April 19, 2022

HIPAA-Compliant Payment for Therapists: Everything You Need to Know

In this blog post, I'll explain why HIPAA-compliant payment processing is so important and how you can get started using it in your practice.

If you told someone ten years ago that depression in boys would increase by 21% and in girls by 50% within the next decade, no one would’ve believed you.

Yet, that’s the reality that therapists currently face.

On top of the influx of individuals needing therapy, multiple celebrities have recently come out with their stories of mental health advocacy.

In other words, mental health has never been more in the limelight than it is right now.

Yes, that’s a good thing.

However, it also means that therapists are under the microscope.

Not to mention the direct relationship that exists between increasing your patient volume and your organization’s operating risk. If you see more clients, you’re handling more protected health information (PHI).

That last sentence hinted at the entire reason why you’re reading this blog post in the first place.

PHI exists because of the Health Insurance Portability and Accountability Act (HIPAA) and this law applies to how every therapist operates.

Outside of keeping PHI secure and training your employees annually, sourcing a HIPAA-compliant payment solution is a must.

If you don’t offer your clients a way to pay you that’s compliant with HIPAA, you could face a massive fine. Not good. The last thing you want is your practice to end up on the list of HIPAA horror stories.

As a therapist, it's important to stay up-to-date on the latest technology tools that can make our lives easier. And one of those tools is HIPAA-compliant payment processing.

I know what you're thinking: "That's a boring topic." But trust me, this is something that we need to pay attention to.

Therapy Client Pay Preferences

Historically, therapists accepted cash or checks after every session. How passé.

The fact of the matter is that those two forms of payment aren’t the preferred method by younger generations.

So, what’s the trendiest form of patient payment? Mobile payments.

Let’s look at Starbucks. I know, they aren’t a therapy organization. But, I’m willing to bet that you have a client who is always accompanied by a drink from Starbucks during their sessions with you.

Starbucks has a mobile app that lets you use your phone to order your coffee ahead of time, earn rewards and make in-app purchases. It’s nifty…you might even use it yourself. Around 13 million consumers use the app and mobile payments account for almost 30% of all Starbucks transactions.

But what payment option do those Starbucks users prefer? I’d wager that most of those transactions use Apple Pay.

Over 90% of US mobile transactions happen via Apple Pay.

So, what’s the point I’m trying to make with all of this?

First, odds are your patients want to pay you via their mobile device. Second, there is a good chance that they prefer paying you with Apple Pay.

HIPAA Compliance Payment Requirements

Although it’s an all-encompassing law, HIPAA doesn’t spell out specific payment requirements within it.

Since it’s a law that applies to every type of healthcare provider, it leaves some room for interpretation.

In essence, payment providers for therapists need to have the following in place to be HIPAA compliant…

  1. Administrative, technical and physical safeguards are in place that protect ePHI
  2. A business associate agreement (BAA) is in place with the mental health organization

In most cases, you’ll find that payment providers already have a ton of safeguards in place to protect their users’ data. However, those safeguards aren’t specific to HIPAA.

You see, payment providers need to follow the Payment Card Industry Data Security Standard (PCI-DSS). In a nutshell, PCI-DSS ensures that organizations that accept, process, store, or transmit credit card information maintain a secure environment.

Thus, if the payment provider you’re evaluating follows PCI-DSS (they have to by law) they’ll likely already be in line with HIPAA’s required administrative, technical and physical safeguards.

Check.

Now all they have to do is be willing to sign a business associate agreement (BAA) with you. Easy, right?

Not so fast.

You see, none of the most popular payment processors out there are going to sign a BAA with you. Don’t take that personally, they’re not going to sign one with any therapist. Period.

Do you remember the statistic I mentioned in the previous section regarding the popularity of Apple Pay? After reading it, you probably decided that you should consider accepting that form of payment from your clients. With that much control over the mobile transaction market, who wouldn’t want to accept it?

Apple isn’t going to sign a BAA with your organization.

Your clients want you to offer and accept modern forms of payment. But, the processors who provide those modern payment types won’t sign a BAA with you. How are you supposed to accept more than cash and/or check?

Payment Information vs. PHI

Although payment information is sensitive data, it isn’t the same as PHI. If it were the same, PCI-DSS wouldn’t exist and both healthcare organizations and payment providers would operate under HIPAA.

HIPAA relates to and defines two types of entities: covered entities and business associates.

In a nutshell, covered entities electronically transmit health information. As a therapist, you fall under this category.

Business associates are third parties that perform or assist the covered entity with a function or activity regulated by HIPAA. With that in mind, most people assume that payment providers fall under HIPAA’s classification of a business associate.

Payment by itself isn’t a function or activity regulated by HIPAA.

Thus, you can accept any type of payment as a therapist from your patients.

What a relief, right?

Although that’s the case, accepting payment by yourself isn’t the best option for you to take as a therapist.

The Best Payment Offering for Therapists

Now that we know payment processing falls outside the bounds of HIPAA, you can offer and accept whatever form of payment your clients prefer, right?

Although technically you could, handling payment transactions on your own isn’t the best practice.

To understand why it’s not the best practice, let’s break down a few statistics about therapy appointments.

On average, it takes 15-20 individual sessions to achieve a 50% patient-determined success rate. That rate is likely different for most practices, but it’s the industry average.

Anyway, the point I’m trying to make is that you’re going to see the same patients multiple times over several weeks or months.

Each session you have with your clients has a billable Current Procedural Terminology (CPT) code attached to it, even though it will likely be the same code after every session.

Even though your client owes you after each session, it would get tedious for both you and your client if you had to process their payment before they leave every time.

Enter payment plans. Almost 80% of patients who use payment plans complete all payments on time.

There are payment processors out there that exist to make this process easier for therapists (like us). They’ve worked with therapy organizations for decades and understand the patient payment landscape.

From establishing automatic payment plans tied to billable CPT codes to signing a BAA with you to offload risk, these solutions ultimately exist so that you can focus on your clients.

Conclusion

Finding HIPAA-compliant payment for your therapy organization is a mountainous task.

You’re likely on the same page as your patients. They want you to accept more modern forms of payment because it’s more convenient for them. If you allow your patients to pay you how they want, the chances that you’ll have to outsource to a collections agency decrease.

It’s a win-win.

However, what you likely didn’t know before reading this blog post is that payment isn’t a function that relates to HIPAA.

Even though that’s the case, handling and managing payment on top of providing therapy services to your clients is tedious and unrealistic.

That’s why the thing to take away from all of this is that you should outsource your payment processing as a therapist to an organization that…

  • Is familiar with the healthcare industry
  • Is willing to sign a BAA with you
  • Offers automatic payment plans