Credit cards are being used in more than 60 percent of all sales in the United States, and that number is expected to keep rising (see bit.ly/ccusage). That means it is increasingly challenging to run any sort of business without accepting credit cards. Counselors must also factor in the increasing number of clients who have a health savings account (HSA) or a flexible spending account (FSA) tied to a credit card.
The decision has become not so much whether to accept credit cards but how. With that in mind, this column will cover some things to be aware of, whether you have already been accepting credit cards or are just considering adding them to the payments you accept.
Lots of options
In the past, accepting credit cards meant purchasing equipment and paper and paying monthly minimum charges. But now, mobile options offered by Square, PayPal, Intuit and others let you swipe credit cards through a postage-stamp-size dongle attached to your smartphone or tablet. The dongle is typically free, and the merchant fee is usually a flat rate with no minimums.
A number of factors go into deciding which product is a good fit for you, including number of locations, business structure and expected monthly volume of credit card charges. Mobile dongles tend to be the best fit for solo and small group practices, particularly those with more than one office. Large practices that do a significant volume of credit card business may be able to negotiate a better merchant rate with a local bank. Banks have begun to catch on that mobile solutions are desirable, and some may even offer a hybrid solution.
Transactions exempt from HIPAA
In providing consultations to private practice owners, I often get asked whether counselors need to have a business associate agreement with their credit card merchant service. Because the merchant does access protected health information, one might think that a business associate relationship is established. However, the Health Insurance Portability and Accountability Act (HIPAA) exempts these transactions, stating that a business associate agreement is not required “when a financial institution processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity” (see bit.ly/HIPAABA). Note that this excludes only the transaction itself.
Special privacy and compliance concerns
Many financial services, especially those that provide mobile dongles, offer additional features beyond processing the transaction itself. Some provide the ability to email receipts to clients or prompt them for feedback on services. These features are not exempt from HIPAA regulations because they do not directly facilitate or effect the transfer of funds as noted above. In other words, a business associate agreement may be required if these features are turned on.
Counselors will need to perform a risk assessment (see bit.ly/TYPPCT) to determine how to address these features. This may involve turning the features off completely or documenting a client’s request to use them. For additional details, including the recommended actions to take, read the blog post I wrote at bit.ly/HIPAASquare.
It’s important to be aware that the credit card industry has its own form of HIPAA called Payment Card Industry Security Standards (commonly referred to as PCI or PCI compliance). These standards detail the responsibilities of merchants to keep credit card and related data secure. For an overview of compliance requirements, see bit.ly/TYPPCI.
Smart credit cards
Credit cards are in the process of becoming more secure. New credit cards, often referred to as “smart” credit cards, are shifting to the EMV (Europay, MasterCard and Visa) standard. This means that they will have a computer chip integrated into the card. Legacy cards carry all of the card’s and card holder’s data on the familiar magnetic stripe and are easily counterfeited. Through the computer chip, EMV cards are able to generate transaction data at the moment of the transaction, making them much more difficult to counterfeit and steal information from.
[See more on smart chips at Rob’s blog: http://bit.ly/1VhYF3h]
Because of concerns about fraud and theft, much of Europe converted to the EMV standard several years ago. It took large breaches at places such as Target for banks in the United States to finally move forward with the upgrade. Still, banks are moving forward at a slow pace, first switching to cards that have both the chip and the magnetic stripe to give merchants an opportunity to catch up to the technology.
Those that accept credit cards will need new card readers to process the new cards. As of Oct. 1, the banks will be placing more responsibility for fraudulent charges on merchants if they haven’t adopted the new technology. That said, the banks are currently running behind on printing the new cards, so it may be difficult for them to enforce this, especially as it relates to small businesses. In any case, those who accept credit cards will need to migrate to this new card reader technology sometime in the not too distant future.
Should you pass on charges?
In online forums, I often see counselors asking if they should pass on the credit card merchant fees to their clients. Up until 2013, credit card contracts blocked merchants from passing these charges on, but as a result of a lawsuit against MasterCard and Visa, they were forced to allow “swipe fees” to be passed along. Some merchants (and counselors) view this as a way to recoup some of the costs associated with accepting credit cards.
Counselors should consider a number of factors before engaging in this practice, however. In most cases, I find that the cons of such a policy outweigh the pros. Furthermore, several states have passed legislation to make the passing on of swipe fees illegal. For a more in-depth examination of this topic, you can read my blog post at bit.ly/SwipeFees.
Despite this additional array of information to be aware of, I highly recommend that those in private practice consider accepting credit cards. Offering convenience to clients while receiving quick and efficient payment yourself makes this an all-around plus for anyone who wants to run a successful practice.
Rob Reinhardt, a licensed professional counselor supervisor, is a private practice and business consultant who helps counselors create and maintain efficient, successful private practices. Before becoming a professional counselor, he worked as a software developer and director of information technology. Contact him at firstname.lastname@example.org.
Letters to the editor: email@example.com