[ANSWERED] Is Zelle HIPAA Compliant?

It’s no surprise that we live in quite a tech-savvy world. If there’s a way to make any action in this day and age simpler, someone will create a software solution that’s going to find a way to do so.

One area that we’re actively seeing advancements in is payments. Mobile payments more specifically.

This is happening globally. Internationally speaking, more than 2 billion people utilize mobile payment options.

It’s predicted that by 2025 mobile payments will make up 79% of all digital transactions. In 2021 this percentage was 71%. This is more than half of all digital transactions!

What classifies a digital transaction exactly? It's a paperless, or cashless, transaction made through an electronic device. No confusion here.

We have the ability today to buy products and/or services at the tap of a button…literally. Mobile payments are such a popular option due to the quickness and convenience they offer to users.

Let’s hone in on the medical and/or healthcare field. The preference for mobile payments is still visible.

80% of patients prefer to pay for their healthcare online. This is a huge percentage.

If you were or are a doctor looking to make payments easier on both you and your clients, you would be silly not to consider mobile payment options.

There are so many different mobile payments outlets on the market. In fact, it’s quite common for people to have more than one.

Both the waiting time and hassle of paying for medical services decrease by using mobile payments. It can’t possibly get any easier…right? (Don’t hold me to that.)

Clients or patients have the ability to make payments by scanning QR codes, tapping an NFC (Near Field Communication) terminal, or sending a text message.

Mobile payments also limit the usage of excessive amounts of paper bills, receipts and reminders.

Apple Pay is the most widely used mobile payment system in the United States. To catch up more on Apple Pay, check out one of our other blog posts.

Even still, 2 of the most popular money-transfer apps you may or may not be familiar with are Zelle and Venmo.

The main difference between these 2 is that Zelle transfers are instant and free while Venmo transfers take around 1-3 business days unless you pay a small transfer fee.

Why are Zelle transfers instant and free, unlike Venmo and another mobile payment service called Cash App?

Well, a private financial service company that owns many banks also runs Zelle. Not just any banks. It includes major banks such as Bank of America, Capital One, Citi, JPMorgan Chase, PNC Bank, and more. This is why it is able to work with over 1,800 U.S. banks and credit unions.

Going off of that, over 100 million people have access to Zelle directly through their banking app. Zelle describes itself as “a fast and easy way to send and receive money with friends.” This description hits the nail right on the head.

All you need is your recipient's email address or U.S. mobile phone number to make a transfer. After providing this information, money transfers directly from your account to theirs in minutes. No waiting time here.

We can clearly see a trend from reading some of these statistics. From a business perspective, you want to offer payment options that make the transaction process between you and your clients as quick and effortless as they can be. Mobile payments are looking to be that option.

It sounds too good to be true…doesn’t it? Before we can hit the ground running with utilizing mobile payment systems, specifically Zelle in this blog, there are a few rules we need to cover.

We’re about to enter quite a gray area. In all honesty, researching information for this blog gave me a headache at times. Some resources say there’s a definite no to using Zelle as your payment method or provider while others give the green light.

What we can do is go over the facts. So buckle your seatbelt and get ready for this ride. Let’s find out for certain if Zelle is HIPAA compliant. 


HIPAA Compliance Explanation

For starters, we need to know what HIPAA is.

HIPAA is short for the Health Insurance Portability and Accountability Act. HIPAA's purpose is to establish rules that protect patient information.

If you’re going to see a doctor, you probably don’t want your health records shared with just anyone. HIPAA essentially acts as an extra shield to ensure your privacy. It sets the standard for sharing and storing patient information.

What is patient information? Patient information is any information that makes a patient identifiable. It can also include any information concerning the patient’s health, or summaries of their treatments or conditions. From a technical perspective, the law defines patient information as protected health information (PHI).

Who must follow HIPAA laws? Any organization that has access to PHI must follow HIPAA laws.

There are 3 categories, or what HIPAA calls covered entities, that need to follow HIPAA laws.

These 3 categories are: 

  1. Health plans

  2. Healthcare clearinghouses

  3. Healthcare providers 

Any third-party application you use to send and receive information about a client must follow and comply with HIPAA’s safeguards. This includes online banking or credit card payments.

Now, there are no HIPAA laws directly related to mobile payments. The Health Insurance Portability and Accountability Act originally came out way back in 1996. At that time, mobile payments and ePHI weren’t HIPAA’s main concern. Frankly, people were probably not even thinking of making payments from a mobile device one day.

We can look at some regulations, 2 to be exact, that mobile payments fall under the scope of, or that you could apply to them.

  1. The payment service has to provide administrative, technical and physical safeguards that protect ePHI. 

    • ePHI is electronically stored, protected health information. 

  2. A Business Associate Agreement (BAA) has to exist between the vendor and the healthcare organization.

Again, I want to note that when HIPAA created these standards, mobile payments weren’t in mind. They were written more for sensitive patient information stored in electronic files, but we can apply these regulations to mobile payments in order to make decisions accordingly. 

While Zelle does implement their own safeguard standards to ensure patient privacy, there’s still a chance of a breach of information. If a breach were to occur with Zelle, it would fall under their liability.

In order to be HIPAA compliant, any payment provider that you use to collect payment from patients must be able and willing to sign a BAA with the organizations that handle PHI. 

Business Associate Agreements (BAA) & Zelle

What is a BAA? A Business Associate Agreement is an agreement between a healthcare provider and a third party for the transfer of a client’s PHI.

In this case, you would be the healthcare provider and Zelle would be the third party that you’re transferring your client’s PHI to.

To be clear, Zelle isn’t HIPAA compliant because Zelle doesn't sign BAAs. How come?

Zelle isn’t the only payment app that will not sign BAAs. Apple Pay, Paypal, and Venmo are some others just to name a few.

If Zelle were to be HIPAA compliant, they would have to sign a BAA for EACH healthcare provider that they work with.

Signing a BAA makes them completely responsible for protecting patient PHI.

Using these third-party payment providers puts patients’ personal information at risk. In the case that an unfortunate or unforeseeable event occurs, such as a data breach or disclosure of PHI, the provider would be liable and there would be consequences to pay. 

Not to mention that BAAs aren’t the easiest thing to attain either. It’s a commitment between the healthcare provider and the third party. 

We don’t know the future, and maybe down the road it would be something for Zelle to consider. As of right now, Zelle doesn’t sign BAAs.

Don’t close your tab yet! This is not the end of our story. Remember in the beginning when I said there are gray areas? Here is where it applies.

Now mobile payments don’t necessarily fall under the scope of BAAs. This means that technically you could use them. 

Mobile payments aren’t specifically addressed in HIPAA laws and regulations. If you have a client who agrees to use them as well, that gives you the green light, or should I say yellow.  

Partnering with a payment processor such as Etactics that has the ability to sign BAAs allows you to work with mobile payment apps such as Zelle and Apple Pay.

Other HIPAA Compliant Payment Options

There are some online payment methods that are 100% HIPAA compliant such as Stripe and Ivy Pay.

EHR systems, or electronic health records, are HIPAA compliant and allow you to bill and receive payments from clients. 

Etactics has a payment processing solution called PaymentHub and we will sign BAAs so you can use mobile payment apps such as Apple Pay (wink wink). 

While they may not be as technologically advanced, the old reliables are always there as well. Traditional payment methods such as credit cards, checks, and cash are other ways to collect patient payments.

ACH, or Automated Clearing House, is another option that electronically transfers funds through a network used by banks and credit unions. 

All of these listed above are HIPAA compliant. They won’t keep you up worrying at night. 

Conclusion

While we want payment to be as quick and convenient as possible we also have to make sure that we’re protecting PHI.

Takeaways from this blog post are that mobile payment providers, such as Zelle, are not HIPAA compliant.

While they may have safeguards in place to protect user information, unforeseeable circumstances still do happen.

Zelle will not sign BAAs. If they sign a BAA for one healthcare provider, then they have to sign them for all. This contract is a commitment that holds Zelle completely liable for the protection of client PHI. That’s quite a heavy weight on the shoulders.

There are no specific HIPAA laws pertaining to mobile payments so technically Zelle does not have to be HIPAA compliant.

It is better to be safe than sorry. Make sure you as well as the third-party providers you work with are HIPAA compliant. This could potentially save you from trouble sooner or later down the road.

Do all that you can and follow HIPAA guidelines to ensure PHI is protected.

If you need a refresher or training on HIPAA, check out our K2 Akademy training modules to make sure you’re up to date on all things in regard to HIPAA!