More people use mobile payment apps every day. They like the convenience and safety during the COVID-19 crisis because payment is touch-free. Now patients are asking to pay their medical bills by using Venmo, a popular bill-splitting and cash payment app. In fact, Venmo is so common among millennials, it’s become a verb – “I’ll Venmo you for lunch.”
But what about medical information and HIPAA? Can providers use payment apps to collect payment?
HIPAA and Payment Processing
HIPAA was written in 1996 long before smartphone payment apps arrived. Payment apps like PayPal and Venmo are similar to credit cards, except they cost much less (Venmo is free).
HIPAA says companies engaged only in ‘authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care or health plan premiums’ are not required to comply with HIPAA Privacy and Security Standards*. That means, for example, health care providers don’t need a business associate agreement (BAA) with a credit card company or a bank to accept and process credit card payments.
Venmo’s services seem to fit well within the description of payment processing services that are exempt from HIPAA regulation. Neither Venmo nor PayPal (which owns Venmo) will sign a BAA, and HIPAA doesn’t require one, just as it doesn’t require a BAA between a provider and a credit card company.
However, patients who want to pay medical bills by Venmo raise a brand new issue. Patient engagement is essential for high quality health care. Are providers who refuse Venmo payment failing their millennial patients?
Venmo
PayPal and Venmo confirm that they collect and sell user information that HIPAA defines as protected health information (PHI). But Venmo doesn’t have to comply with HIPAA because it is not a business associate. However, covered entities like healthcare providers do need to comply with HIPAA and have the responsibility to protect and maintain patient privacy and security.
May Providers use Payment Apps like Venmo?
The demand from patients to use Venmo and other convenient payment apps will grow. If Venmo is demanded by patients and you want to accommodate them, first check with your legal counsel about accepting Venmo payment.
From a HIPAA perspective, here are some suggestions to consider – and remember this is not legal advice. This is similar to the “safe harbor” three-step process HIPAA requires to communicate with patients via unencrypted text and email.
- Inform the patient that Venmo is not compliant with health information privacy laws and that Venmo may share information about payment for their health care with others.
- Allow the patient to use Venmo if they wish after they have been warned.
- Document the Venmo warning and the patient’s direction to use Venmo to pay for health care services.
New Development – CVS Pharmacy
On November 16, 2020, CVS Pharmacy announced that customers can now check out touch-free using PayPal and Venmo at its 8,200 standalone retail locations. This is likely to be hugely popular among customers.
Providers Should Weigh the Risks
The popularity of payment apps means that their usage will grow. As long as PayPal and Venmo do not suffer a major security breach that puts user data at risk, people will likely continue to favor their convenience. Healthcare providers should consider whether the demand from patients, the convenience and the low cost outweigh the chance of a security breach that could compromise patient privacy. Credit cards and Automated Clearing House (ACH) transfers (bank to bank) are more secure, although a fee is required.
Confirm with patients that use of the payment apps is their preference, but give them the light warning outlined above. It’s the provider’s responsibility to guard privacy and security, so let your patients know the risk, and let them decide.
*See 78 FR 5575 and 42 U.S.C. 1320d–8