Is Zelle HIPAA Compliant?

HIPAAGuide.net

Zelle is not HIPAA compliant, but it does not have to be, because payment processors are exempted from complying with HIPAA in §1179 of the 1996 Act. HHS confirmed this exemption in the preamble to the 2013 Omnibus Final Rule.

According to Zellepay.com, over 100 million Americans have access to Zelle through an existing online banking app or via the Zelle app itself. With so many people using the app, it is not surprising that some may find it more convenient – and cheaper – to pay for healthcare or insurance using the app rather than a check, card, or wire transfer.

However, some healthcare and insurance providers are apparently reluctant to offer Zelle as a payment option due to compliance concerns, the core question being: is Zelle HIPAA compliant? The short answer is that Zelle does not have to be HIPAA compliant for its payment processing activities, but covered entities must still be careful about how they use the fund transfer service.

HIPAA and Payment Processors

When HIPAA was enacted in 1996, it included a section on “Processing Payment Transactions by Financial Institutions” (§1179). The section states that a standard adopted under this part (the HIPAA Administrative Simplification Regulations) shall not apply to “an entity […] engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments”.

The exemption for payment processors was confirmed by the Department of Health and Human Services (HHS) in 2013 in the preamble to the Omnibus Final Rule. Responding to a comment asking whether payment processors were required to enter into Business Associate Agreements with covered entities, HHS wrote:

“This final rule is not intended to affect the status of financial institutions with respect to whether they are business associates. The HIPAA Rules, including the business associate provisions, do not apply to banking and financial institutions with respect to the payment processing activities identified in § 1179 of the HIPAA statute, for example, the activity of cashing a check or conducting a funds transfer.”


This part of the preamble concludes by advising covered entities that, although payment processors are exempt from HIPAA for payment processing activities, they are not exempt for any secondary services that involve uses and disclosures of Protected Health Information (PHI). For example, if a payment service allows covered entities to create invoices, HIPAA applies to the invoice service if PHI is disclosed to the payment service.

Making the Use of Zelle HIPAA Compliant

Because Zelle is a payment processor that conducts fund transfers on behalf of account holders, it is exempt from complying with HIPAA for payment processing services. At present, Zelle does not support secondary services such as invoicing, so there are no circumstances in which Zelle would be a business associate to a covered entity and a Business Associate Agreement would be required.

However, covered entities can still violate HIPAA when using Zelle if PHI is entered in the memo field when requesting a payment or sending a payment reminder through the Zelle app. A risk assessment of offering Zelle as a payment option to patients and plan members should identify that Zelle shares data with its affiliates, and once PHI has been disclosed in this way the covered entity has no control over what happens to it.

To prevent PHI from being impermissibly disclosed, covered entities should make their use of Zelle HIPAA compliant by instructing members of the workforce not to enter PHI into the memo field. It is also recommended that patients and plan members who request Zelle as a payment option are advised not to enter health information into the memo field, and that the app’s permissions are limited so that Zelle cannot access the covered entity’s entire contacts list.

Is Zelle HIPAA Compliant? Conclusion

Zelle does not have to be HIPAA compliant for covered entities to accept payments from patients and plan members, because of the exemption for payment processors. However, there may be risks to the privacy and security of PHI if procedures are not implemented to make the use of Zelle HIPAA compliant. Covered entities that have concerns over the compliant use of Zelle are advised to seek independent HIPAA compliance advice.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/