Accepting payments in healthcare isn’t just a technical problem, it’s a compliance problem. Every payment transaction in a healthcare context touches protected health information (PHI), which means HIPAA applies alongside PCI DSS. Most generic payment processors don’t meet HIPAA requirements. This guide explains what HIPAA compliant payment processing actually requires, what to look for in a processor, and how to build a compliant payment stack for your healthcare organization’s WooCommerce site.
ConvesioPay is designed for healthcare compliance. As a certified Adyen partner built on Convesio’s HIPAA-compliant hosting infrastructure, ConvesioPay provides the payment layer for healthcare organizations that need both PCI DSS and HIPAA coverage. Talk to our team →
1. Does HIPAA Apply to Payment Processing?
Yes — if your organization is a covered entity (healthcare provider, health plan, or healthcare clearinghouse) and the payment transaction involves PHI, HIPAA applies. The question is what information moves through the payment transaction.
A payment transaction can involve PHI in several ways:
- Patient name + diagnosis or treatment type on an invoice
- Payment portals that display appointment history or account balances tied to medical records
- Email receipts that reference the service provided
- Payment forms on a patient portal that are pre-populated with healthcare data
A purely financial transaction — a credit card charge with no medical information attached — is technically not PHI. But in practice, healthcare payment systems almost always involve PHI in some form, making HIPAA compliance a requirement for the entire payment stack.
2. What HIPAA Compliant Payment Processing Requires
Business Associate Agreement (BAA)
Any vendor that handles PHI on behalf of a covered entity is a “business associate” under HIPAA. Your payment processor, if it touches PHI, must sign a BAA. This is a formal agreement establishing the processor’s obligations to protect PHI, report breaches, and comply with HIPAA requirements.
Most standard payment processors do not offer BAAs. Stripe, Square, and PayPal’s standard terms do not include BAA provisions. Some offer them under enterprise agreements, but this requires negotiation and typically higher tiers of service. A processor that won’t sign a BAA cannot be used for payments that involve PHI.
Encryption
HIPAA requires that PHI be encrypted both in transit (when transmitted over networks) and at rest (when stored). For payment systems, this means:
- TLS 1.2+ for all payment form transmissions
- Encrypted storage of any patient payment information
- Tokenization of card data so raw card numbers are never stored alongside PHI
Access Controls
HIPAA requires that access to PHI be limited to authorized individuals. For payment systems, this translates to role-based access controls on your payment portal: patients can access their own payment history, staff can access what their role requires, and no more.
Audit Trails
HIPAA requires audit logging: who accessed PHI, when, and what actions were taken. Your payment system should log all transactions, access events, and administrative actions in a tamper-evident audit trail.
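As an added example (not ConvesioPay or Adyen code), here is a hash-chained audit log in Python that records who touched PHI, when, and what they did, and detects after-the-fact edits to earlier records; the actors, roles and token names are constructed sample values.

```python
"""Tamper-evident audit trail for a healthcare payment portal (constructed example)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" for the first record in the chain


def _entry_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the hash is reproducible.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only log; each record carries the hash of its predecessor."""

    def __init__(self):
        self.records = []

    def append(self, actor: str, role: str, action: str, resource: str, ts=None) -> dict:
        ts = ts or datetime.now(timezone.utc).isoformat()  # explicit ts only for tests
        entry = {"ts": ts, "actor": actor, "role": role, "action": action, "resource": resource}
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {"entry": entry, "prev": prev, "hash": _entry_hash(prev, entry)}
        self.records.append(record)
        return record

    def verify(self) -> tuple:
        """Return (ok, index of the first inconsistent record, or -1 if the chain is intact)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or _entry_hash(prev, rec["entry"]) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, -1


def demo_tamper_detection() -> tuple:
    """Record three portal events, then rewrite one and show verification fails."""
    trail = AuditTrail()
    trail.append("patient:p-001", "patient", "view_payment_history", "account:p-001", "2024-01-01T10:00:00+00:00")
    trail.append("staff:billing-02", "billing", "refund", "payment:tok_abc123", "2024-01-01T10:05:00+00:00")
    trail.append("staff:admin-01", "admin", "change_role", "user:billing-02", "2024-01-01T10:07:00+00:00")
    before = trail.verify()                    # (True, -1)
    trail.records[1]["entry"]["action"] = "view"  # simulated rewrite of a historical record
    after = trail.verify()                     # (False, 1): record 1 no longer matches its hash
    return before, after
```

The chain catches edits and deletions in the middle, but not silent truncation of the newest records; anchor the latest hash somewhere the application cannot overwrite (a write-once store or the hosting provider's log service) to close that gap.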
Breach Notification
If your payment processor experiences a breach that exposes PHI, HIPAA requires notification to affected individuals and in some cases to HHS and the media. Your BAA should specify the processor’s obligations for breach notification and their response timelines.
3. PCI DSS and HIPAA: Two Separate Requirements
Healthcare organizations often assume that PCI DSS compliance covers their HIPAA payment obligations. It doesn’t — they have different scopes and requirements.
| | PCI DSS | HIPAA |
|---|---|---|
| What it protects | Cardholder data (card numbers, CVV, expiration) | Protected health information (PHI) |
| Who enforces it | Card brands / acquiring banks | HHS Office for Civil Rights |
| Who must comply | Any entity that processes card payments | Covered entities and business associates |
| Penalty for violation | Fines, processing suspension | Civil and criminal penalties up to $1.9M/year per violation category |
A processor can be fully PCI compliant and still not meet HIPAA requirements. Healthcare organizations need both. For a deeper dive on dual compliance, see HIPAA and PCI Compliance: Where Payment Security Meets Patient Privacy.
4. What to Look for in a HIPAA Compliant Payment Processor
When evaluating payment processors for healthcare use, check for:
| Requirement | What to ask |
|---|---|
| BAA availability | “Will you sign a HIPAA Business Associate Agreement?” |
| PHI handling policy | “How is patient data handled if it appears in transaction metadata?” |
| Data residency | “Where is payment data stored, and how long is it retained?” |
| Encryption standards | “What encryption is used for data in transit and at rest?” |
| Audit logging | “What audit logs are available, and what is the retention period?” |
| Breach response | “What is your breach notification process and timeline?” |
| Sub-processor disclosure | “What sub-processors handle transaction data, and are they also BAA-covered?” |
5. HSA and FSA Payment Acceptance
Healthcare practices accepting payments for eligible medical expenses should ensure their payment setup supports Health Savings Account (HSA) and Flexible Spending Account (FSA) cards. These are Visa or Mastercard debit cards with merchant category code (MCC) restrictions: they can only be used at merchants with eligible MCCs.
To accept HSA/FSA payments:
- Ensure your MCC is correctly coded for your healthcare service type
- Confirm your payment processor supports these card types (most standard processors do)
- Itemized receipts showing eligible expenses help patients with their FSA documentation requirements
ConvesioPay supports HSA and FSA card acceptance for eligible healthcare merchants through the Adyen network.
6. Healthcare Payment Methods Beyond Cards
Healthcare patients have specific payment expectations that differ from retail customers:
- Payment plans — patients frequently need to pay large bills over time; your system should support installment billing natively
- ACH / bank transfer — common for larger healthcare payments; lower cost than cards and preferred for regular installment payments
- Recurring billing — membership-based practices (direct primary care, concierge medicine) need reliable recurring charge capability with proper dunning management
- Pre-authorization — capturing a pre-authorization before a visit and settling after is common in surgical and procedural settings
7. The Full HIPAA Compliant Stack for WooCommerce Healthcare Sites
HIPAA compliance in a WooCommerce environment requires addressing every layer of the stack, not just the payment processor:
| Layer | HIPAA requirement | Solution |
|---|---|---|
| Hosting | BAA, encrypted storage, access controls | Convesio HIPAA hosting |
| Payment processing | BAA, encrypted transactions, audit logging | ConvesioPay |
| Forms / intake | Encrypted submission, BAA with form provider | HIPAA-compliant form plugin + BAA |
| Email | Encrypted transmission, no PHI in unencrypted email | HIPAA-compliant email provider |
| Backups | Encrypted backup storage, access controls | Convesio automated encrypted backups |
Convesio’s HIPAA-compliant WordPress hosting combined with ConvesioPay provides the hosting and payment layers under a single provider relationship with BAAs covering both.
8. Common HIPAA Payment Compliance Mistakes
- Using a standard processor without a BAA — the most common mistake; a processor that won’t sign a BAA creates an unmanaged compliance risk
- Sending PHI in email receipts — a receipt that includes diagnosis codes or treatment descriptions sent via standard email may constitute a HIPAA violation
- Storing card data alongside medical records — increases breach risk and PCI scope simultaneously
- Assuming shared-responsibility hosting is HIPAA compliant — standard WooCommerce hosting (including shared hosting, many managed WordPress hosts) does not include BAAs or HIPAA-required security controls
- Not auditing third-party plugins — WooCommerce plugins that touch payment or patient data may themselves be business associates requiring BAAs
Ready to build a HIPAA compliant payment setup? ConvesioPay + Convesio HIPAA hosting provides the complete payment and infrastructure stack for healthcare organizations on WordPress — BAAs included. Talk to our team →