[ANSWERED] Is Apple Pay HIPAA Compliant?

Out of all US mobile wallet transactions, 92% happen via Apple Pay.

80% of patients prefer to pay for their healthcare online.

Those two statistics combined tell us two things. First, patients want to pay their medical bills over the internet. Second, they would likely want to use Apple Pay as a payment option.

From your perspective as a healthcare provider, you want to make your patient payment options as convenient as possible.

After all, a satisfied billing experience leads to 75% of patients paying their bills in full.

If a satisfying billing experience increases your chances of collecting, most modern-day patients prefer to pay online, and Apple Pay is the most used mobile wallet app, then why wouldn’t you want to accept that payment method at your practice?

Well, it’s never easy for a healthcare practice to follow technological trends. There are several massive regulations that medical organizations need to stay in compliance with in order to avoid massive fines.

Out of all of the different regulations out there, one of the most important is the Health Insurance Portability and Accountability Act (HIPAA). You see, HIPAA is a law that affects every operational aspect of healthcare organizations in the name of protecting the patient.

Patient payment happens to fall under that “operational” category.

Thus, you have no choice but to spend additional hours researching and vetting different sources regarding what payment methods you’re allowed to accept under HIPAA. 

One of the biggest questions that many healthcare practices end up asking themselves is, “Is Apple Pay HIPAA Compliant?” The short answer is no, but it doesn’t have to be.


HIPAA Patient Payment Requirements

HIPAA existed before online payment was mainstream.

Back in 1999, people were more worried about what would happen to computers when system dates rolled over from “99” to “00” with Y2K. If you had told someone back then that in twenty years they would be able to store their payment information on their phone and pay with it, you probably would have caused even more panic.

Anyway, HIPAA doesn’t have any safeguards within it that strictly reference patient payment. Its requirements are broader.

More specifically, the regulation spells out two specific requirements that somewhat relate to patient payment…

  1. The vendor must have administrative, technical and physical safeguards in place that protect ePHI.

  2. A business associate agreement (BAA) must exist between the vendor and the healthcare organization.

Apple Pay Information Safeguards

The screenshot above comes from Apple Pay’s webpage about user security and privacy.

Based on what’s highlighted, it’s clear that Apple Pay does have safeguards in place that are in line with HIPAA’s requirements.

But we’ve run into issues with giant technology companies taking advantage of their users' trust to siphon user data (I’m looking at you Facebook). So, can we trust Apple’s statement regarding the safety of its payment app?

The tech giant has made a push toward privacy on the hardware side for the past three years.

In 2019, the organization introduced the video encryption requirement for HomeKit among other privacy boosts with iOS 13.

In 2020, iOS 14 gave power to its users by requiring that websites and apps ask them permission before doing any tracking.

iOS 15 from 2021 introduced the infamous “Hide My Email” feature that allowed users to generate and use fake email addresses to protect their main one from spam.

Apple also produced and released several clever advertisements that emphasized the tech giant’s push toward better user privacy.

At the end of all this, everything points to Apple Pay achieving a level of privacy and security that’s in line with HIPAA’s requirements.

Does Apple Sign Business Associate Agreements?

Data privacy, check. Now all that’s left is to present a business associate agreement (BAA) to Apple and have them sign it.

Easy enough, right?

Well, not really. Although it sounds like a simple task, a business associate agreement isn’t something many businesses consider signing.

BAAs are contracts that specify the responsibilities each organization within the agreement has with regard to PHI.

It behooves each covered entity to seek out business associates who assure complete protection of PHI. If a breach happens that’s caused by the business associate, both organizations are liable.

You probably already knew all of that, but I needed to establish some common ground.

Now that we’re on the same page, let me pose a question to you. If over 90% of all mobile transactions come from Apple Pay, do you think Apple is willing to take on that much risk?

With statistics like that, Apple would have to sign a BAA with essentially every healthcare organization that exists.

From a business perspective, there’s definitely a strong argument regarding the revenue opportunity that exists.

However, signing a BAA opens up the door to increased liability and operating risk.

If Apple Pay experienced a breach, it would lead to serious consequences. However, if Apple Pay experienced a breach AND it affected PHI, the consequences would increase dramatically.

It ALSO puts another target on the tech giant’s back from a ransomware perspective based on the recent trends.

The answer to the question is no, Apple isn’t going to sign a business associate agreement (BAA). Thus, Apple Pay isn’t HIPAA compliant because it fails to meet that requirement.

Is Payment Information PHI?

Do you remember at the beginning of this blog post when I said that Apple Pay doesn’t have to be HIPAA compliant? That was pretty cryptic, wasn’t it?

Well, there’s a reason why I said that.

You see, when your patient pays you with Apple Pay, Apple Pay isn’t performing a HIPAA-covered function. For a transaction, Apple Pay doesn’t take in any information beyond what’s required for processing purposes. There isn’t any PHI housed within those transactions. Thus, it isn’t acting as a business associate.

Since Apple Pay isn’t functioning as a business associate, it doesn’t need to be HIPAA compliant.

You read that right.

It’s a payment processor that’s providing its normal function via a transaction. In other words, it isn’t doing anything that’s a HIPAA-covered function or activity for, or on behalf of, the provider. That means its services fall outside of being a business associate of healthcare providers.

If Apple Pay were to provide additional services beyond its payment processing function, Apple would fall under the definition of a business associate. That isn’t the case here.

A further point that’s worth mentioning is that if you accept Apple Pay and one of your clients uses it to pay their bill, they’re opting into using that service.

HIPAA Compliant Payment Processors

OK, so you technically can use and accept patient transactions with Apple Pay. But, Apple isn’t relieving any additional risk 

There are organizations out there that offer full-stack payment processing solutions (us) designed specifically for healthcare organizations (we have one). Those organizations likely also provide other solutions that classify as business associate activities (yep, still us) like revenue cycle management.

Those are the payment processing providers that you should seek out as a healthcare provider, because they’re willing to sign a BAA with you. The BAA is an important piece of the patient payment puzzle because it holds the processor liable. Yet only organizations that already work within the healthcare industry will sign one with you, because they have the necessary HIPAA standards in place.

That’s why you want to seek out payment processors who will sign BAAs.

In most cases, they’ll also still accept Apple Pay (we accept it).

Conclusion

As a healthcare provider, you don’t want to accept Apple Pay yourself. You’re potentially opening yourself up to a lot of liability because Apple isn’t going to sign a BAA with your organization.

Even though there is some gray area surrounding whether or not Apple Pay is HIPAA compliant, you don’t want to take any risks and handle that responsibility yourself.

Instead, seek out a payment processor who’s familiar with working within the healthcare space and, more importantly, will sign a BAA with you. That way, you’re not inheriting any additional risk while still being able to use one of the trendiest forms of payment.