Is Ivy Pay HIPAA Compliant?

Ivy Pay is HIPAA compliant for payment processing by qualified, licensed therapists when Ivy Pay executes a Business Associate Agreement and the service is used and administered to protect the confidentiality, integrity, and availability of Protected Health Information, including the platform’s required SMS text notifications to clients.

Ivy Pay is designed to reduce the disruption of end of session payments by having clients register a credit card with Ivy Pay and allowing the therapist to enter charges after a session through an app that connects to Ivy Pay’s servers. Ivy Pay charges the card, deducts a commission, deposits funds to the therapist’s bank account, and sends the client an SMS text message confirming the charge. Ivy Pay is available only to qualified, licensed therapists, so the service is not broadly available to other types of healthcare providers.

Because Ivy Pay maintains clients’ credit card information, transactions are not treated as exempt from the HIPAA Privacy Rule and HIPAA Security Rule under the payment processing exception in §1179 of the HIPAA Act. When a HIPAA Covered Entity or Business Associate uses Ivy Pay in connection with Protected Health Information, Ivy Pay functions as a business associate and the relationship requires a Business Associate Agreement under 45 CFR §164.502(e) and 45 CFR §164.314(a). Ivy Pay represents that it has security measures designed to safeguard Protected Health Information and is willing to enter into a Business Associate Agreement.

The confidential communications requirements of the HIPAA Privacy Rule create a compliance constraint. Clients have the right to request how they are contacted by covered entities and business associates, and Ivy Pay’s only client communication method is SMS text. When a client objects to SMS text contact, the therapist cannot use Ivy Pay for that client because the platform does not support an alternative communication option. The referenced analysis also reports no identified complaints in the HHS enforcement database related to the service.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter at https://x.com/JamesKeoghHIPAA and contact him on LinkedIn at https://www.linkedin.com/in/james-keogh-89023681.