HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities (CEs) and their business associates (BAs) must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI). We know the HIPAA industry is vast and that finding a BA to send or receive secure patient payments is fundamental to patient care. This is especially true with the recent growth of telehealth and the need to receive payments electronically.
Today, we will determine whether Venmo, as a financial institution, is HIPAA compliant.
Venmo is a peer-to-peer payment app founded in 2009 and acquired by Braintree in 2012. Braintree and its subsidiaries were then acquired by PayPal in 2013/2014. While Venmo is a popular finance app with over 60 million active customers, not many know that PayPal owns it. All merchants that accept PayPal can now accept Venmo, though the service is only available within the U.S.
Venmo and the business associate agreement
A BA is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a CE. Generally, the HIPAA Privacy Rule allows CEs to disclose PHI to a BA if they receive assurance that the information is protected through a signed business associate agreement (BAA). However, several exceptions were built into the Privacy Rule, including one addressing financial institutions:
. . . a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.
Nevertheless, for complete protection, a CE should use a financial institution that will offer and sign a BAA. The Venmo website does not mention a BAA anywhere, and an email sent to the company received the response: “Venmo is not currently engaging in advertising or marketing with outside contractors.” Unfortunately, the representative did not seem to know anything about HIPAA or BAAs. Venmo’s privacy policy states:
We strive to ensure security on our systems. Despite our efforts, we cannot guarantee that personal information may not be accessed, disclosed, altered or destroyed by breach of our administrative, managerial and technical safeguards.
The policies further state that while the company doesn’t share user information with third parties, it does share it within its own network, including with PayPal, which collects and sells user data to advertisers. According to HIPAA, any information that can identify a patient and is used or disclosed during care is considered PHI, including a patient’s name, which is used for financial transactions.
Is Venmo HIPAA compliant?
The BAA is a key component of HIPAA compliance, and Venmo does not appear to offer one. Furthermore, while Venmo states that it protects customer details, it also specifies that the company cannot guarantee complete cybersecurity. Finally, Venmo shares customer information with PayPal, which admits to collecting and selling user information. Given all three of these issues, if a breach or HIPAA violation occurs, the CE is liable.
Conclusion
Venmo is not HIPAA compliant.