HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that, among other things, sets national standards for the privacy and security of health information. Covered entities (CEs) and their business associates (BAs) must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).
We know the healthcare industry is vast and that finding a BA that can securely send or receive patient payments is fundamental to running a practice. This is especially true with the recent growth of telehealth and the need to accept payments electronically.
Today, we will determine if Stripe as a financial institution is HIPAA compliant or not.
Stripe is a popular online payment platform based in San Francisco, California and used by tens of thousands of companies worldwide. The company also builds economic infrastructure for online businesses through its Stripe Partner Program. Accordingly, Stripe integrates with various applications that help businesses build websites, communicate with customers, manage revenue, and prevent fraud.
Founded in 2010, Stripe has seen enormous growth in recent years as well as a surge in usage over the past few months.
Stripe and the business associate agreement
A BA is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a CE. Generally, the HIPAA Privacy Rule allows a CE to disclose PHI to a BA only if it receives assurance that the information will be protected, in the form of a signed business associate agreement (BAA). However, several exceptions were built into the Privacy Rule, including one addressing financial institutions:
. . . a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.
Nevertheless, for complete protection, a CE should use a financial institution that will offer and sign a BAA. Unfortunately, there is no mention of a BAA anywhere on Stripe's website.
Stripe and user information
Similar to other companies, including PayPal, Stripe collects and uses data about its customers and its customers' customers. While that data is not shared with outside third parties, Stripe and its partners use it for internal marketing and targeted advertising.
Under HIPAA, individually identifiable health information that is created, used, or disclosed in the course of providing or paying for care is PHI; that includes a patient's name, which necessarily appears in a payment transaction. Even though Stripe's robust cybersecurity is well documented, having the company collect and use such data for marketing is troubling.
Is Stripe HIPAA compliant?
Although it is not required for financial institutions, the BAA is a key component of HIPAA compliance and Stripe does not appear to offer one.
Conclusion: Stripe is not HIPAA compliant.