Potential Privacy and HIPAA Compliance Concerns with Square


Important Note: If you are currently using Square and are not 100% sure that feedback and automatic email receipts are turned off in your account, I strongly encourage you to read to the bottom and take the suggested action(s).

I have been using Square (also known as SquareUp) since 2012 and have been very pleased with the service. I've recommended it to countless mental health clinicians looking for an easy, affordable way to accept credit cards. For those who may not have seen it yet, Square is a postage-stamp-sized dongle you connect to your smartphone or tablet, allowing you to swipe client credit cards for payment.

Despite financial transactions being exempt from HIPAA/HITECH, Square has always needed to be a part of any Covered Entity's risk assessment due to some of its other features. For example, Square allows you to email a receipt. This constitutes a transmission of Protected Health Information (PHI) outside of a financial transaction and is not exempt. Since I was aware of this, I've been able to readily address it in my risk analysis, informed consent, and policies and procedures.

Update April 2017 - Since I originally published this article, Square has really stepped up their game. They have clarified and streamlined the processes related to the confusion that was caused in 2015. In addition, they have begun signing Business Associate Agreements. It's still important that Covered Entities carry out an appropriate risk analysis (see below) to ensure they are using Square in a compliant manner.

Due to Square's continued responsiveness and quality service, we continue to recommend them. If you sign up using our links, you will receive free processing for your first $1000 in charges within 180 days!
What's The Concern?

Recently, however, two Square features were brought to my attention that concerned me greatly. Katie Malinski, from HIPAA for Therapists, reported hearing from therapists using Square that:

  • The Square app was automatically sending receipts to clients who had used Square through other merchants (and thus provided their email address).

  • The Square app was automatically asking clients to provide feedback on the people they purchase from, essentially a Happy or Sad face rating. While Square reports that the ratings are only available to the business using Square, this is still a transfer and storage of PHI outside of the financial transaction. This could mean that Square becomes a Business Associate under HIPAA, which I'm guessing they want to avoid. Unless you are notifying your clients in your informed consent that you ask for their feedback through an app, this could potentially be an ethics issue as well.

While these are convenient and useful features for most businesses, they raise serious ethics, privacy, and HIPAA compliance concerns for mental health clinicians.


What Did Square Say About It?

I contacted Square to raise these concerns. I noted that I was especially concerned that these features appeared to have been turned on without my knowledge. What resulted was a fifteen-email exchange over the course of 10 days that never fully answered my questions. In order to understand my confusion at their responses, it's important to know some facts:

  • MCC stands for Merchant Category Code. It's basically a way to let Square know what kind of business you are running, which Square uses for various purposes.

  • In 2012 I contacted Square, letting them know that I needed to be able to accept HSA/FSA cards. They reported that they updated my MCC so that I could accept HSA/FSA cards. According to their current FAQ, that means they had to have updated me to a “Medical” MCC category.


Here is a brief summary of what Square representatives said to me during the recent exchange:

  • “I have disabled the option for your clients to be asked for feedback and to receive automatic receipts on your account.”

  • “If you are registered as Medical Services (which you are in our system) then we automatically turn on [sic]* the feedback feature to be in compliance with HIPPA [sic]” (*the rep later clarified that she meant to say “off” instead of “on”)

  • “In general with Square if you have a MCC (Merchant Category Code) of Medical Services your Feedback option is automatically turned off because of HIPPA [sic].”

  • “Your account did not have an MCC of Medical Services until 6/7/15.”

  • “To clarify, you did not have an MCC related to Medical anything when you set up your account. When you called in [this would have been in 2012] and we got information we were able to change your MCC to Medical so you could accept HSA/FSA cards. Your account is classified as Medical Services 8099 now so you do not need to take any other action.”

  • “You were listed as Professional Services rather than Medical Services in our system prior to 6/7/2015 We adjusted feedback to no longer appear on receipts for those with the Medical Services MCC in 2014 after feedback from our merchants.”

  • “As we changed our policy on feedback for Medical MCCs in 2014 your account had to be updated again to reflect the changes. You can inform anyone who signs up now with a Medical MCC that they will not have the feedback option on their receipts.”

What's So Confusing?

Did you catch the conflicting statements? For those who didn't catch it, in one place they say I was classified as “Professional Services” up until 6/7/2015, and in another they say I had to have been classified as Medical back in 2012 in order to accept HSA/FSA cards. Despite multiple attempts on my part to gain clarification, including asking that this be escalated, I never received a response that I felt adequately addressed these contradictions.

The remaining questions are: If I was truly classified as “Professional Services” from 2012 through June 17, 2015, how have I been able to accept HSA/FSA cards all this time? Why did she say “In general” in the third bullet point? (Are there exceptions?) Why didn't the initial rep who replied to me mention that they were re-classifying me as Medical? Why did she say that the policy change in 2014 would have impacted me when she claimed I wasn't classified as Medical at the time? And why do they say that “anyone that signs up now (emphasis mine) will not have the feedback option”?

Based on what I do know and what Square reps did not clarify or address, and adding a healthy dose of Occam's Razor, I'm led to theorize the following:

  • Square implemented the Feedback feature without initially considering the impact on users in health care fields.

  • For some period of time (I don't know exactly when the Feedback feature was launched), up until sometime in 2014, some clients were asked to provide feedback to their therapist if they were sent a receipt.

  • It's possible that those who were classified as Medical prior to the policy change still have Feedback turned on. Based on the responses, I feel I might have been classified as Medical ever since 2012; however, when the policy changed, Feedback was not turned off for me.

  • It's unclear whether being classified as Medical turns off automatic emailing of receipts (this is more fact than theory).

What Action Can You Take?

Based on this, I strongly encourage therapists and counselors using Square who want to address privacy concerns, as well as be in compliance with HIPAA, to do the following:

If you signed up with Square prior to 2015, contact Square immediately. Ask them to confirm that:

  • You are classified as Medical (unfortunately, I see nowhere in Square account settings to check this)

  • Customer Feedback is turned off

  • Automatic sending of emailed receipts is turned off (unless you are addressing this in your informed consent and/or HIPAA documentation)

If you signed up with Square in 2015 or later, you could also follow the steps above to be sure. According to Square, however, you should not have these issues. So, you may just want to ask some of your clients whether they've been receiving emailed receipts and/or been asked for feedback before taking the actions above.

I'd love to hear from others who have experienced this issue. Please leave a comment below!

Update 6/22/2015 - In the five days since I published this article, I've heard from a number of therapists who have contacted Square. Many of them have noted that Square confirmed that they were listed as "Medical", but that the feedback and automatic emailing of receipts was NOT turned off. This appears to confirm my suspicion that this was not universally turned off for those classified as Medical. This makes it even more important that those using Square contact them to be sure their settings are what they want them to be.

Rob Reinhardt, LPCS, M.Ed., NCC

Rob is a Licensed Professional Counselor in private practice and
owner of Tame Your Practice, which provides comprehensive
consulting to mental health and wellness professionals.

©2015 Rob Reinhardt, LPC, PA   www.tameyourpractice.com

Comments

Submitted by Karen on Wed, 06/24/2015 - 12:45

I was wondering if you have had any trouble with accepting HSA/FSA cards for therapy sessions. Have all insurance companies been okay with it? Is a pre-auth required? Do you swipe it just for the copay amount and bill insurance like normal?

Submitted by Rob Reinhardt on Wed, 06/24/2015 - 12:51

Hi Karen,
With regard to Square, HSA/FSA cards are another reason to ensure you are categorized as "Medical" (so that your clients can use those types of cards with you). HSA/FSA cards work much like any other credit card. With HSA cards, it's primarily the card holder's responsibility to document proper use of the funds. With FSA cards they may require more information from you (like a Superbill or other documentation showing it was for a medical expense). I'm not aware of any situations where pre-auth is required or where the insurance companies are involved at all. However, since FSA programs vary widely, so do requirements.

Submitted by B on Thu, 07/02/2015 - 12:25

Square did not have me classified as medical, however I have accepted HSA/FSA cards in past years with no issues, so that doesn't make any sense! I made the necessary updates with Square, documented the call and requested email confirmation of these changes. Thank you for addressing this issue and providing guidelines for the risk analysis form.

Submitted by Rob Reinhardt on Thu, 07/02/2015 - 12:30

Hi B,

Thank you for sharing your experience. I've heard from a great number of Square users since publishing this article and there doesn't seem to be any consistency in experience. It all points to the high likelihood that, as Square changed things, they may not have done so in a consistent manner. This makes it all the more important that everyone verify that their settings are as they want and need them to be.

Submitted by Ed Burris on Thu, 10/08/2015 - 09:18

So why in the world would anyone in the medical field risk liability using Square and not simply use a direct credit card processor that is without doubt HIPAA compliant as well as PCI compliant?

Submitted by Rob Reinhardt on Thu, 10/08/2015 - 09:32

To be clear, in most cases credit card processors don't have to worry about HIPAA compliance at all. It's only in the cases of some of these specific features Square has offered. Square definitely handles the PCI compliance piece.

Why use Square instead of a "traditional" merchant account? Primarily because:
1) It's usually a better deal if you process under $6000 in credit card charges each month.
2) It's mobile
3) There are no equipment charges, paper receipts to deal with, etc.
4) The fee structure is simple and straight-forward.
5) As long as you're aware of the issues mentioned here, there isn't a problem with HIPAA compliance.

Submitted by Jeremy H Broussard on Thu, 11/05/2015 - 11:17

Thanks Rob for all the information about helping us stay HIPAA compliant and informing us of how to stay both ethical and HIPAA compliant. Recently, I received an email from Square about a new feature: Square Appointments. What is your take on this? I'm seriously concerned about the exchange of PHI unless Square signs a BAA.

Submitted by Rob Reinhardt on Thu, 11/05/2015 - 20:59

Hi Jeremy,

I've not looked at the Square Appointments feature; however, you're right to be concerned that this wanders into HIPAA territory. Since it's not directly related to a financial transaction and does involve transmitting ePHI, it would require a BAA, which I don't believe Square will sign. At least they wouldn't last I checked.
