Zelle helps private medical practices and small medical centers process digital payments efficiently. You can use the payment processor to send and receive money in minutes.
Using Zelle is convenient but can spark concerns, especially among healthcare businesses and professionals. Questions such as “Is Zelle HIPAA compliant?” arise since using the app could lead to violations, potentially risking the reputation of covered entities.
Zelle HIPAA Compliance
Like many digital payment processors, Zelle is not HIPAA compliant.
The popular money transfer app is exempt from HIPAA and is not required to be HIPAA compliant. Like other payment processing services, Zelle doesn’t store protected health information (PHI), so it doesn’t need to follow HIPAA rules. Because the app is exempt, it doesn’t need to provide a business associate agreement (BAA) or follow specific physical, technical, and administrative safeguards.
If the payment app provided other services involving the use and disclosure of PHI, its liabilities would change. Under HIPAA rules, handling PHI on behalf of a covered entity would make the app a business associate. Thankfully, that isn’t the case.
Why Is Zelle Exempted from HIPAA Compliance?
Under Section 1179 of HIPAA, payment processors are exempt from complying with HIPAA and are not considered business associates. This means payment processing platforms such as Zelle, PayPal, or Venmo are not conducting HIPAA-related activities. Zelle only provides financial transaction services to a healthcare provider, which is not considered a HIPAA-covered function.
Here’s a quote from the 2013 Final Omnibus Rule:
The HIPAA Rules, including the business associate provisions, do not apply to banking and financial institutions with respect to the payment processing activities identified in § 1179 of the HIPAA statute, for example, the activity of cashing a check or conducting a funds transfer. Section 1179 of HIPAA exempts certain activities of financial institutions from the HIPAA Rules, to the extent that these activities constitute authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care or health plan premiums.
However, please be aware of this important caveat. If the payment processor provides other services that involve the use and disclosure of PHI, then it should offer a BAA and follow HIPAA standards. For example, an electronic health records (EHR) system or practice management platform that creates invoices, submits healthcare claims or conducts eligibility verification for health plan coverage is considered a business associate under HIPAA.
Here’s the quote from the 2013 Final Omnibus Rule:
However, a banking or financial institution may be a business associate where the institution performs functions above and beyond the payment processing activities identified above on behalf of a covered entity, such as performing accounts receivable functions on behalf of a health care provider.
As of this writing, you cannot use Zelle for HIPAA-related functions, so you don’t need a BAA when using the service. While the app in its current form may not need to comply with HIPAA regulations, it’s still crucial for healthcare providers to exercise caution when integrating payment options into their practice. Choose payment processing apps with strong security measures and PCI DSS certification to protect financial transactions online.
Using Zelle in Healthcare
You can still use Zelle for financial transactions in healthcare, such as processing payments between patients and healthcare entities. In fact, Becker’s Hospital Review shows that the majority of healthcare companies already use Zelle and Venmo.
While Zelle’s HIPAA compliance shouldn’t be an issue, it’s still important to be mindful of its limitations. Use it appropriately and in accordance with its intended purpose as a payment processing service. Handle PHI separately and use HIPAA-compliant methods for managing sensitive patient information.
HIPAA-Compliant Alternatives to Zelle
Here are some of the best options for HIPAA-compliant payment processing:
Square
Square is a widely used platform for handling payments. It provides healthcare providers with payment processing services that adhere to HIPAA regulations. Square offers diverse features, including secure payment processing, chargeback safeguards, and customized payment forms. You can integrate it with EHR systems like Remedly and DrChrono.
Ivy Pay
Ivy Pay is a HIPAA-compliant payment processing app for therapists that allows you to put a card on file. You can use it to charge your patient’s debit, credit, HSA, or FSA card. You don’t need a card reader for payment transactions. You only need to download the free Android or iOS app and push a button to get paid.
InstaMed
InstaMed is dedicated to making healthcare payments more efficient, secure, and convenient for patients and providers alike. With its cutting-edge technology and strict adherence to industry standards, you can trust that it will deliver a seamless and HIPAA-compliant payment experience.
These alternatives provide healthcare providers with many secure and compliant options for payment processing without the risk of facing potential HIPAA violations and fines.