Does PayPal Need to be HIPAA Compliant to Accept Payments for Healthcare?

PayPal does not need to be HIPAA compliant to accept payments for healthcare due to an exemption in HIPAA that applies to all banks and financial institutions for payment processing. However, banks and financial institutions do need to be HIPAA compliant for supplementary services they offer covered entities that involve a use or disclosure of Protected Health Information (PHI).

The exemption for banks and financial institutions is in §1179 of the text of HIPAA. It is also codified in 42 USC §1320d-8. The exemption applies to authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for healthcare or health plan premiums; and, according to the preamble of the Omnibus Final Rule, it means that banks and financial institutions do not qualify as business associates for payment processing activities.

However, if a bank or financial institution offers covered entities supplementary services that require uses or disclosures of PHI (e.g., performing accounts receivable functions), those services are not exempted from HIPAA. In such cases, the bank or financial institution would qualify as a business associate, would be required to comply with the standards of the Security Rule, and would be required to enter into a Business Associate Agreement with the covered entity.

Is PayPal HIPAA Compliant for Supplementary Services?

PayPal is not HIPAA compliant for supplementary services such as invoicing, analytics, and reporting. Although PayPal has measures in place to comply with the Payment Card Industry Data Security Standard (PCI DSS), the measures do not match the standards required by the Security Rule. As a result, PayPal cannot ensure the confidentiality, integrity, and availability of electronic PHI and will not enter into a Business Associate Agreement with covered entities.

This does not mean covered entities cannot take advantage of PayPal’s supplementary services. It means that, if they do, it is not permissible to use or disclose PHI in connection with them. This can make it difficult to obtain any benefit from the supplementary services. In addition, most covered entities do not receive the majority of their income via PayPal, so using PayPal’s supplementary services may not be worthwhile in any case.

Why You Might Want to Alert Patients to PayPal’s Privacy Policy

Although giving patients the option to pay for healthcare with PayPal can be convenient, there are privacy risks. PayPal’s Privacy Policy states that it will collect sensitive personal information and may use it for marketing purposes or share it with business partners. As this may result in patients’ sensitive information being widely disclosed, it is advisable to alert patients to PayPal’s Privacy Policy and offer an alternative payment option.

If a covered entity does not warn a patient of the privacy risks, and the patient then receives targeted marketing emails about a sensitive subject from a source they have had no contact with, this may lead to allegations of HIPAA violations. Although such allegations would be unjustified, alerting patients to PayPal’s Privacy Policy can reduce the administrative burden of responding to a complaint or of the complaint being escalated to HHS’ Office for Civil Rights. Covered entities requiring more information on this subject should speak with a HIPAA compliance professional.


Posted by

John Blacksmith

John Blacksmith is a journalist with several years’ experience in both print and online publications. John has specialised in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.