Is Zelle HIPAA Compliant?

Several sources discussing whether Zelle is HIPAA compliant appear to be under the impression that Covered Entities cannot use the money transfer service because Zelle will not enter into a Business Associate Agreement. However, it is not necessary to have a Business Associate Agreement in place before using the service to receive payments from patients.

Zelle is a person-to-person money transfer service – similar to PayPal or Venmo – that is only just starting to branch out into payment processing for businesses. The service enables businesses to accept payments via money transfer from any customer with a Zelle account or who has a Zelle payment option in their existing online banking app.

On the question of whether Zelle is HIPAA compliant, if a Covered Entity wants to offer the service as a payment option, HIPAA compliance is not a factor. HIPAA (section 1179) excludes financial institutions from Privacy Rule standards when “authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting, a payment for, or related to, health plan premiums or health care”.

This exclusion was confirmed by the Department of Health and Human Services (HHS) in the preamble to the 2013 Final Omnibus Rule. HHS' position is quite clear inasmuch as it states: “The HIPAA Rules, including the Business Associate provisions, do not apply to banking and financial institutions with respect to the payment processing activities identified in § 1179 of the statute.”

However, in the same preamble, HHS notes: “A banking or financial institution may be a Business Associate where the institution performs functions above and beyond the payment processing activities identified above on behalf of a Covered Entity, such as performing accounts receivable functions on behalf of a health care provider.”

Does Zelle Need To Be HIPAA Compliant?

At the present time, there are no services provided by Zelle beyond payment processing and therefore no circumstances in which Zelle would qualify as a Business Associate. Therefore, there are no circumstances in which Zelle needs to be HIPAA compliant or when a Business Associate Agreement needs to be in place before a Covered Entity can offer this payment option to patients.

Whether or not Covered Entities should offer this payment option is a different matter. Although Zelle has security measures in place to prevent data breaches, the service has in the past been exploited to conduct phishing attacks. Zelle doesn't offer buyer purchase protection, so if a patient gets scammed by a third party, there is no way for the patient to recover what they have lost.

In the event that a patient gets scammed by a third party pretending to be their healthcare provider, it could reflect badly on the healthcare provider. Consequently, although Covered Entities are under no obligation to warn patients of payment risks, it may be beneficial to warn patients that risks exist, document the warnings, and note that – despite being warned – patients chose to use Zelle.

It is also the case that not all banks support Zelle payments for all types of business accounts. Typically, when Zelle is a payment option, limits apply on transaction amounts and how much can be received via the Zelle payment app. Consequently, if adopted as a payment option, Zelle is likely most suitable for private practices and small medical centers rather than large hospital groups.

Is Zelle HIPAA Compliant? Conclusion

As a payment processor, Zelle is not required to be HIPAA compliant. Nor is it necessary for a Covered Entity to enter into a Business Associate Agreement before offering Zelle as a payment option to patients. However – subject to the Covered Entity's bank supporting Zelle payments and subject to what limits may be applied – Covered Entities should alert patients to the risk of using this service to pay for health care (indeed – to pay for anything!).

Finally, although Zelle is a payments network rather than a financial institution, it is owned by seven U.S. banks which are subject to state and federal regulations for financial institutions. Furthermore, the actual payment processing services are provided by Fidelity Information Services (FIS), which is regulated by multiple federal banking agencies. If you are in any doubt about accepting payments through Zelle and being in compliance with HIPAA, you should seek professional compliance advice.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.