The Problems with Therapists Using Square
Square really revolutionized credit card processing when it came out in 2010. I jumped on the bandwagon quickly and happily, thankful to have an easy and affordable way to take credit card payments. It was cool, even, clients often asked what it was or remarked positively on it.
Fast forward to today, and I haven’t used Square in more than a year. It’s still cool, and convenient, but I switched providers because I didn’t feel like it was HIPAA compliant.
HIPAA says that “basic financial transactions” aren’t covered by their rules. However, when you dig in to what “basic financial transactions” are, you discover that receipts (or invoicing) are not included.
This matters with Square because of one of their convenience features. If a customer pays with Square at the coffeehouse down the street and elects to have them send the receipt via email, Square will remember that credit card and automatically send a receipt the next time it’s used, even at a different merchant—say, for example—the therapist’s office.
An automatically sent receipt isn’t necessarily the worst privacy issue in the world, although it is technically a HIPAA no-no. Sadly, though, the problems with Square don’t stop there. When 2 people share one credit card, the receipts can be sent to the person who isn’t making the charge. I once had a client whose husband had used their joint credit card somewhere else and opted for an emailed receipt sent to his email address. When my client (the wife) came in to see me, the automatically sent receipts were going to… her husband. For some clients, this could be a real issue.
And then there’s a third problem with Square, a newish one. A therapist in one of my HIPAA workshops told me that Square is now sending receipts with a ‘review this business’ option. Oh, no! Soliciting testimonials is dangerous ground for therapists, prohibited by most if not all Ethical Codes. She sent me a screenshot of the email (see picture above.) As a therapist, the idea that my credit card processor might send an email to a client asking them to review my services? Well, if I hadn’t already left Square, that would have been the last straw.
There are multiple competitors for Square, and I won’t recommend one over another. Rather, I encourage you to put “credit card processor” into your risk assessment, and evaluate how well whomever you use is protecting patient privacy and allowing you to be compliant with HIPAA requirements and Ethical Code requirements.
UPDATE: My colleague Rob Reinhardt got inspired by this post and did further research. He contacted Square and has more details & recommendations about how to continue using Square in an ethical, HIPAA compliant way. Read it here on his blog. Thanks Rob, you’re awesome! (By the way, Rob is also the therapist-techie who has the super-helpful collection of cloud-based practice management system reviews available to read for free on his blog… a resource I highly recommend in the workshop.)
UPDATE #2: Square has made important changes that make it safer for therapists to use. See this blog post for details.