Is Ivy Pay HIPAA Compliant?


Ivy Pay is a HIPAA compliant payment management system that enables therapists to collect payments with little or no disruption to clients. The payment processing capabilities mean clients do not have to focus on a financial transaction at the end of a session, while the system simplifies billing and payment activities for therapists.

Ivy Pay is a simple-to-use smartphone app, onto which therapists can load clients’ credit, debit, FSA, or HSA cards prior to a session, and take payment for the session once it has ended with a tap of a screen. The process eliminates the disruption of a financial transaction at the end of a session, helping clients obtain the maximum benefit from therapy.

The system also includes capabilities to respond to client enquiries via the Talk to Ivy service and schedule appointments. It can be used to invoice clients if the card pre-loading option is not suitable for clients and to send SMS text messages when payment is received. For most independent therapists, Ivy Pay covers all their client management needs.

Payment Processors and HIPAA Compliance

Under §1320d-8 of the Public Health and Welfare Code, payment processors do not have to comply with HIPAA for payment processing activities. This means Protected Health Information (PHI) can be used and disclosed by a payment processor to authorize, clear, settle, transfer, reconcile, or collect a healthcare-related payment.

However, the exemption only applies to payment processing activities. If a payment processor also offers (for example) invoicing and management services, the applicable standards of HIPAA would apply. As well as implementing measures to be HIPAA compliant, the payment processor would have to enter into a Business Associate Agreement with each therapist.

It is for this reason that some payment processors – e.g., Bank of America – can be used for processing payments but not for payment management services, while other payment processors – e.g., Chase – require healthcare providers to subscribe to a third-party service before allowing providers to use the processor’s payment management services.

HIPAA Compliance and Independent Therapists

The requirement to comply with HIPAA does not apply to all independent therapists. HIPAA only applies to therapists who qualify as covered or hybrid entities by conducting electronic healthcare transactions for which the Secretary for Health and Human Services (HHS) has published standards in Part 162 of the Administrative Simplification Regulations.

In addition, if an independent therapist or a therapy practice that does not qualify as a covered or hybrid entity provides services to or on behalf of a covered entity as a HIPAA business associate, they are required to comply with all applicable HIPAA standards – even if they are not responsible for invoicing clients or accepting payments.

While this means that the compliance features of a client payment and management system may not be a concern to all independent therapists, it can nonetheless be beneficial to implement a system that complies with HIPAA in order to support compliance with state and professional regulations relating to the privacy and security of individually identifiable health information. So, is Ivy Pay HIPAA compliant?

Is Ivy Pay HIPAA Compliant?

Ivy Pay supports HIPAA compliance “out of the box”. No additional configuration is required to make Ivy Pay HIPAA compliant. Therapists only need to verify their licenses to practice, agree to the terms of Ivy Pay’s Business Associate Agreement, and implement internal controls (assign user credentials, provide HIPAA training, etc.) to start using Ivy Pay.

Disappointingly, Ivy Pay provides little in the way of online guidance about how to make the best use of the client payment and management system, although it does provide support via email. Therapists unsure about whether they qualify as covered or hybrid entities – or as business associates when they provide services for other therapists – are advised to seek professional compliance advice.