From The HIPAA Journal, by Steve Adler:
- Stripe’s Non-HIPAA Compliance: Despite being compliant with various US and international data privacy regulations, Stripe is not HIPAA compliant. This is due to its method of recording personal data within transaction data, which is then used for fraud detection and shared with third-party payment providers, some of which have questionable security and privacy practices.
- Payment Processing Exemption: Stripe can process payments without violating HIPAA because of an exemption in the Social Security Act (§1179), which excludes financial institutions' payment-processing activities from HIPAA's Administrative Simplification Regulations. However, the exemption covers only payment processing; other activities that touch protected health information, such as fraud detection, require a Business Associate Agreement (BAA) to be in place.
- Stripe’s BAA Limitation: Stripe cannot enter into a BAA with HIPAA covered entities and business associates because some of its third-party payment providers, such as Coinbase and PayPal, will not enter into a BAA with Stripe. This is why Stripe is not HIPAA compliant.
- Stripe’s Global Compliance: As a global payment processing platform, Stripe must adhere to various consumer protection regulations and licensing requirements worldwide, leading it to restrict or prohibit certain types of business activities, including collecting payments for certain healthcare services.
- Violating Stripe’s Terms and Conditions: If a business violates Stripe’s Terms and Conditions, which include a list of restricted business activities, Stripe can immediately terminate access to its payment processing platform. Therefore, businesses considering Stripe should thoroughly review its Terms and Conditions and related documentation to understand their obligations.