Is PayPal HIPAA Compliant?


PayPal is exempt from compliance with HIPAA in respect of payment processing activities and covered entities can use the online payment system to collect payments from patients and plan members. However, covered entities should take care not to disclose Protected Health Information if using any of PayPal’s other business services.

In the context of answering the question is PayPal HIPAA compliant, it is important to be aware that there is no such thing as a HIPAA compliant payment processing service. This is because when Congress enacted HIPAA in 1996, the text of the Act included a clause (§1179) which exempts “entities […] engaged in authorizing, processing, clearing, settling, transferring, reconciling, or collecting payments […] for health plan premiums or healthcare.”

PayPal qualifies as an exempted entity for payment processing activities as its primary purpose is the transfer of funds. Because it is exempt, PayPal is neither a HIPAA compliant payment processing service nor a non-compliant payment processing service. It is just a payment processing service that can be used to collect payments for health insurance and healthcare without violating the HIPAA Administrative Simplification Regulations.

Considerations When Using PayPal’s Payment Services

While it is possible to use PayPal’s payment services to send and receive payments for health insurance and healthcare, it is necessary to consider PayPal’s Privacy Policy when doing so. This is because the Privacy Policy states PayPal can collect “sensitive personal information”, use the information in marketing activities, and share the information with third-party service providers that include research, communications, and software development companies.

For this reason, it is not recommended that covered entities use PayPal to send payments to any recipient, even if (for example) a patient requests a refund of an overpayment via PayPal. A transaction from a healthcare provider to an individual implies a treatment relationship. Although the transaction itself is not a violation of HIPAA, it could result in a disclosure of sensitive personal information that, if accessed improperly, could subsequently be used to commit fraud or identity theft.

From the patient’s perspective, although PayPal customers can control which third-party service providers can access their account and what information is collected, many users do not know these privacy controls exist. Patients who want to pay for healthcare via PayPal should be advised that PayPal will collect, and may use, any sensitive personal information included in the transaction for purposes unrelated to the reason for the transaction.

Is PayPal HIPAA Compliant for Other Business Services?

In 2013, the Department of Health and Human Services (HHS) published the HIPAA Omnibus Final Rule. In the preamble to the Rule, HHS responds to a comment by stating “Section 1179 of HIPAA exempts certain activities of financial institutions from the HIPAA Rules” and concludes by stating “a banking or financial institution may be a business associate where the institution performs functions above and beyond the payment processing activities”.

This means that if a covered entity uses or discloses Protected Health Information (PHI) to a financial institution for a service other than payment processing, the financial institution qualifies as a business associate of the covered entity. Not only must the financial institution comply with all applicable Security Rule standards, but it must also enter into a Business Associate Agreement (BAA) assuring the covered entity of HIPAA compliance.

PayPal cannot assure a covered entity of HIPAA compliance because its privacy and security safeguards are designed to meet the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is scoped to cardholder data and does not address the administrative, physical, and technical safeguards the HIPAA Security Rule requires for PHI, so PCI DSS compliance does not demonstrate HIPAA compliance. Because PayPal does not meet the HIPAA requirements, it will not enter into a Business Associate Agreement with covered entities. Therefore, PayPal is not HIPAA compliant for its other business services.

Can Covered Entities Still Use PayPal’s Business Services?

Covered entities can still use PayPal’s business services, but, because the business services do not support HIPAA compliance, they cannot disclose PHI when doing so. This limitation means that PayPal’s transaction and analytic reports will be of little value to covered entities, notwithstanding that the reports only display transactions conducted via PayPal. In most cases, these would only account for a small proportion of a covered entity’s income.

Covered entities wanting to use these services with PHI would have to obtain a HIPAA authorization from each affected individual before doing so. As this is not a practical solution for making PayPal HIPAA compliant, and because individuals might be averse to PayPal collecting their sensitive information and decline to sign an authorization, covered entities are advised to minimize their use of PayPal as a payment option and offer HIPAA compliant alternatives.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/