Is Venmo HIPAA compliant?
Venmo is HIPAA compliant by default for receiving patient-originated payments, because the HIPAA Act contains an exemption for payment processors. However, it should not be used for any other purpose due to privacy and security concerns, and there are further reasons why covered entities might want to avoid offering this payment option at all.
There is a common misconception among some sources that Venmo should not be used by covered entities to accept payments from patients because Venmo will not sign a Business Associate Agreement. However, nothing in HIPAA prevents covered entities from using any service to receive patient-originated payments, and – under section 1179 of the Act – financial institutions are exempt from complying with the Privacy Rule when facilitating a financial transaction.
Due to the misconception about payment processors, the Department of Health and Human Services (HHS) clarified the position in the preamble to the 2013 Final Omnibus Rule. HHS stated: “The HIPAA Rules, including the business associate provisions, do not apply to banking and financial institutions with respect to the payment processing activities identified in § 1179 of the HIPAA statute”.
However, the preamble continues: “A banking or financial institution may be a business associate where the institution performs functions above and beyond the payment processing activities identified above on behalf of a covered entity.” As a result, when asking whether Venmo is HIPAA compliant, the answer is that Venmo does not need to be HIPAA compliant for payment processing services, but it does for any other services performed on behalf of a covered entity or business associate.
Is Venmo HIPAA Compliant for Other Services?
Though Venmo implements security controls to protect user data, Venmo states in its Privacy Policy that it “cannot guarantee that personal information may not be accessed, disclosed, altered or destroyed by breach of our administrative, managerial and technical safeguards”. Safeguarding the privacy and integrity of protected health information (PHI) is required by the HIPAA Security Rule. Because it lacks many of the required technical safeguards, Venmo does not comply with Security Rule standards.
Also of concern is what Venmo's Privacy Policy says the company will do in the event of a breach in which personal data is exposed: “If Venmo learns of a systems security breach, we may attempt to notify you electronically so that you can take appropriate protective steps. […] Venmo may post a notice on the website or mobile application. We may also send an email to you at the email address you have provided to us. Depending on where you live, you may have a legal right to receive notice of a security breach in writing”. This looks like a failure to comply with the Breach Notification Rule waiting to happen.
Further Reasons Why Venmo is Not HIPAA Compliant
Venmo is owned by PayPal and shares the data it collects with PayPal. PayPal, in turn, sells data to advertisers to generate revenue. Even though Venmo does not directly disclose data to third parties, its parent company does. The HIPAA Privacy Rule stipulates how PHI can be used and disclosed, and selling PHI without prior written authorization of the patient is a HIPAA violation – rendering Venmo HIPAA non-compliant as a result.
Another factor leading to Venmo’s HIPAA non-compliance is the fact that it will not enter into a Business Associate Agreement (BAA) with covered entities or business associates. BAAs are necessary to ensure both parties understand the intended use of the PHI, who can access it, how it will be protected, and what will happen to it once the BAA expires. Neither Venmo nor PayPal will enter into BAAs, meaning that their payment services cannot be used for non-payment processing activities.
Conclusion: Is Venmo HIPAA Compliant?
Because payment processors are exempted from the HIPAA Privacy Rule, covered entities and business associates can use Venmo to accept payments by default – but that is all it should be used for, if at all. Low transaction limits and transfer-to-bank limits make Venmo unsuitable for all but the smallest healthcare providers, and the terms of Venmo's Privacy Policy mean it cannot be used for other services provided by the company, such as payment requests or bookkeeping.
There are four main reasons why Venmo is not compliant with HIPAA: it cannot guarantee the security of any information uploaded onto its servers, it does not comply with the Breach Notification Rule, it shares its data with third parties via PayPal, and it will not enter into BAAs with HIPAA-covered entities. Covered entities that do use Venmo should ensure it is used for no purpose other than accepting patient-originated payments.