Vendor documentation review

Is Square HIPAA Compliant? (2026 Verdict)

Conditionally

Square provides a BAA for specified HIPAA-enabled seller services, but excluded Buyer Services and other products require a carefully limited payment workflow.

Last verified:

At a glance

BAA available
Yes
Plan required
Square account using services identified as HIPAA-enabled
Configuration required
Confirm covered services, minimize transaction details, restrict staff, and review Buyer Services, receipts, customer data, and integrations.
Category
Payments
Official site
Visit Square

What Square says officially

Square’s current Business Associate Agreement applies to covered entities and business associates using specified Square services with PHI. Its HIPAA help page explains that eligible sellers handling PHI agree to the BAA as part of the Square relationship.

The agreement is product-specific. It identifies HIPAA-enabled services and excludes Buyer Services and other situations where Square has an independent role. Square’s broader payment terms still govern transaction use. A Square account should therefore not be treated as a single undivided healthcare environment.

The published BAA supports a conditional verdict for the covered seller workflow. The exact services, data fields, customer-facing screens, and integrations must stay within that scope.

What this means for a medical practice

A payment can reveal healthcare information through item names, invoices, customer notes, receipts, statement text, appointment links, dispute evidence, and loyalty or marketing records. Staff may add a diagnosis for convenience even though a generic internal billing reference would be enough.

Buyer-facing features create another boundary. The practice needs to know which information is processed for it under the BAA and which information Square handles independently for the buyer. A product being accessible from the same dashboard does not settle that question.

Front-desk procedure can reduce exposure. Staff should select generic catalog items, avoid free-text medical notes, and know where to record clinically relevant billing context instead. Supervisors should periodically inspect receipts and exports for drift.

Payments on a HIPAAconscious medical website should avoid treatment details in URLs, analytics, checkout descriptions, and metadata. A well-designed patient selfscheduling flow passes only the minimum billing reference from scheduling into payment.

How to use it safely

  1. Compare every intended Square product and feature against the current BAA’s HIPAA-enabled service list and exclusions.
  2. Retain the agreement and document where the covered seller service ends and Buyer Services begin.
  3. Use practice-owned staff accounts, minimum permissions, strong authentication, and prompt offboarding.
  4. Use generic item, invoice, receipt, statement, and notification language. Keep diagnoses and treatment details out.
  5. Do not use customer notes, metadata, dispute evidence, support tickets, or exports as a clinical record.
  6. Review Appointments, Invoices, payment devices, Customer Directory, marketing, loyalty, payroll, banking, and other products separately.
  7. Evaluate EHR, accounting, scheduling, automation, and reporting integrations independently.
  8. Run fictional transactions through checkout, receipt, refund, dispute, reporting, export, and deletion.

Compliant alternatives

Stripe can be limited to a payment-only workflow that keeps PHI out of Third Party Data and transaction context, but it does not provide the same published BAA path in the sources reviewed. Square Appointments has its own page because scheduling adds notifications, buyer interactions, and appointment records beyond payment.

Document the selected Square services and review that list again before enabling any additional dashboard product or buyer feature.

Bottom line

Square publishes a BAA for specified HIPAA-enabled seller services. Use it conditionally and stay inside the named scope. Minimize transaction context, map excluded Buyer Services, and evaluate every additional Square product and integration rather than relying on the brand name alone.

Frequently asked questions

Does Square provide a Business Associate Agreement?

Yes. Square publishes a BAA that applies when eligible customers use specified Square services in a HIPAA-enabled manner.

Does the Square BAA cover every Square product?

No. The agreement identifies covered services and exclusions, including Buyer Services where Square acts independently.

Can a receipt include a diagnosis or treatment name?

Keep receipts, item names, notes, descriptors, and notifications to the minimum necessary because they can reveal health information outside the approved seller workflow.

HIPAA-friendly alternatives

A practical second look

Not sure what your website and tools are doing with patient data?

Request a done-for-you review.

Request a review