What Square says officially
Square’s current Business Associate Agreement applies to covered entities and business associates using specified Square services with PHI. Its HIPAA help page explains that eligible sellers handling PHI agree to the BAA as part of the Square relationship.
The agreement is product-specific. It identifies HIPAA-enabled services and excludes Buyer Services and other situations where Square has an independent role. Square’s broader payment terms still govern transaction use. A Square account should therefore not be treated as a single undivided healthcare environment.
The published BAA supports a conditional verdict for the covered seller workflow. The exact services, data fields, customer-facing screens, and integrations must stay within that scope.
What this means for a medical practice
A payment can reveal healthcare information through item names, invoices, customer notes, receipts, statement text, appointment links, dispute evidence, and loyalty or marketing records. Staff may add a diagnosis for convenience even though a generic internal billing reference would be enough.
Buyer-facing features create another boundary. The practice needs to know which information is processed for it under the BAA and which information Square handles independently for the buyer. A product being accessible from the same dashboard does not settle that question.
Front-desk procedure can reduce exposure. Staff should select generic catalog items, avoid free-text medical notes, and know where to record clinically relevant billing context instead. Supervisors should periodically inspect receipts and exports for drift.
Payments on a HIPAAconscious medical website should avoid treatment details in URLs, analytics, checkout descriptions, and metadata. A well-designed patient selfscheduling flow passes only the minimum billing reference from scheduling into payment.
How to use it safely
- Compare every intended Square product and feature against the current BAA’s HIPAA-enabled service list and exclusions.
- Retain the agreement and document where the covered seller service ends and Buyer Services begin.
- Use practice-owned staff accounts, minimum permissions, strong authentication, and prompt offboarding.
- Use generic item, invoice, receipt, statement, and notification language. Keep diagnoses and treatment details out.
- Do not use customer notes, metadata, dispute evidence, support tickets, or exports as a clinical record.
- Review Appointments, Invoices, payment devices, Customer Directory, marketing, loyalty, payroll, banking, and other products separately.
- Evaluate EHR, accounting, scheduling, automation, and reporting integrations independently.
- Run fictional transactions through checkout, receipt, refund, dispute, reporting, export, and deletion.
Compliant alternatives
Stripe can be limited to a payment-only workflow that keeps PHI out of Third Party Data and transaction context, but it does not provide the same published BAA path in the sources reviewed. Square Appointments has its own page because scheduling adds notifications, buyer interactions, and appointment records beyond payment.
Document the selected Square services and review that list again before enabling any additional dashboard product or buyer feature.
Bottom line
Square publishes a BAA for specified HIPAA-enabled seller services. Use it conditionally and stay inside the named scope. Minimize transaction context, map excluded Buyer Services, and evaluate every additional Square product and integration rather than relying on the brand name alone.