- Joined
- Nov 19, 2010
- Messages
- 21
- Reaction score
- 2
I wanted to share a thought-provoking, amusingly written lit review about digital payments and ethics. It kinda blew my mind yesterday. Trigger warning: it's basically terrifying. The author gave me permission to post it to this forum. I hope it's helpful to others, and please weigh in if you have additional perspective on this issue.
---------- Forwarded message ----------
From: Jeff Brand
Date: Wed, Nov 1, 2017 at 7:48 PM
Subject: Re: [NSGP] digital payments
To: [email protected]
A few weeks ago, I’d asked if anyone could give advice about using digital payments, and thank you to everyone who wrote back. Some said they’d be interested to hear what I learned. As someone who dislikes a digital lifestyle, I had hoped my question would subtly hint about how great it would be if someone— anyone!— wanted to figure this out for me so that I could spend as little time on it as possible. Much to my angst, the more I learned about this issue, the more complicated and intimidating it became. I wanted to share what I’d learned because I imagine that many of us feel the same, and those who are doing new fangled payments may be doing it without being fully aware of the liabilities. I don’t claim to know what the best solutions might be. Frankly, I can’t even claim to know what I’m talking about. I haven't talked to a lawyer in preparing any of this, but maybe this will help someone— anyone!— figure it out for the rest of us.
Let’s go back to the beginning of time: 1996. HIPAA was passed and requires you (the clinician) to be compliant with the law for all protected health information (PHI), and so this extends to anyone you hire to handle said information. PHI includes both the obvious (e.g., notes, treatment plans, etc.) and the not-so-obvious (e.g., an email requesting an appointment, a text message to reschedule, a Skype session, etc.). This can also (but not always) include payment information, but more on this later. When you enlist or partake of the services of a company that has access to PHI, you (the provider) are required to “…obtain satisfactory assurances that the business associate will appropriately safeguard” the information. This sort of business-legal assurance is called a “Business Associate Agreement” (BAA) and it represents a high bar. For example, BAAs stipulate that the company must track “security incidents” and notify you of data breaches. Types of services that would require this type of coverage include email, online data back-up, cloud-based EMRs, practice management systems (e.g., online scheduling), and any mobile payment/online transfer service. I’ll come back to this later. Read more about this here.
Different services may market themselves as “HIPAA compliant” but it pays to note that this is misleading in the way that casual shop-talk is not legalese. No product or service can be deemed “HIPAA compliant” because being in compliance with HIPAA is a process of safeguarding data, not a state or certification one achieves. And so in evaluating a potential “business associate,” one has to weigh out their demonstrated ability to meet the standards in addition to having a formal agreement. (You’re waiting for me to talk about digital payments, but I took the time to write this and so I’m going to let the suspense build.)
Beyond cash or check, there are several different ways clients could pay you, depending on what you accept. Paying with cards might include credit, debit, HSA/FSA cards or Pre-Paid Cards. Note that passing along credit card fees to clients is legal for credit, but apparently not legal for debit cards; extra fees should be listed separately as a “surcharge”. Oh, and passing on fees is apparently illegal in 10 states, but I don’t know which ones. It may also be problematic in the context of copays. When dealing with an HSA/FSA, you should know there are no guarantees that a service provided would be accepted, and hypothetically you could have to give money back. You can read more about this here.
A bright spot in all of this is that transactions with a credit card (i.e., basic submission of bills) were exempted from HIPAA. Even though the credit card companies could be “business associates,” there’s no need for a BAA as long as their dealings with you are basic financial transactions (e.g., processing a payment), but not for other services (e.g., submitting your billing, keeping your accounting). Some credit cards and banks dabble with this, and so you should be careful about what you sign up for. But the name of the game in our brave new world is the way technology is blurring the boundaries. "Mobile payment options" (e.g., Square, Apple Pay, PayPal, Venmo, etc.) and "online fund transfers" function differently and do different things with information. It may be useful, albeit simplistic, to think of it this way: credit card companies are traditionally more like banks, and mobile payment options are more like escrow companies. The user experience may not be that different, but the fine print is what will kill you— not the least of which is a BAA.
Let’s take an easy example like Square, which is a popular mobile payment option that allows you to turn your mobile device (e.g., phone, iPad) into a credit card terminal. (There’s also something called Square Pay, but god help us—at some point you’re just on your own…) Square also does a variety of other functions such as emailing or texting clients their receipts, which are functions you apparently can’t turn off (?). Hopefully your client is okay with that, but more importantly that brings it into HIPAA territory. The good news is that Square has a BAA built into their terms of service, so they’re supposedly in compliance. You can read Square’s BAA here. A lot of this information comes from here.
One of the complications comes with how you’re using this. Whatever you use to swipe a credit card—that is considered the Point of Sale (POS), which in the case of Square means your mobile device and your network. When you swipe a card, the encryption happens at the POS (i.e., the little swiping gadget you attach to your mobile device) and is then sent to the company. When you keep cards on file or manually enter the card number (as opposed to swiping the card), then that information is considered “in scope” which is subject to the Payment Card Industry Data Security Standard (PCI DSS). Not doing so would be out of compliance with HIPAA, and so at that point you have to think about the security of your mobile device and your wifi/network as well as your payment processor. Things like SMS (how texts are sent) or email are often not as secure because they’re typically not encrypted, and so sending receipts via text can create more exposure to risk. Not an issue if you’re buying a burrito (which is what a lot of mobile payment options are for), but more of an issue if you’re trying to be HIPAA compliant. You can supposedly reduce your exposure by providing paper receipts (as if you could turn off the texting function…), not writing anything in any of the “comments” sections of the transaction, and not keeping card information on file. Learn for yourself at here or here.
Confused? Well, that was the easy example because Square actually has a BAA in its terms. The majority of mobile payment options do not, and will not give you one. So in using them you are not in compliance with HIPAA. Or that’s what the internet says, and this is why: these services gather data on their users, and some will often provide invoices of services/expenditures (among other things). This not only constitutes functions above and beyond payment transaction, but the use of data goes beyond what the law stipulates. For example PayPal uses payment data to aggregate profiles of users. Let’s suppose that PayPal were hacked, then the escape of PHI (and any resultant fines from the government, potentially thousands per violation) would be on you. Again, there’s no BAA, and so in terms of HIPAA compliance, no one is looking after the data you just gave them. (Or that’s what these guys say). And by the way, settling with the government’s Office of Consumer Rights (OCR) re: HIPAA fines does not absolve you from any civil litigation your clients may bring.
If HIPAA compliance weren’t enough to make you think twice, you may also want to do a gut check on getting paid. PayPal, for example, can also leave you exposed to denial of payment. If a client files a dispute, then PayPal can (at their discretion) elect to freeze your account (meaning you can’t access the money you’re owed). The company can also decide on their own that if (according to their own fraud protection measures) your business seems “suspicious,” they can freeze your account until determined otherwise. For example, consider if half your clients suddenly decide to start paying by card because now that the option is available. Or, for example, a client with a large balance decides to pay it off all in one month. You could suddenly find all this money that’s owed to you is locked up and unavailable because such influxes might trigger attention from the mobile payment provider. “How is this possible?” you ask. Because PayPal, Square, etc. function as an “payment service providers” (aka, like an escrow service, not as a bank) and resolving a dispute is contingent on proof of service. How are you going to prove (without further exposing PHI) that you had a session? Okay, checkmate.
As if we all didn’t learn our lesson from the Equifax security breach of 2017 (143 million users), or the Target breach of 2013 (110 million users), or the Yahoo breach of 2014 (3 billion users, that’s billion with a “b”), etc., etc., the moral of the story is that you can’t turn your back on the internet. PayPal and Venmo, for example, are two of the most popular services (both owned by eBay; security breach 2014, 145 million users). Both have been taken to court by states (Texas, California) and effectively ordered to address security concerns over “unsafe practices,” including the lack of a coherent system for monitoring security breaches and being unclear about what data they’re gathering from users. Problems included an inability to notify users of important account changes (such as monitoring security incidents, e.g., someone hacked in and changed your password). There were also issues about the companies’ overzealous collection of users’ data (i.e., contact lists, payment transactions, etc.) So hypothetically, if you used the service and some clients were comfortable and some weren’t, it seems plausible that this could have exposed other contacts (i.e., the clients who didn’t feel comfortable with it) to Venmo’s drag net. If you’re hoping I’m wrong, you can read this and this, and this, and tell me what I don’t get.
While major breaches catch headlines, hackers often target small to medium sized companies for POS vulnerability. Costs of cleaning up a breach apparently average around $80,000 (e.g., legal fees, paying for credit monitoring for affected parties, etc.), but I’ll admit that I don’t know where that number comes from. And given the fact that the parent company of popular services (eBay) has _already_ had a major breach, it seems likely the cat’s out of the bag. So one way to read this (and I hope that I'm wrong) is that if you’re using these services (PayPal or Venmo), there’s a chance that the PHI you gave them has already been hacked, but in terms of monitoring “security incidents” and fully notifying you or your clients of said HIPAA violation, they’re not necessarily willing, able, or obligated to let you know because there’s no BAA. (I’ll pause here in case anyone needs to go get a Xanax.) (This article suggests some ways of trying to safeguard yourself.)
One option that seems _so_ 20th century is paying for a credit card terminal, the kind where you physically bring the credit card and swipe it every time. Terminals encrypt the information at the POS, and so there aren't the same device/network risks and there's no issue of storing data. If you work with a lot of Millennials (many of whom don’t even have pockets in their sweatpants), then that may not be quite as convenient, but you run less risk of a HIPAA violation or finding yourself or your clients subject to identity theft.
“Wait, didn’t you say something about email?” Yes, because once you start emailing clients, there’s PHI out on the web and many times it’s not encrypted. HIPAA doesn’t speak to any specific technologies (much), but it does allow clients to opt into non-encrypted email communication when informed of the risks. (If you’re not having your clients sign email or e-communication consents, then you are doubly exposed.) But that doesn’t automatically address the issue of having a BAA with your email provider. I took some comfort in learning that Google (which supports “G Suite” of applications: gmail, calendar, drive, google docs, etc.) has a BAA (which you can read here), but was surprised to read in a forum that this BAA doesn't cover gmail inbox. I don’t know if that’s true, but if so, that’s kind of like selling health insurance that leaves out your respiratory system. I don’t know how any of this applies to Google Voice.
Part of the market solution to all these problems is to pay money for all your BAA-related needs: encrypted email services, practice management systems, EMRs, secure mobile payment providers, etc., and to pay for other things like credit card terminals, etc. One of the few cold comforts in this is knowing that if a federal prosecutor or regulatory agency wanted to start aggressively pursuing HIPAA violations for online infractions, they would probably have to come after two-thirds of healthcare providers in the state, but that’s not a defense for not complying with the law. Even if you don't get fined, it’s also not going to pay your bills if someone takes you to court. There are some arguments suggesting that the law (which was written 20 years ago) stipulates that providers make “reasonable and appropriate levels” of security for their data, and the grounds of what this constitutes are clearly shifting. (One alternative perspective).
I don’t pretend to know what this means for using mobile payment options except that the technology is clearly way out in front of the law. So I hope this is helpful. Please make your own decisions. I’m hoping that someone— anyone!— does the legwork of making this simple, and understandable, and "HIPAA compliant," and affordable so that people like me can go back to our hoola hoops and rotary telephones.
Jeff Brand
---------- Forwarded message ----------
From: Jeff Brand
Date: Wed, Nov 1, 2017 at 7:48 PM
Subject: Re: [NSGP] digital payments
To: [email protected]
A few weeks ago, I’d asked if anyone could give advice about using digital payments, and thank you to everyone who wrote back. Some said they’d be interested to hear what I learned. As someone who dislikes a digital lifestyle, I had hoped my question would subtly hint about how great it would be if someone— anyone!— wanted to figure this out for me so that I could spend as little time on it as possible. Much to my angst, the more I learned about this issue, the more complicated and intimidating it became. I wanted to share what I’d learned because I imagine that many of us feel the same, and those who are doing new fangled payments may be doing it without being fully aware of the liabilities. I don’t claim to know what the best solutions might be. Frankly, I can’t even claim to know what I’m talking about. I haven't talked to a lawyer in preparing any of this, but maybe this will help someone— anyone!— figure it out for the rest of us.
Let’s go back to the beginning of time: 1996. HIPAA was passed and requires you (the clinician) to be compliant with the law for all protected health information (PHI), and so this extends to anyone you hire to handle said information. PHI includes both the obvious (e.g., notes, treatment plans, etc.) and the not-so-obvious (e.g., an email requesting an appointment, a text message to reschedule, a Skype session, etc.). This can also (but not always) include payment information, but more on this later. When you enlist or partake of the services of a company that has access to PHI, you (the provider) are required to “…obtain satisfactory assurances that the business associate will appropriately safeguard” the information. This sort of business-legal assurance is called a “Business Associate Agreement” (BAA) and it represents a high bar. For example, BAAs stipulate that the company must track “security incidents” and notify you of data breaches. Types of services that would require this type of coverage include email, online data back-up, cloud-based EMRs, practice management systems (e.g., online scheduling), and any mobile payment/online transfer service. I’ll come back to this later. Read more about this here.
Different services may market themselves as “HIPAA compliant” but it pays to note that this is misleading in the way that casual shop-talk is not legalese. No product or service can be deemed “HIPAA compliant” because being in compliance with HIPAA is a process of safeguarding data, not a state or certification one achieves. And so in evaluating a potential “business associate,” one has to weigh out their demonstrated ability to meet the standards in addition to having a formal agreement. (You’re waiting for me to talk about digital payments, but I took the time to write this and so I’m going to let the suspense build.)
Beyond cash or check, there are several different ways clients could pay you, depending on what you accept. Paying with cards might include credit, debit, HSA/FSA cards or Pre-Paid Cards. Note that passing along credit card fees to clients is legal for credit, but apparently not legal for debit cards; extra fees should be listed separately as a “surcharge”. Oh, and passing on fees is apparently illegal in 10 states, but I don’t know which ones. It may also be problematic in the context of copays. When dealing with an HSA/FSA, you should know there are no guarantees that a service provided would be accepted, and hypothetically you could have to give money back. You can read more about this here.
A bright spot in all of this is that transactions with a credit card (i.e., basic submission of bills) were exempted from HIPAA. Even though the credit card companies could be “business associates,” there’s no need for a BAA as long as their dealings with you are basic financial transactions (e.g., processing a payment), but not for other services (e.g., submitting your billing, keeping your accounting). Some credit cards and banks dabble with this, and so you should be careful about what you sign up for. But the name of the game in our brave new world is the way technology is blurring the boundaries. "Mobile payment options" (e.g., Square, Apple Pay, PayPal, Venmo, etc.) and "online fund transfers" function differently and do different things with information. It may be useful, albeit simplistic, to think of it this way: credit card companies are traditionally more like banks, and mobile payment options are more like escrow companies. The user experience may not be that different, but the fine print is what will kill you— not the least of which is a BAA.
Let’s take an easy example like Square, which is a popular mobile payment option that allows you to turn your mobile device (e.g., phone, iPad) into a credit card terminal. (There’s also something called Square Pay, but god help us—at some point you’re just on your own…) Square also does a variety of other functions such as emailing or texting clients their receipts, which are functions you apparently can’t turn off (?). Hopefully your client is okay with that, but more importantly that brings it into HIPAA territory. The good news is that Square has a BAA built into their terms of service, so they’re supposedly in compliance. You can read Square’s BAA here. A lot of this information comes from here.
One of the complications comes with how you’re using this. Whatever you use to swipe a credit card—that is considered the Point of Sale (POS), which in the case of Square means your mobile device and your network. When you swipe a card, the encryption happens at the POS (i.e., the little swiping gadget you attach to your mobile device) and is then sent to the company. When you keep cards on file or manually enter the card number (as opposed to swiping the card), then that information is considered “in scope” which is subject to the Payment Card Industry Data Security Standard (PCI DSS). Not doing so would be out of compliance with HIPAA, and so at that point you have to think about the security of your mobile device and your wifi/network as well as your payment processor. Things like SMS (how texts are sent) or email are often not as secure because they’re typically not encrypted, and so sending receipts via text can create more exposure to risk. Not an issue if you’re buying a burrito (which is what a lot of mobile payment options are for), but more of an issue if you’re trying to be HIPAA compliant. You can supposedly reduce your exposure by providing paper receipts (as if you could turn off the texting function…), not writing anything in any of the “comments” sections of the transaction, and not keeping card information on file. Learn for yourself at here or here.
Confused? Well, that was the easy example because Square actually has a BAA in its terms. The majority of mobile payment options do not, and will not give you one. So in using them you are not in compliance with HIPAA. Or that’s what the internet says, and this is why: these services gather data on their users, and some will often provide invoices of services/expenditures (among other things). This not only constitutes functions above and beyond payment transaction, but the use of data goes beyond what the law stipulates. For example PayPal uses payment data to aggregate profiles of users. Let’s suppose that PayPal were hacked, then the escape of PHI (and any resultant fines from the government, potentially thousands per violation) would be on you. Again, there’s no BAA, and so in terms of HIPAA compliance, no one is looking after the data you just gave them. (Or that’s what these guys say). And by the way, settling with the government’s Office of Consumer Rights (OCR) re: HIPAA fines does not absolve you from any civil litigation your clients may bring.
If HIPAA compliance weren’t enough to make you think twice, you may also want to do a gut check on getting paid. PayPal, for example, can also leave you exposed to denial of payment. If a client files a dispute, then PayPal can (at their discretion) elect to freeze your account (meaning you can’t access the money you’re owed). The company can also decide on their own that if (according to their own fraud protection measures) your business seems “suspicious,” they can freeze your account until determined otherwise. For example, consider if half your clients suddenly decide to start paying by card because now that the option is available. Or, for example, a client with a large balance decides to pay it off all in one month. You could suddenly find all this money that’s owed to you is locked up and unavailable because such influxes might trigger attention from the mobile payment provider. “How is this possible?” you ask. Because PayPal, Square, etc. function as an “payment service providers” (aka, like an escrow service, not as a bank) and resolving a dispute is contingent on proof of service. How are you going to prove (without further exposing PHI) that you had a session? Okay, checkmate.
As if we all didn’t learn our lesson from the Equifax security breach of 2017 (143 million users), or the Target breach of 2013 (110 million users), or the Yahoo breach of 2014 (3 billion users, that’s billion with a “b”), etc., etc., the moral of the story is that you can’t turn your back on the internet. PayPal and Venmo, for example, are two of the most popular services (both owned by eBay; security breach 2014, 145 million users). Both have been taken to court by states (Texas, California) and effectively ordered to address security concerns over “unsafe practices,” including the lack of a coherent system for monitoring security breaches and being unclear about what data they’re gathering from users. Problems included an inability to notify users of important account changes (such as monitoring security incidents, e.g., someone hacked in and changed your password). There were also issues about the companies’ overzealous collection of users’ data (i.e., contact lists, payment transactions, etc.) So hypothetically, if you used the service and some clients were comfortable and some weren’t, it seems plausible that this could have exposed other contacts (i.e., the clients who didn’t feel comfortable with it) to Venmo’s drag net. If you’re hoping I’m wrong, you can read this and this, and this, and tell me what I don’t get.
While major breaches catch headlines, hackers often target small to medium sized companies for POS vulnerability. Costs of cleaning up a breach apparently average around $80,000 (e.g., legal fees, paying for credit monitoring for affected parties, etc.), but I’ll admit that I don’t know where that number comes from. And given the fact that the parent company of popular services (eBay) has _already_ had a major breach, it seems likely the cat’s out of the bag. So one way to read this (and I hope that I'm wrong) is that if you’re using these services (PayPal or Venmo), there’s a chance that the PHI you gave them has already been hacked, but in terms of monitoring “security incidents” and fully notifying you or your clients of said HIPAA violation, they’re not necessarily willing, able, or obligated to let you know because there’s no BAA. (I’ll pause here in case anyone needs to go get a Xanax.) (This article suggests some ways of trying to safeguard yourself.)
One option that seems _so_ 20th century is paying for a credit card terminal, the kind where you physically bring the credit card and swipe it every time. Terminals encrypt the information at the POS, and so there aren't the same device/network risks and there's no issue of storing data. If you work with a lot of Millennials (many of whom don’t even have pockets in their sweatpants), then that may not be quite as convenient, but you run less risk of a HIPAA violation or finding yourself or your clients subject to identity theft.
“Wait, didn’t you say something about email?” Yes, because once you start emailing clients, there’s PHI out on the web and many times it’s not encrypted. HIPAA doesn’t speak to any specific technologies (much), but it does allow clients to opt into non-encrypted email communication when informed of the risks. (If you’re not having your clients sign email or e-communication consents, then you are doubly exposed.) But that doesn’t automatically address the issue of having a BAA with your email provider. I took some comfort in learning that Google (which supports “G Suite” of applications: gmail, calendar, drive, google docs, etc.) has a BAA (which you can read here), but was surprised to read in a forum that this BAA doesn't cover gmail inbox. I don’t know if that’s true, but if so, that’s kind of like selling health insurance that leaves out your respiratory system. I don’t know how any of this applies to Google Voice.
Part of the market solution to all these problems is to pay money for all your BAA-related needs: encrypted email services, practice management systems, EMRs, secure mobile payment providers, etc., and to pay for other things like credit card terminals, etc. One of the few cold comforts in this is knowing that if a federal prosecutor or regulatory agency wanted to start aggressively pursuing HIPAA violations for online infractions, they would probably have to come after two-thirds of healthcare providers in the state, but that’s not a defense for not complying with the law. Even if you don't get fined, it’s also not going to pay your bills if someone takes you to court. There are some arguments suggesting that the law (which was written 20 years ago) stipulates that providers make “reasonable and appropriate levels” of security for their data, and the grounds of what this constitutes are clearly shifting. (One alternative perspective).
I don’t pretend to know what this means for using mobile payment options except that the technology is clearly way out in front of the law. So I hope this is helpful. Please make your own decisions. I’m hoping that someone— anyone!— does the legwork of making this simple, and understandable, and "HIPAA compliant," and affordable so that people like me can go back to our hoola hoops and rotary telephones.
Jeff Brand
