Is Ivy Pay HIPAA Compliant?
Ivy Pay is a HIPAA compliant payment processing service for therapists that eliminates the “interruption” of a financial transaction at the end of a therapy session so clients get the maximum benefit from the therapy session. At the present time, Ivy Pay is only available for qualified, licensed therapists and is not a service every healthcare provider can take advantage of.
Ivy Pay is a payment processing service that evolved from what was effectively a search engine through which clients could reach therapists and “try before you buy”. The service works in a slightly different way from most payment processing services inasmuch as it has been designed to save therapists time and not distract clients from the benefits of therapy at the end of each session.
The payment process consists of a client registering their credit card with Ivy Pay. Then, when a session is finished, rather than the client having to initiate a payment transaction, their therapist enters the charge into an app which connects with Ivy Pay’s servers. Ivy Pay charges the credit card, deducts a small commission, sends the payment to the therapist’s bank account, and advises the client by SMS text that a charge against their card has been made.
Because Ivy Pay maintains the client’s credit card information, the transaction is not exempted from the HIPAA Privacy and Security Rules under §1179 of the HIPAA Act. However, Ivy Pay has the necessary security measures in place to ensure the confidentiality, integrity, and availability of Protected Health Information, and is willing to enter into a Business Associate Agreement as required by 45 CFR §164.502(e) and 45 CFR §164.314(a).
Only One Potential Issue with Ivy Pay
The one potential issue with Ivy Pay is that clients have the right to request how they are contacted by covered entities and business associates (see “Confidential Communications Requirements” in HHS’ Summary of the Privacy Rule). If a client objects to being contacted via SMS text, therapists are unable to use Ivy Pay because that is the only communication option.
Other than that, there is nothing in the Terms of Service or Privacy Policy that might create cause for concern, and we have been unable to find any complaints relating to the service in HHS’ enforcement database. In our opinion, not only is Ivy Pay HIPAA compliant, but it is also a shame the service is not available to more healthcare providers than just therapists. Maybe this will change in time.


