Updated 3/2/2020

One of the most frequent questions I get asked in my course and see in private SLP practice groups is "How do I bill and accept payments ethically and without violating HIPAA?" If you haven't thought about that, you should, because 1) you need to be paid for your services and, 2) you need to do so in a HIPAA-compliant manner (whether you’re private pay-only or accepting insurance). Here's my guide to ethically accepting and processing payments for your private practice.

Whether you are billing the client directly (private pay) or billing an insurance company, the basics of billing are that you

1. need to generate an invoice /superbill /claim;

2. get it to the payer (client or insurance company); and

3. they will pay you for your services. HOWEVER- you have to do ALL of these steps in a HIPAA-compliant manner.  

Have questions about HIPAA and BAA’s? Check out my blog series here.

Here's how to bill ethically and securely:

1. Generate a superbill/invoice/claim: 

You cannot just use any old invoicing software for this.
Quickbooks- Nope.
WaveApps- Nada
PayPal- No.
Square- yes, IF you sign a BAA with them (not sure what a BAA is? Check out my blog post here).
Stripe- yes, IF you sign a BAA with them.

Jane Payments: yes, since you must sign a BAA with them

The reason these invoicing services have to be HIPAA compliant is that the invoice you're generating has all sorts of PHI (Protected Health Information) on it. As soon as you put the client's full name,  the fact that the invoice is for speech therapy, a CPT or ICD-10 code (all of which  you need for a superbill or invoice)- that invoice has become PHI and is therefore regulated by HIPAA rules. This applies EVEN IF you are private pay only.

To create an invoice in a HIPAA-compliant manner, you need to either create it as a Word or Excel doc and password protect it, or create it in your EMR (most will automatically create claims, invoices, and superbills for you). 

2. Share the superbill/invoice/claim: If you are using an EMR, they all have an option to securely generate and send any billing documents to clients or insurance companies (not sure what an EHR is? Check out my blog post)

If you aren't using an EHR, though, you MUST have a HIPAA-compliant email to send invoices (Google Workspace from Google, Microsoft Office 365, or another option like Hushmail or Virtru). You cannot send an invoice or superbill through regular, unsecured email.  

3. Get paid. Now we get down to the gist of this post- getting paid. Just like you shouldn't generate an invoice through a non-HIPAA-compliant service, you can't send the invoice through them either. These services include PayPal, Zelle, Venmo, QuickBooks, etc. Their Terms of Use do NOT cover healthcare services, and you are violating both their terms AND HIPAA regulations if you send speech therapy invoices through them. They all collect information from clients that violates HIPAA.

If you choose to create a superbill outside of an EMR and you would still like to accept credit cards as payment, you must make sure that the credit-card processor will sign a BAA with you. If you're going that route, you would create the superbill, securely send it to the client, then have them pay using that outside credit card processor.

​However- if you are using any credit card processor OTHER THAN Stripe, Square, or others that sign a BAA , you would have to have clients pay an invoice that has absolutely ZERO PHI on it (no names, no birthdate, no CPT or ICD-10 codes), and clients cannot submit an invoice like that for reimbursement. So, using an outside credit card processor for invoicing AND payment would only be a viable option if you had a private pay client who was not interested in submitting a superbill for reimbursement. If your client is using an HSA to pay, then the invoice/ superbill MUST have identifying information on it, so this option won't work. 

If you are using an EMR and billing insurance, sign up for the insurance company's ERA's (Electronic Remittance Advice forms) and EFT (Electronic Funds Transfer). That way, when they pay for a claim, you will get an electronic copy of the EOB, and the money will be directly deposited into your business checking account. 

If you want to read the HIPAA Security Rule, the CMS website has some helpful information and guidance here.

Want to know more about how billing and coding for your private SLP practice? My course, Private Practice Essentials on Northern Speech Services, has an entire section on Setting Your Rate, How to Accept Payments, and even a Credit Card Processor comparison chart! I guide you through all of the steps necessary to ethically and HIPAA-compliantly bill your clients. 

Do you have questions about HIPAA-compliant billing? Ask in the comments!