PayPal, Venmo & Zelle: HIPAA Compliant Payment Methods?


As payment apps have become more popular, many businesses are adopting the technology for ease of use and accessibility. However, as a healthcare provider, it is important to assess whether or not a technology is HIPAA compliant before using it to collect payment related to healthcare service delivery. Apps such as PayPal, Venmo, and Zelle make it easier to accept payments at a very low cost, but are they HIPAA compliant payment methods? Issues related to compliance with privacy and security requirements for digital transactions are coming to the fore as many healthcare providers emerge from the COVID-19 lockdown and the associated laxity with regard to safeguarding client and patient healthcare data.

What Are HIPAA Compliant Payment Methods?

HIPAA compliant payment methods are those that meet HIPAA Privacy and Security Rule requirements. There are two key factors to consider when determining whether a payment method is HIPAA compliant.

To be considered HIPAA compliant, payment methods and their software must:

  • Ensure the confidentiality, integrity, and availability of the electronic protected health information (ePHI) transmitted and stored in their software.
  • Sign a business associate agreement with their healthcare clients.

Is PayPal HIPAA Compliant?

PayPal secures consumer data through several means. According to their site, PayPal maintains “technical, physical, and administrative security measures designed to provide reasonable protection for your personal data against loss, misuse, unauthorized access, disclosure, and alteration. The security measures include firewalls, data encryption, physical access controls to our data centers, and information access authorization controls.” While PayPal maintains adequate security protections to keep information private and secure, they also collect and sell consumer data for advertising purposes, which is prohibited under HIPAA standards. Also, PayPal does not sign business associate agreements. Therefore, PayPal is not HIPAA compliant and cannot be legally used by healthcare providers to collect payment from clients or patients.

Is Venmo HIPAA Compliant?

Rivaling PayPal for ease and convenience of digital payments, the Venmo app can be used for personal as well as business purchases. Venmo secures consumer data through encryption, stating on their website that, “We strive to ensure security on our systems. Despite our efforts, we cannot guarantee that personal information may not be accessed, disclosed, altered, or destroyed by breach of our administrative, managerial and technical safeguards.” However, Venmo is not a HIPAA compliant payment method for two reasons: they do not sign business associate agreements, and they share consumer data with PayPal, their parent company.

Is Zelle HIPAA Compliant?

Introduced to many banks just a few years ago, Zelle is gaining popularity for making quick and easy purchases. Available through many banking apps, Zelle allows you to transfer payment directly from your bank account to your recipient’s bank account without fees. That’s right. No fees.

HIPAA compliance is another issue, however. Zelle uses authentication and monitoring features to secure personal data transmitted through their service, which meets the HIPAA Security Rule requirements for those features. However, Zelle does not sign business associate agreements, which are required for all healthcare transactions with providers. Therefore, those healthcare professionals choosing to use Zelle for payment of professional services will not be HIPAA compliant. By using these easy payment systems, providers are leaving a digital trail of non-compliance.

UPDATE: Why Can’t We Just Use PayPal, Venmo or Zelle Systems without Invoicing?

Some comments below ask questions about the viability of simply billing without sending an invoice or receipt. For details, see Yale University’s Clinicians Guide to HIPAA Privacy and Security 8-2019. (The information below is found on page 3 of Yale’s document.)

Protected Health Information

Protected Health Information (PHI) under HIPAA means any information that identifies an individual and relates to at least one of the following:

  • The individual’s past, present or future physical or mental health.
  • The provision of health care to the individual.
  • The past, present or future payment for health care.

Information is deemed to identify an individual if it includes either the individual’s name or any other information that could enable someone to determine the individual’s identity (e.g., address, age, Social Security number, e-mail address). For a complete definition of PHI and other HIPAA terms see the HIPAA glossary at hipaa.yale.edu.

Identifiers

Data are “individually identifiable” if they include any of the 18 types of identifiers, listed below, for an individual or for the individual’s employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual:

  • Name
  • Address (all geographic subdivisions smaller than state, including street address, city, county, ZIP code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
  • Telephone numbers
  • FAX number
  • E-mail address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voice prints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

Note that identifiers alone, when they are derived from any of our clinical systems, are considered PHI, as inclusion in our systems is indicative of having received treatment or payment for treatment, and as such they must be afforded the same protection as more detailed information. [Bolding added by TBHI.]

Do These HIPAA Rules Apply to Independent Practitioners?

The TBHI interpretation of this information is that when independent practitioners receive payment to a business bank account for services without billing, at least one, if not more, of the identifiers listed above will be involved, whether or not you or your client/patient can see it. The digital footprint left behind can be hacked by evil-doers, and therefore increases the vulnerability of the people relying on you for your professionalism when delivering care. If you are receiving payment in your personal name rather than your practice name, speak with your attorney to be clear about this business practice.

HIPAA Compliant Payment Methods

Using payment methods through apps such as PayPal, Venmo, and Zelle is low-cost and convenient but violates HIPAA. It is best to use traditional payment methods when it comes to payment for clinical services or other healthcare-related charges.

This Article Contributed by Compliancy Group

Disclaimer: The Telebehavioral Health Institute (TBHI Telehealth.org) offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. We do not and cannot offer legal, ethical, billing technical, medical, or therapeutic advice. Use of this site constitutes your agreement to TBHI Privacy Policy and Terms and Conditions.

37 Comments

Doreen, 10 months ago

If a client pays you with a personal check for healthcare services and you take it to your bank to either deposit it or cash it, how is this acceptable? Their check has all kinds of personal information on it. It may even say Dr. So & So, or ABC Counseling Center. Oftentimes clients will write “copay” in the memo spot on the check. This is HIPAA compliant?

Sharon Shrensel, 11 months ago

If we use Square etc. to deposit virtual checks from insurers, aren’t we being taxed twice on income: once from the insurer, and again when invoiced as income from Square etc.?

Jennie Doe, 1 year ago

Although processing payments through a credit card processor can generate personally identifiable information, Health and Human Services (HHS) has stated that collecting payments is explicitly excluded from HIPAA mandates.
Section: Other Situations in Which a Business Associate Contract Is NOT Required.
Point: When a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.
Ref: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
Also: HIPAA rules do not apply to banking and financial institutions with respect to the payment processing activities. This includes any activities surrounding authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for healthcare. https://www.connectria.com/blog/9-surprising-business-activities-affected-by-hipaa-compliance/#:~:text=To%20be%20clear%2C%20HIPAA%20rules,or%20collecting%20payments%20for%20healthcare.

Maryalice Balascio, 1 year ago

IvyPay is HIPAA compliant. However, there is a fee.

Nan M., 1 year ago

This is very frustrating to hear. We never billed clients in all the years I was in private practice until COVID came along. It is very easy for clients to forget to send in their co-pays even if we call them or send them a bill for the services provided. As a result, we have had quite a few issues with collection of co-pays. I never used credit card companies because they are so expensive and we can’t change our rates to help defray those high costs. I look forward to seeing the list of HIPAA compliant ways to pay practitioners. We are treated like the medical community in so many ways, yet do not receive payments that are anywhere near the medical community. No wonder so many therapists are going to these crazy companies like Better Help.

Margie Steele, 1 year ago

For all with questions, I would recommend asking each of the trading companies if they are HIPAA compliant; if they say they are, ask for a copy of where they obtained proof of certification. It would be easier to have an invoice program on your computer; you could use it as a receipt and as a billing method for those who “forgot” to bring their checkbook or stop at the bank.

Sandra, 1 year ago

Square is HIPAA compliant.

Linda Engelman, 1 year ago

Ivy Pay is HIPAA compliant and provides a BAA. I’ve been using it for the past year and can’t speak highly enough of this service. I used to use Square, and I have to say, Ivy Pay is MUCH easier and more streamlined (for both the therapist and the client). Money is transferred immediately to your bank account, and the setup on the client’s end is seamless: it takes less than 60 seconds for clients to input their info the first time. After that first time, the client never needs to do anything again, and they will receive a text message every time their card is billed by you.
If you use this link, your first $1,000 in charges will incur no fee. https://app.talktoivy.com/0eBmJj3Bxkb

Julie Amundson, 1 year ago

In this age of telehealth, are checks mailed to a practitioner via U.S. mail HIPAA compliant?

Melissa, 1 year ago

I use Therapy Partner for my CC transactions, and while there is a fee, it is lower than most of their competitors or the local banks.

Rajani Levis, 1 year ago

IvyPay is a fantastic HIPAA-compliant service created specifically to help therapists with this issue. They do provide BAAs, and those of us who have been using it a long time cannot speak highly enough of their customer service.

Rosanna, 1 year ago

Hello,
Ivy Pay is HIPAA compliant.

Vikas, 1 year ago

Does private pay fall under HIPAA? I don’t think so. Is patient health information confidential? The answer is yes, but if you are private pay then it does not fall under HIPAA but under the state’s licensure and other federal guidelines.
What I am emphasizing is that HIPAA is the Health Insurance Portability and Accountability Act and not an entity that covers all health related transactions.

Paulina Levinzon, 1 year ago

Actually payment doesn’t have to be HIPAA compliant. Please provide more accurate information regarding the topic.

Melanie, 1 year ago

So how about if someone wants to Zelle me for a table I am selling at a yard sale? How about if I get PayPal from a neighbor for gas money for a Girl Scout outing? They are paying money to a healthcare worker. Does that not mean that if PayPal or Zelle are “hacked” the information would be considered “compromising” or go against some privacy laws? No one knows whether I am getting paid for coaching, counselling, tutoring, or selling lemonade on the sidewalk. I don’t understand why this would logically go against HIPAA. No information is attached that would indicate health services...?

Rivkah Lapidus, 1 year ago

I have been using PayPal for years. This is rather a surprise. Looking forward to HIPAA compliant venues.

Jane Doe, 1 year ago

I don’t discredit this article, but there is a lot of manipulation going on here. Banks are HIPAA exempt. Bank transfers are HIPAA exempt. If your client is sending you money it is HIPAA exempt. The only time it’s not is if you send an invoice or a receipt. Those are the things that constitute a business agreement.

Murse Lance, 2 months ago (reply to Marlene)

This sounds like complete and utter rubbish. We have a concept in nursing called “prudence”: what would a prudent person think? A prudent person sees a receipt with two people’s names on it, with no other description other than the name of the business. There is a huge difference between having a person’s name on a sheet versus a person’s diagnosis on a sheet. A prudent person is not going to think twice about John Doe and a health clinic on a receipt, as everyone requires healthcare from time to time. However, giving someone a receipt with John Doe, diagnosis HIV+, is a very different scenario.

Maria Masciandaro, PsyD, 1 year ago

Thank you Dr Mayheu and the Compliancy Group for this information. I reserve Zelle for colleague payment for trainings and consultations and use a traditional billing method to send client bills to the client and a clearinghouse for electronic insurance billing, entering information directly on their secure website. I have a BAA with them as well as with Square where I accept only payment (no bills sent to clients). I believe I am HIPAA compliant.

Barbara Griswold, LMFT, 1 year ago

So, do you have a list of some HIPAA-compliant payment methods?

MK, 1 year ago

Venmo and Zelle only say that person A sent money to person B. Is payment from one account to another considered protected health information?

Jeana, 1 year ago

Then which sources of client payments ARE HIPAA compliant?

Timisha Wilson, 1 year ago

What about Cash App?
