HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities (CEs) and their business associates (BAs) must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI). We know the HIPAA industry is vast and that finding a BA to send or receive secure patient payments is fundamental to patient care. This is especially true with the recent growth of telehealth and the need to receive payments electronically.
Today, we will determine if Square as a financial institution is HIPAA compliant or not.
Square is a financial services and mobile payment company founded in 2009 and based in San Francisco, California. The company is best known for its Square Reader, which connects to a mobile device’s audio jack and turns the device into a point-of-sale solution. Since the reader was first created, the company has upgraded it several times; the current version forms a complete payment system and includes a device that accepts chip and contactless payments. Square also allows for easy payments and money transfers via its app or website.
. . . a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.

Nevertheless, for complete protection, a CE should utilize a financial institution that will offer and sign a BAA.
If you are subject to HIPAA as a [CE] or [BA] (as defined in HIPAA) and use the Services in a manner that causes Square to create, receive, maintain, or transmit [PHI] on your behalf, then you agree to the HIPAA [BAA].

The only stipulation is that Square users “are responsible for determining whether they are subject to HIPAA requirements and whether they intend to use the Services in connection with PHI.” While the BAA is downloadable, there is nothing to sign by either party.