Wave App’s stance on PHI and HIPAA compliance – Protecting client data and running your practice smoothly

Wave is a tool we’ve recommended many times.  It’s simple and fast. It’s easy to understand.  Overall, we like its features for the price at least as well as Quickbooks, if not much better.  It’s an excellent choice for business owners with straightforward needs.

If you simply bill clients for services, and your business revenue (what clients pay you) is under $2M per year, it can be an excellent fit.  Once you grow beyond simple needs, some of the advanced features of Quickbooks start to make more sense.  For example, if your business uses loans to fund growth (beyond using credit cards for paying bills), such as through acquiring other practices, you’re likely to want somewhat more advanced features.  There are definitely other reasons, too.  Talk to us for more detail.

Software providers take their stances

In 2024, Wave introduced stronger wording to their signup flow and terms of use.  These discourage mental health practices from using the service at all.

Quickbooks takes a different approach, with much less strong language.  Quickbooks’ US license agreement doesn’t mention PHI or HIPAA.  Instead, it recommends business owners not enter any PHI into the tool in the first place.  It sends us to the Health and Human Services HIPAA section for more information.  This is a fine approach.

One way to think about this

A common-sense approach is to not enter PHI in any tool where it’s not needed.  Use an EHR practice management tool, such as Simple Practice, for invoicing and payments.  For instance:

  1. Simple Practice will engage in a BAA with you. 
    This and other electronic health records tools are HIPAA compliant. They’re a great option for invoicing clients.

  2. Simple Practice will settle up with you after customers pay, using its payouts feature
    The actual movement of money to your bank account is through a payment processor, such as Stripe.  Many payment processors separate the collection and clearing steps.   Collection happens from client accounts, with a temporary stop in Stripe’s bank account.  Stripe’s clearing from their account to your business account is a completely separate, often aggregated step.  The clearing movements into your bank account are essentially anonymized, so the description of the transaction at your bank and in your accounting software will look like
    “Stripe Integrate TRANSFER ST-C6X5C….”
    Think of this as a pipeline, where only financial data is passed beyond a certain point.  It creates a PHI-aware zone and a PHI-free zone in your business.

  3. Your bookkeeping software matches this (anonymous) revenue up with all your expenses.

  4. You’ll use this income and expense data to manage your business.

  5. Your tax preparer can use the data from your bookkeeping software to prepare a tax return, so you stay compliant with those regulations as well!

What to watch out for

  1. Invoicing steps that are not HIPAA compliant.
    For instance, if you issue invoices directly in Quickbooks or Wave, that client data will be in those systems, which means PHI is in those systems.

  2. Payment-related steps that are not HIPAA compliant.
    For instance, if you accept payments via Venmo, you’re likely to store client information in those systems for more than just payments (marketing by those companies, invoicing, etc.).

  3. Client names in your bank statements.
    If you see client names in your bank statements, that data is going to be in your bookkeeping systems as well.  Switch to a payment platform that guards this information more strongly.
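As an added check for item 3 above (this is example code written for this page, not a feature of Wave, Quickbooks or Simple Practice), a short script that scans bank-feed descriptions for client names before the feed is imported into bookkeeping. The roster, the feed lines and the payout description pattern are all constructed for illustration.

```python
import re

# Constructed client roster and bank-feed lines (illustrative only, not real data).
CLIENT_ROSTER = ["Jane Doe", "Sam Example"]
SAMPLE_FEED = [
    "STRIPE TRANSFER ST-EXAMPLE1 1,240.00",       # aggregated processor payout: PHI-free
    "VENMO PAYMENT FROM JANE DOE 150.00",          # client name has leaked into the feed
    "ZELLE FROM SAM EXAMPLE FOR THERAPY 120.00",   # client name plus a service description
    "OFFICE DEPOT #123 45.10",                     # ordinary expense, nothing to flag
]


def _name_patterns(roster):
    """Build case-insensitive patterns per client, also matching 'Last, First' order."""
    patterns = []
    for full in roster:
        parts = full.split()
        variants = {full, ", ".join(reversed(parts))} if len(parts) == 2 else {full}
        for v in variants:
            patterns.append((full, re.compile(r"\b" + re.escape(v) + r"\b", re.IGNORECASE)))
    return patterns


def find_phi_leaks(feed_lines, roster):
    """Return (feed line, client name) pairs where a client name appears in a description."""
    patterns = _name_patterns(roster)
    hits = []
    for line in feed_lines:
        for full, pat in patterns:
            if pat.search(line):
                hits.append((line, full))
                break  # one report per line is enough
    return hits


if __name__ == "__main__":
    for line, client in find_phi_leaks(SAMPLE_FEED, CLIENT_ROSTER):
        print(f"PHI in bank feed: {client!r} appears in {line!r}")
```

Any hit means the payment path for that client is not keeping names out of the bank record, which is the signal to move that client to the processor-based flow described above.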