Is it Necessary for Zelle to be HIPAA Compliant?

It is not necessary for Zelle to be HIPAA compliant for a healthcare organization to accept patient-initiated payments, because payment processing by financial institutions and related payment networks is generally outside the HIPAA Administrative Simplification Regulations. The covered entity or business associate using Zelle nevertheless remains responsible for preventing protected health information from being transmitted through Zelle, and for applying HIPAA Security Rule safeguards to any protected health information it receives and maintains.

Zelle is a person-to-person bank payment service used to transfer funds between accounts. A covered entity can accept Zelle as a payment option without a business associate agreement when Zelle is used only to move funds and the transaction does not require Zelle to create, receive, maintain, or transmit protected health information on behalf of the covered entity. In that use case, Zelle functions as part of the financial transaction channel rather than as a HIPAA Business Associate.

HIPAA compliance risk increases when protected health information is inserted into the payment stream. If workforce members request payments through Zelle and include diagnosis information, procedure descriptions, patient status details, or other clinical content in notes or messages, that content becomes protected health information and may be exposed to systems and parties outside the covered entity's HIPAA controls. HIPAA compliance risk also increases when Zelle is used as a communications tool for billing questions, payment disputes, or appointment-related discussions that include protected health information.

Organizations that allow Zelle for collections should implement written restrictions that limit the channel to payment only and prohibit inclusion of protected health information in any free-text fields. Patient payment instructions should direct patients to avoid including any health information in payment notes. Workforce training should address permissible use, minimum necessary handling, and escalation procedures when protected health information is received through an unauthorized channel.

If an organization requires electronic payment services that transmit protected health information for payment operations beyond moving funds, the organization should use a vendor that can support HIPAA Security Rule safeguards and execute a business associate agreement when the service meets the HIPAA Business Associate definition.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]