Payment processing for SLPs

How to Bill and Process Payments for Your Private Practice

One of the most frequent questions I get asked in my course and see in private SLP practice groups is "How do I bill and accept payments ethically and without violating HIPAA?" If you haven't thought about that, you should, because 1) you need to be paid for your services and, 2) you need to do so in a HIPAA-compliant manner (whether you’re private pay-only or accepting insurance). Here's my guide to ethically accepting and processing payments for your private practice.


Billing Steps in Private Practice

Whether you are billing the client directly (private pay) or billing an insurance company, the basics of billing are that you

  1. need to generate an invoice/superbill/claim;

  2. get it to the payer (client or insurance company); and

  3. they will pay you for your services.

HOWEVER, you have to do steps 1-2 in a HIPAA-compliant manner. Payment processing itself does NOT actually have to be HIPAA compliant, but it's pretty much impossible to process a payment for a blank invoice, without sending it via non-secure email or text.

Here's how to bill ethically and securely:

1. Generate a superbill/invoice/claim

You cannot just use any old software for this.

The reason these invoicing services have to be HIPAA compliant is that the invoice you're generating has all sorts of PHI (Protected Health Information) on it. As soon as you put the client's full name, the fact that the invoice is for speech therapy, and a CPT or ICD-10 code on it (all of which you need for a superbill or invoice), that invoice has become PHI and is therefore regulated by HIPAA rules. This applies EVEN IF you are private pay only.


To create an invoice in a HIPAA-compliant manner without an EMR, you need to create it as a Word or Excel doc and password protect it before sending it to the client. Or, just create it in your EMR; all of them can create claims, invoices, and superbills for you in 1-2 clicks. I am a BIG proponent of using your EMR: you are paying for it, and you should get use out of all of the features!

2. Share the superbill/invoice/claim

If you are using an EMR, they all have an option to securely generate and send any billing documents to clients or insurance companies.

If you aren't using an EHR, though, you MUST have a HIPAA-compliant email to send invoices (Google Workspace from Google, Microsoft Office 365, or another option like Hushmail or Virtru). You cannot send an invoice or superbill through regular, unsecured email.  

3. Get paid

Now we get down to the gist of this post: getting paid. Just like you shouldn't generate an invoice through a non-HIPAA-compliant service, you can't send the invoice through one either. These services include PayPal, Zelle, Venmo, QuickBooks, etc. Their Terms of Use do NOT cover healthcare services, and you are violating both their terms AND HIPAA regulations if you send speech therapy invoices through them. They all collect information from clients that violates HIPAA.

If you choose to create a superbill outside of an EMR and you would still like to accept credit cards as payment, you must make sure that the credit-card processor will sign a BAA with you. If you're going that route, you would create the superbill, securely send it to the client, then have them pay using that outside credit card processor.


How to Bill Without an EMR

If you choose to use a credit card processor OTHER THAN Stripe, Square, or others that sign a BAA, you would have to have clients pay an invoice that has absolutely ZERO PHI on it (no names, no birthdate, no CPT or ICD-10 codes), and clients cannot submit an invoice like that for reimbursement.

So, using an outside credit card processor for invoicing AND payment would only be a viable option if you had a private pay client who was not interested in submitting a superbill for reimbursement. If your client is using an HSA, FSA, or HRA to pay, then the invoice/superbill MUST have identifying information on it, so this option won't work.

If you are using an EMR and billing insurance, sign up for the insurance company's ERAs (Electronic Remittance Advice forms) and EFT (Electronic Funds Transfer, i.e. direct deposit). That way, when they pay for a claim, you will get an electronic copy of the EOB directly into your EMR, and the money will be directly deposited into your business checking account.

If you want to read the HIPAA Security Rule, the CMS website has some helpful information and guidance here.


Want to know more about billing and coding for your private SLP practice? My course, Private Practice Essentials, has an entire section on Setting Your Rate, How to Accept Payments, and my EMR comparison chart! I guide you through all of the steps necessary to bill your clients ethically and in a HIPAA-compliant manner.

 


Do you have questions about HIPAA-compliant billing? Ask in the comments!