Is PayPal HIPAA Compliant?
PayPal is HIPAA compliant for collecting payment from patients and plan members because HIPAA exempts entities that facilitate payments for healthcare or health plan premiums – however, PayPal is not exempted from HIPAA compliance for any other services it offers. Because PayPal will not enter into a Business Associate Agreement, covered entities should not disclose PHI when using these other services.
In the text of the 1996 HIPAA Act, there is an administrative simplification provision relating to payment processing (§1179). This section states that the HIPAA Rules do not apply to banks and financial institutions when they are “authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care or health plan premiums”.
To eliminate questions about whether financial institutions qualify as business associates, the Department of Health and Human Services (HHS) later commented in the preamble to the Final Omnibus Rule that “the HIPAA Rules, including the business associate provisions, do not apply to financial institutions with respect to the payment processing activities identified in §1179 of HIPAA”.
Because it is regulated in the same way as other financial institutions, PayPal does not need to be HIPAA compliant in order for covered entities to accept payments from customers through PayPal's money transfer services. However, the preamble continues: “A banking or financial institution may be a business associate where the institution performs functions above and beyond the payment processing activities identified above on behalf of a covered entity”.
Is PayPal HIPAA Compliant for Other Business Services?
PayPal offers several other business services – some of which are limited to certain states because of licensing requirements. These include (but are not limited to) marketing tools, invoicing, account management, and dispute management. PayPal also offers businesses reporting and analytics services which include customer insights to help plan marketing campaigns.
While these services can be useful for many types of business, HIPAA covered entities and business associates should not use any of these services if their use involves the creation, receipt, storage, or transmission of Protected Health Information. This is because PayPal mines customer data to share with partners, and patient authorizations would – in theory – be required before PHI can be used for any PayPal service other than payment processing.
In addition, although PayPal has robust security measures in place to prevent a data breach, should such an event occur, PayPal will not notify covered entities and individuals that unsecured PHI has been exposed in the manner required by the HIPAA Breach Notification Rule. PayPal will not sign a Business Associate Agreement as required by 45 CFR §164.502(e) and 45 CFR §164.314(a), and so it is not HIPAA compliant for these other business services.
Some Covered Entities Already Accept PayPal Payments
In November 2020, it was announced that customers of CVS Pharmacy could pay for purchases via PayPal using a touch-free, point-of-sale scanner. The rollout of the QR code payment system was accelerated due to the COVID-19 pandemic, following research that showed the number of CVS customers using touch-free payment methods had increased 43% since the start of the pandemic.
However, while this appears to be an endorsement of PayPal as a payment processor, it may still be advantageous for covered entities to advise patients of the privacy risks associated with using PayPal, to document the warning, and to note whether – despite the warning – patients still wish to use PayPal as a payment option. This would be an especially appropriate course of action in locations where state laws have stricter privacy provisions than HIPAA.