Easy-to-use payment processing is becoming increasingly common. Companies like Venmo and CashApp allow friends and family to send money to one another quickly without extra charges. However, in a healthcare setting, are these payment methods HIPAA-compliant?

The short answer is “no.”

There are many convenient payment processing applications, each of which should be evaluated independently to determine whether it complies with HIPAA.

Many do not.

Evaluate Payment Apps

Before accepting payment via a payment app, HIPAA covered entities must do due diligence.

This topic can be confusing because HIPAA exempts financial institutions, like banks, from HIPAA compliance as a business associate if their role is restricted to payment processing.

In 2013, in the preamble to the 2013 Final Omnibus Rule, HHS stated:

“The HIPAA Rules, including the business associate provisions, do not apply to banking and financial institutions with respect to the payment processing activities identified in § 1179 of the HIPAA statute.”

and further:

“A banking or financial institution may be a business associate where the institution performs functions above and beyond the payment processing activities identified above on behalf of a covered entity.” (italics added for emphasis)

If a payment app’s only function is payment processing, it would be exempt from HIPAA, like financial institutions. However, payment apps go beyond simple payment processing. Many also gather and store personal information they use and disclose to advertisers and other businesses in ways that violate HIPAA and other privacy laws.

Payment Processors are Usually Not Business Associates

Who’s who in the world of payment processors? Below is a list of some commonly known payment processing apps. (There are others.)

• PayPal (primarily a business app) owns Venmo (for individuals).
• Block, Inc. owns Square (a business app) and CashApp (for individuals).
• Stripe is a global internet payment processing company.
• Zelle is a digital payments network primarily offering bank-to-bank transfers.
• IvyPay is a payment processing app marketed to therapists – IvyPay will sign a business associate agreement.
• ApplePay is a mobile payment application that works on Apple devices.

Venmo, PayPal, CashApp, Stripe, and Zelle do HIPAA due diligence for you. They confirm they do not comply with HIPAA Rules and will not sign a HIPAA business associate agreement.

Note:

• Their privacy policies expressly state that they cannot guarantee that personal information may not be accessed, disclosed, altered, or destroyed.
• Their privacy policies state that personal data may be shared with other businesses, which HIPAA prohibits.
• HIPAA requires healthcare providers to exercise due diligence over third-party vendors, whether they are business associates or not.
• A provider that uses a payment processor that admits it shares PHI may be liable for noncompliance if a breach occurs at the payment processor.

ApplePay says it is not a business associate and will not sign a business associate agreement for payment processing. It claims to differ from Venmo, CashApp, etc., because its role is limited. It only links the individual’s credit card to the business receiving payment. Apple is not doing the processing and does not receive, store, or share any personal information.

However, this only applies to ApplePay’s payment facilitation. Covered entities and business associates should not store individually identifying health information (PHI) in the Apple Wallet app because Apple is not a business associate (and will not sign a business associate agreement.)

Some Payment Apps Sign Business Associate Agreements

Square, Inc. offers services beyond payment processing and is willing to execute a HIPAA business associate agreement. IvyPay, for therapists, considers itself a business associate and will enter a BAA.

Consider a HIPAA Authorization

If a provider wants to use a payment app, one option might be to obtain a valid HIPAA authorization from a patient in advance.

The authorization needs to be drafted carefully and specifically to ensure it meets HIPAA requirements. For example, it must describe the purpose of the disclosure of PHI, identify who will receive the PHI, have an expiration date, and give the patient the right to revoke. The patient must sign it.

Beyond HIPAA, FTC Privacy Rules Also Apply

HIPAA is not the only health privacy law to consider. The Federal Trade Commission (FTC) also regulates unfair or deceptive business practices, including consumer protection and health privacy.

The FTC and the Office for Civil Rights (OCR) have both expressed concern about website trackers that permit tech companies to share PHI with third-party advertisers. For example, the FTC has enforced privacy laws against non-business associate companies, like GoodRx, BetterHelp and PreMom, because their web trackers shared patient data with other companies to the detriment of patients. Because many of these payment apps share patient data with third parties, they are subject to FTC scrutiny.

If consumers complain or a significant data breach occurs at a payment processing company, the FTC can respond under the FTC Act or its own Health Breach Notification Rule.

Safer Payment Methods

Credit or debit cards and checks are the most secure methods from a HIPAA perspective.

Other options for accepting automatic payments from patients include:

• EHR-supported payment systems. A good bet is an electronic health records system that offers payment options, is otherwise HIPAA compliant, and will sign a business associate agreement.
• The ACH (automated clearing house) system is a traditional and secure method of sending money electronically. ACH offers direct debit transfers for individuals.

Follow the HIPAA Security Rule

Covered entities are not off the hook if a patient data breach occurs at a third-party vendor. Do your due diligence and consider options. For example, before you accept payments on a payment app, look at the app’s privacy policy carefully.

Your best option is a company you can verify follows HIPAA, accepts the role of a business associate, and will sign a business associate agreement.  A covered entity must do this due diligence with all its business associate vendors.

Even though payment processing is exempt from the HIPAA business associate requirements, HIPAA applies if other activities occur, e.g., invoicing or requesting payments, receiving, storing, or transmitting data, or disclosing data to third parties.

Using a payment app requires weighing your business needs, patient preferences, and compliance risks. Before you decide, consult with counsel about all your options.