Is PayPal HIPAA Compliant?

The first to initiate peer-to-peer mobile transfers, PayPal has long been the go-to payment option for professionals and businesses. It existed even before the rise of digital wallets like Venmo and Zelle. In fact, this popular payment service appears as a primary option in many of today’s leading e-commerce platforms.

Still, using PayPal to accept and process payments related to healthcare requires compliance with the relevant regulations. You also need to look into its HIPAA compliance status and ask questions like "Is PayPal HIPAA compliant?"

Why HIPAA-Compliant Payment Methods Matter

Collecting payments for healthcare services rendered also involves handling sensitive patient information. It starts with sending out invoices or bills to patients, which may include details like the patient’s name, social security number, and home address. This makes the healthcare provider responsible and accountable for keeping a patient’s critical data safe from security threats.

By choosing a payment method that is HIPAA compliant, the covered entity can attest to its commitment and capability to safeguard protected health information (PHI). Given the stringent requirements set by HIPAA to protect patient privacy, achieving compliance takes a lot of work, even more so for payment services that lack the required technical and administrative safeguards.

As for PayPal and HIPAA compliance, using the service to accept payments for rendered healthcare services could pose potential risks and challenges.

Here’s why:

No, PayPal is not HIPAA compliant. First, it does not enter into a Business Associate Agreement (BAA), a key component for meeting the Health Insurance Portability and Accountability Act requirements. Many covered entities use the payment service for healthcare transactions covering PHI-related information. Without a signed BAA, PayPal cannot be fully held liable in case of a breach.

Second, the gold standard for safeguarding sensitive data at rest and in transit is 256-bit AES encryption. However, PayPal only uses a secure socket layer (SSL) protocol with 128-bit encryption. Moreover, it sends data over the Internet using an HTTPS connection with a Transport Layer Security (TLS) configuration. For secure user access, it offers 2-step verification, in which a code is generated by an authenticator app or sent to the user’s phone number to validate the login request.

Despite having security features like encrypted website payment buttons and authentication keys, it’s worth noting that PayPal uses the data it collects for various purposes. Under HIPAA, audit logs are necessary to monitor PHI access. While PayPal provides audit reports, they only cover specific transactions such as money movements and funding instruments. Lastly, it only conducts risk assessments for fraudulent financial activities, not for incidents involving a PHI breach.

Benefits and Risks of Using PayPal in Healthcare

PayPal is not HIPAA compliant, but using it still offers several advantages, including:

  • Automated payment processes: Sending payments online via PayPal helps providers collect funds quickly. You can send your patient’s billing statements and wait for their fund transfer.
  • Reduced administrative burden: Automating payment processing in healthcare eliminates the need for manual auditing. You can easily monitor payment histories and get confirmation upon sending or receiving funds.
  • Multiple payment options: PayPal provides different ways to add balance to your account. You can transfer money from your bank or use PayPal credit if applicable.

Generally speaking, PayPal is a safe and secure payment platform. Still, like other online services, it also comes with risks, like:

  • Potential regulation violations: Healthcare providers must strictly abide by federal regulations like HIPAA. Non-compliant payment apps like PayPal can subject your organization to hefty penalties and legal punishments.
  • Phishing and identity fraud: PayPal scams are prevalent nowadays. Some users may receive emails with malicious links to infect their devices or ask them to log in and share their personal information.
  • Data breach: Hackers can view your payment history and access your PHI-related data once they take over your PayPal account. For instance, they can see your previous transactions with specific hospitals and exploit them to commit theft and fraud.

Alternatives to PayPal for Secure Healthcare Payments

Besides PayPal, there are other ways to handle medical payments online, including the following alternatives:

1. Ivy Pay

Ivy Pay was initially designed for therapists and offers hassle-free and secure healthcare payment processing. Medical providers can even obtain a Business Associate Agreement (BAA) upon request. This payment service also uses HIPAA-compliant measures such as strong TLS encryption and validation certificates.

2. Square

Square is a widely used e-commerce tool for processing healthcare payments. It is also HIPAA-compliant and willing to enter into a BAA upon request. With Square, you can customize payment forms and secure patient data.

3. HealthPay24

Another reliable and HIPAA-compliant payment platform is HealthPay24, which helps medical providers collect self-payments from patients. Best of all, it uses PCI-validated point-to-point encryption to protect sensitive health information.

Securing Healthcare Transactions With Online Payments

Given where the world is heading, there’s no doubt that digital wallets are here to stay. So, it’s best to adapt to these growing payment trends without risking the security and confidentiality of medical data. For safer healthcare transactions, choose apps and software that follow the industry’s stringent regulations, specifically HIPAA.

Before using any payment gateway, look into its security features and compliance status first. The last thing you would want is to encounter problems involving the safety and confidentiality of PHI.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.
