Is Square HIPAA Compliant? Limitations and Alternatives

Square is not HIPAA compliant and does not sign Business Associate Agreements (BAAs), which means healthcare providers cannot use it as a fully HIPAA-covered payment solution. While Square holds strong security certifications for general payment processing, it was not designed to meet the specific requirements of healthcare data privacy law.

What Square’s Security Certifications Cover

Square is PCI compliant, meaning it meets the payment card industry’s standards for securely handling credit and debit card data. It also holds SOC 1, SOC 2, and ISO 27001 certifications, which are respected benchmarks for data security, operational controls, and information management. These certifications protect cardholder data and financial transactions, but they are not the same as HIPAA compliance.

PCI compliance and HIPAA compliance address different types of information. PCI protects payment card numbers during a transaction. HIPAA protects health information: diagnoses, treatment records, insurance details, and any data that links a patient’s identity to their healthcare. A platform can be excellent at one without covering the other.

Why the BAA Matters

Under HIPAA, any third-party vendor that handles protected health information (PHI) on behalf of a healthcare provider must sign a Business Associate Agreement. A BAA is a legal contract that holds the vendor accountable for safeguarding patient data, reporting breaches, and following HIPAA’s privacy and security rules. Without a signed BAA, a healthcare provider is technically in violation of HIPAA by sharing PHI with that vendor.

Square does not offer BAAs. This is the core issue. Even if the data Square processes during a payment is limited to a credit card number and a dollar amount, the problem arises when any health-related information travels alongside that transaction. If an invoice description includes a procedure name, or if appointment details are tied to a payment record, that combination can become PHI. Without a BAA in place, the provider bears full legal risk.

Where Square Can and Cannot Fit

Some healthcare practices do use Square for collecting copays or selling retail products like skincare items, supplements, or eyeglasses. In these cases, the transaction itself may not contain health information. A simple credit card charge for a flat dollar amount, with no description linking it to a medical service, generally does not create a HIPAA concern on its own.

The risk increases when Square is used for invoicing that describes medical services, when its appointment scheduling features are used to book patient visits, or when transaction records could be cross-referenced with patient charts. Any of these scenarios can turn routine payment data into protected health information. Without a BAA, there is no contractual obligation for Square to handle that data according to HIPAA standards, and no guarantee it will notify you of a breach the way HIPAA requires.

HIPAA-Friendly Alternatives

Several payment processors do sign BAAs and are built for healthcare environments. Options vary in features and pricing, but the key filter is simple: does the vendor offer a BAA? If the answer is no, it cannot be part of a HIPAA-compliant workflow that involves any patient health data.

Practice management platforms that include integrated payment processing often handle this automatically, bundling the BAA into the broader service agreement. If you already use an electronic health records (EHR) system, check whether it offers built-in payment tools covered under its existing BAA. This is typically the simplest path to compliant billing.

For practices that want a standalone card reader or point-of-sale system, look specifically for processors that advertise healthcare compliance and list BAA availability in their terms of service. Asking for the BAA before signing up, not after, saves the headache of migrating systems later.

The Bottom Line for Healthcare Providers

Square is a secure, well-certified payment platform for general retail and service businesses. Its PCI, SOC 1, SOC 2, and ISO 27001 certifications are legitimate and meaningful. But security certifications and HIPAA compliance are different obligations, and Square does not meet the HIPAA requirement that matters most to healthcare providers: a signed Business Associate Agreement. If your practice handles any health information that could intersect with payment processing, Square leaves a compliance gap that you, not Square, would be liable for in an audit or breach investigation.