Key Takeaways:
- Using a HIPAA-compliant credit card processor is essential if any of your credit card charges or billing records include client protected health information (PHI).
- If a payment solution provides a Business Associate Agreement (BAA) with HIPAA provisions, it’s compliant.
- Thrizer is the best all-round option, particularly when it comes to supporting clients with OON benefits.
- Consider Ivy Pay for payments without OON benefits, EHRs like SimplePractice and TherapyNotes for built-in billing, and Square for billing with a POS terminal.
- Avoid PayPal, Cash App, Venmo, and other popular payment platforms–unless explicitly stated otherwise, they are not HIPAA-compliant.
For private pay therapists, Thrizer is the best all-round pick for HIPAA-compliant credit card payments.
It offers out-of-network (OON) support that other credit card processors do not—making it easier for clients to afford therapy while streamlining superbills and compliance for therapists.
But maybe you’re not looking for OON features—or maybe you just want to consider your options. We’ve rounded up the best HIPAA-compliant credit card processors across four categories so you can choose the best fit for your practice.
- Best overall
- Best for payment without OON benefits
- Best EHR with built-in payment processing
- Best option with point-of-sale (POS) terminal
Why use a HIPAA-compliant credit card processor?
Credit card payment processors are not HIPAA-compliant by default. If you don’t use a HIPAA-compliant processor, you put the protected health information (PHI) of your clients at risk.
Financial institutions—including banks and credit card companies—are exempt from HIPAA Administrative Simplification Regulations. But a third party that acts as an intermediary between you and a financial institution is not. That includes most credit card payment processors.
For a payment processor to be HIPAA-compliant, it must provide you with a Business Associate Agreement (BAA). The BAA spells out the processor’s responsibility to protect PHI and your responsibility to abide by HIPAA rules.
When do credit card processors need to be HIPAA-compliant?
When using a credit card processor, you may share PHI without realizing it.
- Including the client’s name with treatment details. If you charge a client’s personal credit card and the transaction record shows they received treatment from you, you’re transmitting PHI. Even a transaction label like “Talk Therapy Hourly Rate” qualifies.
- Storing a client’s name in association with your therapy practice. Any record including your client’s name and the name of your therapy practice qualifies as PHI. An outside observer could conclude from it that the client received treatment from you. A common example: Storing your client’s name in the dashboard of your credit card processing platform.
- Allowing a processor to store your client’s name and the name of your practice together. Any records kept internally by a processing platform that associate your practice with the identity of your client qualify as PHI.
- Receiving chargebacks or disputed charges. If a chargeback or a disputed charge includes your client’s identity with treatment details or the name of your practice, it counts as PHI.
- Billing outside a HIPAA-compliant platform. Invoices sent by text or email from your practice to a client qualify as PHI. All invoicing must be done within a HIPAA-compliant platform.
What is a Business Associate Agreement (BAA)?
In order to be HIPAA-compliant, a credit card processor must provide you with a BAA that you sign. A BAA typically includes the following.
- Permitted use and disclosure of PHI: How and when PHI is shared. PHI should be exclusively used for processing payments or when required by law.
- PHI definition: What counts as PHI in the context of credit card payments. Some BAAs stipulate that you must not transmit diagnoses or clinical notes using the platform.
- Administrative, technical, and physical safeguards: How PHI is stored and transmitted, including encryption, role-based access controls, audit logs, secure hosting, and employee HIPAA training.
- Breach detection and avoidance: The processor’s obligations to inform you without delay in the event of a data breach, and your obligation to cooperate with an investigation.
- Subcontractor info: Any downstream businesses or individuals who will have access to PHI, with specifications that they meet HIPAA requirements.
- Your responsibilities: Representations that you will not transmit PHI unless necessary, that you’ll configure the platform to limit exposure, and that you’ll train your staff to use it properly.
- Right to audit: A BAA may include the right to audit your practice for HIPAA compliance.
- Termination: How and when PHI will be deleted or (if deletion is not possible) securely stored after you terminate your agreement with the processor.
- Indemnification/liability: Most BAAs include strict limits on the processor’s liability and exclude indirect damages. Some require you to cover a portion of the costs in the event of a data breach.
Best overall: Thrizer
Thrizer is the best overall option for HIPAA-compliant credit card processing.
It offers transparent, competitive pricing with no monthly fees. It’s designed for therapists in private practice. And it’s flexible—you can bill clients directly or with support for OON benefits, and use Thrizer alongside other payment solutions.
OON support is Thrizer’s biggest selling point. Using it, you receive full payment upfront without the need to provide your client with a superbill. On the client’s side, they only need to cover their co-insurance after meeting their annual deductible. Thrizer claims and collects the reimbursement for OON coverage, taking that part of the process off the client’s plate completely.
Price
No monthly fee or setup charge.
- Therapists pay a standard 3% credit card processing fee on each transaction.
- For Thrizer Pay, clients are charged a 5% fee when they cover their coinsurance upfront.
- For OON Pay, clients pay a 1% fee when Thrizer is successfully reimbursed by insurance.
Features
- HIPAA-compliant direct charges. Therapists can charge clients directly through Thrizer’s secure online portal.
- Instant OON benefit verification. Thrizer automatically checks clients’ benefits and estimates their coinsurance.
- Automatic claim submission. Therapists do not need to send clients superbills.
- Superbill upload. For clients who prefer to seek reimbursement from insurance on their own, Thrizer makes it easy for therapists to provide superbills.
- Weekly payouts. Funds are directly deposited to therapists’ bank accounts.
- Transparent claims tracking. Both therapists and clients can track the claims submission process through Thrizer’s online dashboard.
- Group practice support. It’s easy to onboard new team members, set permissions, and manage your group practice’s finances.
Pros & Cons
Pros
- Streamlined OON billing for therapy
- More affordable therapy for clients with OON benefits
- Transparent and predictable pricing
- No insurance admin work for therapists
- Adaptable—Thrizer can be used alongside other payment systems and EHRs
Cons
- Currently, Thrizer does not integrate directly with EHR platforms
- Variable client rates—clients’ fees (1%–5%) vary according to how they choose to pay
Thrizer is best for…
Any therapy practice that wants to make therapy more affordable for clients with OON benefits while reducing the paperwork and admin that comes with preparing superbills.
Best for payment without OON benefits: Ivy Pay
If you do not accept clients with OON benefits—or if you don’t intend to support those that do—then Ivy Pay is a straightforward option for credit card processing. Keep in mind that it lacks the features of other providers—such as EHR integration or POS payments.
Price
Ivy Pay has no setup fee, no monthly fee, and no cancellation fees. Therapists pay a 2.75% fee on all transactions, with no per-transaction fee.
Features
- Multiple payment types. Ivy Pay accepts credit cards, debit cards, HSA cards, and FSA cards.
- Setup via text. Clients receive secure texts allowing them to set up payments. They pay for future sessions with a single tap.
- Quick deposits. Funds typically appear in your bank account instantly or on the next business day.
- Text updates. Clients receive payment confirmation and receipts via text.
- Mobile-focused. Therapists use Ivy Pay’s iPhone or Android app to accept payments, store cards, and charge clients.
Pros & Cons
Pros
- Only serves qualified therapists
- Competitive fees and transparent pricing
- Quick deposits
- Easy setup via mobile app
- Basic features suitable for small practices
Cons
- No OON billing support
- Lack of billing automation
- Zero integration with EHR or practice management platforms
- Entirely mobile-based with limited desktop support
- Not ideal for larger practices seeking robust reporting, team dashboards, etc.
Ivy Pay is best for…
Small practices looking for a straightforward solution that do not need robust reporting, EHR integration, or other advanced features.
Best EHR with built-in payments: SimplePractice
SimplePractice is one of the most popular EHR platforms for therapists, and it includes HIPAA-compliant payment processing as one of its services.
If you already have an EHR, or if you don’t plan on using one, then signing up for SimplePractice purely for the sake of processing payments doesn’t make sense financially. Other, standalone options like Thrizer are less expensive and do not include monthly subscription costs.
But if you’re in the market for an EHR with integrated HIPAA-compliant payments, SimplePractice may be the right choice for you.
Price
SimplePractice charges 3.15% + $0.30 per transaction. The same rate applies whether you use a card at the time of service or use stored card data to charge a payment.
But SimplePractice comes with a monthly subscription cost. Plans range from $29 to $99 per month. The costlier plans include more features, but all plans include the option for integrated payments.
Features
- Multiple payment methods. Clients can pay via online portal, with tap to pay (using the mobile app), or by using Link by Stripe (Stripe’s digital wallet product).
- Multiple cards accepted. SimplePractice allows you to charge debit, credit, and HSA/FSA cards.
- Billing integration. SimplePractice’s payment processing integrates with the EHR’s digital invoicing and receipts features.
- AutoPay. Automatic billing allows you to charge clients automatically using stored card data.
Pros & Cons
Pros
- Integrated with EHR workflows
- Flexible payment options
- AutoPay for streamlined payments
Cons
- More expensive than standalone options
- Some users report unpredictable timing of payouts
- No other integrations—you must use SimplePractice’s built-in payment solution and there’s no way to connect standalone payment processors to the EHR
SimplePractice is best for…
Practices already in the market for an EHR looking for a fully integrated billing and payments solution.
Best SimplePractice alternative: TherapyNotes
TherapyNotes is one of the leading SimplePractice competitors. Users rank it slightly higher based on aggregated reviews, with some saying it offers better ongoing support for users.
If you’re shopping around for an EHR with built-in payment processing, TherapyNotes is an option well worth exploring.
Price
As an EHR platform, TherapyNotes starts at $49 per month for a single user.
Client payments are charged 3.1% plus $0.30 per transaction. This is paid separately from TherapyNotes’ monthly subscription cost.
Additional fees may apply. Chargebacks are charged a $25 fee, and additional fees may be charged by individual credit card networks. There’s a $29.95 PCI non-compliance fee if you fail to complete a PCI questionnaire within three months of being approved by TherapyNotes as a merchant.
Features
- EHR integration. Credit card processing is part of TherapyNotes’ larger EHR platform. Payments are linked to each client’s record.
- Manual card reader. Therapists can use an optional USB card reader to swipe client cards and securely store info for future payments.
- Billing and reporting. Credit card payments are part of TherapyNotes’ larger billing ecosystem, which includes patient balance tracking and statements.
- AutoPay. You have the option of enrolling a stored card for automatic overnight billing of outstanding balances—useful for collecting unpaid fees or copays.
- Quick deposits. Payments processed before a daily cutoff are deposited into your bank account the next day.
Pros & Cons
Pros
- Comes packaged with the TherapyNotes EHR platform
- Next-day fund deposits
- Simple setup if you already use TherapyNotes
Cons
- Copay and coinsurance support does not include advance payment (i.e., Thrizer)
- High fees compared to standalone options
- Merchant setup requirements (may not be compatible with all banks)
- Incidental fees (chargebacks, PCI compliance)
- Locked into TherapyNotes (doesn’t integrate with other platforms)
TherapyNotes is best for…
Practices that are already in the market for an EHR and considering TherapyNotes as an option.
Other EHR alternatives
If you’re still not settled on an EHR for your private practice, here’s a breakdown of fees for the most popular platforms for therapists.
| EHR Platform | Minimum Monthly Fee | Credit Card Processing Fee (per transaction) |
| --- | --- | --- |
| Jane | $54 | Online: 2.85% + $0.25; In-person: 2.6% + $0.10 |
| Upheal | $0 | 2.9% + $0.30 |
| Sessions Health | $0 (up to 3 clients) or $39+ (more than three clients) | 2.9% + $0.30 |
| Healthie | $19.99 | 2.9% + $0.30 |
| Ensora (TheraNest) | $29 per therapist | 2.99% + $0.30 |
| Carepatron | $0 | 2.9% + $0.60 |
| Blueprint | $0 | 3.15% + $0.30 |
Best option with POS: Square
Square gives you the option of using a traditional point-of-sale (POS) terminal in addition to online payment options. Its low fees make it an attractive choice if having a payment terminal is important to your practice.
While not HIPAA-compliant by default, you can sign a BAA with Square to set up HIPAA-compliant payments.
Price
Square offers transparent pricing:
- In-person or card-present payments: 2.6% + $0.15 per transaction
- Online payments: 2.9% + $0.30 per transaction
- Manually entered payments: 3.5% + $0.15
Square’s Free plan comes with no monthly fees. A Square POS credit card terminal costs $299 or $27 per month for 12 months.
Features
- POS terminal. Quickly and conveniently charge a variety of credit cards with a retail-style terminal.
- Other POS options. Square’s POS app turns your mobile device into a checkout terminal.
- Instant funds. For an additional fee (1.75%), you can have funds deposited at the moment a payment is made.
- Appointments and online booking. Square offers features designed for scheduling clients in-person and online.
Pros & Cons
Pros
- Competitive, transparent fees
- Flexible payment acceptance
- Multiple payment channels including POS
- No monthly fees
Cons
- Fee structures and plans subject to change
- For client refunds, Square does not refund the processing fee
- Limited user support for free plans
Square is best for…
Practices looking for a robust payment processor with the option of using a retail-style credit card terminal.
Payment processors to avoid
When choosing a HIPAA-compliant payment processor for your therapy practice, these options won’t fit the bill.
- Stripe (without an EHR). Most HIPAA-compliant EHRs use Stripe as a backend for payment processing. But when used alone, Stripe does not provide a BAA and is not HIPAA-compliant.
- PayPal, Venmo, Cash App, etc. Major cash transfer apps and services do not provide BAAs and are not HIPAA-compliant. Avoid using these to accept payments from clients.
Charging clients is just one part of the equation. Learn more about the best billing software for therapists.
This blog post is provided for informational purposes only and is not intended as legal, business, medical, or insurance advice. Laws relating to health insurance and coverage are complex, and their application can vary widely depending on individual circumstances and state laws. Similarly, decisions regarding mental health care should be made with the guidance of qualified health care providers. We strongly recommend consulting with a qualified attorney or legal advisor, insurance representative, and/or medical professional to discuss your specific situation and how the laws apply to you or your situation.