Is Zelle HIPAA Compliant?
By default, Zelle is HIPAA compliant for receiving payments initiated by patients and plan members because payment processors are exempted from HIPAA compliance by Section 1179 of the HIPAA Act. However, there are concerns that users of this payment service have been targeted in phishing attacks, and it is advisable to warn users of this threat.
Zelle is a person-to-person money transfer service – similar to PayPal or Venmo – that is only just starting to branch out into payment processing for businesses. The service enables businesses to accept payments via money transfer from any customer with a Zelle account or who has a Zelle payment option in their existing online banking app.
In the context of whether Zelle is HIPAA compliant, if a covered entity wants to offer the service as a payment option, HIPAA compliance is not a factor. HIPAA (section 1179) excludes financial institutions from Privacy Rule standards when “authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting, a payment for, or related to, health plan premiums or health care”.
This exclusion was confirmed by the Department of Health and Human Services (HHS) in the preamble to the 2013 Final Omnibus Rule. HHS's position is quite clear inasmuch as it states: “The HIPAA Rules, including the business associate provisions, do not apply to banking and financial institutions with respect to the payment processing activities identified in § 1179 of the statute.”
However, in the same preamble, HHS notes: “A banking or financial institution may be a business associate where the institution performs functions above and beyond the payment processing activities identified above on behalf of a covered entity, such as performing accounts receivable functions on behalf of a health care provider.”
Does Zelle Need To Be HIPAA Compliant?
At the present time, there are no services provided by Zelle beyond payment processing and no circumstances in which Zelle would qualify as a business associate. Due to the limited services, there are no circumstances in which Zelle needs to be HIPAA compliant or when a Business Associate Agreement needs to be in place before a covered entity can offer this payment option to patients.
Whether or not covered entities should offer this payment option is a different matter. Although Zelle has security measures in place to prevent data breaches, the service has in the past been exploited to conduct phishing attacks. Zelle doesn't offer buyer purchase protection, so if a patient gets scammed by a third party, there is no way for the patient to recover what they have lost.
In the event that a patient gets scammed by a third party pretending to be their healthcare provider, it could reflect badly on the healthcare provider. Although covered entities are under no obligation to warn patients of payment risks, it may be beneficial to warn patients that risks exist, document the warnings, and note that – despite being warned – patients chose to use Zelle.
It is also the case that not all banks support Zelle payments for all types of business accounts. Typically, when Zelle is a payment option, limits apply on transaction amounts and how much can be received via the Zelle payment app. Because of these limits, Zelle is only a suitable payment option for private practices and small medical centers rather than large hospital groups.
Is Zelle HIPAA Compliant? Conclusion
As a payment processor, Zelle is not required to be HIPAA compliant. Nor is it necessary for a covered entity to enter into a Business Associate Agreement before offering Zelle as a payment option to patients. However – subject to the covered entity's bank supporting Zelle payments and subject to what limits may be applied – covered entities should alert patients to the risk of using this service to pay for health care (indeed – to pay for anything!).
Finally, although Zelle is a payments network rather than a financial institution, it is owned by seven U.S. banks which are subject to state and federal regulations for financial institutions. The actual payment processing services are provided by Fidelity Information Services (FIS), which is regulated by multiple federal banking agencies. If you are in any doubt about accepting payments through Zelle and being in compliance with HIPAA, you should seek professional compliance advice.