Is Ivy Pay HIPAA Compliant?

HIPAAGuide.net

Ivy Pay is HIPAA compliant for licensed independent therapists and mental health professionals that qualify as covered or hybrid entities, or that provide services for or on behalf of a covered or hybrid entity as a business associate.

Healthcare providers do not qualify as HIPAA covered entities if they do not conduct electronic transactions for which the Department of Health and Human Services has published standards in Part 162 of the Administrative Simplification Regulations.

However, if healthcare providers conduct a mixture of covered and non-covered transactions – as many independent therapists and mental health professionals do – they have the option of becoming fully HIPAA compliant or operating as a hybrid entity.

Because of the challenges of operating as a hybrid entity, it is often simpler to become fully HIPAA compliant and apply the provisions of the Privacy and Security Rules to all individually identifiable health information maintained by the healthcare provider.

In such cases, an independent therapist or mental health professional that provides services for or on behalf of the healthcare provider must also comply with the applicable provisions of HIPAA and enter into a Business Associate Agreement with the healthcare provider.

Why Payment Processing Can be an Issue

Applying the provisions of the Privacy and Security Rules to all individually identifiable health information resolves the issue of applying one set of safeguards to the information of clients billed directly and another to Protected Health Information (PHI), but it can create an issue relating to payment processing.

Payment processors are exempted from complying with HIPAA by 42 USC §1320d-8. However, the exemption only applies to the payment processing element of the service provided to the covered entity. If the payment processor invoices a client as part of the service, the Privacy Rule applies to the use and disclosure of PHI.

This is not a problem for covered entities that only claim reimbursement from health plans or Medicare because these organizations also qualify as covered entities, and uses or disclosures of PHI are permitted in healthcare transactions. It would also not be a problem for healthcare providers that do not qualify as HIPAA covered entities.

However, when healthcare providers conduct both covered and non-covered healthcare transactions, care has to be taken to ensure PHI is not disclosed to payment processors for purposes other than payment processing without a Business Associate Agreement in place. This can limit the options for hybrid entities operating as “full” covered entities.

HIPAA Compliant Payment Processors

Payment processors willing to provide HIPAA compliant services beyond payment processing are quite hard to find. Some banks – e.g., Bank of America – will not provide payment and invoicing management services to customers when the service involves a use or disclosure of PHI. Others – e.g., Chase – require customers to subscribe to a third-party service.

Popular online payment solutions such as PayPal lack the security controls required to support HIPAA compliance (but can still be used to process payments), while some payment solutions that offer both online and in-person payment processing charge a per-transaction fee and charge for the hardware required to process the transaction in person.

Independent therapists and mental health professionals that find the cost of premium subscription plans and payment processing hardware excessive have the option of signing up for services such as Ivy Pay – a HIPAA compliant payment processing solution that only charges per-transaction fees, but which offers a host of additional services.

How is Ivy Pay HIPAA Compliant?

Ivy Pay supports HIPAA compliance inasmuch as the vendor has implemented controls to comply with the HIPAA Security Rule and will offer licensed therapists and mental health professionals a Business Associate Agreement. The Business Associate Agreement is standard among software providers and does not include any contentious clauses.

Therapists and mental health professionals do not have to take any further actions to make Ivy Pay HIPAA compliant, as the downloadable app and web portals are already configured to support HIPAA compliance. This means eligible healthcare professionals can use Ivy Pay from Day 1 for tasks such as client intake, appointment scheduling, and payment management.

The only downside of using Ivy Pay is that the software does not integrate with other software. While this may not be an issue for sole trader therapists, larger practices that want to integrate payment processing software with practice management solutions and EHRs may have to look for a HIPAA compliant alternative to Ivy Pay.

Is Ivy Pay HIPAA Compliant? Summary

Although the only healthcare providers likely to require Ivy Pay to be HIPAA compliant are independent therapists and mental health professionals that conduct both covered and non-covered healthcare transactions, it is important to know whether Ivy Pay is HIPAA compliant before disclosing PHI for a transaction other than payment processing.

Ivy Pay is HIPAA compliant, and PHI can be disclosed to the payment processor provided healthcare providers enter into a Business Associate Agreement with the company. However, it is important to be aware that the Business Associate Agreement only makes Ivy Pay HIPAA compliant. It does not cover the Talk to Ivy service.

While it is difficult to conceive many scenarios in which PHI might be disclosed by a healthcare provider via the Talk to Ivy service, disclosures via the service would not only be a violation of HIPAA, but might also be a violation of a healthcare professional’s license. Independent therapists and mental health professionals unsure about what constitutes an impermissible disclosure of PHI are advised to seek professional compliance advice.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/