative, technical, and physical safeguards to secure protected health information (PHI).

Access controls are a key safeguard, ensuring that only authorized users have access to data. Square accomplishes this by granting access to cryptographic keys and application data only to employees who require it.

Credit: youtube.com, The FTC Safeguards Rule: 9 essential steps to protect your business!

User authentication is another vital safeguard, verifying that users are who they claim to be. Square uses strong passwords and two-factor authentication for administrative access to its systems. A true second factor is something like a one-time code from an authenticator app or a hardware key; a security question is just another piece of knowledge and does not count as a second factor.

Audit controls track access to sensitive data, enabling administrators to attribute actions to specific users. Square logs and reviews access to data and their secure services on a regular basis, ensuring transparency and accountability.

Encryption renders data unreadable to anyone without the key (unlike masking, which merely hides part of a value from view). Square encrypts card data within its reader at the moment of swiping and encrypts data stored on and transmitted through its platform.

Security patches ensure that systems are updated to prevent unauthorized access. Square implements patches and updates on their equipment and servers as they become available, staying ahead of potential vulnerabilities.

Incident response plans are in place to deal with emergencies, ensuring data protection and a quick response in case of a breach. Square has incident response plans in place, enabling them to respond promptly and effectively.

Policies and procedures are essential for protecting sensitive data, and Square frequently reviews their policies and procedures to ensure the protection of sensitive data.

Credit: youtube.com, Data Protection 101: How to Safeguard Your Business in the Digital Era


Appointment Scheduling

Appointment scheduling is a crucial part of any private practice, and Square offers a free and user-friendly solution.

Square's appointment scheduling tool is easy to use and client-friendly. You can allow clients to book appointments directly from your website by embedding your Square calendar or by adding a booking button on your website which links to Square Appointments.

Customizing a Square booking site with your branding is also an option, and you can share your booking link with clients via email. This way, clients can easily book appointments online and you can manage your schedule efficiently.

Square's appointment reminders reduce no-shows and last-minute cancellations: once an appointment is booked, Square can send automatic reminders to clients by email and SMS.

You can customize the reminder frequency and message. Keep the wording neutral (the appointment time and your name, not "therapy session"), because the reminder lands in an inbox or on a phone that someone else may see, and cover reminders in your informed consent so clients can opt out. Many therapists report that this feature has substantially reduced missed appointments.

Credit: youtube.com, The Best Appointment Scheduling Software For Service Businesses

The Square mobile app allows you to manage your entire appointment schedule from your phone, giving you flexibility and convenience. You can view your calendar, book appointments, and send reminders and invoices all from your mobile device.

Having the Square mobile app is especially useful for therapists who may not always be working from the same location. With this app, you can stay on top of your schedule and communicate with clients no matter where you are.

Concerns and Solutions

The Square app was automatically sending receipts to clients who had previously used Square with other merchants, which raises serious HIPAA concerns: a receipt bearing a therapist's business name, sent to an email address Square had on file from an unrelated purchase, discloses that the recipient is seeing that therapist.

Sending and storing that information outside the financial transaction itself is a transfer and storage of PHI (Protected Health Information), which could make Square a Business Associate under HIPAA.

The Square app was also automatically asking clients to provide feedback on people they purchase from, essentially a Happy or Sad face rating.


Credit: youtube.com, The 9 Best HIPAA-Friendly Software Products for Growing Practices

This feature raises ethics and privacy concerns for mental health clinicians, as it could be seen as a transfer and storage of PHI without proper notification or consent.

To address these concerns, therapists using Square can consider disabling these features or using alternative payment processing methods that prioritize client privacy and HIPAA compliance.

Here are some potential solutions to consider:

  • Disable the automatic receipt feature to prevent PHI from being sent to clients.
  • Use alternative payment processing methods that prioritize client privacy and HIPAA compliance.
  • Notify clients about asking for feedback through an app in the informed consent process.
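As an added example (not code from Square or from the original post), the following Python pre-flight check enforces the receipt and consent points above, together with the advice earlier on the page to keep PHI out of what Square stores: it scans the memo and line-item text of a payment for diagnosis codes, psychotherapy CPT codes and clinical wording, replaces flagged text with a generic descriptor, and turns off receipt delivery unless the client has consented. The payload layout, the field names (`note`, `line_items`, `send_receipt`, `receipt_email`) and the sample payment are this example's own assumptions, not Square's API.

```python
"""Pre-flight PHI check for a payment payload before it reaches a processor.

Added example, not Square's code. The payload layout and field names below
are this example's assumptions; Square's own API fields are not modelled.
"""
from __future__ import annotations

import re
from copy import deepcopy

# Patterns for the usual ways PHI leaks into a memo or line item.
# ICD-10-CM codes look like F41.1 or Z63.0; the CPT pattern is limited to
# the psychiatry/psychotherapy range (907xx-909xx) so that ordinary
# five-digit numbers such as invoice IDs are not flagged.
ICD10_RE = re.compile(r"\b[A-TV-Z][0-9][0-9A-Z](?:\.[0-9A-Z]{1,4})?\b")
CPT_PSYCH_RE = re.compile(r"\b90[7-9][0-9]{2}\b")
CLINICAL_WORDS = ("psychotherapy", "therapy", "counseling", "diagnosis",
                  "treatment", "medication", "anxiety", "depression", "session")

GENERIC_DESCRIPTION = "Professional services"   # what the client's statement will show
TEXT_FIELDS = ("note", "description")           # free-text fields in this example's payload


def find_phi(text: str) -> list[str]:
    """Return the reasons a free-text value looks like it carries PHI."""
    reasons: list[str] = []
    if ICD10_RE.search(text):
        reasons.append("ICD-10 diagnosis code")
    if CPT_PSYCH_RE.search(text):
        reasons.append("psychotherapy CPT code")
    lowered = text.lower()
    hits = [w for w in CLINICAL_WORDS if w in lowered]
    if hits:
        reasons.append("clinical wording: " + ", ".join(hits))
    return reasons


def sanitize_payment(payment: dict, receipts_consented: bool = False) -> tuple[dict, list[str]]:
    """Return (sanitized copy, findings) for a payment payload.

    Flagged free text is replaced with GENERIC_DESCRIPTION; amount, currency
    and the customer reference are left alone because the processor needs
    them. Receipt delivery is switched off unless the client has agreed to
    emailed receipts during the informed-consent discussion.
    """
    clean = deepcopy(payment)          # never mutate the caller's object
    findings: list[str] = []

    for fld in TEXT_FIELDS:
        value = clean.get(fld)
        if isinstance(value, str):
            reasons = find_phi(value)
            if reasons:
                findings.append(f"{fld}: {'; '.join(reasons)}")
                clean[fld] = GENERIC_DESCRIPTION

    for i, item in enumerate(clean.get("line_items", [])):
        reasons = find_phi(str(item.get("name", "")))
        if reasons:
            findings.append(f"line_items[{i}].name: {'; '.join(reasons)}")
            item["name"] = GENERIC_DESCRIPTION

    if clean.get("send_receipt") and not receipts_consented:
        findings.append("send_receipt: disabled, client has not consented to emailed receipts")
        clean["send_receipt"] = False
        clean.pop("receipt_email", None)  # do not hand the processor an address it need not keep

    return clean, findings


# Constructed sample payload for illustration (not real client data).
SAMPLE_PAYMENT = {
    "amount_cents": 15000,
    "currency": "USD",
    "customer_ref": "cust_0042",
    "note": "Psychotherapy 60 min (90837), dx F41.1",
    "line_items": [{"name": "Individual therapy session", "amount_cents": 15000}],
    "send_receipt": True,
    "receipt_email": "client@employer.example",
}

if __name__ == "__main__":
    cleaned, issues = sanitize_payment(SAMPLE_PAYMENT)
    for issue in issues:
        print("flagged:", issue)
    print("payload to send:", cleaned)
```

Run it on the payload immediately before the API call, and log the findings on your side rather than in the processor's memo. The patterns deliberately err toward flagging (an ordinary token such as "B2B" matches the ICD-10 shape), which is the right direction for a control whose failure mode is a PHI disclosure.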

What Was Said?

Square representatives had a lot to say about the concerns raised. They claimed that the feedback feature was automatically turned off for accounts with a Medical Services MCC due to HIPAA compliance.

Square's representatives mentioned that MCC stands for Merchant Category Code, which helps them understand the type of business being run. This code is used for various reasons, including accepting certain types of cards.

One Square representative stated that the account did not have a Medical Services MCC until June 7, 2015. This date is significant in understanding the changes made to the account.


Healthcare worker smiling while writing notes at a desk with medical supplies.
Credit: pexels.com, Healthcare worker smiling while writing notes at a desk with medical supplies.

The representatives also mentioned that the account was initially classified as Professional Services, not Medical Services, prior to 2015. This classification change is tied to the feedback feature on receipts.

The representatives also said that when Square changed its policy on feedback for Medical MCCs in 2014, the account had to be updated again to reflect the change, which is why the classification date matters for understanding the account's current state.

Here are the key statements made by Square representatives:

  • “I have disabled the option for your clients to be asked for feedback and to receive automatic receipts on your account.”
  • “If you are registered as Medical Services (which you are in our system) then we automatically turn on [sic]* the feedback feature to be in compliance with HIPPA [sic]” (*the rep later clarified that she meant to say “off” instead of “on”)
  • “In general with Square if you have a MCC (Merchant Category Code) of Medical Services your Feedback option is automatically turned off because of HIPAA [sic].”
  • “Your account did not have an MCC of Medical Services until 6/7/15.”
  • “To clarify, you did not have an MCC related to Medical anything when you set up your account. When you called in [this would have been in 2012] and we got information we were able to change your MCC to Medical so you could accept HSA/FSA cards. Your account is classified as Medical Services 8099 now so you do not need to take any other action.”
  • “You were listed as Professional Services rather than Medical Services in our system prior to 6/7/2015. We adjusted feedback to no longer appear on receipts for those with the Medical Services MCC in 2014 after feedback from our merchants.”
  • “As we changed our policy on feedback for Medical MCCs in 2014 your account had to be updated again to reflect the changes. You can inform anyone who signs up now with a Medical MCC that they will not have the feedback option on their receipts.”

Concerns Besides

For mental health clinicians, HIPAA compliance is just one aspect of a larger concern. Besides HIPAA, there's the risk of clients suffering harm when they use a credit card to pay for services. This can happen even if there's no HIPAA violation.

A client's credit card information can be used against them in various ways, such as if an abuser intercepts their mail or online banking. This can lead to client harm, which is a serious issue.

A Medical Doctor Working Behind a Desk
Credit: pexels.com, A Medical Doctor Working Behind a Desk

Square's services, like email receipts and on-file email addresses, can increase this risk. For example, if a client's work email is used for Square and their employer monitors their emails, sensitive information can be compromised.

To mitigate this risk, clinicians should discuss confidentiality concerns with clients before they run a credit card for the first time. This can help prevent harm and ensure clients are aware of the potential risks.

Examples of confidentiality risks associated with credit card payments, drawn from the cases above:

  • A card statement or mailed receipt is read by an abuser who intercepts the client's mail.
  • An abuser with access to the client's online banking sees the therapist's business name on the transaction.
  • A Square receipt goes to the client's work email and the employer monitors that mailbox.

Sheldon Kuphal

Writer

Sheldon Kuphal is a seasoned writer with a keen insight into the world of high net worth individuals and their financial endeavors. With a strong background in researching and analyzing complex financial topics, Sheldon has established himself as a trusted voice in the industry. His areas of expertise include Family Offices, Investment Management, and Private Wealth Management, where he has written extensively on the latest trends, strategies, and best practices.
