More and more today, healthcare organizations are turning to online payment options. This is especially true with the recent growth of telehealth and the need to receive payments electronically.
But with this new need, healthcare organizations must continue to follow HIPAA (the Health Insurance Portability and Accountability Act of 1996), U.S. legislation created to improve healthcare privacy standards.
Several recent Paubox blogs have focused on online financial institutions. This guide will summarize what we have learned about online payment options and HIPAA compliance for the healthcare industry.
Online payments and HIPAA compliance
Before we dive into each payment option, there are a few things to remember about HIPAA compliance. Covered entities (CEs) and their business associates (BAs) maintain HIPAA compliance by protecting the rights and privacy of patients and their protected health information (PHI).
A BA is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a CE.
However, several exceptions were built into the Privacy Rule, including one addressing financial institutions:
. . . a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.
However, some financial institutions do more than process payments. For example, some companies generate and/or share bills and receipts, oftentimes containing PHI.
For complete protection, a CE should use a financial institution that will sign a business associate agreement (BAA).
Online payments and PHI
Besides ensuring that a financial institution will sign a BAA, a CE must look into how the company safeguards PHI as outlined in the HIPAA Security Rule.
This includes when and how invoices/receipts are securely sent (e.g., through HIPAA compliant email), where and how data is stored, and how payment transactions are protected.
A final consideration is what the BA does with the PHI it receives. For example, does it collect customer data (and is it upfront about this)? Does it sell data? Use it for marketing? Does the BA keep PHI private and secure?
Given the numerous ways PHI could be exposed during a financial transaction, any breach is a HIPAA violation for which a BA and/or a CE could be held liable.
PayPal is an open digital payment platform used worldwide, offering flexibility when sending and/or receiving payments. Currently, there are around 300 million active users.
So is PayPal HIPAA compliant?
PayPal is not HIPAA compliant because it does not appear to offer a BAA and openly collects and sells user data.
Venmo is a peer-to-peer payment app acquired by PayPal in 2013/2014. With over 60 million active customers, all merchants (within the U.S.) that accept PayPal can now accept Venmo.
Stripe is another popular online payment platform used by tens of thousands of companies worldwide. Through the Stripe Partner Program, Stripe also connects with various apps that help businesses build websites and accept online transactions.
Despite its reputation for robust cybersecurity, Stripe is not HIPAA compliant because it does not appear to offer a BAA and, like PayPal, openly collects and sells user data.
Square acts as both a financial service and a mobile payment company and is best known for its Square Reader, which transforms a device into a point-of-sale solution. Beyond this, Square also allows payments and/or money transfers via its app or website.
Square appears to be HIPAA compliant because it offers a BAA to customers and explicitly states that it will not use or disclose PHI. Neither party needs to sign a separate document; the BAA is built into the user agreement.
PayPal, Venmo, and Stripe are not HIPAA compliant because they will not sign a BAA and they collect and sell user data. Square, on the other hand, offers a BAA and affirms that its services will not violate HIPAA.
Nonetheless, even when using Square, a healthcare organization should still actively safeguard PHI with its own HIPAA compliant cybersecurity measures. These include up-to-date employee awareness training, offline backups, multi-factor authentication, and email security software.
Paubox Email Suite enables HIPAA compliant email communication between CEs and BAs, as well as between CEs and patients. Once configured, Paubox automatically encrypts every outbound email with no extra steps, clicks, or log-ins.
Using a company such as Paubox is necessary today, when so many services, including financial transactions, are handled electronically.