Does Square Sign a HIPAA Business Associate Agreement?

By BAA Generator Research Team  ·  Published Apr 19, 2026  ·  Last reviewed Apr 19, 2026  ·  4 min read

Does Healthcare Payment Processing Require a HIPAA BAA?

The answer depends on what data flows through your payment processor. There is an important distinction in HIPAA compliance:

• Pure financial data only: If a payment processor handles only a patient's name and credit card number for payment — with no connection to diagnoses, procedures, insurance IDs, or health status — a BAA may not be required. Payment card data is governed by PCI-DSS, not HIPAA.
• Financial data linked to clinical information: If the payment record in your system links the patient's name to a specific procedure code, diagnosis, or health service, the combination creates PHI. In this case, the payment processor that handles this data is a Business Associate.

In practice, most healthcare billing systems combine payment with clinical codes (CPT codes, ICD-10 codes, service descriptions), which means the payment processor does become a Business Associate. This is why dedicated healthcare payment processors — rather than general-purpose processors like Square — are commonly recommended for medical billing.

HIPAA-Compliant Payment Processor Alternatives to Square

Square for Healthcare: The Gray Area

Square markets "Square for Healthcare" as a product for health and wellness businesses — including massage therapists, chiropractors, fitness professionals, and similar providers. However, this product positioning does not automatically mean a HIPAA BAA is included.

If you are a HIPAA-covered entity (a licensed healthcare provider who conducts electronic health transactions) and you want to use Square, you must verify directly with Square's sales team whether BAA execution is available for your specific use case. Do not assume Square for Healthcare includes a BAA — the "for healthcare" branding does not equal HIPAA BAA coverage.

What to Do If You Are Currently Using Square

If your practice currently uses Square for patient payments, evaluate your risk:

• Does your Square account store or process any clinical PHI (procedure codes, diagnoses, health service descriptions)?
• Does your billing workflow link payment data to PHI in any downstream system?
• Are you a HIPAA-covered entity subject to BAA requirements?

If the answer to any of these is yes, consult with your compliance counsel about whether a BAA is required and whether Square can provide one. If Square cannot provide a BAA, transition to a dedicated healthcare payment processor before your next billing cycle.

Frequently Asked Questions

Does Square sign a HIPAA BAA?

No — not through its standard merchant agreement. Square for Healthcare is marketed to health businesses but BAA availability is not confirmed in standard terms. Contact Square's sales team if you believe you need a BAA.

Can I use Square for medical payments?

If your payment processing involves only payment card data with no clinical PHI linkage, a BAA may not be required. But most medical billing involves procedure codes that create PHI linkage — in which case Square's standard terms are likely insufficient. Consider dedicated healthcare payment processors.

What payment processors sign a HIPAA BAA?

Dedicated healthcare payment processors including Instamed (JPMorgan), Paya, and Rectangle Health offer HIPAA BAAs. Verify current BAA availability with any payment processor before using for healthcare billing involving PHI.

For a broader look at which vendors sign HIPAA BAAs, see our vendor BAA lookup guide.