Healthcare providers who want to accept credit cards face a compliance question that most payment processors don’t answer clearly: does HIPAA apply to credit card transactions, and does your processor actually meet those requirements? The short answer is that most standard processors don’t, and providers often don’t find out until it matters. This guide explains what HIPAA-compliant credit card processing requires and what you need to verify before choosing a processor.
ConvesioPay provides HIPAA-compliant credit card processing for healthcare providers. BAA included, WooCommerce-native, built on Convesio’s HIPAA-compliant infrastructure. Talk to our team →
1. When Does HIPAA Apply to Credit Card Processing?
HIPAA applies when a credit card transaction involves Protected Health Information (PHI). The critical question is whether the payment transaction is associated with health information about the patient.
A credit card charge is likely subject to HIPAA when:
- The transaction is for a specific medical service (the service itself is PHI when linked to an identifiable patient)
- The billing system connects the payment to a patient’s medical record
- The payment portal displays account balances tied to medical services
- The receipt or confirmation includes clinical information
A purely financial transaction with no health information (for example, a generic charge with no service description) might not involve PHI, but most healthcare billing systems associate payments with specific services, which brings HIPAA into scope.
2. What Most Standard Credit Card Processors Don’t Provide
Standard payment processors are designed for retail e-commerce. They provide PCI DSS compliance (protecting cardholder data) but typically don’t address HIPAA requirements:
| HIPAA requirement | Standard processors (Stripe, PayPal, Square) |
|---|---|
| Business Associate Agreement (BAA) | Not available on standard accounts |
| PHI handling policies | Not addressed in standard terms of service |
| HIPAA-specific audit logging | Transaction logs available, but not formatted for HIPAA audit requirements |
| Breach notification per HIPAA timelines | Not guaranteed in standard agreements |
| PHI encryption policies | Card data encrypted (PCI requirement), but PHI handling not specified |
This doesn’t mean standard processors are inherently insecure; it means they’re not designed or contracted for healthcare use. Using one for transactions that involve PHI creates a compliance gap.
3. The Business Associate Agreement
A Business Associate Agreement (BAA) is the foundational HIPAA document for third-party vendor relationships. If your payment processor touches PHI, it is a Business Associate, and you must have a BAA in place before any PHI is shared with it.
A BAA should specify:
- What PHI the business associate is permitted to use and disclose
- Requirements for safeguarding PHI
- Obligations to report any breach or security incident involving PHI
- What happens to PHI upon termination of the relationship
- Whether the business associate is permitted to use sub-contractors, and if so, what their BAA obligations are
HHS has published model BAA language. A BAA that only addresses payment card data (PCI scope) without specifically addressing PHI is insufficient for HIPAA purposes.
4. Documentation Requirements
HIPAA compliance isn’t a one-time event; it requires ongoing documentation. For payment processing specifically:
- BAA archive — maintain executed BAAs with all business associates for at least six years
- Risk assessment documentation — document your assessment of the risks associated with your payment processing setup
- Access log records — maintain audit logs of who accessed payment systems and patient financial data
- Incident response records — document any security incidents, even those that don’t rise to the level of a reportable breach
- Training records — staff who handle patient payments should receive HIPAA training; document it
5. HSA and FSA Card Considerations
Healthcare providers frequently accept HSA and FSA cards — Visa/Mastercard-network debit cards restricted by Merchant Category Code (MCC). These cards can only be used at merchants with eligible healthcare MCCs, so your practice’s MCC coding must be accurate.
For HSA/FSA acceptance to work correctly:
- Confirm your processor assigns the correct MCC at onboarding (consult with them before going live)
- Issue itemized receipts showing eligible expenses for patient FSA documentation
- Be aware that some services may be ineligible — cosmetic procedures, for example, are generally not HSA-eligible
6. Tokenization and Card Data Security in Healthcare
Healthcare organizations frequently store payment credentials for recurring billing — membership fees, installment plans, and follow-up charges. Proper card storage in a healthcare context requires:
- Processor-side tokenization — raw card numbers should never be stored on your servers. Your payment processor issues a token that represents the card; you store the token.
- Separation of card tokens from PHI — ideally, your card token database and your patient record database are separate systems with separate access controls
- Network tokenization — Visa and Mastercard network tokens update automatically when a patient’s card is reissued, reducing recurring billing failures
ConvesioPay uses Adyen’s tokenization infrastructure, which issues both merchant tokens (for recurring charges) and network tokens (for automatic card updates).
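The following added example (not ConvesioPay’s, Adyen’s, or any processor’s code) shows the storage pattern the three points above describe: the processor issues a token, the merchant persists only the token and last four digits, and the token vault is keyed by an opaque billing account id rather than the patient’s medical record number so it can live in a separate system from the PHI. The processor call is simulated in-process for illustration; in practice tokenization happens on the processor’s side. All store classes, function names and sample values are constructed.

```python
"""Tokenized card storage kept apart from PHI (illustrative, constructed)."""
import json
import secrets
from dataclasses import dataclass, field

# Constructed sample input in the style of a test card number; not a real card.
SAMPLE_PAN = "4111111111111111"
SAMPLE_EXPIRY = "12/27"


def simulated_processor_tokenize(pan: str, expiry: str) -> dict:
    """Stand-in for the processor's tokenization API (assumption: real processors
    do this server-side). The full PAN is used only here and never returned."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("invalid card number format")
    return {
        "token": "tok_" + secrets.token_hex(16),  # opaque, random, unguessable
        "last4": pan[-4:],                        # enough for receipts and UI
        "expiry": expiry,
    }


@dataclass
class CardTokenStore:
    """Token vault keyed by an opaque billing account id, never by MRN.
    Holds no PHI: no names, diagnoses or service descriptions."""
    _tokens: dict = field(default_factory=dict)

    def save(self, billing_account_id: str, token_record: dict) -> None:
        if "pan" in token_record:
            raise ValueError("refusing to store a raw card number")
        self._tokens[billing_account_id] = token_record

    def get(self, billing_account_id: str) -> dict:
        return self._tokens[billing_account_id]

    def replace_token(self, billing_account_id: str, new_token: str, new_expiry: str) -> None:
        """Apply a processor/network token update after a card is reissued,
        so recurring charges keep working without touching the patient record."""
        rec = self._tokens[billing_account_id]
        rec["token"] = new_token
        rec["expiry"] = new_expiry

    def dump(self) -> str:
        return json.dumps(self._tokens, sort_keys=True)


@dataclass
class PatientRecordStore:
    """PHI store. Links to billing only through the opaque billing_account_id."""
    _patients: dict = field(default_factory=dict)

    def save(self, mrn: str, record: dict) -> None:
        self._patients[mrn] = record

    def billing_account_for(self, mrn: str) -> str:
        return self._patients[mrn]["billing_account_id"]

    def dump(self) -> str:
        return json.dumps(self._patients, sort_keys=True)


def new_billing_account_id() -> str:
    """Random id unrelated to the MRN, so token rows cannot be joined to PHI by inspection."""
    return "ba_" + secrets.token_hex(8)


def enroll_card(patients: PatientRecordStore, tokens: CardTokenStore,
                mrn: str, pan: str, expiry: str) -> str:
    """Tokenize a card for recurring billing; the PAN is never persisted anywhere."""
    billing_id = patients.billing_account_for(mrn)
    tokens.save(billing_id, simulated_processor_tokenize(pan, expiry))
    return billing_id


def build_recurring_charge(tokens: CardTokenStore, billing_account_id: str,
                           amount_cents: int) -> dict:
    """Processor request for a stored-credential charge; carries no clinical detail."""
    rec = tokens.get(billing_account_id)
    return {
        "token": rec["token"],
        "amount_cents": amount_cents,
        "currency": "USD",
        "reference": billing_account_id,  # opaque; no MRN, name or service description
    }


def contains_pan(serialized: str, pan: str) -> bool:
    """Check that a store's serialized contents do not contain the raw card number."""
    return pan in serialized


def demo() -> dict:
    """End-to-end: enroll, charge, simulate a card reissue, then verify no leakage."""
    patients, tokens = PatientRecordStore(), CardTokenStore()
    billing_id = new_billing_account_id()
    patients.save("MRN-0001", {"name": "Sample Patient", "billing_account_id": billing_id})
    enroll_card(patients, tokens, "MRN-0001", SAMPLE_PAN, SAMPLE_EXPIRY)
    first_charge = build_recurring_charge(tokens, billing_id, 4500)
    tokens.replace_token(billing_id, "tok_" + secrets.token_hex(16), "01/30")  # reissue
    second_charge = build_recurring_charge(tokens, billing_id, 4500)
    return {
        "first_charge": first_charge,
        "second_charge": second_charge,
        "pan_in_token_store": contains_pan(tokens.dump(), SAMPLE_PAN),
        "pan_in_patient_store": contains_pan(patients.dump(), SAMPLE_PAN),
        "mrn_in_token_store": "MRN-0001" in tokens.dump(),
        "last4": tokens.get(billing_id)["last4"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design choice worth noting is the join key: because the token vault is keyed by a random billing account id and the patient record is the only place that id is linked to an MRN, compromising the token store alone yields neither card numbers nor PHI, and the two stores can sit behind different access controls, as the second bullet above recommends.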
7. Choosing a HIPAA-Compliant Credit Card Processor
When evaluating processors for healthcare credit card acceptance, verify:
| Requirement | How to verify |
|---|---|
| BAA availability | Ask directly: “Will you sign a HIPAA Business Associate Agreement for our account?” |
| PHI handling policy | Ask how transaction metadata is handled if it contains patient information |
| Sub-processor disclosure | Ask for a list of sub-processors that handle transaction data, and confirm they’re BAA-covered |
| Data retention and deletion | Ask how long transaction data is retained and how you can request deletion |
| Incident notification | Ask what their breach notification timeline is, and whether it meets HIPAA’s 60-day requirement |
ConvesioPay provides BAAs for healthcare accounts, operates on Adyen’s enterprise security infrastructure, and is deployed on Convesio’s HIPAA-compliant hosting environment. For detailed HIPAA compliance requirements, see HIPAA Compliant Payment Processing: The Complete Guide.
Healthcare providers need more than PCI compliance. ConvesioPay covers both — HIPAA-compliant credit card processing with a BAA included, WooCommerce-native integration, and Convesio’s HIPAA-compliant hosting underneath. Talk to our team →