Zelle is not required to be HIPAA compliant due to a clause in the text of HIPAA that exempts payment processors from complying with HIPAA. However, covered entities that offer Zelle as a payment option should implement procedures for making the use of Zelle HIPAA compliant.
When covered entities accept payments directly from plan members and patients, it is not true that the payment options provided have to be HIPAA compliant payment options. In the original text of HIPAA, clause 1179 states that entities engaged in the activities of a financial institution are not required to comply with standards “adopted under this part” – “this part” being the HIPAA Administrative Simplification Regulations which include the Privacy and Security Rules.
To clarify what activities were exempted from HIPAA compliance, the clause lists “authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments” when the use or disclosure of individually identifiable health information is related to a payment for health care or health insurance. The exemption applies regardless of whether a transaction is conducted by credit, debit, or other payment card, check, or electronic funds transfer.
When Does HIPAA Apply to Payment Processors?
The reason some sources believe that healthcare payment options have to be HIPAA compliant payment options is that the exemption for payment processors only applies to payment processing activities. If a financial entity offers secondary services to a covered entity (i.e., invoicing services), and the secondary service requires uses or disclosures of Protected Health Information, HIPAA applies to the secondary service (but not the payment processing service).
In such circumstances, the financial entity is a business associate of the covered entity, it must implement safeguards to comply with the standards of the Security Rule, and enter into a Business Associate Agreement with the covered entity. However, if a secondary service does not require uses or disclosures of Protected Health Information, the financial entity does not qualify as a business associate and no Business Associate Agreement is necessary.
Using Zelle in Compliance with HIPAA
Although Zelle is not required to be HIPAA compliant, the fund transfer service takes data security seriously. As well as implementing measures to protect against the loss, misuse, unauthorized access, disclosure, or alteration of personal information, Zelle encrypts data at rest and in transit, uses information access authorization controls, and controls physical access to its data centers. Many of its security measures surpass what is required by HIPAA.
However, it also shares data for administrative and “everyday business” purposes – including with affiliates. Covered entities should be aware of this if they have conducted a thorough and comprehensive risk assessment before offering Zelle as a payment option (as required by §164.308) and should implement procedures to make the use of Zelle HIPAA compliant – for example, prohibiting members of the workforce from entering PHI in Zelle memo fields.
Is Zelle HIPAA Compliant? Considerations for Covered Entities
Zelle can be a convenient and inexpensive way for patients and plan members to pay for health care and health insurance. It can also improve covered entities’ cashflow positions due to the speed at which transactions are processed. However, it is important to be aware that limits apply to how much can be transferred in a single transaction and that fees for transactions may apply depending on the bank or financial institution providing the Zelle service.
In the context of answering the question is Zelle HIPAA compliant, the fund transfer service does not have to comply with HIPAA. However, because Zelle shares data with third parties, it is important that covered entities implement procedures to make the use of Zelle HIPAA compliant and alert patients and plan members to the risk of disclosing personal information in the memo field of the payment page. Covered entities unsure of whether to offer Zelle as a payment option are advised to seek professional compliance advice.