Does Zelle Need to be HIPAA Compliant?

Zelle does not need to be HIPAA compliant before covered entities can use the fund transfer service to collect payments from patients and plan members because of an exemption in HIPAA for payment processors. However, covered entities must ensure that, if Zelle is offered as a payment method, procedures exist to make the use of Zelle HIPAA compliant.

Is Zelle HIPAA Compliant?

The perception that HIPAA covered entities have to offer HIPAA compliant payment methods to patients and plan members is untrue. Payment processors are excluded from having to comply with HIPAA under §1179 of the Health Insurance Portability and Accountability Act of 1996. The exemption was confirmed by the Department of Health and Human Services (HHS) in 2013.

Therefore, in the context of the question "is Zelle HIPAA compliant?", the answer is that Zelle is not required to be. Regardless of this, Zelle has strong data security protections equivalent to those required by the HIPAA Security Rule and provides quality advice on its website about how customers should take steps to secure their accounts and protect personal information.

Zelle is also transparent about what data is collected about customers and who it is shared with. Of particular relevance to this article, Zelle acknowledges that it collects health information entered into the memo field when a customer sends a payment. Presumably the same applies when a covered entity requests a payment or sends a payment reminder.

The Misperception about HIPAA Compliant Payment Methods

The misperception about HIPAA compliant payment methods exists because, although payment processors are exempt from HIPAA for payment processing activities, they are not exempt for any secondary services that involve uses or disclosures of Protected Health Information (PHI). Examples include invoicing, accounts payable, and accounting services.

When secondary services are used by a covered entity, and PHI is shared with the payment processor for these services, the payment provider becomes a business associate of the covered entity and must enter into a Business Associate Agreement. This arrangement only applies to secondary services. Payment processing services are still exempt.

Zelle does not offer secondary services, so there are no circumstances in which Zelle would qualify as a business associate. However, because Zelle collects health information and shares data with affiliates, it is important that measures are implemented to prevent PHI being entered into the memo field when a payment is being made or requested via the fund transfer service.

How to Make the Use of Zelle HIPAA Compliant

There are two things covered entities should do to make the use of Zelle HIPAA compliant. The first is to implement a policy not to use Zelle to request payments or send payment reminders. A policy of this nature eliminates the need for Zelle to access a covered entity's contacts list, the data in which can also be collected by Zelle and shared with affiliates.

The second thing is to warn patients and plan members who want to send payments via Zelle not to include health information in the memo field. It is advisable to document the warning and, if possible, obtain an acknowledgement of the warning. While this is not a requirement of HIPAA, it can help negate any Zelle-related complaints for impermissible disclosures of PHI.

In conclusion, Zelle does not need to be HIPAA compliant to accept payments from patients and plan members. However, covered entities should be careful about how Zelle is used by both members of the workforce and patients/plan members to eliminate the risk of impermissible disclosures. Covered entities who require assistance in using Zelle in compliance with HIPAA should seek independent compliance advice.


Posted by

John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.