As payment apps have become more popular, many businesses are adopting the technology for ease of use and accessibility. However, as a healthcare provider, it is important to assess whether or not a technology is HIPAA compliant before collecting payment related to healthcare service delivery. Apps such as PayPal, Venmo, and Zelle make it easier to accept payments at a very low cost, but are they HIPAA compliant payment methods? Issues related to compliance with privacy and security requirements for digital transactions are taking center stage as many healthcare providers emerge from the COVID-19 lockdown and the associated laxity with regard to safeguarding client and patient healthcare data.
What Are HIPAA Compliant Payment Methods?
HIPAA compliant payment methods are those that meet HIPAA Privacy and Security Rule requirements. There are two key factors to consider when determining whether a payment method is HIPAA compliant.
To be considered HIPAA compliant, payment methods and their software must:
- Ensure the confidentiality, integrity, and availability of the electronic protected health information (ePHI) transmitted and stored in their software.
- Sign a business associate agreement with their healthcare clients.
Is PayPal HIPAA Compliant?
PayPal secures consumer data through several means. According to their site, PayPal maintains “technical, physical, and administrative security measures designed to provide reasonable protection for your personal data against loss, misuse, unauthorized access, disclosure, and alteration. The security measures include firewalls, data encryption, physical access controls to our data centers, and information access authorization controls.” While PayPal maintains adequate security protections to keep information private and secure, they also collect and sell consumer data for advertising purposes, which is prohibited under HIPAA standards. Also, PayPal does not sign business associate agreements. Therefore, PayPal is not HIPAA compliant and cannot be legally used by healthcare providers to collect payment from clients or patients.
Is Venmo HIPAA Compliant?
Rivaling PayPal for ease and convenience of digital payments, the Venmo app can be used for personal as well as business purchases. Venmo secures consumer data through encryption, stating on their website that, “We strive to ensure security on our systems. Despite our efforts, we cannot guarantee that personal information may not be accessed, disclosed, altered, or destroyed by breach of our administrative, managerial and technical safeguards.” However, Venmo is not a HIPAA compliant payment method for two reasons: they do not sign business associate agreements, and they share consumer data with PayPal, their parent company.
Is Zelle HIPAA Compliant?
Introduced to many banks just a few years ago, Zelle is gaining popularity for making quick and easy purchases. Available through many banking apps, Zelle allows you to transfer payment directly from your bank account to your recipient’s bank account without fees. That’s right. No fees.
HIPAA compliance is another issue, however. Zelle uses authentication and monitoring features to secure personal data transmitted through their service, which meets the HIPAA Security Rule requirements for those features. However, Zelle does not sign business associate agreements, which are required for all healthcare transactions with providers. Therefore, those healthcare professionals choosing to use Zelle for payment of professional services will not be HIPAA compliant. By using these easy payment systems, providers are leaving a digital trail of non-compliance.
UPDATE: Why Can’t We Just Use PayPal, Venmo or Zelle Systems without Invoicing?
Some comments below ask questions about the viability of simply billing without sending an invoice or receipt. For details, see Yale University’s Clinicians Guide to HIPAA Privacy and Security 8-2019. (The information below is found on page 3 of Yale’s document.)
Protected Health Information
Protected Health Information (PHI) under HIPAA means any information that identifies an individual and relates to at least one of the following:
- The individual’s past, present or future physical or mental health.
- The provision of health care to the individual.
- The past, present or future payment for health care.
Information is deemed to identify an individual if it includes either the individual’s name or any other information that could enable someone to determine the individual’s identity (e.g., address, age, Social Security number, e-mail address). For a complete definition of PHI and other HIPAA terms, see the HIPAA glossary at hipaa.yale.edu.
Identifiers
Data are “individually identifiable” if they include any of the 18 types of identifiers, listed below, for an individual or for the individual’s employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual:
- Address (all geographic subdivisions smaller than state, including street address, city, county, ZIP code)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
- Telephone numbers
- FAX number
- E-mail address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- Internet Protocol (IP) address numbers
- Finger or voice prints
- Photographic images
- Any other characteristic that could uniquely identify the individual
Note that identifiers alone, when they are derived from any of our clinical systems, are considered PHI as inclusion in our systems is indicative of having received treatment or payment for treatment and as such must be afforded the same protection as more detailed information. [Bolding added by TBHI].
Do These HIPAA Rules Apply to Independent Practitioners?
The TBHI interpretation of this information is that when independent practitioners receive payment to a business bank account for services without billing, at least one (and possibly more) of the identifiers listed above will be involved, whether or not you or your client/patient can see it. The digital footprint left behind can be hacked by evil-doers, and therefore increases the vulnerability of the people relying on your professionalism when delivering care. If you are receiving payment under your personal name rather than your practice name, speak with your attorney to be clear about this business practice.
HIPAA Compliant Payment Methods
Using payment methods through apps such as PayPal, Venmo, and Zelle is low-cost and convenient but violates HIPAA. It is best to use traditional payment methods when it comes to payment for clinical services or other healthcare-related charges.
- For a growing list of HIPAA-compliant credit card companies, see the TBHI Telehealth and Technology Buyer’s Guide.
- For more information, see TBHI’s previous article HIPAA Business Associates. Additionally, a software product’s HIPAA compliance ultimately comes down to its end use, so healthcare workers must be trained on the proper use of the software before they are permitted access to it. Also see HIPAA Privacy Rule Overview & HIPAA Security Rule: HIPAA 101 Review.
This Article Contributed by Compliancy Group