Potential Privacy and HIPAA Compliance Concerns with Square
Update – Since I originally published this article in 2015, Square has really stepped up their game. They have clarified and streamlined the processes that caused the confusion described below. In addition, they have begun signing Business Associate Agreements. It’s still important that Covered Entities make sure they are classified correctly in the Square system and carry out an appropriate risk analysis (see below) to ensure they are using Square in a compliant manner. While these issues have been addressed, I’m leaving this article live as a case study to help understand and clarify HIPAA compliance issues.
Due to Square’s continued responsiveness to these issues and quality service, we continue to recommend them. If you sign up using our links*, you will receive free processing for your first $1000 in charges within 180 days!
I have been using Square* (also known as SquareUp) since 2012 and have been very pleased with the service. I’ve recommended it to countless mental health clinicians looking for an easy, affordable way to accept credit cards. For those who may not have seen it yet, Square is a set of small devices allowing you to accept credit cards through a mobile app.
Despite financial transactions being exempt from HIPAA/HITECH, Square has always needed to be a part of any Covered Entity’s risk assessment due to some of its other features. For example, Square allows you to email a receipt. This constitutes a transmission of Protected Health Information (PHI) outside of a financial transaction and is not exempt. Since I was aware of this, I’ve been able to readily address it in my risk analysis, informed consent, and policies and procedures.
What’s The Concern?
Recently, however, two Square features were brought to my attention that concerned me greatly. Katie Malinski, from HIPAA for Therapists, reported hearing from therapists using Square that:
- The Square app was automatically sending receipts to clients who had used Square through other merchants (and thus provided their email address).
- The Square app was automatically asking clients to provide feedback on people they purchase from, essentially a Happy or Sad face rating (keep reading for the remedy). While Square reports the ratings are only available to the business using Square, this is still a transfer and storage of PHI outside of the financial transaction. This could mean that Square becomes a Business Associate under HIPAA, which I’m guessing they want to avoid. Unless your informed consent notifies your clients that they will be asked for feedback through an app, this could potentially be an ethics issue as well.
While these are convenient and useful features for most businesses, they raise serious ethics, privacy, and HIPAA compliance concerns for mental health clinicians.
What Did Square Say About It?
I contacted Square to raise these concerns. I noted that I was especially concerned that these features appeared to have been turned on without my knowledge. What resulted was a fifteen-email exchange over the course of 10 days that never fully answered my questions. In order to understand my confusion at their responses, it’s important to know some facts:
- MCC stands for Merchant Category Code. It’s basically a way to let Square know what kind of business you are running for various reasons.
- In 2012 I contacted Square, letting them know that I needed to be able to accept HSA/FSA cards. They reported that they updated my MCC so that I could accept HSA/FSA cards. According to their current FAQ, that means they had to have updated me to a “Medical” MCC category.
Here is a brief summary of what Square representatives said to me during the recent exchange:
- “I have disabled the option for your clients to be asked for feedback and to receive automatic receipts on your account.”
- “If you are registered as Medical Services (which you are in our system) then we automatically turn on [sic]* the feedback feature to be in compliance with HIPPA [sic]” (*the rep later clarified that she meant to say “off” instead of “on”)
- “In general with Square if you have a MCC (Merchant Category Code) of Medical Services your Feedback option is automatically turned off because of HIPPA [sic].”
- “Your account did not have an MCC of Medical Services until 6/7/15.”
- “To clarify, you did not have an MCC related to Medical anything when you set up your account. When you called in [this would have been in 2012] and we got information we were able to change your MCC to Medical so you could accept HSA/FSA cards. Your account is classified as Medical Services 8099 now so you do not need to take any other action.”
- “You were listed as Professional Services rather than Medical Services in our system prior to 6/7/2015. We adjusted feedback to no longer appear on receipts for those with the Medical Services MCC in 2014 after feedback from our merchants.”
- “As we changed our policy on feedback for Medical MCCs in 2014 your account had to be updated again to reflect the changes. You can inform anyone who signs up now with a Medical MCC that they will not have the feedback option on their receipts.”
What’s So Confusing?
Did you catch the conflicting statements? For those that didn’t catch it, in one place they say I was classified as “Professional Services” up until 6/7/2015, and in another they say I had to have been classified as Medical back in 2012 in order to accept HSA/FSA cards. Despite multiple attempts on my part to gain clarification, including asking that this be escalated, I never received a response that I felt adequately addressed these contradictions.
The remaining questions are: If I was truly classified as “Professional Services” from 2012 through June 17, 2015, how have I been able to accept HSA/FSA cards all this time? Why did she say “In general” in the third bullet point? (Are there exceptions?) Why didn’t the initial rep who replied to me mention that they were re-classifying me as Medical? Why did she say that the policy change in 2014 would have impacted me since she claimed I wasn’t classified as Medical at the time? And why do they say that “anyone that signs up now (emphasis mine), will not have the feedback option”?
Based on what I do know and what Square reps did not clarify or address, and adding a healthy dose of Occam’s Razor, I’m led to theorize the following:
- Square implemented the Feedback feature without initially considering the impact on users in health care fields.
- For some period of time (I don’t know exactly when the Feedback feature was launched), up until sometime in 2014, some clients were asked to provide feedback to their therapist if they were sent a receipt.
- It’s possible that those who were classified as Medical prior to the policy change still have Feedback turned on. Based on the responses, I feel I might have been classified as Medical ever since 2012; however, when the policy changed, Feedback was not turned off for me.
- It’s unclear whether being classified as Medical turns off automatic emailing of receipts (this is more fact than theory).
What Action Can You Take?
Based on this, I strongly encourage therapists and counselors using Square who want to address privacy concerns, as well as be in compliance with HIPAA, to do the following:
If you signed up with Square prior to 2015, contact Square immediately. Ask them to confirm that:
- You are classified as Medical (unfortunately, I see nowhere in Square account settings to check this)
- Customer Feedback is turned off
- Automatic sending of emailed receipts is turned off (unless you are addressing this in your informed consent and/or HIPAA documentation)
If you signed up with Square in 2015 or later, you could also follow the steps above to be sure. According to Square, however, you should not have these issues. So, you may just want to ask some of your clients if they’ve been receiving emailed receipts and/or been asked for feedback before taking the actions above.
I’d love to hear from others who have experienced this issue. Please leave a comment below!
Update 6/22/2015: In the five days since I published this article, I’ve heard from a number of therapists who have contacted Square. Many of them have noted that Square confirmed that they were listed as “Medical”, but that the feedback and automatic emailing of receipts was NOT turned off. This appears to confirm my suspicion that this was not universally turned off for those classified as Medical. This makes it even more important that those using Square contact them to be sure their settings are what they want them to be.
About the Author
Rob has been covering technology and business news for mental health professionals since 2011. His extensive experience in IT, business, and private practice allows him to synthesize information in a friendly, digestible manner. He also enjoys time with his family, ultimate frisbee, and board gaming.