
Medical Payment Processing: How to Accept Patient Payments Securely

Medical practices collecting patient payments online face a specific intersection of security, compliance, and patient experience requirements. Standard e-commerce payment setups don’t cover all of them. This guide walks through what medical payment processing requires and how to build a secure, HIPAA-compliant patient checkout on WooCommerce.

ConvesioPay + Convesio HIPAA hosting — the complete WordPress stack for medical practices accepting patient payments online. BAAs included, WooCommerce-native.


1. What “Secure” Means in a Medical Payment Context

In retail e-commerce, “secure payments” means PCI DSS compliance, protecting cardholder data. In medical contexts, security has an additional dimension: HIPAA compliance, which protects Protected Health Information (PHI).

PHI in payment contexts includes:

  • Patient name combined with a diagnosis, treatment code, or service date
  • Account balances tied to specific medical services
  • Payment history associated with medical records
  • Any demographic information (address, DOB, account number) linked to health information

A patient checkout that displays “Balance due for your January 15 orthopedic consultation” is processing PHI. That requires HIPAA-compliant infrastructure, not just PCI-compliant infrastructure.


2. The Business Associate Agreement (BAA) Requirement

Before your medical practice can use any payment processor, hosting provider, or software vendor that handles PHI, that vendor must sign a Business Associate Agreement (BAA). This is a legal document establishing the vendor’s HIPAA obligations.

Critical point: most standard payment processors do not sign BAAs.

Processor                 BAA available?
Stripe (standard)         No
PayPal (standard)         No
Square (standard)         No
Authorize.net (standard)  Limited — covers payment data only, not PHI
ConvesioPay               Yes — BAA included for healthcare merchants

Operating without a BAA with your payment processor when PHI is involved is a HIPAA violation, regardless of whether a breach occurs. The BAA is a baseline compliance requirement, not an optional protection.


3. Patient Portal Payment Architecture

The most effective medical payment collection model uses a patient portal, a secure, authenticated web interface where patients can view their balance, review service details, and pay. On WooCommerce, this can be built using a combination of:

  • WooCommerce My Account — the native customer account system, customizable to display patient balance and payment history
  • A compatible payment processor — one that supports stored card credentials for returning patients and recurring installment billing
  • Access controls — patients should only see their own records; this requires careful setup of WooCommerce account access rules
  • HIPAA-compliant hosting — the server environment must meet HIPAA technical safeguard requirements

Convesio’s HIPAA-compliant WordPress hosting provides the infrastructure layer. ConvesioPay provides the payment layer. Together they form the technical foundation for a compliant patient payment portal.


4. Recurring Billing for Medical Memberships

Direct Primary Care, concierge medicine, subscription wellness programs, and other membership-based models require robust recurring billing. The infrastructure needed:

  • Reliable card-on-file charging — charges must succeed consistently each billing period
  • Network tokenization — tokens issued by Visa/Mastercard that update automatically when a patient gets a new card, preventing renewal failures
  • Dunning management — automated notification and retry when a charge fails, with configurable retry schedule and patient communication
  • Proration — mid-cycle enrollment requires calculating the first partial period charge accurately
  • Pause and resume — patient circumstances change; your billing system should support temporary suspension without cancellation

ConvesioPay supports recurring billing natively on WooCommerce, with Adyen’s network tokenization ensuring low involuntary churn rates for membership practices.
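Two of the billing calculations listed above, proration of the first partial period and a configurable dunning retry schedule, worked through as an added example (not ConvesioPay or Adyen code). It assumes billing on the 1st of each month and counts the enrollment day itself as billable; the fee and dates are constructed sample values.

```python
from datetime import date, timedelta
from decimal import Decimal, ROUND_HALF_UP
import calendar

def first_period_charge(monthly_fee: Decimal, enroll_on: date) -> Decimal:
    """Prorated charge for a mid-cycle enrollment on a plan billed on the 1st.

    The enrollment day through the last day of the month is billable, so
    enrolling on the 1st yields the full fee with no rounding applied.
    Money is kept in Decimal and rounded once, to cents, at the end.
    """
    days_in_month = calendar.monthrange(enroll_on.year, enroll_on.month)[1]
    remaining_days = days_in_month - enroll_on.day + 1
    if remaining_days == days_in_month:
        return monthly_fee
    fraction = Decimal(remaining_days) / Decimal(days_in_month)
    return (monthly_fee * fraction).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def retry_schedule(failed_on: date, offsets_days=(1, 3, 7)) -> list[date]:
    """Dates on which a failed card-on-file charge is retried.

    offsets_days is the configurable retry schedule (days after the failure);
    each retry is also the point at which the patient should be notified.
    """
    return [failed_on + timedelta(days=d) for d in offsets_days]

def membership_lapses_after(failed_on: date, offsets_days=(1, 3, 7)) -> date:
    """Day after the last retry: if every attempt failed, the membership lapses.
    Pausing instead of cancelling (see the list above) would stop this clock."""
    return retry_schedule(failed_on, offsets_days)[-1] + timedelta(days=1)

if __name__ == "__main__":
    fee = Decimal("150.00")  # constructed monthly membership fee
    print(first_period_charge(fee, date(2026, 1, 16)))     # 16 of 31 days
    print(retry_schedule(date(2026, 2, 1)))
```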


5. Checkout Form Security

The payment form patients use to submit card data must be designed to minimize both PCI scope and HIPAA risk:

  • Use hosted or embedded card fields — card data should be captured and tokenized by the payment processor’s infrastructure, never transmitted through your server
  • Don’t pre-populate PHI in URL parameters — passing patient information in query strings exposes it in server logs and browser history
  • Avoid storing card data locally — use processor tokenization for all stored payment credentials
  • Session timeout — patient portal sessions should time out after a period of inactivity to prevent unauthorized access
  • Enforce HTTPS throughout — every page in the checkout flow must use TLS encryption

ConvesioPay’s checkout widget uses embedded hosted fields, ensuring card data is captured on Adyen’s servers and never passes through your WooCommerce installation.


6. Receipt and Confirmation Security

Post-payment communications are a common source of HIPAA risk:

  • Email receipts — should not include diagnosis codes, procedure names, or other clinical PHI in the email body (which is transmitted unencrypted by default). A receipt that says “Payment of $250 received” is fine; one that says “Payment for your colonoscopy on 3/15” may not be.
  • SMS confirmations — same principle applies; keep to financial confirmation without clinical details
  • Portal receipts — can include more detail since they’re behind authentication on an encrypted connection
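The channel rule for receipts in this section, together with the "no PHI in URL parameters" rule from the checkout section, as an added example that is not part of the original article or of ConvesioPay. The order, patient name, line items and portal base URL are constructed sample values; the only thing placed in a query string is an opaque order reference.

```python
from dataclasses import dataclass
from decimal import Decimal
from urllib.parse import urlencode

@dataclass
class LineItem:
    description: str   # service description, e.g. a procedure name (clinical PHI when tied to a name)
    service_date: str  # a service date tied to a patient is PHI as well
    amount: Decimal

@dataclass
class PatientOrder:
    reference: str     # opaque order id with no clinical meaning; safe to expose
    patient_name: str
    items: list

def render_receipt(order: PatientOrder, channel: str) -> str:
    """Build the confirmation text for one delivery channel.

    Email and SMS travel unencrypted by default, so they carry only the
    financial confirmation. The authenticated, TLS-protected portal may
    show the service details.
    """
    total = sum(i.amount for i in order.items)
    if channel in ("email", "sms"):
        return f"Payment of ${total:.2f} received. Reference {order.reference}."
    if channel == "portal":
        lines = [f"{i.service_date}: {i.description} ${i.amount:.2f}" for i in order.items]
        return "\n".join(lines + [f"Total ${total:.2f}"])
    raise ValueError(f"unknown channel {channel!r}")

def portal_link(order: PatientOrder, base="https://portal.example-practice.test/receipt") -> str:
    """Link for the email: only the opaque reference goes in the query string,
    never the patient name, service date or service description."""
    return f"{base}?{urlencode({'ref': order.reference})}"

def leaks_clinical_phi(text: str, order: PatientOrder) -> bool:
    """Outbound guard: true if any clinical string from the order appears in text."""
    clinical = [i.description for i in order.items] + [i.service_date for i in order.items]
    return any(c in text for c in clinical)

# Constructed sample order matching the article's "Balance due for your
# January 15 orthopedic consultation" scenario.
SAMPLE_ORDER = PatientOrder("ORD-0001", "Jane Doe",
                            [LineItem("Orthopedic consultation", "2026-01-15", Decimal("250.00"))])
```

Run `leaks_clinical_phi` against every email and SMS body before it is sent; the portal rendering is expected to trip it, the email rendering is not.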

7. The Complete HIPAA-Compliant Medical Payment Stack

Component          Requirement                                                                              Solution
Hosting            HIPAA BAA, encrypted storage, audit logging                                              Convesio HIPAA hosting
Payment processor  HIPAA BAA, PCI DSS Level 1, tokenization                                                 ConvesioPay
Patient portal     Authentication, access controls, session management                                      WooCommerce My Account (configured)
Forms              HIPAA BAA with form provider, encrypted submission                                       HIPAA-compliant form plugin
Email              No PHI in unencrypted messages; HIPAA-compliant provider for clinical communications     HIPAA email provider

For more detail on the compliance requirements, see HIPAA Compliant Payment Processing: The Complete Guide. For form-specific compliance, see HIPAA Compliant Forms: Secure Data Collection for Healthcare Websites.

Medical practices trust Convesio for HIPAA-compliant WordPress hosting and payments. ConvesioPay provides the patient payment layer; Convesio provides the infrastructure — BAAs for both.

Updated on June 18, 2026
