Is Stripe HIPAA compliant?

Stripe does not have to be HIPAA compliant to provide payment processing services to HIPAA covered entities and business associates, because payment processing activities are exempted from HIPAA with regard to uses and disclosures of PHI. However, if any of Stripe’s other services are intended to be used by a covered entity or business associate to create, collect, maintain, or transmit PHI, it is important to know whether Stripe is HIPAA compliant for those services.

What is Stripe?

Stripe is an automated payment gateway solution that securely connects a business’s website, app, or other payment channel (e.g., a card reader) to a payment processor when a customer pays for something. Stripe claims to enhance the customer payment experience by supporting multiple payment types (e.g., debit cards, ACH, and digital wallets) and by enabling customers to pay at any time, from any device, or in person.

As well as facilitating secure and convenient payments, Stripe offers a range of additional business services, such as billing, automatic invoice reconciliation, and chargeback protection, that can be used as standalone services on the Stripe platform or integrated into other apps such as HubSpot, DocuSign, and Intuit QuickBooks. Businesses can also issue branded physical and virtual cards via Stripe to enhance customer loyalty.

Why Payment Processing Activities are Exempted by HIPAA

Payment processing activities are exempted by HIPAA because Title II of HIPAA added §1179 to the Social Security Act. This section effectively allows the use or disclosure of PHI “for authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting, a payment for, or related to, health plan premiums or health care.”

In 2002, the Department of Health and Human Services published guidance stating that “when it conducts these activities, the financial institution is providing its normal banking […] services to customers. It is not performing a function or activity for, or on behalf of, a covered entity.” The Department subsequently confirmed, in the preamble to the HIPAA Omnibus Final Rule, that payment processors do not qualify as business associates and are therefore not required to be HIPAA compliant.

Is Stripe HIPAA Compliant for Its Other Services?

Although Stripe does not have to be HIPAA compliant for the exempted payment processing services it provides, it does have to be HIPAA compliant if covered entities use any of its other services to create, collect, maintain, or transmit PHI. Stripe complies with multiple data privacy and security regulations (e.g., CCPA, GDPR, and PIPEDA), but HIPAA is not among them.

The reason Stripe is not HIPAA compliant is that it combines personal and transaction data into a single data set and shares that data set with business partners to help improve its services, direct interest-based advertising, and detect fraud. Some of these uses are exempted by §1179 of the Social Security Act, but others are not. For a non-exempt use, Stripe would have to enter into Business Associate Agreements with its business partners before sharing a data set that includes PHI.

However, some of Stripe’s business partners are not HIPAA compliant and will not enter into a Business Associate Agreement. As a result, Stripe is unable to enter into Business Associate Agreements with its own customers and is not HIPAA compliant for its other services, for example billing, automatic invoice reconciliation, and chargeback protection. Covered entities and business associates that disclose PHI to Stripe for any purpose other than payment processing are therefore disclosing PHI without a Business Associate Agreement, in violation of HIPAA.

Other Considerations when Evaluating Stripe

Whether Stripe is HIPAA compliant is one of several questions covered entities and business associates should consider before adopting Stripe as an automated payment gateway solution. Other questions include how much it will cost, which integrations are available, and whether Stripe will accept the organization as a customer.

Stripe’s pricing is less favorable than that of some other payment processing platforms, but it accepts more currencies in more formats than most, which is more convenient for customers, and it has an excellent reputation for security. Stripe also offers thousands of integrations businesses can take advantage of, such as HubSpot, DocuSign, and Intuit QuickBooks.

Whether Stripe will accept your organization as a customer depends on the nature of the services being provided. Stripe does not allow its solution to be used to collect payments (including co-pays) for telemedicine and telehealth services, for insurance services that include medical benefit packages, or for prescription-only pharmaceuticals and regulated medical devices.

Covered entities and business associates are advised to review Stripe’s Service Agreement and associated documentation carefully when evaluating Stripe as a payment gateway and, if they intend to disclose PHI in any transaction with Stripe, to seek professional compliance advice first.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years’ experience as a HIPAA coach and provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA