Is PayPal HIPAA Compliant?

Is PayPal HIPAA Compliant? HIPAA Guide.net

PayPal is exempt from compliance with HIPAA in respect of payment processing activities, and covered entities can use the online payment system to collect payments from patients and plan members. However, covered entities should take care not to disclose Protected Health Information if using any of PayPal’s other business services.

In the context of answering the question “is PayPal HIPAA compliant”, it is important to be aware there is no such thing as a HIPAA compliant payment processing service. This is because when Congress enacted HIPAA in 1996, the text of the Act included a clause (§1179) which exempts “entities […] engaged in authorizing, processing, clearing, settling, transferring, reconciling, or collecting payments […] for health plan premiums or healthcare.”

PayPal qualifies as an exempted entity for payment processing activities as its primary purpose is the transfer of funds. Because it is exempt, PayPal is neither a HIPAA compliant payment processing service nor a non-compliant payment processing service. It is just a payment processing service that can be used to collect payments for health insurance and healthcare without violating the HIPAA Administrative Simplification Regulations.

Considerations When Using PayPal’s Payment Services

While it is possible to use PayPal’s payment services to send and receive payments for health insurance and healthcare, it is necessary to consider PayPal’s Privacy Policy when doing so. PayPal’s Privacy Policy states PayPal can collect “sensitive personal information”, use the information in marketing activities, and share the information with third party service providers that include research, communications, and software development companies.


For this reason, it is not recommended that covered entities use PayPal to send payments to any recipient, even if (for example) a patient requests a refund of an overpayment via PayPal. A transaction from a healthcare provider to an individual implies a treatment relationship which, although not a violation of HIPAA, could result in a disclosure of sensitive personal information that – if accessed improperly – could subsequently be used to commit fraud or identity theft.

From the patient’s perspective, although PayPal customers can control which third party service providers can access their account and what information is collected, many users do not know these privacy controls exist. Patients that want to pay for healthcare via PayPal should be advised that PayPal will collect and may use any sensitive personal information included in the transaction for purposes unrelated to the reason for the transaction.

Is PayPal HIPAA Compliant for Other Business Services?

In 2013, the Department of Health and Human Services (HHS) published the HIPAA Omnibus Final Rule. In the preamble to the Rule, HHS states “Section 1179 of HIPAA exempts certain activities of financial institutions from the HIPAA Rules” and concludes by stating “a banking or financial institution may be a business associate where the institution performs functions above and beyond the payment processing activities”.

This means that if a covered entity uses or discloses Protected Health Information (PHI) to a financial institution for a service other than payment processing, the financial institution qualifies as a business associate of the covered entity. Not only must the financial institution comply with all applicable Security Rule standards, but it must also enter into a Business Associate Agreement assuring the covered entity of HIPAA compliance.

PayPal cannot assure a covered entity of HIPAA compliance as its privacy and security safeguards only meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). HIPAA has more stringent standards than PCI DSS; and because PayPal does not meet the HIPAA requirements, it will not enter into a Business Associate Agreement with covered entities. Therefore, PayPal is not HIPAA compliant for other business services.

Can Covered Entities Still Use PayPal’s Business Services?

Covered entities can still use PayPal’s business services, but – because the business services do not support HIPAA compliance – cannot disclose PHI when doing so without first obtaining a HIPAA authorization from each affected individual. This is not a practical solution for making PayPal HIPAA compliant because – when informed of the purpose of the authorization – individuals might be averse to PayPal collecting their sensitive information and not sign the authorization.

This limitation means that PayPal’s transaction and analytic reports will be of little value to covered entities – notwithstanding that the reports only display transactions conducted via PayPal. In most cases, these would only account for a small proportion of a covered entity’s income. For this reason, covered entities are advised to minimize their use of PayPal as a payment option and offer HIPAA compliant alternatives instead.

If PayPal is used in any capacity to send or receive payments, it is important that members of the workforce involved in payment processing receive HIPAA training on how to use PayPal without violating HIPAA. It may also be necessary to provide additional security awareness training to mitigate the risk of PayPal credentials being disclosed via a phishing email or an unsecured Internet connection. To help secure accounts, PayPal recommends that multi-factor authentication is enabled.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/