HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.
We know the HIPAA-regulated industry is vast and that finding a business associate (BA) to send or receive secure patient payments is fundamental to patient care.
This is especially true with the recent growth of telehealth and the need to receive payments electronically.
Today, we will determine whether Stripe, as a financial institution, is HIPAA compliant.
Stripe is a popular online payment platform based in San Francisco, California, used by tens of thousands of companies worldwide.
The company also develops the economic infrastructures of online businesses through its Stripe Partner Program. Accordingly, Stripe connects with various applications that help businesses build websites, communicate with customers, manage revenue, and prevent fraud.
Founded in 2010, Stripe has seen enormous growth in recent years as well as a surge in usage over the past few months.
Stripe and the business associate agreement
A BA is a person or entity that performs certain functions or activities involving the use or disclosure of protected health information (PHI) on behalf of a covered entity (CE).
However, several exceptions were built into the Privacy Rule including one addressing financial institutions:
. . . a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.
Nevertheless, for complete protection, a CE should use a financial institution that will offer and sign a business associate agreement (BAA). Unfortunately, there is no mention of a BAA anywhere on Stripe’s website.
Stripe and user information
While the data is not shared with third parties, Stripe and its partners use it for internal marketing and targeted advertising.
According to HIPAA, any information that can identify a patient and is used or disclosed during care is considered PHI, including a patient’s name, which is used for financial transactions.
Even though Stripe’s robust cybersecurity is well documented, having the company collect and share sensitive data is troubling.
Is Stripe HIPAA compliant?
Although a BAA is not required for financial institutions, it is a key component of HIPAA compliance, and Stripe does not appear to offer one.
Stripe still handles all payment operations, so if a breach or HIPAA violation occurs, the CE remains liable.
Stripe is not HIPAA compliant.