Ivy Pay is an online payment processor that serves only licensed therapists. The service is offered by talktoivy.com, an online referral service that helps clients find the best therapist for them. Healthcare providers can only use HIPAA compliant payment processors to receive payments from patients. So, is Ivy Pay HIPAA compliant?
Ivy Pay and Information Protection
One of the key determinants of whether a service is HIPAA compliant is how it secures the sensitive information transmitted through it. Providers or business associates using Ivy Pay for payments will require users to provide financial information such as debit/credit card numbers or account numbers.
Under HIPAA, debit cards, credit cards, bank account numbers, and all non-cash payment types are protected health information (PHI) when connected to treatment, payment, or healthcare operations. HIPAA requires organizations to implement security measures to ensure PHI’s confidentiality, integrity, and availability.
In response to our request for information about how Ivy Pay handles sensitive information, a member of their support team said,
“Ivy uses advanced security systems and data encryption to protect both clients and therapists, as well as safeguard against unauthorized transactions and access to personal or financial information. Administrative, technical, and physical safeguards are in place to ensure data is protected in transit, at rest, and when handled by Ivy Pay representatives.
All information on the Ivy Pay system is encrypted, stored, and protected on secure servers. We work with extreme vigilance to ensure that Ivy meets and exceeds security industry standards and best practices. Ivy Pay uses industry-standard SSL encryption on every part of the Ivy Pay system as well as PCI data security protocols. This is the same encryption technology used by banks and brokerages to safeguard financial information.”
Does Ivy Pay Sign Business Associate Agreements?
Based on their response, Ivy Pay appears to meet the HIPAA security requirements, but that is not the only factor that determines HIPAA compliance. To be HIPAA compliant, a service provider must also sign business associate agreements (BAAs) with their users.
If a healthcare provider accepts patients’ payments through an electronic payment service, that service provider is considered a business associate under HIPAA. Since HIPAA requires healthcare providers to have signed BAAs with all of their business associates, Ivy Pay would need to be willing and able to sign a BAA with users to be considered HIPAA compliant.
So does Ivy Pay sign business associate agreements? Ivy Pay’s website has a page that explicitly addresses their HIPAA compliant Business Associate Agreement. It is fair to assume that Ivy Pay does sign BAAs with its users.
Is Ivy Pay HIPAA Compliant?
Is Ivy Pay HIPAA compliant? In the final analysis, Ivy Pay appears to be HIPAA compliant, provided that users have a signed BAA with Ivy Pay before using its service.