From The HIPAA Journal, by Steve Alder:
- Apple Pay and HIPAA Compliance: Apple Pay is not itself HIPAA compliant, but healthcare providers and health plans can still use it to collect payments. Payment processing is exempt from HIPAA under §1179 of the Act, which carves out entities engaged in processing payment transactions.
- How Apple Pay Works: Apple Pay is a mobile payment service that uses a unique Device Account Number for each card registered in the Apple Wallet app. The service facilitates online, in-app, and contactless payments without sharing the user’s credit or debit card details with the recipient.
- Privacy and Protected Health Information (PHI): Because of the way Apple Pay operates, neither the recipient nor Apple holds information that would identify the user together with the details of their purchase. Information passing through Apple Pay therefore does not meet the definition of PHI.
- Exceptions and Limitations: The HIPAA exemption covers only the payment facilitation aspect of Apple Pay. Covered entities and business associates should not store individually identifiable health information in the Apple Wallet app, because Apple will not sign a Business Associate Agreement. Any third-party integration with Apple Pay that is used for payment reconciliation must itself be HIPAA compliant.
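To make the "How Apple Pay Works" point concrete, here is an added, simplified model of card tokenization that is not Apple's code or the article's: a token vault issues a separate Device Account Number (DAN) for each card-and-device pair, the device signs each payment with a per-DAN key, and the merchant only ever sees the DAN plus a one-time cryptogram. The class and function names, the HMAC-based cryptogram standing in for the real EMV cryptogram, and the test card number are all assumptions made for the example.

```python
"""Simplified model of the tokenization behind mobile wallet payments.

Constructed example: the vault, device and cryptogram format here are
assumptions for illustration, not Apple's implementation.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def make_cryptogram(key: bytes, dan: str, amount_cents: int, nonce: str) -> str:
    """One-time authorization code over the transaction details.
    HMAC-SHA256 is an assumption standing in for the real EMV cryptogram."""
    msg = f"{dan}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class TokenVault:
    """Token service provider: the only party able to map a DAN back to a PAN."""
    _card_by_dan: dict = field(default_factory=dict)  # dan -> (pan, device_id)
    _key_by_dan: dict = field(default_factory=dict)   # dan -> per-device key
    _seen: set = field(default_factory=set)           # (dan, nonce) replay guard

    def provision(self, pan: str, device_id: str) -> tuple[str, bytes]:
        """Enrol a card on one device: fresh DAN and key, never reusing a DAN."""
        while True:
            dan = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))
            if dan not in self._card_by_dan:
                break
        key = secrets.token_bytes(32)
        self._card_by_dan[dan] = (pan, device_id)
        self._key_by_dan[dan] = key
        return dan, key

    def authorize(self, payment: dict) -> bool:
        """Verify the cryptogram, then reject replays. The PAN never leaves the vault."""
        dan = payment["dan"]
        key = self._key_by_dan.get(dan)
        if key is None:
            return False
        expected = make_cryptogram(key, dan, payment["amount_cents"], payment["nonce"])
        if not hmac.compare_digest(expected, payment["cryptogram"]):
            return False  # tampered amount, DAN or nonce
        replay_key = (dan, payment["nonce"])
        if replay_key in self._seen:
            return False  # same cryptogram presented twice
        self._seen.add(replay_key)
        return True


@dataclass
class Device:
    """A phone or watch holding a provisioned DAN and its key (in practice in a secure element)."""
    device_id: str
    dan: str
    key: bytes

    def pay(self, amount_cents: int) -> dict:
        """Build the payload a merchant receives: DAN and cryptogram, no card number."""
        nonce = secrets.token_hex(8)
        return {"dan": self.dan, "amount_cents": amount_cents, "nonce": nonce,
                "cryptogram": make_cryptogram(self.key, self.dan, amount_cents, nonce)}


def records_mention_pan(records: list, pan: str) -> bool:
    """What a merchant, or an attacker who dumps its database, could learn."""
    return any(pan in str(r) for r in records)


def run_demo() -> dict:
    """Enrol one constructed card on two devices and pay a merchant from each."""
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test PAN, not a real card
    phone = Device("phone", *vault.provision(pan, "phone"))
    watch = Device("watch", *vault.provision(pan, "watch"))

    merchant_records = []  # everything the payee ever sees
    authorized = []
    for dev, amount in ((phone, 12500), (watch, 4000)):
        payment = dev.pay(amount)
        merchant_records.append(payment)
        authorized.append(vault.authorize(payment))

    replay_accepted = vault.authorize(merchant_records[0])  # same payload again
    tampered = dict(merchant_records[1], amount_cents=99999, nonce="deadbeef")
    tamper_accepted = vault.authorize(tampered)  # amount changed, cryptogram stale

    return {
        "authorized": authorized,
        "dan_differs_per_device": phone.dan != watch.dan,
        "merchant_saw_pan": records_mention_pan(merchant_records, pan),
        "replay_accepted": replay_accepted,
        "tamper_accepted": tamper_accepted,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point the model makes is the one the article relies on: the merchant's records hold a device-bound token and a one-time code, so a breach of the payee's systems exposes neither the card number nor anything that links the payer to a particular purchase, and the vault's replay and tamper checks show why reusing or editing a captured payload gets a merchant nothing.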