Are You Using HIPAA Compliant Billing Software?

To help you decide, we’ve prepared an overview of what the HIPAA regulations state. We also reviewed some of the most popular payment apps available to determine whether or not they are HIPAA compliant payment apps. 

How Does HIPAA Define Billing Software Compliance?

HIPAA regulations are very clear regarding protected health information (PHI). Covered entities (like a doctor, clinic, or hospital) and their business associates (like a billing service or payment processor) must protect the rights and privacy of patients as part of their HIPAA compliance strategy. Having a business associate agreement signed with those companies before services are provided fulfills part of that responsibility.

However, one of the things that makes HIPAA so hard to fully grasp is the exceptions it has. One of these exceptions specifically addresses financial transactions.

“When a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.”

It sounds relatively straightforward until you consider the evolution and innovation within the financial world. Options that were unimaginable when the law was initially passed in 1996 are commonplace today. While these new options are very convenient, not all meet the standards for HIPAA Compliance.

Traditional Financial Institutions: Are You Using HIPAA Compliant Billing Software?

Suppose your financial institution simply cashes checks and processes debit or credit card payments (like a traditional bank or credit union). In that case, you’re unlikely to need a business associate agreement with them. The problem is that very few of these institutions limit themselves to those traditional activities. Nearly all have some type of online service or application.

Many “old school” banks now offer investment, insurance, billing, and collection services. The question to ask regarding HIPAA compliance is:  Does my financial institution use or disclose patient protected health information either through services provided to or action taken on my behalf? 

If they generate bills or receipts that contain PHI, they have to be HIPAA compliant. If you’re still unsure, ask if they will sign a business associate agreement. It may be wise to think about others who will if they won’t. It’s better to be safe than sorry.  

Online Billing and Payment Options

To be HIPAA compliant, online financial service providers must be willing to sign (or provide) a valid business associate agreement to be HIPAA compliant. The Security Rule provides guidance regarding PHI’s use, handling, and storage.

For example, do they collect customer data (and are they aboveboard about this practice)? Do they use customer data for marketing or sell it? Do they keep PHI private and secure?

Do they send receipts and invoices using a HIPAA compliant email or texting service if they provide billing? There are countless ways PHI could be exposed during a financial transaction. Don’t be liable for a breach caused by someone else’s action. 

Contenders and Pretenders: Are These HIPAA Compliant Payment Apps?

Listed below are some of the most recognized billing and payment services online. So, how do they measure up to the HIPAA regulations? Are any of them HIPAA compliant payment apps?

Square

According to Square’s website, they implement data encryption within their card reader at the moment of swipe. They also provide around-the-clock monitoring by dedicated security staff to ensure the security of payments sent through their service. They are also PCI compliant. 

So, Square meets HIPAA security requirements, but that is not the only determinant of a service’s HIPAA compliance. A service provider must also sign business associate agreements with their users to be HIPAA compliant.

Because Square’s website has a page that specifically addresses HIPAA compliance, including a link to their HIPAA Business Associate Agreement, it is fair to assume that Square does sign BAAs with its users. 

Conclusion: Square is HIPAA compliant, provided that users have a signed BAA with Square before using their service.

Zelle

Zelle doesn’t necessarily require sensitive data to be input into their service. They require users to enter their email address and phone number to send payments through their service. 

Under HIPAA, both email addresses and phone numbers are considered protected health information (PHI) if connected to treatment, payment, or healthcare operations. HIPAA requires organizations to implement security measures to ensure the confidentiality, integrity, and availability of PHI. Zelle’s website states that they implement user authentication and monitoring features to ensure the security of payments sent through their service. So, Zelle meets HIPAA’s requirements for security.

Does Zelle sign business associate agreements? There is no mention of HIPAA, business associates, or business associate agreements on Zelle’s website. In this case, it is fair to assume that Zelle does not sign BAAs with their users. 

Conclusion: Zelle is not HIPAA compliant. While they do implement security measures to keep user data safe, they do not sign BAAs. Thus, healthcare providers cannot use Zelle to accept patient payments.

PayPal

PayPal was not the first to provide online billing and payment services, but they are the world’s most widely used; in 2020, they processed over $936 billion in payments. Their security protections include 24/7 monitoring, fraud detection, firewalls, and encryption. All of these are standards in the financial industry.

However, when you examine the personal data they collect and how it is used, it’s problematic. PayPal collects at least nine of the 18 types of data that are considered PHI. 

And while their Privacy Policy states that they do not sell data, they admit sharing data with:

• Other members of the PayPal corporate family, including our brands such as Venmo and;
• Service providers that help us with processing payments, marketing, research, compliance, audits, corporate governance, communications, and security.

You have no control over how or when they share information that HIPAA classifies as PHI. Also, there is no mention of a business associate agreement anywhere in their Legal Agreements for PayPal Services. The safe assumption would be that they do not sign or participate in business associate agreements. 

Conclusion: PayPal is not HIPAA compliant. Their security features seem to be sufficient. But you have no control over how PHI would be used, and there is no business associate agreement. Using PayPal would be a HIPAA violation just waiting to be discovered in an audit.

Venmo

You may not know that Venmo is a subsidiary company of PayPal. Both companies share data with each other. This interconnected relationship creates gray areas that can cause concern regarding HIPAA compliance.

Venmo admits they use personal data for their internal marketing purposes. They also confirm that they share data for joint marketing with other financial companies. 

They also share data with:

• Our parent company, PayPal, Inc., and affiliates and subsidiaries it controls, but only for purposes allowed by this document.
• Companies that PayPal, Inc. plans to merge with or be acquired by or, in the event of any bankruptcy, a bankruptcy estate. Should such a combination occur, we will require that the new combined entity follow this privacy policy with respect to your personal information. If your personal information could be used contrary to this policy, you will receive prior notice and the opportunity to communicate preferences you may have, if applicable.
• The other Venmo users participating in the transaction and, depending on the privacy setting of each Venmo account transaction, your Venmo friends and the Venmo friends of the other user participating in the transaction, or the public, through the Venmo feed on our website and mobile application and elsewhere on the internet.

Venmo doesn’t mention business associate agreements or HIPAA anywhere on their website. They claim status as a financial institution and therefore do not sign business associate agreements.

Conclusion: Venmo is not HIPAA compliant. Venmo uses data that is considered PHI for marketing purposes. Venmo shares data with PayPal who also uses data that is considered PHI for marketing purposes. HIPAA compliance standards strictly forbid this practice. 

Finally, they do not sign business associate agreements. Any of those three reasons is enough to qualify as non-compliance. That means your organization would be liable for any breach resulting from their actions.

Stripe

Stripe is a payment processor and much more. They feature a robust suite of applications covering everything from identity verification to help starting a new business online. Their security measures are outstanding, including meeting the standards of the European Union’s General Data Protection Regulation (GDPR).

Like PayPal and Venmo, they do use personal data for promotional purposes. They share this data with their affiliate companies and third-party companies that provide services to them. There is no mention of HIPAA or business associate agreements on their site. Because of that, it’s safe to assume that they don’t sign or offer them.

Conclusion: Stripe is not HIPAA compliant. There are a lot of reasons to like Stripe, but the risks do not appear to outweigh the benefits. Transmitting ePHI without a signed business associate agreement is an automatic violation of HIPAA regulations.

So, Is Your Payment Software HIPAA Compliant?

Of the five best-known online payment processors, only Square clearly and definitively is HIPAA compliant. This is not an exhaustive list of all options available in the marketplace, but we will continue to add to this list as others emerge or questions are asked.