Interesting payment UX: Wife received an SMS saying “This is [medical professional]. You have a bill for $X. Reply 1 to pay the bill with your credit card ending in 1234.”
No actual bill or option to see the bill, presumably a combination of HIPAA and UX thinking.
Ruriko asked me if it was a scam. I said very probably not; nothing in the communication is necessarily trustworthy but a “1” by itself gets nothing unless they actually know the full CC number (and perhaps a few other bits).
Immediate automated follow-up:
“You are authorizing a charge of $X on your credit card ending in 1234. Reply with your last name to authorize this charge.”
We did; charge went through as inspected.
Now, some commentary, about what this process cares about.
When you pay with a CC in the United States you have basically unrestricted right to tell your bank “I never authorized that!” and this is designed to automatically collect evidence which will be presented “Customer unambiguously authorized this transaction.”
Adopting medical institution cares zero about e.g. risk of interception of SMS, number used by new person, fraud within family, etc etc.
They feel confident that at one point it was your number, and are maximizing for collecting legitimate bills.
If they lose a chargeback later because your ex paid for her medical care on your card despite what divorce decree said, “Oh well, cost of doing business.”
Cost-wise this is substantially less expensive than the traditional methods to get a payment, which are either a paper letter or (more rarely, as I understand it) a phone call from the billing desk.
There is something righteous in bills being self-documenting about their rationale and reminding people that they factually consumed specific services and that that means they should pay for them. Runs headlong into HIPAA and this former compliance officer doesn’t think crazy.
There are some precedents and rulings under which you sometimes have to be cagey about even putting the practice name into a patient-facing communication because the adversary might live in the same house and could infer nature of services from the practice name.
Given that, very obviously you can’t put a billing code in the SMS where it would be displayed on e.g. a phone lock screen, even if you think SMS is a secured channel, which most HIPAA practitioners would say “Opposite of truth! Upgrade to fax!”
I asked Ruriko if I should log into her XYZ account later, while having her nearby to get the authentication code sent to her phone, to actually read the bill and make decisions based on it.
“Seems like way too much work.” Which, yep, rather little ROI in actually checking.
And so I feel a bit conflicted about this UX. It smoothes paying a bill for services which was justly incurred, and is quite solicitous of the time of a legitimate user relative to past approaches.
But the past approaches were robust and self-documenting.
(It occurs to me that, as something of a stickler for this, I now have neither any record of paying the bill except for one nondescript line on a billing statement nor any record of *what bill* it was.)
(“Good thing that U.S. medical institutions keep accurate records and don’t confabulate bills or forget about posted payments.” Yeah, second thoughts, YEAH.)
* as expected
(Don’t know what combination of brain, fingers, and predictive typeahead keyboard to blame for that one.)
@bsierakowski And I will absolutely die on the hill that a well-designed invoice is a contribution to humanity and may have required fairly sophisticated moral reasoning.
