Storing Your Patient’s Credit Card/Payment Information
By Moira Wertheimer, RN, JD, CPHRM
Assistant Vice President, Psychiatric Risk Management Group

Q: My patients occasionally miss appointments, cancel at the last minute or do not pay their insurance co-payments at the time of the visit. Can I request and store credit card information from my patients in order to bill them immediately for these types of payments?

A: Whether you are a psychiatrist who takes insurance or one who is private pay, getting paid can be problematic at times, and attempts to collect payments owed could erode the physician-patient relationship. Increasingly, psychiatry practices are requesting payment information upfront, mostly in the form of credit cards, in order to collect payment immediately for missed appointments, co-pays, etc. Although this practice may simplify payment issues, requesting and storing a patient’s credit card information may subject the psychiatrist to ethical issues as well as to federal and state laws. Psychiatrists who collect such billing information should have safeguards in place to protect the confidential information entrusted to them and should adhere to their ethical obligations to their patients. Although not exhaustive, this article briefly identifies some of the relevant issues to be considered when storing patient payment information.

First and foremost, with respect to the psychiatrist’s ethical obligations regarding payment issues, the American Psychiatric Association’s “Opinions of the Ethics Committee on The Principles of Medical Ethics With Annotations Especially Applicable to Psychiatry,” Sec. 2, Annotation 5 (2014), specifically permits a physician to collect fees for missed appointments provided the patient is made aware of the policy ahead of time:

It is ethical for the psychiatrist to make a charge for a missed appointment when this falls within the terms of the specific contractual agreement with the patient. Charging for a missed appointment or for one not canceled 24 hours in advance need not, in itself, be considered unethical if a patient is fully advised that the physician will make such a charge. The practice, however, should be resorted to infrequently and always with the utmost consideration of the patient and his/her circumstances.1

Psychiatrists should distribute and review copies of the practice’s payment expectations and policies at the first appointment and any time there is an addition or modification to the office policies. The next question is whether psychiatrists can request patient payment information ahead of time in order to immediately bill for such fees, and if so, what the legal and risk management considerations of doing so are. Stored payment information is considered protected health information. Psychiatrists, therefore, are legally responsible for protecting the information from unauthorized disclosure. Some of the laws and regulations that may come into play include:

  • HIPAA/state privacy laws
  • Payment Card Industry Data Security Standards (PCI DSS)
  • Federal Trade Commission Act (FTCA)2

There are generally two ways to store payment information: (1) photocopy the credit card and store the copy in the patient’s medical record (paper or electronic), or (2) store the information electronically using an online service. Each of these methods has its own security considerations, and it is important to remember that credit card information is at a higher risk of breach than general health information.

HIPAA/State Privacy Laws

With respect to HIPAA and state privacy laws, regardless of how the information is stored (in hard copy or electronically), psychiatrists should adopt “reasonable” security measures to protect the information. HIPAA does not define “reasonable.” However, an example of a “reasonable” security measure could be to lock the file cabinet and keep the file cabinet in a locked room for extra security. For electronically stored information, reasonable measures could include using a HIPAA-compliant storage program and having a Business Associate Agreement in place with the electronic storage provider.

Payment Card Industry Data Security Standards (PCI DSS)

In addition to HIPAA, PCI DSS security standards may also apply. PCI DSS is a set of security standards designed to protect cardholder data. They are not governmental standards; rather, they apply to businesses through their contracts with the various credit card companies. Businesses that do not comply with these standards can be fined or have their contract with the credit card company canceled. One example of a PCI DSS standard is a prohibition against recording a cardholder’s 3-digit security code that is located on the back of each credit card.3

Federal Trade Commission Act

The Federal Trade Commission Act (FTCA) and similar state laws may also apply to storing patient payment information. The FTCA’s mission is to prevent unfair methods of competition and unfair or deceptive acts that may affect commerce.4 While the FTCA does not prohibit storing patient payment information, it does, like HIPAA, require businesses to use “reasonable and appropriate” security measures to protect the information. As with HIPAA, the FTCA does not define “reasonable and appropriate.” Additionally, among other provisions, the FTCA prohibits businesses from charging an individual’s card without receiving prior authorization. For example, if a patient previously used a credit card to pay for an appointment, you cannot use that credit card at a later date to charge for a missed appointment without first notifying the patient and receiving authorization.5


Like other professionals, psychiatrists can, at times, have difficulty getting paid for their services. It is important that psychiatrists understand their rights and obligations when enacting and implementing payment policies, and that they review proposed payment policies with their attorneys prior to implementing them to ensure compliance with state and federal laws.


About the Author

Moira Wertheimer is an Assistant Vice President in the Psychiatric Risk Management Group, where she provides risk management services to Allied World’s insured psychiatrists and behavioral health providers. Moira is a registered nurse and is admitted to the bar of the State of Connecticut. Prior to joining Allied World, she worked as an attorney in the U.S. District Court in Connecticut and as a nurse providing direct patient care in child/adolescent inpatient mental health settings.

  1. American Psychiatric Association, “Opinions of the Ethics Committee on The Principles of Medical Ethics With Annotations Especially Applicable to Psychiatry,” Sec. 2, Annotation 5 (2014).
  2. Roberts, S., “Legal Issues in Keeping Patients’ Credit Card Information on File,” DW Health Law Blog (August 29, 2013).
  3. Roberts, S.
  4. The Federal Trade Commission Act, 15 U.S.C. § 45, Section 5.
  5. Id.