Venmo is not HIPAA compliant, mainly because it isn’t a business associate and doesn’t offer a Business Associate Agreement (BAA). Accordingly, medical institutions shouldn’t expect HIPAA protection for sensitive information sent through it, and they should avoid using Venmo as a payment gateway.
Is Venmo HIPAA compliant? Can healthcare service providers use Venmo to collect their payments? Continue reading to find out the answer to that and more.
Venmo is one of the most versatile digital payment apps out there. You can use it for a range of personal and business purposes. Is Venmo HIPAA compliant, though? Can covered entities like healthcare service providers use Venmo?
Stick around to learn more about HIPAA and payment processing, HIPAA compliance, and the risks that come with healthcare providers using Venmo as a payment gateway.
HIPAA and Payment Processing
According to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), companies engaged only in authorizing, billing, processing, clearing, transferring, settling, collecting, or reconciling healthcare payments aren’t required to meet the act’s security and privacy standards.
What does this mean in practice? A Business Associate Agreement (BAA) isn’t required between a healthcare provider and a bank or credit card company for payments to be processed. Similarly, digital payment apps like Venmo aren’t required to sign a BAA.
Does this mean that healthcare providers are free to use Venmo as a payment gateway? The answer is no. As covered entities, healthcare providers must comply with HIPAA, meaning they’re obligated to protect the security and privacy of their patients’ information.
But digital payment solutions like Venmo collect and sell user information that HIPAA classifies as Protected Health Information (PHI).
With that in mind, the use of Venmo by healthcare providers can compromise the security and privacy of patients, which is considered a violation of HIPAA.
Venmo and the Business Associate Agreement
Simply put, a Business Associate (BA) is an individual or entity that handles Protected Health Information (PHI) on behalf of a covered entity.
According to HIPAA’s Privacy Rule, covered entities are allowed to disclose PHI to a Business Associate as long as they have assurance, in the form of a BAA, that the shared information will be protected, with a few exceptions.
Therefore, for a covered entity to ensure complete protection, it has to deal with a financial institution that can offer a BAA, and Venmo isn’t one of these institutions.
Venmo’s Security and Privacy Policies
According to Venmo’s security and privacy policies, Venmo uses advanced encryption to secure user data and monitors account activity for unauthorized transfers. However, Venmo can’t guarantee complete security.
While Venmo doesn’t share user data with third parties, it does share it with its parent company, PayPal, and PayPal openly states that it collects and sells consumer data for advertising purposes.
This practice is forbidden by HIPAA, which is precisely why covered entities shouldn’t use Venmo as a payment gateway.
Can Covered Entities Use Apps Like Venmo?
There’s no denying that digital payment apps like Venmo are highly convenient and that the demand from patients to use such apps is constantly growing. So, should healthcare providers accommodate their patients’ needs?
If you’re a healthcare provider looking to utilize Venmo as a payment gateway, you must first discuss the possibility with your legal counsel.
Then, if your decision is approved, you have to carry out HIPAA’s three-step process so that you don’t violate its security and privacy standards. The three steps are:
- Inform the patient: Before accepting Venmo as a payment gateway, you must inform the patient that Venmo isn’t HIPAA compliant and that it may share their information with other parties.
- Grant the patient permission to use Venmo: Having informed the patient about the risks associated with the use of Venmo as a payment gateway, you may allow the patient to use Venmo if they wish.
- Keep documents: You want to document the warning you’ve given the patient regarding the use of Venmo and the patient’s decision to use Venmo as a payment gateway.
The Risks of Accepting Venmo Payments
From a patient’s perspective, the risk associated with using Venmo as a payment gateway for medical services is having their Protected Health Information shared with third parties.
But from a healthcare provider’s perspective, accepting Venmo as a payment gateway runs the risk of a security breach that can potentially compromise patient privacy and security.
Since both the patient and the service provider might run serious risks by utilizing a digital payment app like Venmo, it’s best to opt for credit cards or bank-to-bank transfers, as they’re more secure.
If the patient insists on using Venmo, which is likely given the convenience it offers, you must inform the patient of the associated risks and confirm in your documentation that using Venmo is the patient’s own decision.
Ultimately, is Venmo HIPAA compliant? No, it isn’t. Should covered entities use Venmo as a payment gateway, then? No. While Venmo isn’t required to comply with HIPAA standards, covered entities are. Instead, healthcare providers should opt for credit card payments and bank-to-bank transfers.
What if a patient insists on using Venmo? In this case, the healthcare provider has to refer to their legal counsel and go through HIPAA’s three-step process with the patient.
The three-step process entails informing the patient of the risks associated with using Venmo for payments, approving the patient’s decision to use Venmo, and documenting your warning and the patient’s decision.
This procedure will help you avoid HIPAA violations as a service provider.
We hope you found this article helpful. Let us know in the comments below!