
HIPAA-Compliant Payment Processing & Patient Billing (2026)

When patients pay for healthcare services, their payment record can include PHI if it references the service rendered. Payment processing in healthcare therefore sits at the intersection of HIPAA and PCI DSS. This guide compares processors that sign BAAs alongside standard PCI controls.


Verdict: Conditional — payment processing and patient billing can be HIPAA compliant with the configuration described below.

Stripe and Square both offer HIPAA-eligible terms for healthcare customers on request. Authorize.Net (Visa) offers BAA for Healthcare. InstaMed (JPMorgan) is purpose-built for healthcare payments with BAA included. Standard merchant accounts at most processors do NOT include a BAA by default.

Compliance Assessment (Aspect: Status)

Stripe (Healthcare BAA): Yes
  Stripe offers a HIPAA-eligible BAA for healthcare customers on request. Covers Stripe Payments and selected Stripe products. Standard self-serve Stripe accounts do not include the BAA; you must request it.

Square (Healthcare BAA): Yes
  Square offers HIPAA-eligible terms for healthcare merchants. BAA available on request. Covers Square POS, Square Online, and Invoices.

Authorize.Net: Yes
  Visa's Authorize.Net offers a BAA for healthcare merchants. Long-standing presence in medical billing; integrates with many practice management systems.

InstaMed (JPMorgan): Yes
  Purpose-built healthcare payments platform. BAA included by default. Handles patient billing, payment plans, and integrates with major EHRs.

Braintree (PayPal): With Configuration
  BAA available on Enterprise contracts. Requires direct contract negotiation through PayPal's healthcare team.

Standard PayPal / Venmo / Cash App: No
  No BAA available. Personal-account payment products are not HIPAA eligible. Do not direct patients to PayPal.Me, Venmo, or Cash App for healthcare payments.

Business Associate Agreement (BAA)

BAA is available

Stripe and Square HIPAA BAAs are NOT automatic — they must be explicitly requested through their respective sales/compliance teams. Authorize.Net offers BAA for healthcare merchants. InstaMed BAA is included by default. Braintree BAA requires Enterprise contract negotiation.

How to Make Payment Processing & Patient Billing HIPAA Compliant

1. Sign the BAA before linking the payment processor to any system that contains PHI.

2. Minimize PHI in payment descriptors: use procedure codes or anonymized identifiers rather than diagnoses.

3. Verify the processor's PCI DSS Level 1 attestation as a complement to the HIPAA BAA.

4. Use vault tokenization to keep PAN out of your systems entirely.

5. Enable detailed transaction audit logging; retain logs for at least 6 years per HIPAA.

6. For patient-portal payment links, host the payment form on the processor's HIPAA-eligible infrastructure (Stripe Checkout, Square Online) rather than embedding raw card fields.
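Steps 2 and 4 (and the invoice-memo limitation below) can be enforced in code before a billing record is handed to any processor. The following Python is an added example, not code from this guide or from any processor named in it; the opaque billing-ID format `PT-XXXXXXXX`, the five-digit procedure-code pattern, and the diagnosis term list are assumptions you would replace with your own policy.

```python
import re

# Assumed policy for what may appear in a descriptor or invoice memo:
# the patient reference is an opaque billing ID (never a name or MRN),
# and the service is a 5-digit procedure code rather than free text.
BILLING_ID_RE = re.compile(r"^PT-[0-9A-F]{8}$")
CPT_RE = re.compile(r"^\d{5}$")
# Constructed list of terms that turn a memo into PHI; extend per specialty.
DIAGNOSIS_RE = re.compile(
    r"\b(?:diagnos\w*|hiv|cancer|depress\w*|pregnan\w*|icd-?\d*)\b", re.I)
# Any 13-19 digit run (spaces/dashes allowed) is checked for a card number.
DIGIT_RUN_RE = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check, i.e. is PAN-shaped."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """Flag a raw card number in free text; only a vault token should appear."""
    for m in DIGIT_RUN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False


def descriptor_problems(billing_id: str, cpt_code: str, memo: str) -> list:
    """Return every policy violation found; an empty list means minimized."""
    problems = []
    if not BILLING_ID_RE.match(billing_id):
        problems.append("patient reference must be an opaque billing ID")
    if not CPT_RE.match(cpt_code):
        problems.append("service must be a 5-digit procedure code, not text")
    if DIAGNOSIS_RE.search(memo):
        problems.append("memo contains diagnosis language")
    if contains_pan(memo):
        problems.append("memo contains a card number; send the vault token")
    return problems


def build_descriptor(billing_id: str, cpt_code: str, memo: str = "") -> dict:
    """Return the minimized record for the processor, or raise with the reasons."""
    problems = descriptor_problems(billing_id, cpt_code, memo)
    if problems:
        raise ValueError("; ".join(problems))
    return {"reference": billing_id, "service": cpt_code, "memo": memo}
```

Run the same checks over existing recurring-billing notes and invoice templates to catch memos that already leak PHI.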

Limitations

  • Standard self-serve accounts at most processors do NOT include the BAA — you must explicitly request HIPAA terms.
  • Reporting dashboards that display patient names alongside service descriptions may inadvertently expose PHI; restrict access.
  • Recurring billing notes / invoice memos can contain PHI if poorly configured; review templates regularly.
  • Marketplace integrations (Stripe Apps, Square App Marketplace) may not be HIPAA covered; audit each app.

Frequently Asked Questions

Is Stripe HIPAA compliant?

Stripe offers a HIPAA-eligible Business Associate Agreement on request — it is not enabled by default on self-serve Stripe accounts. You must contact Stripe sales / compliance and explicitly request the BAA, then enable HIPAA-aware configuration on your account.

Is Square HIPAA compliant?

Square offers HIPAA-eligible terms for healthcare merchants on request. The standard Square merchant account is PCI compliant but does not include a HIPAA BAA — you must request it through their healthcare team.

Can I use Venmo for patient payments?

No. Venmo does not offer a BAA. Patient payments through Venmo (and PayPal personal accounts) violate HIPAA when the payment record contains identifying healthcare information. Use a HIPAA-eligible processor instead.

What is the difference between HIPAA compliance and PCI compliance for payment processors?

PCI DSS controls how payment card data is handled (PAN, CVV, etc.). HIPAA controls how protected health information is handled. A healthcare payment record sits at the intersection — you need both. Most major processors are PCI Level 1 by default, but HIPAA terms require an explicit BAA.

Is InstaMed worth the premium?

InstaMed (JPMorgan) is purpose-built for healthcare and includes the BAA by default — no separate request needed. It also handles patient payment plans, eligibility verification, and EHR integration out of the box. The premium is justified for mid-market healthcare; smaller practices often pick Stripe or Square with HIPAA terms for simplicity.

Do I need a BAA if I only collect copays in person at a card terminal?

Yes — if the transaction record contains any PHI (patient name + service descriptor, etc.). The payment processor handles a record that includes a protected element. Sign the BAA even for in-person POS systems.
