Venmo is not HIPAA compliant. It does not offer a Business Associate Agreement (BAA), which is the legal contract required before any third-party service can handle protected health information. Healthcare providers who accept payments through Venmo risk exposing patient data and facing significant federal penalties.
Why Venmo Fails HIPAA Requirements
HIPAA requires that any company handling protected health information (PHI) on behalf of a healthcare provider sign a BAA. This contract legally binds the company to safeguard patient data, limit how it’s used, and report any breaches. Venmo does not sign BAAs with healthcare providers, which means it cannot legally process payments that involve PHI.
The problem goes deeper than paperwork. Venmo was designed as a social payment app, and several of its core features directly conflict with HIPAA’s privacy requirements:
- Social feed: Venmo transactions can appear on a public or friends-only feed by default. Even though users can switch individual payments to “Private,” the default setting must be changed manually in the app’s privacy settings. A single overlooked transaction labeled something like “therapy session” or “counseling copay” becomes a public disclosure of health information.
- Transaction descriptions: Venmo encourages users to add notes or emojis to payments. Any description that links a patient’s name to a healthcare service creates PHI that Venmo has no obligation to protect.
- No encryption standards for PHI: While Venmo uses standard financial encryption, it does not meet the specific technical safeguards HIPAA requires for health data, including access controls, audit logs, and breach notification protocols tailored to PHI.
Venmo does allow users to adjust privacy settings so future payments default to private rather than public. The app will also apply the more restrictive privacy setting between two payment partners. But these are user-controlled features, not organizational safeguards. HIPAA compliance requires the platform itself to guarantee protections, not rely on individual users to toggle the right settings.
What Happens If a Provider Uses Venmo
Using Venmo to collect patient payments puts the healthcare provider, not the patient, at legal risk. Under HIPAA, the covered entity (the therapist, doctor, or practice) is responsible for ensuring every vendor that touches PHI has a signed BAA in place. Using a platform without one is a compliance violation regardless of whether a breach actually occurs.
The Office for Civil Rights (OCR) at the Department of Health and Human Services enforces HIPAA. To date, OCR has settled or imposed penalties in 152 cases totaling nearly $145 million. Penalties are tiered based on the level of negligence, ranging from $100 per violation for unknowing infractions up to $50,000 or more per violation for willful neglect. A single unprotected transaction could count as a violation, and patterns of using non-compliant tools could multiply penalties quickly.
Beyond fines, OCR has investigated and resolved over 31,000 cases by requiring corrective action plans. These plans can mandate changes to a practice’s entire privacy infrastructure, staff retraining, and ongoing monitoring. For a solo practitioner or small practice, the cost and disruption of a corrective action plan can be as burdensome as the financial penalty itself.
Payment Apps That Offer BAAs
Several payment platforms are built specifically for healthcare providers or offer BAAs that make them HIPAA-eligible. The distinction matters: a platform is only compliant when it signs a BAA and the provider configures it according to HIPAA standards.
Ivy Pay is a popular choice among therapists and solo practitioners. It charges no setup fee, no monthly fee, and no cancellation fee, making it accessible for smaller practices. SimplePractice and TherapyNotes are electronic health record (EHR) platforms that include HIPAA-compliant payment processing as a built-in feature, which can simplify billing by keeping clinical records and payments in one system.
Square is an interesting case. It is not HIPAA compliant by default, but it will sign a BAA with healthcare providers, which makes compliant use possible when configured correctly. Stripe, on the other hand, is commonly used as the backend processor for many HIPAA-compliant EHR platforms, but Stripe on its own does not offer a BAA. Using Stripe directly without an EHR intermediary that holds the BAA leaves the provider exposed.
What Counts as Protected Health Information in a Payment
A common misconception is that a simple payment doesn’t involve health information. But PHI is broadly defined under HIPAA. It includes any information that connects an identifiable person to a healthcare service. A Venmo payment from “Jane Smith” with a memo that says “Tuesday appointment” or even just “copay” links a named individual to a healthcare encounter. That’s PHI.
Even without a memo, the transaction itself can be revealing. If a provider’s Venmo account is identifiable as a therapy practice or medical office, every incoming payment effectively discloses that the sender is a patient. On a platform where transactions can be visible to friends or the public, this is a privacy risk that no amount of careful wording can eliminate.
The safest approach is to use a payment processor that was designed with healthcare privacy in mind, signs a BAA, and keeps transaction data within a protected system rather than a social platform.

