Is PayPal HIPAA Compliant? Risks and Alternatives

PayPal is not HIPAA compliant, but healthcare providers can still use it to process payments in most situations. This distinction matters because PayPal falls under a specific legal exemption that separates payment processing from the broader handling of protected health information (PHI). The key is understanding exactly where that exemption begins and ends.

Why PayPal Doesn’t Need To Be HIPAA Compliant for Payments

HIPAA itself contains a carve-out for financial institutions. Section 1179 of the original 1996 law states that HIPAA rules do not apply to any entity engaged in “authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments” when those payments are for health care or health plan premiums. This applies regardless of how the payment is made: credit card, debit card, electronic funds transfer, or any other method.

The Department of Health and Human Services reinforced this in the preamble to the Final Omnibus Rule, explicitly confirming that “the HIPAA Rules, including the business associate provisions, do not apply to financial institutions with respect to the payment processing activities identified in §1179 of HIPAA.” Because PayPal is regulated as a financial institution, it qualifies for this exemption when it processes healthcare payments. A therapist collecting a copay through PayPal, for example, is not violating HIPAA simply by using the platform.

Where the Exemption Stops

The exemption covers payment processing only. It does not cover storing, transmitting, or managing protected health information through PayPal’s other services. PayPal will not sign a Business Associate Agreement (BAA), which is the contract HIPAA requires between a healthcare provider and any third party that handles PHI on their behalf.

This means you cannot use PayPal for anything beyond collecting money if patient health information is involved. Invoicing a patient with a description of their diagnosis, sending payment reminders that reference specific treatments, or using PayPal’s business tools to track which services each patient received all fall outside the payment processing exemption. Any of these activities could expose PHI through PayPal’s system, and without a BAA in place, your organization bears full liability for that exposure.

The Real Risk: Transaction Details

The practical danger is in what gets attached to a payment. When you send a PayPal invoice or enter a description in the payment memo field, that text becomes part of PayPal’s records. If you write “CBT session for anxiety” or “physical therapy, lumbar injury” in the transaction description, you’ve just transmitted PHI through a platform that has no obligation to protect it under HIPAA.

PayPal stores transaction data including names, email addresses, and any notes or descriptions tied to each payment. A 2025 security incident involving PayPal’s Working Capital service exposed customer data including names, email addresses, phone numbers, Social Security numbers, and dates of birth for affected users. While that breach was small in scale, it illustrates that PayPal’s data environment is not designed with HIPAA-grade protections. If health information is embedded in transaction records, it could be exposed in a similar event with no HIPAA enforcement mechanism to hold PayPal accountable.

The safe approach is straightforward: if you use PayPal, keep transaction descriptions generic. “Office visit” or “services rendered” with a date is fine. Anything that identifies a condition, treatment type, or clinical detail is not.

Payment Processors That Sign a BAA

If your practice needs a payment processor that takes on HIPAA obligations, several alternatives will sign a Business Associate Agreement. This is relevant if your payment workflows involve patient portals, automated billing systems, or any integration where health data and payment data overlap.

  • Square signs a BAA and is widely used by small healthcare practices.
  • Chase offers HIPAA-compliant payment processing with a signed BAA.
  • PaymentCloud markets itself specifically as a HIPAA-compliant merchant account provider.
  • Helcim provides a signed BAA along with transparent interchange-plus pricing and PCI compliance.
  • Jane Payments and Podium Payments also offer BAAs, with Jane being particularly popular among allied health providers.

A signed BAA means the processor accepts legal responsibility for safeguarding any PHI it handles. Without one, that responsibility stays entirely with your practice.

When PayPal Works Fine

For straightforward payment collection where no clinical details are attached to the transaction, PayPal is legally permissible. A patient paying a bill through PayPal’s standard checkout, with only the dollar amount and a generic description, falls squarely within the Section 1179 exemption. Many solo practitioners and small practices use PayPal this way without issue.

The line is simple: PayPal can move money for healthcare services, but it cannot touch health information. If your billing workflow keeps those two things separate, PayPal works. If your systems mix payment data with clinical data in any way, you need a processor that will sign a BAA.