Is PayPal HIPAA Compliant?

PayPal is not required to be HIPAA compliant for payment processing activities when a payment collected on behalf of a covered entity relates to a payment for health care or health insurance. However, PayPal does not meet the requirements to be HIPAA compliant for any other service or activity. In addition, because of concerns about PayPal’s Privacy Policy, it is not advisable to disclose any sensitive personal information to PayPal.

PayPal – like all other financial institutions – is exempt from complying with HIPAA when the authorization, collection, processing, or transfer of a payment relates to health care or health insurance. However, when a financial institution provides secondary services to a HIPAA covered entity (e.g., invoicing services), the financial institution is required to comply with HIPAA if the secondary service involves uses or disclosures of Protected Health Information (PHI).

In such circumstances, the financial institution would qualify as a business associate of the covered entity, would be required to comply with all applicable standards of the Security Rule, and would have to enter into a Business Associate Agreement with the covered entity. The Business Associate Agreement can stipulate additional compliance requirements for the business associate depending on the nature of the service being provided for, or on behalf of, the covered entity.

The HIPAA Exemption for Payment Processors

The HIPAA exemption for payment processors appears in §1179 of HIPAA and is codified in 42 USC §1320d-8. The exemption applies only to activities related to the processing of a payment, and only if the payment is related to health care or health insurance. To clear up any possible confusion about whether a financial institution could still qualify as a business associate, HHS included the following in the preamble to the HIPAA Omnibus Final Rule in 2013:

“Section 1179 of HIPAA exempts certain activities of financial institutions from the HIPAA Rules to the extent that these activities constitute […] collecting payments for health care or health plan premiums. However, a banking or financial institution may be a business associate where the institution performs functions above and beyond the payment processing activities […], such as performing accounts receivable functions on behalf of a health care provider.”

Is PayPal HIPAA Compliant for “Functions Above and Beyond”?

Despite having safeguards in place to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS), those safeguards lack the controls necessary for PayPal to be HIPAA compliant for functions above and beyond the exempted payment processing activities. This means that covered entities cannot use PHI in any business service offered by PayPal (invoicing, analytics, reporting, etc.), as doing so would be a violation of HIPAA.

While these services can be used if no PHI is disclosed to PayPal, it is important to be aware that PayPal’s Privacy Policy states that it collects sensitive information and may use it for marketing activities or share it with business partners. For this reason, no sensitive information – even information that is not considered PHI under HIPAA – should be used in a business service offered by PayPal. Although this would not be a HIPAA violation, it may lead to complaints about data privacy.

Alerting Patients and Plan Members to the Privacy Risks

Offering PayPal as a payment option has benefits for health care and health insurance providers, inasmuch as PayPal is a popular online payment option for consumers and funds are received almost immediately. However, when offering PayPal as a payment option, covered entities are advised to alert patients and plan members to the privacy risks and to advise them to keep the amount of sensitive personal information included in payments to the minimum necessary.

It can be a good idea to include payment processing in HIPAA training in case members of the workforce are asked about the privacy risks. The training should be documented, as should any warnings provided to patients and plan members. Covered entities with questions about using PayPal in a HIPAA compliant manner, or about training members of the workforce on payment processing, should seek professional HIPAA compliance advice.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years’ experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA