Zelle is compliant with HIPAA for receiving patient payments, but not because it meets HIPAA security standards. It’s compliant because HIPAA explicitly exempts payment processors from its privacy rules. Section 1179 of the HIPAA Act excludes financial institutions from Privacy Rule standards when they are authorizing, processing, clearing, settling, or collecting payments related to healthcare. Since Zelle only processes payments and doesn’t store or manage health information, it falls squarely within that exemption.
Why Zelle Doesn’t Need a BAA
A Business Associate Agreement is the contract HIPAA requires between a healthcare provider and any outside company that handles protected health information on the provider’s behalf. Zelle does not sign BAAs, and it doesn’t need to. The company, operated by Early Warning Services, LLC, provides only payment transfer services. It doesn’t create, receive, maintain, or transmit health records. There are no circumstances under current Zelle services where the platform would qualify as a business associate.
This exemption isn’t a loophole. HIPAA was written with payment processors in mind. When a patient sends you $150 through Zelle for a therapy session, the transaction data (sender, recipient, amount, date) is financial information, not protected health information. Zelle doesn’t know what the payment is for unless someone types it into the memo field, and even then, it’s functioning as a payment conduit rather than a health data handler.
The Conduit Exception Explained
HIPAA recognizes a category called the “conduit exception” for services that only transmit information without storing it beyond what’s needed to complete the transmission. Think of it like the postal service delivering a sealed envelope containing medical records. The postal service isn’t a business associate because it’s just moving the envelope from point A to point B.
Zelle works the same way for payments. It moves money between bank accounts without maintaining health-related data. The U.S. Department of Health and Human Services has clarified that the conduit exception applies to transmission-only services where any access to protected information is “transient in nature.” A company that stores or processes health information more persistently, even if it can’t view that information because it’s encrypted, crosses the line into business associate territory. Zelle doesn’t cross that line.
Where It Gets Complicated
The exemption holds only as long as Zelle is doing pure payment processing. If a bank or financial institution starts performing functions beyond standard funds transfer on behalf of a healthcare provider, such as managing accounts receivable or generating billing reports tied to patient records, that institution could become a business associate and would need a BAA.
The practical risk with Zelle isn’t a HIPAA violation from using it as a payment tool. It’s what happens around the payment. If your office sends a Zelle payment request that includes a patient’s diagnosis, treatment details, or other health information in the memo or description field, you’ve just transmitted protected health information through a channel that isn’t designed to protect it. The HIPAA exemption covers the financial transaction itself, not the communication surrounding it. Keep payment requests and confirmations limited to the amount owed and basic identifying information like an invoice number.
Limitations for Healthcare Practices
Zelle was designed as a consumer peer-to-peer payment network, not a healthcare billing platform. It works fine for collecting straightforward patient copays or session fees, particularly for solo practitioners and small practices. But it lacks features that dedicated healthcare payment processors offer: automated billing, integration with electronic health records, itemized statements, and compliance documentation.
Zelle also provides no dispute resolution process comparable to credit card chargebacks, and transactions are typically irreversible once sent. For practices handling high volumes of patient payments or dealing with insurance-adjacent billing, these limitations matter more than HIPAA status. The compliance question is settled, but the operational fit depends on your practice size and workflow.
Alternatives That Offer BAAs
If your practice needs a payment processor that goes beyond simple funds transfer and touches patient data in any way, you’ll want a platform that signs a Business Associate Agreement. Several options are built specifically for healthcare:
- Rectangle Health: Designed for healthcare billing with HIPAA-compliant infrastructure.
- Ivy Pay: Built for therapists and mental health providers, with a focus on confidentiality.
- Jane: An all-in-one practice management platform with integrated payment processing, eliminating the need for a separate third-party system.
- Authorize.Net: A general-purpose payment gateway that supports BAAs for healthcare clients.
- Elavon: A global payment processor with documented HIPAA adherence.
The key distinction: if the platform only moves money, a BAA isn’t required. If it stores patient information, generates health-related reports, or integrates with your records system, it needs one. Before signing up with any processor, confirm in writing that they will execute a BAA. That single document is what creates legal accountability for protecting your patients’ data.

