The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Is Google Pay HIPAA Compliant?

Google Pay does not have to be HIPAA compliant because the text of HIPAA exempts entities from HIPAA compliance if they engage in “authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution.” This exemption was confirmed by the Department of Health and Human Services in the preamble to the Final Omnibus Rule in 2013.

Because of the exemption, there is no requirement to make Google Pay HIPAA compliant or enter into a Business Associate Agreement with Google before the service can be used by covered entities and business associates to collect payments from patients and plan members. Covered entities and business associates can also use Google Pay to conduct B2B financial transactions.

What is Google Pay?

Google Pay is a digital payment facilitator. The service enables users to make payments from cards stored in their Google Wallet online, in-app, or in-store from a mobile phone, tablet, or smartwatch with Near-Field Communication (NFC) capabilities. Users can also use the service to send and receive peer-to-peer payments, or to transfer money to or from a bank account in the same way as PayPal.

For businesses, Google Pay provides a convenient and secure way for customers to pay for goods and services. The Google Pay API can be used to set up an autofill checkout for websites and apps, while in-store NFC readers eliminate the need for customers to carry physical cards. They can simply tap an app on their phone, tablet, or smartwatch to complete a payment within seconds.


How Does Google Pay Work?

A further reason why it is not necessary to make Google Pay HIPAA compliant is the way the service “tokenizes” card information stored in a Google Wallet. When a user adds a card to their Google Wallet, Google Pay creates a unique Dynamic Primary Account Number (DPAN) and it is this number – rather than the card number – that is transmitted during a payment transaction.

Although the last four digits of each payment card are visible in the Google Wallet, Google Pay does not transmit any information that could be used to identify a customer. For this reason, Google would not qualify as a business associate even if the service were not exempted by HIPAA, because the payment part of the service does not create, receive, store, or transmit Protected Health Information.
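The tokenization described above can be illustrated with a small, self-contained model. This is an added example written for this article, not Google's code, and it does not reproduce Google's actual scheme: the token vault, the 16-digit surrogate token, the per-token signing key and the per-transaction cryptogram (an HMAC over token, amount and nonce) are all assumptions chosen to show the security property that matters for the compliance argument, namely that the merchant and everything between the device and the issuer only ever see a surrogate number and a one-time cryptogram, never the real card number. The card number used is a constructed test value.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check so the vault rejects obviously malformed input."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Provisioned:
    token: str   # DPAN-like surrogate handed to the device (assumed format: 16 digits)
    last4: str   # the only card data kept for display in the wallet
    key: bytes   # per-token key used to sign each transaction (assumption)


class TokenVault:
    """Toy token service provider (constructed illustration, not Google's).
    The PAN-to-token map and the per-token keys never leave this object;
    merchants only ever receive tokens and cryptograms."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._key_by_token: dict[str, bytes] = {}

    def provision(self, pan: str) -> Provisioned:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible card number")
        # Random surrogate: nothing about it is derived from the PAN.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._pan_by_token:
                break
        key = secrets.token_bytes(32)
        self._pan_by_token[token] = pan
        self._key_by_token[token] = key
        return Provisioned(token=token, last4=pan[-4:], key=key)

    def authorize(self, msg: dict) -> bool:
        """Issuer-side check: recompute the cryptogram for the token and
        accept only an authentic, untampered message. Only here is the
        token mapped back to the real PAN."""
        key = self._key_by_token.get(msg["token"])
        if key is None:
            return False
        expected = cryptogram(key, msg["token"], msg["amount_cents"], msg["nonce"])
        return hmac.compare_digest(expected, msg["cryptogram"])


def cryptogram(key: bytes, token: str, amount_cents: int, nonce: str) -> str:
    """Per-transaction MAC binding token, amount and nonce (assumed scheme)."""
    data = f"{token}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def device_pay(p: Provisioned, amount_cents: int) -> dict:
    """What the phone hands to the merchant terminal: token, amount, nonce and
    cryptogram. Neither the PAN nor the signing key is in the message."""
    nonce = secrets.token_hex(8)
    return {
        "token": p.token,
        "amount_cents": amount_cents,
        "nonce": nonce,
        "cryptogram": cryptogram(p.key, p.token, amount_cents, nonce),
    }


def merchant_sees_pan(msg: dict, pan: str) -> bool:
    """Does the real card number appear anywhere in what the merchant receives?"""
    return pan in "|".join(str(v) for v in msg.values())


if __name__ == "__main__":
    vault = TokenVault()
    card = vault.provision("4111111111111111")  # constructed test number
    payment = device_pay(card, 12500)
    print("merchant receives:", payment)
    print("PAN visible to merchant:", merchant_sees_pan(payment, "4111111111111111"))
    print("issuer authorizes:", vault.authorize(payment))
```

The point of the model is what is absent from the merchant-side message: even if the terminal, the acquirer, or a log file between them is compromised, what leaks is a surrogate number that is only meaningful to the vault, plus a cryptogram bound to one amount and nonce. That is why the article can say the payment leg carries nothing that identifies the customer, and also why the caveat in the next section matters: anything a covered entity stores alongside the token (notes, memos, a description of the service paid for) is not covered by this property.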

What Does HIPAA Say about Payment Facilitators?

Payment facilitators such as Google Pay are not referenced in HIPAA because they did not exist at the time. However, §1179 of the Act exempts payment processing and associated transactions from HIPAA compliance – an exemption that was confirmed in the preamble to the Final Omnibus Rule in 2013, which states:

“The HIPAA Rules, including the business associate provisions, do not apply to banking and financial institutions with respect to the payment processing activities identified in § 1179 of the HIPAA statute, for example, the activity of cashing a check or conducting a funds transfer.”

However, while the processing element of a financial transaction is exempt from HIPAA, any PHI maintained to support, manage, or reconcile payments is still subject to HIPAA's privacy and security standards. Due to this requirement, covered entities and business associates that conduct B2B financial transactions using Google Pay must not store PHI in a Google Wallet.

Is Google Pay HIPAA Compliant? Conclusion

Google Pay is not HIPAA compliant, but it does not need to be. The service does not communicate any individually identifiable health information or – because of the tokenization process – any information that could be used to identify an individual. In addition, the service is exempted from HIPAA compliance by the HIPAA Act, so there is no need to make Google Pay HIPAA compliant.

What covered entities and business associates need to be aware of is potential compatibility issues with any devices or systems Google Pay is integrated with, the compliance of third party integrations (where necessary), and security awareness among workforce members, patients, and plan members to ensure PHI is not disclosed impermissibly or without authorization during financial transactions.

It is also important that covered entities and business associates conducting B2B financial transactions via Google Pay do not store PHI in a Google Wallet as Google Wallet is not HIPAA compliant. Covered entities and business associates that are uncertain about integrations with Google Pay, third party vetting, or security awareness should seek professional compliance advice.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve's editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
