Venmo is a popular secure online payment platform that allows users to instantly send payments to other Venmo users. Part of the reason it has become so popular is its ease of use and no fee structure. However, what many people fail to realize is that Venmo is owned by PayPal, and they openly share data between the two platforms. As such, when inquiring as to whether or not Venmo is HIPAA compliant, you must also look at PayPal to determine its HIPAA compliance. So, are PayPal and Venmo HIPAA compliant?
Why Does it Matter if Venmo and PayPal are HIPAA Compliant?
As a covered entity, you must assess the HIPAA compliance of your business associates before conducting business with them. However, the HIPAA Privacy Rule does have some exceptions, including for financial institutions.
“A financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.”
Under this exception, it appears as though Venmo would not be considered a business associate. So again, why does it matter if Venmo is HIPAA compliant?
Since Venmo is not a business associate, they do not sign business associate agreements (BAA). A BAA is a legal document that requires each signing party to be HIPAA compliant, and requires each to be responsible for maintaining their compliance. Although Venmo as a financial institution is not technically required to sign a BAA, should a covered entity choose to accept Venmo payments, and Venmo suffers a breach affecting protected health information (PHI), such as a patient’s name, email address, or credit card information — all of which are required to open a Venmo account — the covered entity would be held liable for the breach.
Venmo and PayPal: Security and Privacy Policies
Venmo states on their website that they utilize encryption to secure consumer data held in their systems. Venmo also states, “We strive to ensure security on our systems. Despite our efforts, we cannot guarantee that personal information may not be accessed, disclosed, altered or destroyed by breach of our administrative, managerial and technical safeguards.” This means there is potential for Venmo to suffer a breach affecting consumer data.
Additionally, under Venmo’s Privacy Policies they state that they don’t share consumer data with third-parties. They do, however, share data with PayPal, which is where the main issue of Venmo’s HIPAA compliance lies. PayPal openly admits that they sell and collect consumer data for advertising purposes. This practice is strictly forbidden by HIPAA compliance standards, so even if Venmo themselves does not share data with third-parties, their parent company PayPal does.
Is Venmo HIPAA Compliant?
So is Venmo HIPAA compliant? Given the fact that they share consumer data with PayPal, who may then sell that information to advertisers, Venmo is not HIPAA compliant.