Is Stripe HIPAA compliant?

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.

Covered entities (CEs) and their business associates (BAs) must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).

The healthcare industry is vast, and finding a BA that can securely send or receive patient payments is fundamental to patient care.

This is especially true given the recent growth of telehealth and the resulting need to accept payments electronically.

RELATED: Historic Expansions of Telehealth to Combat COVID-19

Today, we will determine whether Stripe, as a financial institution, is HIPAA compliant.

RELATED: Guide to Online Payment Options & HIPAA Compliance

About Stripe

Stripe is a popular online payment platform based in San Francisco, California, used by tens of thousands of companies worldwide.

The company also develops the economic infrastructures of online businesses through its Stripe Partner Program. Accordingly, Stripe connects with various applications that help businesses build websites, communicate with customers, manage revenue, and prevent fraud.

Founded in 2010, Stripe has seen enormous growth in recent years as well as a surge in usage over the past few months.

Stripe and the business associate agreement

A BA is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a CE.

Generally, the HIPAA Privacy Rule allows CEs to disclose PHI to a BA if they receive assurance that the information is protected through a signed business associate agreement (BAA).

However, several exceptions were built into the Privacy Rule, including one addressing financial institutions:

". . . a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity."
Nevertheless, for complete protection, a CE should use a financial institution that will offer and sign a BAA. Unfortunately, there is no mention of a BAA anywhere on Stripe's website.

Stripe and user information

Like other payment companies, including PayPal, Stripe collects and uses data from its customers and from its customers' customers.

And while that data is not shared with third parties, Stripe and its partners use it for internal marketing and targeted advertising.

Under HIPAA, any information that can identify a patient and is used or disclosed during care is considered PHI. That includes a patient's name, which is exactly what a financial transaction carries.

Even though Stripe's robust cybersecurity is well documented, having the company collect and share such sensitive data is troubling.

Is Stripe HIPAA compliant?

Although a BAA is not required for financial institutions, it is a key component of HIPAA compliance, and Stripe does not appear to offer one.

Stripe still handles all payment operations, so if a breach or HIPAA violation occurs, the CE is the party held liable.

RELATED: Stripe Users Targeted in Phishing Attack That Steals Banking Info

Conclusion

Stripe is not HIPAA compliant.

About the author

Kapua Iao
