Zelle and Information Protection
One of the key determinants of whether a service is HIPAA compliant is the set of security methods used to protect sensitive information transmitted through it. While Zelle doesn’t necessarily require sensitive data to be entered into its service, it does require users to enter their email address and phone number in order to send payments through the service.
Under HIPAA, both email addresses and phone numbers are considered protected health information (PHI) when they are connected to treatment, payment, or healthcare operations. HIPAA requires organizations to implement security measures to ensure the confidentiality, integrity, and availability of PHI. According to Zelle’s website, they implement user authentication and monitoring features to ensure the security of payments sent through their service. So, Zelle meets HIPAA security requirements, but that is not the only determinant of a service’s HIPAA compliance. To be HIPAA compliant, a service provider must also sign business associate agreements with their users.
Does Zelle Sign Business Associate Agreements?
Does Zelle sign business associate agreements (BAAs)? If a healthcare provider is accepting payments from patients through an electronic payment service, that service provider is considered a business associate under HIPAA. Since HIPAA requires healthcare providers to have signed BAAs with all of their business associates, Zelle would need to be willing and able to sign a BAA with users to be considered HIPAA compliant.
So does Zelle sign business associate agreements? Since there is no mention of HIPAA, business associates, or business associate agreements on Zelle’s website, it is fair to assume that Zelle does not sign BAAs with their users.
Is Zelle HIPAA Compliant?
So, is Zelle HIPAA compliant? No, Zelle is not HIPAA compliant. While they implement security measures to keep user data safe, they do not sign BAAs, and therefore healthcare providers cannot use Zelle to accept patient payments.