Is it Necessary for Zelle to be HIPAA Compliant?

by

It is not necessary for Zelle to be HIPAA compliant in order for HIPAA covered entities to conduct financial transactions via the fund transfer service because payment processors are exempt from HIPAA under §1320d-8 of the Public Health and Welfare Code.

Considering that Zelle is a peer-to-peer funds transfer service similar to PayPal, there are a surprising number of sources asking is Zelle HIPAA compliant. Many of these sources provide an incorrect answer to their own question by stating Zelle is not HIPAA compliant because the company will not enter into a Business Associate Agreement as required by HIPAA.

However, HIPAA does not require payment processors to enter into Business Associate Agreements nor comply with any standards of the Privacy, Security, and Breach Notification Rules when Protected Health Information is disclosed for authorizing, clearing, settling, transferring, reconciling, or collecting healthcare-related payments (see §1320d-8).

Not only was this exemption included in the text of HIPAA in 1996 (see §1179), but when the Omnibus Final Rule was published in 2013, it included the following note: “The HIPAA Rules, including the business associate provisions, do not apply to banking and financial institutions with respect to the payment processing activities identified in §1179 of the statute.”

Does Zelle Qualify as a Payment Processor?

One potential reason for some sources incorrectly answering the question is Zelle HIPAA compliant is because they do not recognize Zelle as a payment processor. However, Zelle meets all the required criteria to qualify as a payment processor by securely facilitating direct transfers between bank accounts. Indeed, Zelle is owned by a consortium of leading banks.

Not only does Zelle qualify as a payment processor, but it lacks any other functions that could possibly qualify it as needing to be HIPAA compliant. For example, it does not offer invoicing capabilities like PayPal, does not support patient scheduling like Square, and does not integrate with practice management and administration software like Stripe (via third party integrations).

What this means is that covered entities do not have to configure controls to make Zelle HIPAA compliant prior to accepting payments from patients and plan members. It is also not necessary to enter into a Business Associate Agreement with Zelle nor obtain the required assurances that Zelle will safeguard the privacy and security of Protected Health Information.

Best Practices for Making the Use of Zelle HIPAA Compliant

While it is not necessary for Zelle to be HIPAA compliant in order for covered entities to conduct financial transactions via the fund transfer service, it is important covered entities use Zelle in compliance with HIPAA. The reason for this is that, although data disclosed to the fund transfer service is encrypted at rest and in transit, Zelle holds the decryption key.

If the decryption key is hacked – or accessed without authorization – any Protected Health Information contained in the Memo fields of a transaction could be disclosed impermissibly. For this reason, the first best practice for making the use of Zelle HIPAA compliant is to refrain from including Protected Health Information in payment requests sent via Zelle.

The second best practice for making the use of Zelle HIPAA compliant is not to use the app for requesting payments so it does not have access to a contacts lists. While this may increase the administration of payment requests and reminders (which are best done through alternative channels), it will eliminate the risk of identifying information being accessed by the service.

Can Zelle be Used by Healthcare Providers? Conclusion

In conclusion, Zelle can be used by healthcare providers to accept and request payments. In the context of answering the question is Zelle HIPAA compliant, it is not necessary for Zelle to be HIPAA compliant because the fund transfer service is excluded by the Public Health and Welfare Code, by the text of HIPPA, and by the Department for Health and Human Services.

Accepting Zelle can increase covered entities’ cash flows as funds are usually transferred to recipients within hours. Zelle can also be a convenient ways for patients to pay for treatments and co-pays. However, before adopting Zelle as a payment option for patients and plan members, it is important to apply best practices for making the use of Zelle HIPAA compliant.   

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]