Is Ivy Pay HIPAA Compliant?

Ivy Pay is HIPAA compliant for therapists who are required to comply with HIPAA due to qualifying as a covered or hybrid entity, or qualifying as a business associate when providing a service for or on behalf of a covered entity that involves the creation, receipt, storage, or transmission of Protected Health Information.

When healthcare providers conduct or outsource electronic healthcare transactions for which the Secretary for Health and Human Services has published standards, they are considered HIPAA covered entities and are required to comply with all applicable standards and implementation specifications of the HIPAA Administrative Simplification Regulations.

However, depending on the nature of a healthcare provider’s activities, they have the discretion to isolate non-covered activities from those covered by HIPAA and operate as a hybrid entity. This would mean that the health information of clients billed directly would have to be maintained separately from clients covered by health insurance or Medicare.

Because of the administrative overhead of isolating non-covered activities from those regulated by HIPAA, most healthcare providers in this position choose to become “full” HIPAA covered entities. This means they have to apply the same privacy and security safeguards to all individually identifiable health information and comply with all applicable HIPAA laws.

The Implications of the HIPAA Requirements

Regardless of whether a healthcare provider chooses to remain a hybrid entity or become a “full” HIPAA covered entity, there are implications with regard to how information protected by HIPAA can be used and disclosed. The implications apply not only to interactions with service providers and other healthcare providers, but also to the software used in the practice.

For example, if a healthcare provider stores Protected Health Information in Microsoft OneDrive or discloses it to colleagues via Microsoft Teams, a Business Associate Agreement has to be in place with Microsoft, the services must be configured to support HIPAA compliance, and any members of the workforce with access to the services must be trained on their compliant use.

The implications are not necessarily the same for all software applications that create, receive, maintain, or transmit Protected Health Information (PHI). For example, healthcare providers can disclose PHI for processing payments without a Business Associate Agreement in place, provided the payment processor provides no other invoicing or management services.

For this reason, it is possible to use a service that does not support HIPAA compliance (e.g., PayPal) to process payments, but not to invoice clients. If a healthcare provider wants to take advantage of invoicing and management services offered by a payment provider, the payment provider must itself be HIPAA compliant and offer a Business Associate Agreement.

Is Ivy Pay HIPAA Compliant?

Ivy Pay is one of a number of payment processors that support HIPAA compliance for therapists. The benefit Ivy Pay has over most of its competitors is that it is easy to use and has a low per transaction cost. It also allows clients to upload their credit, debit, FSA, or HSA card details so that payments can be taken with the tap of a smartphone screen.

For therapists, this has the benefit of avoiding scenarios in which clients have just benefitted from a therapy session, but some of the benefit is lost due to the clients having to change focus to complete a financial transaction. With Ivy Pay, the payment can be taken by the therapist at the end of each session and the client advised of the transaction via an SMS message.

Because Ivy Pay also supports client intake, appointment scheduling, and payment management, Ivy Pay has implemented safeguards to protect PHI at rest and in transit, and includes the safeguards required to prevent unauthorized access to client databases. Ivy Pay also offers a Business Associate Agreement to therapists that qualify as a covered or hybrid entity.

With regard to configuring the software to make Ivy Pay HIPAA compliant, the software is HIPAA ready by default. Therapists only need to sign up for an account, verify their licensing credentials, and agree to the Business Associate Agreement before the software can be used to collect payments from clients. For more information, visit

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X