Are Venmo, Zelle, and PayPal HIPAA Compliant?
Digital payment methods are increasingly popular these days. Your local coffee shop, barber, grocery market, and shopping mall are all starting to implement the technology.
Healthcare practitioners are moving toward digital transactions too, adopting various forms of online bill pay. You might be wondering whether it is worth investing in a healthcare-specific payment platform or whether something like Venmo, Zelle, or PayPal can do the job.
It’s hard to ignore the low-cost investment and brand familiarity these payment platforms provide, but the risk might not be worth the savings.
Venmo, Zelle, and PayPal may expose your practice to the risk of a HIPAA violation.
Yes, it is as serious as it sounds. Civil penalties for HIPAA violations are tiered by level of culpability and can reach $50,000 per violation, with an annual cap of $1.5 million for repeated violations of the same provision.
We’ll briefly explain HIPAA and why a HIPAA-compliant payment processing platform can spare you the headaches this law can bring.
What is HIPAA compliance?
HIPAA stands for the Health Insurance Portability and Accountability Act. This federal law was enacted in 1996, and its Privacy and Security Rules set the requirements for keeping a patient’s health information private and secure.
What kind of personal information is protected under HIPAA?
PHI, or Protected Health Information, is individually identifiable health information: information about a patient’s health, treatment, or payment for care that is tied to identifiers capable of singling out that patient. HIPAA’s de-identification standard lists 18 such identifiers, including:
- Date of Birth
- Telephone Number
- Fax Number
- Social Security Number
- Medical Record Number
- Health Plan Beneficiary Number
- Account Number
- Driver’s License Number
- Full-face Photographs
- IP Address
How does HIPAA affect payment processing platforms?
Since its enactment in 1996, HIPAA has gone through various changes that redefined its boundaries to further protect a patient’s PHI. One of those changes was the Omnibus Rule of 2013.
The early stages of HIPAA focused mainly on covered entities: healthcare providers, health plans, and clearinghouses. The Omnibus Rule made business associates directly liable for complying with the Security Rule and key provisions of the Privacy Rule, so a negligent business associate can now be penalized in its own right.
However, under current law, a company whose only role is moving money is not a business associate. HIPAA carves out the activities of financial institutions, such as authorizing, processing, clearing, and settling payments, from its requirements.
HIPAA’s definition of a business associate covers, among other services performed for a covered entity:
- Legal and accounting services
- Claims billing and processing services
- Data analysis services
- Benefit management services
This means that a payment processing platform has no legal obligation under HIPAA to protect the data it handles for you. If PHI is exposed through that platform, the exposure is your problem as the covered entity, not theirs.
Venmo, PayPal, and Zelle are not healthcare-specific platforms. Here are 3 reasons why that can hurt you.
- They have a history of security issues.
Widespread use brings wider exposure: a consumer app with tens of millions of users is a large target for fraudsters, and it is built for convenience rather than confidentiality.
Venmo, Paypal, and Zelle aren’t just used for enterprise-based solutions. These are apps used for a wide variety of reasons, from splitting a restaurant bill to buying a used couch from a stranger.
And some of them have a record of privacy lapses and fraud.
For example, in February 2018, the FTC reached a settlement with Venmo (which is owned by PayPal) after an investigation found that Venmo had misled consumers about the extent of control they had over the privacy of their transactions.
Journalists have documented Venmo’s privacy problems repeatedly. Most recently, BuzzFeed News reported that its reporters found President Joe Biden’s Venmo account in less than 10 minutes.
Although PayPal at least offers a form of buyer protection, its widely used platform has seen a string of account compromises; Forbes reported on multiple cases of theft in 2020.
Zelle, on the other hand, is often touted as the “more secure” version of Venmo. But TechCrunch has reported that the service is also riddled with scams.
- They don’t prioritize HIPAA compliance.
Because HIPAA does not bind them, payment processing platforms have no obligation to cooperate with your breach response. In the event of a data breach, HIPAA compliance is not a priority for Venmo, PayPal, and Zelle.
These payment platforms are designed to make transactions between acquaintances easier, not transactions between merchants and clients.
As quoted in Venmo’s help desk, “Venmo was originally designed for people who know and trust each other to send each other payments.” The same applies to most of these peer-to-peer payment apps.
Most notably, Venmo, PayPal, and Zelle won’t sign any Business Associate Agreements (BAAs).
A BAA is a written arrangement that specifies the responsibilities of each party when it comes to safeguarding PHI.
BAAs are vital: a BAA spells out how the business associate may use PHI, what safeguards it must apply, and that it must report any breach of PHI to you, which is what ensures it cooperates fully with a healthcare organization when a breach happens. At PayGround, we have all of our clients sign a business associate agreement with us.
Without a BAA, a partner that has no obligation to help may be slow and grudging, if it cooperates at all, when you need to notify the U.S. Department of Health and Human Services of a breach. HIPAA’s breach notification clock does not wait for your vendor, and failure to report in time can lead to harsher penalties.
- They may share a patient’s personal information with advertisers.
Venmo, PayPal, and Zelle are free for personal use. So how do they make their money?
Some charge fees for instant transfers or for merchant transactions. But that’s not all they do to monetize. Mashable notes that some of these apps use your data for marketing purposes.
Even data that looks innocuous matters here: an IP address is one of the 18 identifiers HIPAA lists, so an IP address or location linked to a patient’s payment for care can be PHI.
The Benefit of Choosing PayGround Over Venmo, Zelle, and PayPal:
Venmo, Zelle, and PayPal take a one-size-fits-all approach to simplifying payments. PayGround takes a “white glove” approach, focusing on a business’s specific needs.
PayGround is not in the business of peer-to-peer transactions or social feeds. It also doesn’t monetize personal information for advertising.
Instead, PayGround is focused on a foundational business model of added care because healthcare payments require special attention, thoughtfulness, and respect.
Simplify Your Healthcare Payments Today.