How to ensure HIPAA-compliant billing
When you hear someone reference HIPAA (aka the Health Insurance Portability and Accountability Act), you might think about clients’ diagnoses, treatment plans, or progress notes.
But did you know that HIPAA’s privacy regulations also cover billing and how you get paid for providing therapy?
It’s true.
Whether you’re doing private pay or billing insurance, it’s essential that you have a HIPAA-compliant billing process.
This is especially important when you’re offering telehealth or teletherapy services, since you’re not accepting payment at the point of service as you would with in-person appointments.
The basics of HIPAA-compliant billing
- Provide a service
- Generate an invoice, superbill, or claim
- Share with the payer (client or insurance company)
- Get paid for your work
Here’s each step you need to consider to make sure your billing process is complying with HIPAA regulations:
Disclaimer: This article is for informational purposes only, and should not be considered legal or ethical advice. For specific guidance, consult with an attorney or your professional liability insurer.
1. Generate an invoice, superbill, or claim
You can’t use just any invoicing software for this.
It’s important to do the investigative work to determine if your invoicing software is HIPAA-compliant, as the SimplePractice EHR software is.
For example—QuickBooks, Wave, PayPal, and Zelle do not meet HIPAA requirements.
Certain vendors, like Venmo, even have explicit language in their Terms of Use that forbids the use of their software for healthcare-related transactions.
This means many different types of practices—like speech therapy or counseling—cannot safely use this payment solution.
While using a payment processor does not itself fall under HIPAA regulation, invoicing and billing do need to comply with HIPAA requirements.
By using SimplePractice, customers are already protected because they have a signed BAA with SimplePractice from the second they sign up for a trial or paid account.
A BAA is required for invoice processing—not payment processing—so there’s no need to sign any additional BAA.
Why does your practice need HIPAA-compliant payment processing?
It’s because invoices contain all sorts of Protected Health Information (PHI) on them.
As soon as you put the client’s full name, the service performed, or a CPT or ICD-10 code on your billing document, it’s considered PHI—and that falls under HIPAA regulations.
To create a HIPAA-compliant invoice without an EHR solution, you can generate it in a Word or Excel document as long as you password-protect it.
In comparison, if you use an EHR such as SimplePractice, most platforms will automatically create claims, invoices, and superbills for you based on appointments or services rendered.
2. Share a billing document
If you use a software solution like SimplePractice, you can securely generate and send any billing documents to clients or insurance companies straight from the platform.
You must use a HIPAA-compliant email service to securely send invoices. If you’re sending invoices or claim information to a billing company, your only option may be to fax them.
3. Get paid
Now that you’ve created an invoice and figured out how to securely send it to the client, you need to get paid. In the same way you shouldn’t generate an invoice through a non-HIPAA-compliant service—like QuickBooks® or PayPal—you can’t accept payment through them either.
Again, their Terms of Use don’t typically cover healthcare services. This means you’d be in violation of both the processor’s terms and HIPAA regulations if you send client invoices via those services.
That leaves you with cash and check as your only options. However, one workaround is to create the invoice or superbill, send it to the client via a secure email, then have them pay using an on-the-spot payment capture solution like Square or Stripe.
But really, the easiest way to get paid is to use an EHR like SimplePractice.
With SimplePractice, you can generate claims, send them to clients, and get paid easily—all from one platform.
Plus, if you sign up for the insurance company’s Electronic Remittance Advice (ERA) and Electronic Funds Transfer (EFT) programs, you can receive an electronic Explanation of Benefits (EOB) and have the insurance company deposit payments directly into your business checking account.
If a client is paying privately, they can use the credit card processor in your EHR to securely pay that bill right from their Client Portal.
The money will be deposited into your business bank account as soon as it becomes available.
Using an EHR like SimplePractice can ensure HIPAA-compliant billing
If you’ve been considering trying out a fully integrated, HIPAA-compliant EHR, SimplePractice gives you everything you need. You’ll get more organized and run a fully paperless practice.
Used by over 200,000 private practice clinicians nationwide, SimplePractice is the practice management software with HIPAA-compliant booking, billing, secure messaging, and telehealth for therapists, speech-language pathologists, occupational therapists, and other practitioners in the health and wellness industry.
To try SimplePractice out, sign up for a free, 30-day trial. No credit card needed.