Mental health professionals in private practice are subject to stringent data security regulations under the Health Insurance Portability and Accountability Act, or HIPAA. Failure to adequately protect Protected Health Information — such as a patient’s name, health status, provision of care, or payment for care — is potentially subject to severe penalties, including stiff fines and even jail time.
While psychotherapists are well aware of HIPAA, they may not always know what constitutes a violation. One area of vulnerability is the use of online accounting software, such as QuickBooks Online (QBO) or Xero, to process patient payments and maintain financial records. While these services are highly secure platforms, both companies explicitly state that they are not HIPAA compliant.
I recently encountered a psychotherapist who was using QBO to issue invoices to patients and process payments. For other businesses this would make perfect sense, but in this case, it emphatically did not. He was exposed to serious risk because he was not aware of the issue.
Psychotherapists should use Electronic Health Record (EHR) systems, such as SimplePractice or TherapyNotes, to store their patient data and process payments, to ensure compliance with HIPAA. These specialized platforms were designed to maintain compliant data security. While EHR systems are used to process insurance claims, even practitioners who do not accept insurance should use them for this reason.
So, if you are using online accounting software in your therapy practice, DO NOT assume that it is HIPAA compliant. A bookkeeping professional can work with you to devise a system that protects your patient’s PHI by keeping all sensitive data in your EHR system, while transferring relevant summary income data to your accounting system to ensure your business books are in order.