Is PayPal HIPAA compliant?


HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.

Covered entities (CEs) and their business associates (BAs) must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).

We know the HIPAA industry is vast and that finding a BA to send or receive secure patient payments is fundamental to patient care.

This is especially true with the recent growth of telehealth and the need to receive payments electronically.

RELATED: Historic Expansions of Telehealth to Combat COVID-19

Today, we will determine whether PayPal, as a financial institution, is HIPAA compliant.

RELATED: Guide to Online Payment Options & HIPAA Compliance

About PayPal

PayPal is an online financial institution founded in December 1998. As an open digital payment platform, PayPal connects people worldwide by offering flexibility when sending and/or receiving payments.

In fact, with around 300 million active users, PayPal is one of the most popular online payment providers.

PayPal and the business associate agreement

A BA is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a CE.

Generally, the HIPAA Privacy Rule allows CEs to disclose PHI to a BA if they receive assurance that the information is protected through a signed business associate agreement (BAA).

However, several exceptions were built into the Privacy Rule, including one addressing financial institutions:


. . . a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.


Nevertheless, for complete protection, a CE should utilize a financial institution that will offer and sign a BAA.

There is no mention of a BAA anywhere on the PayPal website. A message from the PayPal community addressed this without a helpful solution, one member stating, “Unless you signed a [BAA] with paypal [sic], which I’m sure they don’t offer, paypal is not HIPAA compliant.”

PayPal and user information

Similar to other companies today, PayPal collects user data and sells it to advertisers.

In 2016, then Head of Data Technology, Adam Christensen, stated:


By applying advanced analytics to big data, PayPal is able to present relevant offers from merchants to consumers—such as discounts when using PayPal as payment. These customized offers, based on algorithms using past-purchase history, are presented in-context, both online and in-app, driving higher transaction volume for merchants while enabling consumers to get more value from their purchase (like saving money!).


Knowing that a payment processor may sell user information should make a CE insist on a BAA at all times, even given the HIPAA Privacy Rule exception.

And according to HIPAA, any information that can identify a patient and is used or disclosed during care can be considered PHI, including a patient’s name, which is used for financial transactions.

Is PayPal HIPAA compliant?

The BAA is a key component of HIPAA compliance, and PayPal does not appear to offer a BAA. Furthermore, PayPal openly collects and sells user data, some of which could be considered PHI.

And if a breach or HIPAA violation occurs, the CE is liable.

RELATED: Paypal confirms users may have been affected by security breach

Conclusion

PayPal is not HIPAA compliant.


About the author

Kapua Iao
