Since Venmo is not a business associate, they do not sign business associate agreements (BAA). A BAA is a legal document that requires each signing party to be HIPAA compliant, and requires each to be responsible for maintaining their compliance. Although Venmo as a financial institution is not technically required to sign a BAA, should a covered entity choose to accept Venmo payments, and Venmo suffers a breach affecting protected health information (PHI), such as a patient’s name, email address, or credit card information — all of which are required to open a Venmo account — the covered entity would be held liable for the breach.
Venmo and PayPal: Security and Privacy Policies
Venmo states on their website that they utilize encryption to secure consumer data held in their systems. Venmo also states, “We strive to ensure security on our systems. Despite our efforts, we cannot guarantee that personal information may not be accessed, disclosed, altered or destroyed by breach of our administrative, managerial and technical safeguards.” This means there is potential for Venmo to suffer a breach affecting consumer data.
Additionally, under Venmo’s Privacy Policy they state that they don’t share consumer data with third parties. They do, however, share data with PayPal, which is where the main issue with Venmo’s HIPAA compliance lies. PayPal openly admits that it collects and sells consumer data for advertising purposes. This practice is strictly forbidden under HIPAA, so even if Venmo itself does not share data with third parties, its parent company PayPal does.
Is Venmo HIPAA Compliant?
So is Venmo HIPAA compliant? Given the fact that they share consumer data with PayPal, who may then sell that information to advertisers, Venmo is not HIPAA compliant.