A frequent question we get at iCouch is “Can I use PayPal?” The challenge of billing for mental health professionals is a big one. You want to get paid and you want to make it easy for your clients to pay you. However, we have some big, big problems with PayPal. This post should be an eye-opener if you use PayPal in your behavioral health practice.
PayPal became huge in the early days of internet commerce. One of the challenges of a site such as Ebay was how individual sellers could easily and safely get paid before sending a product to a stranger on the internet. PayPal was that solution. It is essentially an escrow service. A seller sends money to PayPal and you send the product, then PayPal sends you the money. However, in a mental health practice (or any medical practice for that matter,) there are significant issues with such an arrangement. The most notable being HIPAA.
PayPal is not HIPAA compliant
Anyone know of someone who has a Business Associates Agreement with PayPal? Neither do I. PayPal is not HIPAA compliant and is a serious violation of privacy for those paying for mental health treatment. A client pays you with PayPal for “Therapy Session With Dr. Therapist.” As most of you know, the procurement of medical services is considered protected health information. Now PayPal has a record of that treatment payment. Yet, PayPal isn’t HIPAA compliant, so that Protected Health Information is now living in a non-compliant system. PayPal uses things such as transaction history as part of their fraud prevention system, which means that protected health information isn’t only stored on PayPal systems — it’s actively used to create a payment history profile for that person.
So, unless you have a Business Associates Agreement (which you don’t,) you should never use PayPal for your therapy practice. Since you don’t have such an agreement, if PayPal were ever hacked and data released — YOU are on the hook for the HIPAA violations, which amounts to a minimum of $10,000 per record, per occurrence. If you have 20 patients who have used PayPal and PayPal gets hacked, that’s $200,000 in potential liability that is all on you. Even if you have strong trust in PayPal — are you willing to bet $200,000 on it? This is why it’s vital that you only accept payments through systems that are HIPAA compliant (such as iCouch, of course.) You can see iCouch’s Business Associates agreement here.
PayPal is great for beanie babies, bad for business
HIPAA compliance ought to be enough, however, for those that still insist on PayPal, there are countless horror stories of businesses that have had their accounts frozen for arbitrary and often undisclosed reasons.
First of all, PayPal is not a bank. This means that banking laws don’t apply. That means that they can do things like hold your funds for 180 days without any provided reason. It’s in their user agreement.
If we believe that you’ve engaged in any [restricted activities,] we may take a number of actions to protect PayPal, its customers and others at any time in our sole discretion. The actions we make take include, but are not limited to, the following:
Hold your PayPal balance for up to 180 days if reasonably needed to protect against the risk of liability or if you have violated our Acceptable Use Policy.
Notice it says, “If we believe,” not “if you have.” What that means is that even if they think you’ve done something wrong, they can hold your money. It’s up to you to prove that you haven’t. So, for example, if a client pays you with PayPal and then disputes the payment, PayPal can hold all your money. For a normal credit card system (such as we use at iCouch,) a disputed charge only affects the amount of the specific charge — not your entire account. Remember, PayPal is not a bank. You can’t file a complaint with your state’s banking commission. You could file a lawsuit, but how much will that cost? It isn’t worth it. So even without being concerned with HIPAA compliance, PayPal is a very risky means to take payments for a service. You can’t “prove” you delivered the service, thus in a PayPal dispute, you will lose — and potential have your entire account frozen and your funds unavailable for 180 days.
Think twice before you offer PayPal. There are better solutions that are affordable, secure and won’t violate HIPAA or hold your money hostage at the first hint of trouble.