Is PayPal HIPAA compliant? Revisiting PayPal for Therapists

At iCouch, we have strong opinions about PayPal as a payment option for mental health practitioners. Our system doesn’t support PayPal for some very good reasons — a primary reason being that PayPal is not HIPAA compliant and, in fact, it’s a serious danger to patient privacy. In our view, any US-based practitioner using PayPal for patient transactions is committing a gross violation of HIPAA. Pretty strong words, I know. The purpose of this post is to expand on our previous article PayPal for Therapists while addressing objections we’ve encountered from some mental health professionals with different views.

Delivering relevant offers and opportunities: By applying advanced analytics to big data, PayPal is able to present relevant offers from merchants to consumers – such as discounts when using PayPal as payment. These customized offers, based on algorithms using past-purchase history, are presented in-context, both online and in-app, driving higher transaction volume for merchants while enabling consumers to get more value from their purchase (like saving money!).

— Adam Christensen, Head of Data Technology at PayPal

Yes, PayPal actually said that. They present “customized offers” using past-purchase history. If you’re a therapy client and you’re now getting customized PayPal offers based on your purchase of services from a mental health professional, that would represent a serious breach of both the letter and the spirit of HIPAA.

The HIPAA Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

So if we break this down we arrive at a few indisputable truths:

  1. Payment for mental health services is, by definition, relating to the provision of health care to the individual.
  2. PayPal, by their own admission, uses past purchase history to “present relevant offers from merchants to consumers.”

Really, we could stop this article here and be done with it. The law is crystal clear and PayPal’s policies are also crystal clear — there is not an ounce of ambiguity in PayPal’s statement. However, in the interest of the conversation, let’s now look at some specific arguments that practitioners have offered in defense of PayPal.

“PayPal is considered a bank”

False. “We are not a bank and we have no aspirations to become a bank. We’re not looking to move into banking at all.” — Bill Ready, Chief Operating Officer at PayPal, in an interview with The Street in April 2018.

In fact, the financial products offered by PayPal are actually offered in partnership with actual banks. Under the definitions of the Gramm-Leach-Bliley Act, PayPal could be considered a financial institution, but the requirements under that Act are much different from HIPAA’s. For example, financial institutions covered by the Gramm-Leach-Bliley Act must tell their customers about their information-sharing practices and explain to customers their right to “opt out” if they don’t want their information shared with certain third parties.

Under HIPAA, the sharing of Protected Health Information with a third party is never opt-out. It’s always opt-in, requiring explicit, written consent. So even if we accept that PayPal is a financial institution, that in no way exempts it from the HIPAA Privacy Rule. In fact, under Gramm-Leach-Bliley, even a payday lender is considered a financial institution. Being a “financial institution” doesn’t provide any exception from HIPAA. All it does is add another layer of compliance specific to financial transactions. The fact that PayPal admits to and is proud of their ability to target users based on their purchase history — that’s in compliance with the Gramm-Leach-Bliley Act while being in breach of HIPAA.

“PayPal issues both debit and credit cards and therefore they are using the same clearinghouse as any credit card company.”

This is false. PayPal doesn’t issue the cards; those cards are issued by Synchrony Bank (scroll to the very bottom of that page and read the fine print). Suggesting that issuing a credit card is a mark of trust and security is a fallacy. Target has their own credit card as well — that doesn’t make them HIPAA compliant, or even trustworthy. And, as a point of fact, those companies aren’t issuing anything — they are co-branding the cards, much like United Airlines has a co-branded card with Chase. Any business can co-brand a card. If iCouch wanted to, we could have our own credit card as well.

“PayPal serves as a payment gateway just like other payment processors.”

Partially true. PayPal does serve as a payment gateway; however, that’s not all they do. They are not simply a gateway passing transactions from a website to a credit card network. When you complete a PayPal transaction, you are actually using PayPal’s website, not your own. Even if you embed a payment button, the actual PayPal transaction is not between “your website” and “the credit card networks.” A pure gateway connects your website to the credit card networks. PayPal, by contrast, connects your website to PayPal first, and then PayPal connects to the credit card network. It’s a very subtle nuance, but an important one — because once you click a PayPal payment button, as a customer, you are subject to PayPal’s terms, conditions and privacy practices. Meaning the actual transaction is between the customer and PayPal and not between the website owner and the customer. Look at a credit card statement for a transaction done through PayPal — PayPal is listed as the payee for the transaction. Any dispute of that transaction through the customer’s bank would be a dispute with PayPal, Inc. and not Some Merchant, Inc. The point is that while PayPal is a payment gateway — it’s its own payment gateway.

Still, this issue is irrelevant — PayPal is not HIPAA compliant! They’ve said as much — they use past purchase history to target offers and advertising to users. Full stop. It doesn’t matter if PayPal is a payment gateway, a bank or any other sort of business; it’s an explicit violation of HIPAA to share protected health information without written consent. And payment data for a therapy session is protected health information, since that’s exactly what “provision of care” means. So using a patient’s purchase history of paying for mental health services to target advertising? How much more ridiculous could it get? That’s about the last possible thing any patient would want, regardless of the fact that it’s a violation of the law. However, it isn’t PayPal that’s violating the law here — it’s the practitioner using PayPal. Since the practitioner doesn’t have a business associate agreement with PayPal, the practitioner is the one “on the hook.”

With iCouch, we provide, upon request, a business associate agreement to our customers. What that means is that practitioners who use our system are indemnified from HIPAA violations that may occur on our system or by any of our downstream vendors (such as our payment gateways). That’s one of our big advantages. If you use Gmail, PayPal, Skype or any number of third-party services to run your therapy business, you are required to get a business associate agreement from each of those businesses; otherwise you are risking serious HIPAA liability if any of those services has a data breach. If you’re using PayPal and PayPal has a data breach — YOU are on the hook for each violation. So if you have 50 clients and you’re using PayPal and PayPal has a data breach and those 50 clients’ information is released, then you have just committed 50 separate violations of HIPAA at a potential cost of $10,000 per violation. That means you are now subject to a $500,000 fine because of a failure of PayPal. Why? Because you didn’t get a business associate agreement, thus you assumed full liability. Don’t think such a breach can happen? Well, it did: a PayPal subsidiary, TIO Networks, had a data breach that affected 1.6 million people. Even Equifax had a massive data breach affecting almost every American in the United States. There is a long history of big, “respectable” companies having bad security. Anthem health insurance, for one. Here’s a complete list of well-known data breaches.

We could easily go back and forth debating PayPal’s merits, but, unless you have a business associate agreement with them, the point is moot. PayPal harvests purchase data and uses it to target advertising to customers. There’s no disputing that. It’s a fact. It was stated clearly by a PayPal executive on PayPal’s website. Any US practitioner that continues to use PayPal is being negligent. Any US practitioner that has read this article and continues to use PayPal is now being grossly negligent. Why? Because we’ve provided clear, sourced, and unambiguous proof that PayPal uses payment history to target advertising. That is an indisputable violation of HIPAA.

How about trying this next time you want to use PayPal for your therapy practice payments:

Ask your client the following question:

“I use PayPal for my payments system, so when you make a payment for your therapy sessions, PayPal will use this information to target you with advertising relevant to your mental health issue. Are you ok with that?”

If you disclosed that to every single patient, you’d quickly learn that PayPal is not ok for mental health payments. If you aren’t disclosing PayPal’s data practices to your patients and you’re still using PayPal — then you’re being unethical along with willfully violating HIPAA.

Around iCouch, we try to be diplomatic and respect the choices of the practitioner community. We’re a part of that community — we want to be a good citizen and we recognize that not every practitioner wants to use something like iCouch. We’re aware that we aren’t the best system for everyone — and we respect the choices of the practitioner community. However, on the issue of PayPal, let’s just go out on a limb and say that we have zero tolerance for PayPal. Use any HIPAA compliant solution you want, but under no circumstances will we ever support or endorse PayPal for mental health payments. It’s the complete antithesis of everything for which we stand at iCouch. It would be at the same level as using Facebook as your practice management system.

Patient privacy is too important.

Published by Brian Dear

Brian is the cofounder and CEO of iCouch, Inc. He has an extensive background in software engineering, inbound marketing and mental health practice management.

3 Comments

  1. I believe that all credit card companies use customer data. Just buy something on Amazon with any CC and see how fast targeted ads come up. Also, if anyone is using Analytics to optimize their website or for doing digital marketing, then they are using the data that we are so outraged about. I’ve learned a lot from Brian for sure. But I still have an issue with the fact that we’re all using Analytics that come from many sources. Most of PayPal’s information is not merely from the purchases customers make through their platform, but they weave in the other data collected by cookies etc. Internet marketing relies on collecting customer information, which is a HUGE stealth business that is only getting bigger by the minute. So, we can’t have it both ways. Everyone is collecting our data. It’s a very sophisticated process…algorithms right and left. We can’t really escape it. I don’t believe PayPal is doing anything differently than their competitors. I’m not making this up off the top of my head. I’ve been doing some homework. What I found was quite shocking. But everybody is playing the same data collection and data selling game.

    1. Analytics from Google determining if you visited a website is much different from protected health information. Visiting a website (even iCouch) isn’t protected health information, while a payment history for health appointments absolutely is protected health information. There are certainly valid concerns about data collection practices, but using Google Analytics in a discussion about HIPAA and PayPal is a bit of a straw man. Unless Google Analytics is collecting protected health information, their data collection is irrelevant when it comes to HIPAA, while payment information and the data collection around payment histories is absolutely relevant in the context of health care.

      In short, the difference is that Google Analytics isn’t trafficking in protected health information, while PayPal definitely is if one were to use it for health payments. There are plenty of problems in the data-collection world, but that doesn’t mean that Google’s or Facebook’s data policies can be used as a justification to use PayPal for protected health transactions.

  2. Wow! Such an eye opening article. Thank you so much for the information you provide on all of the important issues in our field. God bless and please keep the info coming. I don’t have the energy or time to research the info that you present to us. I love your work, honesty, and integrity that you put forth. Again, thank you for helping us all keep it straight, and make informed decisions on how to continue our work in a safe environment.
