HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.
We know the HIPAA industry is vast and that finding a business associate (BA) to send or receive secure patient payments is fundamental to patient care.
This is especially true with the recent growth of telehealth and the need to receive payments electronically.
Today, we will determine if Venmo as a financial institution is HIPAA compliant or not.
While Venmo is a popular finance app with over 60 million active customers, not many know that PayPal owns it. All merchants that accept PayPal can now accept Venmo, though it is only available within the U.S.
Venmo and the business associate agreement
A BA is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of a covered entity (CE).
However, several exceptions were built into the privacy rule including one addressing financial institutions:
. . . a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.
Nevertheless, for complete protection, a CE should utilize a financial institution that will offer and sign a BAA.
The Venmo website does not mention a BAA anywhere, and an email sent to the company received the response: “Venmo is not currently engaging in advertising or marketing with outside contractors.”
Unfortunately, the representative did not seem to know anything about HIPAA or BAAs.
Venmo and its user policies
Similar to other companies today, Venmo includes security and privacy policies on its website.
We strive to ensure security on our systems. Despite our efforts, we cannot guarantee that personal information may not be accessed, disclosed, altered or destroyed by breach of our administrative, managerial and technical safeguards.
The policies further state that while the company doesn’t share user information with third parties, it does share within its network, including with PayPal, which collects and sells user data to advertisers.
According to HIPAA, any information that can identify a patient and is used or disclosed during care is considered PHI, including a patient’s name, which is used for financial transactions.
Is Venmo HIPAA compliant?
The BAA is a key component of HIPAA compliance and Venmo does not appear to offer a BAA.
Furthermore, while Venmo states that it protects customer details, it also specifies that the company cannot guarantee complete cybersecurity.
Finally, Venmo shares customer information with PayPal, which admits to collecting and selling user information.
Given all three of these issues, if a breach or HIPAA violation occurs, the CE is liable.
Venmo is not HIPAA compliant.