HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities (CEs) and their business associates (BAs) must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI). We know the HIPAA industry is vast and that finding a BA to send or receive secure patient payments is fundamental to patient care. This is especially true with the recent growth of telehealth and the need to receive payments electronically.
Today, we will determine whether Venmo, as a financial institution, is HIPAA compliant.
About Venmo
Venmo is a peer-to-peer payment app founded in 2009 and acquired by Braintree in 2012. Braintree and its subsidiaries were then acquired by PayPal in 2013/2014. While Venmo is a popular finance app with over 60 million active customers, not many know that PayPal owns it. All merchants that accept PayPal can now accept Venmo, though it is only available within the U.S.
Venmo and the business associate agreement
A BA is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a CE. Generally, the HIPAA Privacy Rule allows CEs to disclose PHI to a BA if they receive assurance that the information is protected through a signed business associate agreement (BAA). However, several exceptions were built into the Privacy Rule, including one addressing financial institutions:

. . . a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.
Nevertheless, for complete protection, a CE should utilize a financial institution that will offer and sign a BAA. The Venmo website does not mention a BAA anywhere, and an email sent to the company received the response: “Venmo is not currently engaging in advertising or marketing with outside contractors.” Unfortunately, the representative did not seem to know anything about HIPAA or BAAs.
Venmo and its user policies
Similar to other companies today, Venmo includes security and privacy policies on its website. Venmo utilizes encryption and secure servers to protect account details, but within its privacy policy, the company makes it evident that it cannot guarantee data will be safeguarded:

We strive to ensure security on our systems. Despite our efforts, we cannot guarantee that personal information may not be accessed, disclosed, altered or destroyed by breach of our administrative, managerial and technical safeguards.
The policies further state that while the company doesn’t share user information with third parties, it does share it within its own corporate network, including with PayPal, which collects and sells user data to advertisers. And according to HIPAA, any information that can identify a patient and is used or disclosed during care is considered PHI, including a patient’s name, which is used for financial transactions.
Is Venmo HIPAA compliant?
The BAA is a key component of HIPAA compliance, and Venmo does not appear to offer a BAA. Furthermore, while Venmo states that it protects customer details, it also specifies that the company cannot guarantee complete cybersecurity. Finally, Venmo shares customer information with PayPal, which admits to collecting and selling user information. Given all three of these issues, if a breach or HIPAA violation occurs, the CE is liable.
Conclusion
Venmo is not HIPAA compliant.