Does Square Sign a HIPAA Business Associate Agreement?
By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026
Key Takeaways
- ✗ No — Square does not sign a standard HIPAA BAA for typical healthcare payment processing
- ✓ Pure payment card processing (name + credit card only, no clinical PHI) may not require a BAA
- ✓ If payment data is linked to diagnoses or procedures, Square is likely not appropriate
- ✓ Alternatives: Instamed, Paya, Rectangle Health, or EHR-integrated payment solutions with BAAs
Does Healthcare Payment Processing Require a HIPAA BAA?
The answer depends on what data flows through your payment processor. There is an important distinction in HIPAA compliance:
- Pure financial data only: If a payment processor handles only a patient's name and credit card number for payment — with no connection to diagnoses, procedures, insurance IDs, or health status — a BAA may not be required. Payment card data is governed by PCI-DSS, not HIPAA.
- Financial data linked to clinical information: If the payment record in your system links the patient's name to a specific procedure code, diagnosis, or health service, the combination creates PHI. In this case, the payment processor that handles this data is a Business Associate.
In practice, most healthcare billing systems combine payment with clinical codes (CPT codes, ICD-10 codes, service descriptions), which means the payment processor does become a Business Associate. This is why dedicated healthcare payment processors — rather than general-purpose processors like Square — are commonly recommended for medical billing.
HIPAA-Compliant Payment Processor Alternatives to Square
| Payment Processor | HIPAA BAA Available? | Notes |
|---|---|---|
| Instamed (JPMorgan) | Yes | Healthcare-specific; BAA standard in contract |
| Paya (Healthcare) | Yes | Healthcare payment processing with HIPAA BAA |
| Rectangle Health | Yes | Built for healthcare practices; BAA included |
| Stripe (Enterprise) | Verify with Stripe | Stripe has offered BAAs for some enterprise customers; verify current status |
| Square | No (standard) | Standard agreement lacks a BAA; for Square for Healthcare, verify with sales |
Square for Healthcare: The Gray Area
Square markets "Square for Healthcare" as a product for health and wellness businesses — including massage therapists, chiropractors, fitness professionals, and similar providers. However, this product positioning does not automatically mean a HIPAA BAA is included.
If you are a HIPAA-covered entity (a licensed healthcare provider who conducts electronic health transactions) and you want to use Square, you must verify directly with Square's sales team whether BAA execution is available for your specific use case. Do not assume Square for Healthcare includes a BAA — the "for healthcare" branding does not equal HIPAA BAA coverage.
What to Do If You Are Currently Using Square
If your practice currently uses Square for patient payments, evaluate your risk:
- Does your Square account store or process any clinical PHI (procedure codes, diagnoses, health service descriptions)?
- Does your billing workflow link payment data to PHI in any downstream system?
- Are you a HIPAA-covered entity subject to BAA requirements?
If the answer to any of these is yes, consult with your compliance counsel about whether a BAA is required and whether Square can provide one. If Square cannot provide a BAA, transition to a dedicated healthcare payment processor before your next billing cycle.
Frequently Asked Questions
Does Square sign a HIPAA BAA?
No — not through its standard merchant agreement. Square for Healthcare is marketed to health businesses, but BAA availability is not confirmed in standard terms. Contact Square's sales team if you believe you need a BAA.
Can I use Square for medical payments?
If your payment processing involves only payment card data with no clinical PHI linkage, a BAA may not be required. But most medical billing involves procedure codes that create PHI linkage — in which case Square's standard terms are likely insufficient. Consider dedicated healthcare payment processors.
What payment processors sign a HIPAA BAA?
Dedicated healthcare payment processors, including Instamed (JPMorgan), Paya, and Rectangle Health, offer HIPAA BAAs. Verify current BAA availability with any payment processor before using it for healthcare billing involving PHI.
For a broader look at which vendors sign HIPAA BAAs, see our vendor BAA lookup guide.