How Can You Make PayPal HIPAA Compliant to Accept Payments from Patients?
It is not necessary to make PayPal HIPAA compliant before accepting payments from patients, because payment processors such as PayPal are exempt from the HIPAA regulations for their payment processing activities. However, it is not possible to use any of PayPal’s other services in compliance with HIPAA.

When HIPAA was passed in 1996, it included a clause (§1179) exempting financial institutions that authorize, clear, collect, process, reconcile, settle, or transfer payments related to health care and health insurance. Covered entities and business associates were reminded of the clause in the preamble to the HIPAA Omnibus Final Rule in 2013, in which HHS wrote:

“The HIPAA Rules, including the business associate provisions, do not apply to banking and financial institutions with respect to the payment processing activities identified in §1179 of the HIPAA statute.”

However, HHS closed this section of the preamble by stating: “a banking or financial institution may be a business associate where the institution performs functions above and beyond the payment processing activities identified above on behalf of a covered entity, such as performing accounts receivable functions on behalf of a health care provider.”

In the context of accepting PayPal payments from patients, this means it is not necessary to make PayPal HIPAA compliant if the payment relates to health care or health insurance. However, PayPal would need to be HIPAA compliant for any other transaction or activity in which Protected Health Information (PHI) is used or disclosed.

Is PayPal HIPAA Compliant for Other Activities?

PayPal is not HIPAA compliant for other activities because it collects sensitive personal information from customers and shares it with third-party service providers. In addition, although PayPal complies with the Payment Card Industry Data Security Standard (PCI DSS), its security safeguards do not meet the more stringent requirements of the HIPAA Security Rule.

Because of concerns about how PayPal shares sensitive personal information, covered entities should advise patients and plan members who want to make a payment via PayPal to limit the amount of personal information included in the payment. It is recommended that this advice is documented and the documentation retained.

Using PayPal’s business services (e.g., reporting, analytics) is permitted by HIPAA provided no PHI is disclosed to PayPal by the covered entity. However, if PayPal’s business services are used, members of the workforce should be trained on how to use PayPal in compliance with HIPAA to prevent unintentional violations.

Covered entities that need further advice about the payment processor exemption, the use of secondary services, or training members of the workforce in how to accept payments from patients in compliance with HIPAA should speak with an independent compliance professional.