Is PayPal HIPAA Compliant?
PayPal is exempt from compliance with HIPAA in respect of payment processing activities, and covered entities can use the online payment system to collect payments from patients and plan members. However, covered entities should take care not to disclose Protected Health Information if using any of PayPal's other business services.
When answering the question of whether PayPal is HIPAA compliant, it is important to be aware that there is no such thing as a HIPAA compliant payment processing service. This is because when Congress enacted HIPAA in 1996, the text of the Act included a clause (§1179) which exempts "entities [...] engaged in authorizing, processing, clearing, settling, transferring, reconciling, or collecting payments [...] for health plan premiums or healthcare."
PayPal qualifies as an exempted entity for payment processing activities as its primary purpose is the transfer of funds. Because it is exempt, PayPal is neither a HIPAA compliant payment processing service nor a non-compliant payment processing service. It is just a payment processing service that can be used to collect payments for health insurance and healthcare without violating the HIPAA Administrative Simplification Regulations.
Considerations When Using PayPal's Payment Services
While it is possible to use PayPal's payment services to send and receive payments for health insurance and healthcare, it is necessary to consider PayPal's Privacy Policy when doing so. PayPal's Privacy Policy states that PayPal can collect "sensitive personal information", use the information in marketing activities, and share the information with third-party service providers that include research, communications, and software development companies.
For this reason, it is not recommended that covered entities use PayPal to send payments to any recipient, even if (for example) a patient requests a refund of an overpayment via PayPal. A transaction from a healthcare provider to an individual implies a treatment relationship which, although not a violation of HIPAA, could result in a disclosure of sensitive personal information that, if accessed improperly, could subsequently be used to commit fraud or identity theft.
From the patient's perspective, although PayPal customers can control which third-party service providers can access their account and what information is collected, many users do not know these privacy controls exist. Patients who want to pay for healthcare via PayPal should be advised that PayPal will collect, and may use, any sensitive personal information included in the transaction for purposes unrelated to the reason for the transaction.
Is PayPal HIPAA Compliant for Other Business Services?
In 2013, the Department of Health and Human Services (HHS) published the HIPAA Omnibus Final Rule. In the preamble to the Rule, HHS states "Section 1179 of HIPAA exempts certain activities of financial institutions from the HIPAA Rules" and concludes by stating "a banking or financial institution may be a business associate where the institution performs functions above and beyond the payment processing activities".
This means that if a covered entity uses or discloses Protected Health Information (PHI) to a financial institution for a service other than payment processing, the financial institution qualifies as a business associate of the covered entity. Not only must the financial institution comply with all applicable Security Rule standards, but it must also enter into a Business Associate Agreement assuring the covered entity of HIPAA compliance.
PayPal cannot assure a covered entity of HIPAA compliance because its privacy and security safeguards are designed to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS), not HIPAA. HIPAA imposes requirements that PCI DSS does not address (for example, restrictions on the use and disclosure of PHI), and because PayPal does not meet the HIPAA requirements, it will not enter into a Business Associate Agreement with covered entities. Therefore, PayPal is not HIPAA compliant for other business services.
Can Covered Entities Still Use PayPal's Business Services?
Covered entities can still use PayPal's business services, but, because the business services do not support HIPAA compliance, they cannot disclose PHI when doing so without first obtaining a HIPAA authorization from each affected individual. This is not a practical solution for making PayPal HIPAA compliant because, when informed of the purpose of the authorization, individuals might be averse to PayPal collecting their sensitive information and decline to sign the authorization.
This limitation means that PayPal's transaction and analytic reports will be of little value to covered entities, and in any case the reports only display transactions conducted via PayPal, which in most cases would account for only a small proportion of a covered entity's income. For this reason, covered entities are advised to minimize their use of PayPal as a payment option and offer HIPAA compliant alternatives instead.
If PayPal is used in any capacity to send or receive payments, it is important that members of the workforce involved in payment processing receive HIPAA training on how to use PayPal without violating HIPAA. It may also be necessary to provide additional security awareness training to mitigate the risk of PayPal credentials being disclosed via a phishing email or an insecure Internet connection. To help secure accounts, PayPal recommends enabling multi-factor authentication.