It is necessary for Ivy Pay to be HIPAA compliant if a healthcare provider who qualifies as a HIPAA covered or hybrid entity wants to use the payment processing software for functions that involve uses and disclosures of Protected Health Information.
There are a number of factors to consider when answering the question of whether it is necessary for Ivy Pay to be HIPAA compliant. These include who is using the payment software, what they are using it for, and whether the activity being performed involves a use or disclosure of Protected Health Information (PHI).
Who is Using Ivy Pay?
Who is using the payment software is important because not all healthcare providers qualify as HIPAA covered entities. In cases in which healthcare providers do not qualify as covered entities (because they do not conduct electronic healthcare transactions for which standards exist in 45 CFR Part 162), it does not matter if Ivy Pay is HIPAA compliant.
Similarly, healthcare providers that operate as hybrid entities only need to comply with HIPAA for covered activities. In most cases this would mean not having to comply with HIPAA when clients are billed directly – although it will still be necessary to protect all client health information to comply with state licensing and breach notification laws.
The profession of the healthcare provider is also important. At present, Ivy Pay only accepts customers who are licensed therapists or mental health professionals. This is because Ivy Pay evolved as a payment service for providers registered with the Talk to Ivy service. This condition of use may change in the future, but at present it limits who can use Ivy Pay.
What is the Service Being Used For?
The Public Health and Welfare Code (§1320d-8) exempts payment processors from complying with the HIPAA Security and Privacy Rules when authorizing, clearing, settling, transferring, reconciling, or collecting healthcare-related payments. Due to this exemption, it is not necessary for Ivy Pay to be HIPAA compliant if it is only being used for payment processing.
However, like many other types of payment management software, Ivy Pay supports other functions that are not exempted by §1320d-8 (i.e., invoicing). These functions can be conducted outside of the HIPAA regulations if they do not involve disclosures of PHI, but once PHI is used or disclosed to Ivy Pay, it is necessary for Ivy Pay to be HIPAA compliant.
In addition, Ivy Pay has a number of non-financial functions that can only be used by disclosing PHI. These include client intake, appointment management, and profile maintenance. All these functions require Ivy Pay to be HIPAA compliant if a covered or hybrid entity is creating, receiving, storing, or transmitting PHI via the Ivy Pay software.
Is Ivy Pay HIPAA Compliant?
Ivy Pay has all the controls and safeguards required by the Security Rule to support HIPAA compliance. Ivy Pay also offers licensed therapists and mental health professionals who qualify as covered or hybrid entities under HIPAA a Business Associate Agreement. The Agreement explains Ivy Pay’s compliance obligations under both the Security and Privacy Rules.
Because Ivy Pay fulfills all the requirements to be a HIPAA compliant business associate, it can be used by covered and hybrid entities for client management functions that involve uses and disclosures of PHI. Therapists and mental health professionals with questions about how to use Ivy Pay in compliance with HIPAA can speak with Ivy Pay directly or seek advice from a HIPAA compliance expert.