Is Stripe HIPAA Compliant?

Stripe is not HIPAA compliant and – other than its payment processing services – should not be used by covered entities and business associates to create, collect, store, or transmit Protected Health Information (PHI). Stripe does not need to comply with HIPAA for payment processing services due to HIPAA exempting financial transactions from the requirements of the Administrative Simplification Regulations. Despite the exemption, businesses may be restricted in how they can use the payment processing services due to Stripe’s Terms and Conditions.

What is Stripe?

Stripe is primarily a payment processing platform that enables businesses to collect payments from a customer via a wide range of payment options (credit card, ACH transfer, Apple Pay, Bitcoin, etc.). Businesses can integrate the Stripe API into an online store or app, subscribe to a plan that supports in-person card processing, and/or purchase card readers with tap to pay capabilities.

As well as its payment processing activities, Stripe provides billing, identity verification, and fraud management services. The company also offers branded physical and virtual payment cards, and supports thousands of integrations with services such as DocuSign, QuickBooks, and HubSpot. However, if businesses in the healthcare sector want to use these services to create, collect, store, or transmit Protected Health Information (PHI), it is important that Stripe is HIPAA compliant.

Is Stripe HIPAA Compliant?

At first glance, the answer to the question “is Stripe HIPAA compliant?” would appear to be yes. Stripe complies with multiple US and international data privacy regulations (e.g., CCPA, GDPR, PIPEDA, EU-US Data Privacy Framework) and its services can be configured to comply with the Technical Safeguards of the Security Rule (access controls, event logs, encryption, etc.).

However, Stripe is not HIPAA compliant because of the way it records personal data within transaction data and uses the combined data to help detect fraud. To help with the fraud detection process, Stripe shares the combined data with third party payment providers – some of whom have poor security records (e.g., Coinbase) or dubious privacy practices (e.g., PayPal).

Because companies such as Coinbase and PayPal will not enter into a Business Associate Agreement with Stripe, Stripe is unable to enter into Business Associate Agreements with HIPAA covered entities and business associates – a prerequisite before PHI is disclosed to any third party. Because Stripe is unable to enter into Business Associate Agreements, it is not HIPAA compliant itself.

The Payment Processing Exemption

The payment processing exemption (§1179 of the Social Security Act) was included in Title II of HIPAA in 1996 – the Administrative Simplification Regulations – because the objective of the Administrative Simplification Regulations is to increase the efficiency and effectiveness of the healthcare system. It was considered that applying the standards of the Privacy and Security Rules to payment processing – once the Rules were adopted – would undermine this objective.

In 2002, the Department of Health and Human Services (HHS) published guidance to confirm the exemption would apply “when a financial institution […] conducts any activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums”. HHS added, “when it conducts these activities, the financial institution is providing its normal banking […] services to customers. It is not performing a function or activity for, or on behalf of, a covered entity.”

The Department further confirmed the exemption did not apply to business associates in the preamble to the Final Omnibus Rule in 2013 – adding the caveat “A banking or financial institution may be a business associate where the institution performs functions above and beyond the payment processing activities identified above on behalf of a covered entity, such as performing accounts receivable functions on behalf of a health care provider.”

This exemption and the guidance that followed it mean that it is permissible to disclose PHI in payment processing transactions, but not in any other activity without a Business Associate Agreement being in place. In the context of whether Stripe is HIPAA compliant, this means that Stripe can disclose PHI to (for example) Coinbase and PayPal to facilitate payment processing, but not to Coinbase and PayPal to facilitate fraud detection.

Stripe’s Payment Processing Restrictions

Because Stripe provides services around the globe, the payment processing platform has to comply with multiple consumer protection regulations and licensing requirements. In some cases, it is easier for Stripe to restrict or prohibit a type of business activity entirely than it is to comply with a diverse range of regulations and requirements or to limit international payments for specific business activities.

Some of the activities Stripe restricts or prohibits may surprise businesses in the US. For example, the platform cannot be used to collect payments for insurance services that include medical benefit packages, for telemedicine and telehealth services, or prescription-only pharmaceuticals and regulated medical devices. The full list of prohibited and restricted business activities can be found here.

It is important to be aware that if a business violates Stripe’s Terms and Conditions (of which the restricted business list forms a part), Stripe can terminate access to the payment processing platform immediately. For this reason, if your business is considering using Stripe as a payment processor, it is advisable to thoroughly review the Terms and Conditions and any associated documentation to understand what your obligations are.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com