Please support Telehealth.org’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker.
As payment apps have become more popular, many businesses are adopting the technology for ease of use and accessibility. However, as a healthcare provider, it is important to assess whether or not technology is HIPAA compliant before collecting payment related to healthcare service delivery. Apps such as PayPal, Venmo, and Zelle make it easier to accept payments at a very low cost, but are they HIPAA compliant payment methods? Issues related to compliance with privacy and security requirements for digital transactions are gaining front stage as many healthcare providers are emerging from the COVID-19 lockdown and associated laxity with regard to safeguarding client and patient healthcare data.
What Are HIPAA Compliant Payment Methods?
HIPAA compliant payment methods are those that meet HIPAA Privacy and Security Rule requirements. There are two key factors to consider when determining whether a payment method is HIPAA compliant.
To be considered HIPAA compliant, payment methods and their software must:
- Ensure the confidentiality, integrity, and availability of the electronically protected health information (ePHI) transmitted and stored in their software.
- Sign a business associate agreement with their healthcare clients.
Is PayPal HIPAA Compliant?
PayPal secures consumer data through several means. According to their site, PayPal maintains “technical, physical, and administrative security measures designed to provide reasonable protection for your personal data against loss, misuse, unauthorized access, disclosure, and alteration. The security measures include firewalls, data encryption, physical access controls to our data centers, and information access authorization controls.” While PayPal maintains adequate security protections to keep information private and secure, they also collect and sell consumer data for advertising purposes, which is prohibited under HIPAA standards. Also, PayPal does not sign business associate agreements. Then, PayPal is not HIPAA compliant and cannot be legally used by healthcare providers to collect payment from clients or patients.
Is Venmo HIPAA Compliant?
Rivaling PayPal for ease and convenience of digital payments, the Venmo app can be used for personal as well as business purchases. Venmo secures consumer data through encryption, stating on their website that, “We strive to ensure security on our systems. Despite our efforts, we cannot guarantee that personal information may not be accessed, disclosed, altered, or destroyed by breach of our administrative, managerial and technical safeguards.” However, Venmo is not a HIPAA compliant payment method for two reasons; they do not sign business associate agreements and share consumer data with PayPal, as PayPal is their parent company.
Is Zelle HIPAA Compliant?
Introduced to many banks just a few years ago, Zelle is gaining popularity for making quick and easy purchases. Available through many banking apps, Zelle allows you to transfer payment directly from your bank account to your recipient’s bank account without fees. That’s right. No fees.
HIPAA compliance is another issue, however. Zelle uses authentication and monitoring features to secure personal data transmitted through their service, which meets the HIPAA Security Rule requirements for those features. However, Zelle does not sign business associate agreements, which are required for all healthcare transactions with providers. Therefore, those healthcare professionals choosing to use Zelle for payment of professional services will not be HIPAA compliant. By using these easy payment systems, providers are leaving a digital trail of non-compliance.
UPDATE: Why Can’t We Just Use PayPal, Venmo or Zelle Systems without Invoicing?
Some comments below ask questions about the viability of simply billing without sending an invoice or receipt. For dertails, see Yale University’s Clinicians Guide to HIPAA Privacy and Security 8-2019. (Information below is found on page 3 of Yale’s document.)
Protected Health Information Protected Health Information (PHI) under HIPAA means any information that identifies an individual and relates to at least one of the following:
- The individual’s past, present or future physical or mental health.
- The provision of health care to the individual.
- The past, present or future payment for health care.
Information is deemed to identify an individual if it includes either the individual’s name or any other information that could enable someone to determine the individual’s identity (e.g., address, age, Social Security number, e-mail address). For a complete definition of PHI and other HIPAA terms see the HIPAA glossary at hipaa.yale.edu Identifiers Data are “individually identifiable” if they include any of the 18 types of identifiers, listed below, for an individual or for the individual’s employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual:
- Name
- Address (all geographic subdivisions smaller than state, including street address, city, county, ZIP code)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
- Telephone numbers
- FAX number
- E-mail address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- Internet Protocol (IP) address numbers
- Finger or voice prints
- Photographic images
- Any other characteristic that could uniquely identify the individual
Note that identifiers alone, when they are derived from any of our clinical systems, are considered PHI as inclusion in our systems is indicative of having received treatment or payment for treatment and as such must be afforded the same protection as more detailed information. [Bolding added by Telehealth.org].
Do These HIPAA Rules Apply to Independent Practitioners?
Telehealth.org interpretation of this information is that independent practitioners receiving payment to a business bank account for services without billing, at least one if not more than one of the identifiers listed above will be involved, whether or not you or your client/patient can see it. The digital footprint left behind can be hacked by evil-doers, and therefore increases the vulnerability of people relying on you for your professionalism when delivering care. If you are receiving payment from your personal name rather than your practice name, speak with your attorney to be clear about this business practice.
HIPAA Compliant Payment Methods
Using payment methods through apps such as PayPal, Venmo, and Zelle is low-cost and convenient but violates HIPAA. It is best to use traditional payment methods when it comes to payment for clinical services or other healthcare-related charges.
- For a growing list of HIPAA-compliant credit card companies, see the Telehealth.org Telehealth and Technology Buyer’s Guide.
- For more information, see Telehealth.org’s previous article HIPAA Business Associates. Additionally, a software’s HIPAA compliance ultimately comes down to their end-use, so healthcare workers must be trained on the proper use of the software before they are permitted access to it. Also see HIPAA Privacy Rule Overview & HIPAA Security Rule: HIPAA 101 Review.
This Article Contributed by Compliancy Group
Need assistance with HIPAA compliance? Compliancy Group can help!
Basic Telehealth Legal & Ethical Rules: HIPAA, Privacy, Working Across State Lines, Malpractice Insurance
Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!
Disclaimer: Telehealth.org offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. We do not and cannot offer legal, ethical, billing technical, medical, or therapeutic advice. Use of this site constitutes your agreement to Telehealth.org Privacy Policy and Terms and Conditions.
If a client pays you with a personal check for healthcare services and you take it to your bank to either deposit it or cash it how is this acceptable? Their check has all kinds of personal information on it. It may even say Dr. So & So. Or ABC Counseling Center. Often times clients will write in the memo spot was on the check “copay”. This is HIPPA compliant?
Doreen,
Thank you for commenting. You make a good point, and there are many examples where in-person care does not protect client or patient privacy. HIPAA cannot address that.
From where I stand, researching and teaching Legal and ethical healthcare issues since 1994, many governments around the world focused primarily on developing stringent policies regarding digital transactions because there was no way to effectively clean up the mess that was occurring in person. Consider the clinician who left their office desk with open files for a few minutes to grab a cup of coffee between sessions, but allowed the next client or patient to enter the office. Or therapy offices where walls were so thin that therapeutic conversations (or sobs & screams) could be heard from the hallway – or even outside on the sidewalk.
Worldwide digital privacy rules and their enforcement have had a trickle-down effect so that now when checking into a doctor’s office, only one person is allowed up to the counter at a time. Other patients are asked to hang back to protect the first person’s privacy. In fact, I went to a doctor’s office today and upon entering, went to the admin’s desk to have her take my temperature. She asked me to step back to protect the privacy of people whose records were listed on the screen (I didn’t even see words on the screen because the angle backed everything out automatically.) We see privacy being protected in-person in other areas now, too. Back 40-50 years ago, when going to the bank, you literally could be standing three feet from the person cashing a check. Now, people are held back with cordoned areas and told to wait.
Many of us in the US and Canada can see an increase in privacy protections in-person as well as online now. They are needed for the greater good. I am sure that in a few decades, the protections that we have now will seem archaic, and people will compare them to the simplicity of what we have now.
If we use square etc, to deposit virtual checks from insurers, aren’t we being taxed twice as income… once from insurer, and again invoiced as income from square etc??
Sharon, Thank you for your comment. Digitally processing checks from payers is potentially different from processing payments from clients and patients directly. At issue is whether or not Protected Health Information (PHI) is being transmitted, and whether or not Square meets HIPAA standards. One way to know for sure is to go to Square’s privacy policy on their website and search for the word “HIPAA” by clicking control or command “F” to open a search bar. When we did that, we found that it offers a BAA, and so it is ok! See here:
Sharon, This may be an issue for a qualified bookkeeper to untangle.
Although processing payments through a credit card processor can generate personally identifiable information, Health and Human Services (HHS) have stated that collecting payments is excluded explicitly from HIPAA mandates.
Section: Other Situations in Which a Business Associate Contract Is NOT Required.
Point: When a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.
Ref: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
Also: HIPAA rules do not apply to banking and financial institutions with respect to the payment processing activities. This includes any activities surrounding authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for healthcare. https://www.connectria.com/blog/9-surprising-business-activities-affected-by-hipaa-compliance/#:~:text=To%20be%20clear%2C%20HIPAA%20rules,or%20collecting%20payments%20for%20healthcare.
Jennie, Thank you for your information, and particularly for your links. I just love it when colleagues supply their sources.
In response, I reached out to HIPAA Compliancy Group, the contributors of the article that sparked this discussion. They reportedly reach out to their legal office, which sent along this response for you:
“A bank or a financial institution may or may not be a business associate, depending on whether it performs business associate functions. If the bank or financial institution performs these functions, it is a BA and subject to HIPAA; if it doesn’t perform these functions, it isn’t a BA and it’s not subject to HIPAA. So, the issue is whether Zelle, Paypal or Venmo, as financial institutions, are performing business associate functions. If they are performing these functions, they are business associates. If they are not, they are not business associate functions.
Banks and financial institutions are not business associates if all they do is authorize, process, clear, settle, bill, transfer, reconcile, or collect payments for health care or health plan premiums. The law specifically exempts these activities from being covered by HIPAA. However, a banking or financial institution like Zelle or Paypal may be a business associate where the institution performs functions above and beyond these payment activities, that put them in contact with PHI on a regular basis. If, for example, a bank performs accounts receivable functions on behalf of a healthcare provider, the bank is considered to be a business associate; performing accounts receivable functions is a business associate activity. Offering invoicing services for healthcare clients, performing benefits management, data analysis, or providing healthcare provider lending, are other examples of activities that may qualify as business associate functions. Once something qualifies as a business associate function, the bank or app performing that function is a business associate, subject to HIPAA.
Paypal is not HIPAA compliant not because it is or isn’t a bank. It is not HIPAA-compliant because it does not offer a BAA, and it openly collects and sells user data. Venmo is not HIPAA compliant because it does not offer a BAA and it shares customer data with Paypal. Zelle, as the article states, does have some security features that are needed for Security Rule compliance, but, I checked again, it does not sign a BAA, so it is not HIPAA compliant. It offers a user agreement, but the user agreement I am looking over does not contain business associate agreement terms. This is not to say that NO payment app is HIPAA-compliant. Square does indeed offer a BAA to customers, and explicitly provides that it will not use or disclose PHI. Ivy Pay is an app for therapists that enters into a BAA; it appears to be HIPAA compliant.”
On our side at TBHI, one of our long-term affiliates is Card Choice, a credit card processing intermediary. They offer 0% credit card fees for those who qualify. We will be posting more information and a special offer from them in the next few weeks.
If anyone else would like to comment on the issues, please feel free to leave your thoughts below.
Jennie, Thank you for citing your sources. The devil is in the details. Please see my prior response from Card Choice, our affiliate and author of this original article.
IvyPay is HIPAA compliant. However, there is a fee.
This is very frustrating to hear. We never billed clients in all the years I was in private practice until COVID came along. It is very easy for clients to forget to send in their co-pays even if we call them or send them a bill for the services provided. As a result, we have had quite a few issues with collections of co-pays. I never used credit card companies because they are so expensive and we can’t change our rates to help defray those high costs. I look forward to seeing the list of HIPPA compliant ways to pay practitioners. We are treated like the medical community in so many ways yet, do not receive payments that are anywhere near the medical community. No wonder so many therapists are going to these crazy companies like Better Help.
For all with questions, I would recommend asking each of the trading companies, if the are HIPPA compliant, if they say they are ask for a copy of where they attains proof of certification. It would be easier to have an invoice program on your computer, you could use it as a receipt and as o billing method for those who “forgot” to bring their checkbook or stop at the ban,
Square – is HIPPA compliant
Ivy Pay is HIPAA compliant and provides a BAA. I’ve been using it for the past year and can’t speak highly enough of this service. I used to use Square, and I have to say, Ivy Pay is MUCH easier and more streamlined (for both the therapist and the client). Money is transferred immediately to your bank account, and the setup on the client’s end is seamless…takes less than 60 seconds for clients to input their info. the first time….after that first time, the client never needs to do anything again, and they will receive a text message every time their card is billed by you.
If you use this link, your first $1,000 in charges will incur no fee. https://app.talktoivy.com/0eBmJj3Bxkb
In this age of telehealth, are checks mailed to a practitioner via U.S. mail HIPAA compliant?
I use Therapy Partner for my CC transactions and while there
is a fee it is lower than most of their competitors or the local banks.
IvyPay is a fantastic HIPAA-compliant service created specifically to help therapists with this issue. They do provide BAAs and those of us who have been using it a long time, cannot speak highly enough of their customer service.
Hello,
Ivy Pay is HIPAA compliant.
Does private pay fall under HIPAA? I don’t think so. Is patient health information confidential? The answer is yes but if if you are private pay then it does not fall under HIPAA but under the state’s licensure and other federal guidelines.
What I am emphasizing is that HIPPA is Health Insurance Portability and Accountability Act and not a an entity that is covers all health related transactions.
Vikas,
You are right. HIPAA does not apply to providers who collect private pay, and who have never billed or collected payment electronically. However, when you collect electronically, all HIPAA rules apply because of the privacy concerns outlined in the Yale document. The HHS.gov website provides the same details, but it is more simply explained in the Yale document.
Again, none of this is new. It is just that many providers do not yet understand the rules. We have gone out of our way to gather this information because we specialize in HIPAA and privacy training.
Actually payment doesn’t have to be HIPAA compliant. Please provide more accurate information regarding the topic.
Paulina, According to our legal sources, all digital interactions covered entities have with client or patients who reside in the United States must be HIPAA compliant. When we send a bill to someone digitally, that digital vehicle must be HIPAA compliant. When we receive money from them digitally, the vehicle receiving payment and transferring information and funds to us must be HIPAA compliant. If you have contrary information, please supply a link to the source of your information for us all to consider.
So how about if someone wants to Zelle me for a table I am selling at a yard sale? How about if I get PayPal from a neighbor for gas money for a girl scout outing? They are paying money to a healthcare worker. Does that not mean that if PayPal or Zelle are “hacked” the information would be considered “compromising” or go against some privacy laws? No one knows whether I am getting paid for coaching, counselling, tutoring, or selling lemonade on the sidewalk. I don’t understand why this would logically go against HIPPA. No information is attached that would indicate health services….. ?
Melanie, Thank you for your question. All personal interactions with non-client or non-patients are exempt. For reviewing the specifics of how you bill, whether you use your business or private account to bill healthcare services, and how you describe the service that you deliver when you bill, I suggest you speak with your malpractice attorney or the attorney at your local state or national association. They can review your processes in more detail than we can through this comment box. You also can run a search online and let us know if you find anything contrary to what we are publishing. Please provide links if you do so.
Having been using paypal for years. This is rather a surprise. Looking forward to HIPAA compliant venues.
I don’t discredit this article, but there is a lot of manipulation going on here. Banks are HIPAA exempt. Bank transfers are HIPAA exempt. If your client is sending you money it is HIPAA exempt. The only time it’s not is if you send an invoice or a receipt. Those are the things that constitute a business agreement.
Jane Doe,
Thank you for your comment. There is much confusion about this issue, so your question is particularly helpful. Whatever HIPAA-compliant payment system you use, the payment platform automatically issues your client or patient a receipt. Your clients then, do get a digital receipt from you, whether you identify your services on that receipt or not. Your name is on it, and so is theirs.
If you are a covered entity, that state exchange is in violation of HIPAA if not conducted through a HIPAA-compliant system. We have added more information to the article above to clarify this point, along with the source of our information.
At issue is that hackers are very clever at piecing together data crumbs to identify the information they want. A quick scan of our previous blog will show Run a simple search for “HIPAA compliant payment systems” and you will see a plethora of companies that advertise HIPAA compliant systems. An entire industry has proliferated to help us be HIPAA compliant.
This sounds like complete and utter rubbish. We have a concept in nursing called “prudence”, what would a prudent person think? A prudent person sees a receipt with two peoples’ name on it…. no other descriptions other than name of business. There is a huge difference between having a person’s name on a sheet versus a person’s diagnosis on a sheet. A prudent person is not going to think twice about John Doe and a health clinic on a receipt, as everyone requires healthcare from time to time. However, giving someone a receipt with John Doe, diagnosis HIV +, is a very different scenario.
Murse,
Thank you for your perspective.
Thank you Dr Mayheu and the Compliancy Group for this information. I reserve Zelle for colleague payment for trainings and consultations and use a traditional billing method to send client bills to the client and a clearinghouse for electronic insurance billing, entering information directly on their secure website. I have a BAA with them as well as with Square where I accept only payment (no bills sent to clients). I believe I am HIPAA compliant.
So, do you have a list of some HIPAA-compliant payment methods?
Barabara, It will take us a few weeks but we will list some in the TBHI Buyer’s Guide. Thanks for asking.
Venmo and Zelle only say that person A sent money to person B. Is payment from one account to another considered protected health information?
MK – yes, any digital payment that includes info that identifies the person as having purchased services from any healthcare professional is protected. Plus you need a BAA to use the service. If they won’t give you one, them you can’t use that service. See the top part of the recent article for details. Also, search our site for other articles about “PHI” and “ePHI”. Also look at the “HIPAA wall of shame” article that we posted a few years ago.
All this is a major pain – but required by federal law to protect the vulnerable people who come see us from the prying eyes of hackers. Asking questions is the right thing to do. Ask more of us if needed.
Then which sources of client payments ARE HIPPA
compliant ????
Jenna, I will give you the same response that I gave to Barbara above: “It will take us a few weeks but we will list some in the TBHI Buyer’s Guide. Thanks for asking.”
What about Cashapp?
Timisha, Thank you for your inquiry. I haven’t heard of that payment system but if you read the top part of our article, you will see the two criteria needed. My suggestion is that you write to Cashapp and ask them questions about both issues. Get their response in writing before proceeding.