3 min read

Guide to online payment options & HIPAA compliance

Kapua Iao October 20, 2020

Risk management

Guide to online payment options & HIPAA compliance

More and more today, healthcare organizations are turning to online payment options. This is especially true with the recent growth of telehealth and the need to receive payments electronically. RELATED: Historic Expansions of Telehealth to Combat COVID-19 But with this new need, healthcare organizations must continue to follow HIPAA (the Health Insurance Portability and Accountability Act of 1996), U.S. legislation created to improve healthcare privacy standards. Several recent Paubox blogs have focused on online financial institutions. This guide will summarize what we have learned about online payment options and HIPAA compliance for the healthcare industry.

Online payments and HIPAA compliance

Before we dive into each payment option, there are a few things to remember about HIPAA compliance. Covered entities (CEs) and their business associates (BAs) maintain HIPAA compliance by protecting the rights and privacy of patients and their protected health information (PHI). RELATED: What is ePHI? A BA is a person or entity that performs certain functions or activities that involves the use or disclosure of PHI on behalf of a CE. Generally, the HIPAA Privacy Rule allows CEs to disclose PHI to a BA if they receive assurance that the information is protected through a signed business associate agreement (BAA). However, several exceptions were built into the privacy rule including one addressing financial institutions:

. . . a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.

However, some financial institutions do more than process payments. For example, some companies generate and/or share bills and receipts, oftentimes containing PHI. RELATED: Is a Name PHI? For complete protection, a CE should utilize a financial institution that will sign a BAA.

Online payments and PHI

Besides ensuring that a financial institution will sign a BAA, a CE must look into how the company safeguards PHI as outlined in the HIPAA Security Rule. This includes when and how invoices/receipts are securely sent (e.g., through HIPAA compliant email), where and how data is stored, and how payment transactions are protected. And a final aspect of this is what the BA does with the PHI it receives. For example, does it collect customer data (and is it upfront about this)? Does it sell data? Use it for marketing? Does the BA keep PHI private and secure? Given the numerous ways that PHI could be exposed during a financial transaction, any breach is a HIPAA violation and a BA and/or a CE could be held liable.

PayPal

PayPal is an open digital payment platform used worldwide, offering flexibility when sending and/or receiving payments. Currently, there are around 300 million active users. So is PayPal HIPAA compliant? PayPal is not HIPAA compliant because it does not appear to offer a BAA and openly collects and sells user data.

Venmo

Venmo is a peer-to-peer payment app procured by PayPal in 2013/2014. With over 60 million active customers, all merchants (within the U.S.) that accept PayPal can now accept Venmo. Venmo is not HIPAA compliant because it does not appear to offer a BAA and it also shares customer information with PayPal who admits to collecting and selling user information. Also, Venmo states within its privacy policy that it cannot guarantee complete data protection.

Stripe

Stripe is another popular online payment platform utilized by tens of thousands of companies worldwide. Through the Stripe Partner Program, Stripe is also able to connect with various apps that help businesses build websites and accept online transactions. RELATED: How to Make Sure You Have a HIPAA Compliant Website Stripe is not HIPAA compliant even though the company is known for its robust cybersecurity because it does not appear to offer a BAA and, like PayPal, openly collects/sells user data.

Square

Square acts as both a financial service and mobile payment company and is most known for its Square Reader, which transforms a device into a point-of-sale solution. Beyond this, Square also allows payments and/or money transfers via its app or website. Square appears to be HIPAA compliant because it offers a BAA to customers and explicitly states that it will not use or disclose PHI. There is nothing to sign by both parties; the BAA is built into a user agreement.

Conclusion

PayPal, Venmo, and Stripe are not HIPAA compliant because they will not sign a BAA and they collect and sell user data. Square, on the other hand, offers a BAA and affirms that its services will not violate HIPAA. Nonetheless, even when using Square, a healthcare organization should still actively safeguard PHI with its own HIPAA compliant cybersecurity solutions. This includes up-to-date employee awareness training, offline backup, multi-factor authentication, and email security software. Paubox Email Suite enables HIPAA compliant email communication between CEs and BAs, as well as between CEs and patients. Once configured, Paubox automatically encrypts every outbound email with no extra steps, clicks, or log-ins. RELATED: Why Paubox Marketing is the Best HIPAA Email Marketing Solution Available Utilizing a company such as Paubox is necessary today when so many services are done electronically, including financial transactions.

Try Paubox Email Suite for FREE today.

Start for free