HIPAA & BAA · Payments
Is PayPal HIPAA compliant?
No. PayPal does not sign HIPAA Business Associate Agreements; it relies on HIPAA's payment-processing exemption rather than acting as a business associate.
Key facts
- BAA available: No; the vendor will not sign a BAA
- Official source: PayPal User Agreement (no HIPAA BAA offered): https://www.paypal.com/us/legal/ua (verified 2026-06)
What to do instead of PayPal
- Do not rely on PayPal for any workflow where PHI beyond basic payment data is created, stored, or transmitted.
- Limit PayPal use to payment processing only. Authorizing, clearing, and settling a payment is exempt under HIPAA Section 1179 (the payment-transaction exemption for financial institutions); the exemption does not extend to PHI you add to notes, invoices, messages, or attachments.
- For PHI-handling payment needs, use a processor that will sign a BAA, for example a HIPAA-focused billing platform, or a general processor such as Square or Stripe only if it will put a BAA in writing for your account. Confirm the BAA before onboarding; many general-purpose processors rely on the same payment exemption PayPal does and will not sign one.
- Avoid entering diagnoses, treatment, or other PHI into PayPal invoices, item descriptions, or messages.
Important caveats
- The Section 1179 payment-processing exemption is narrow; it does not make PayPal usable for general PHI workflows.
- PayPal's data practices (data sharing with partners) make it unsuitable for PHI beyond payment authorization.
- PayPal does not publish a dedicated HIPAA/BAA page; this status is based on the absence of a BAA offering and the payment exemption.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. PayPal will not sign a BAA, and even with a vendor that does, you remain responsible for configuring the product correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with PayPal.
Frequently asked questions
Does PayPal sign a BAA?
No. PayPal does not sign a Business Associate Agreement, so it should not be used to create, receive, store, or transmit protected health information (PHI).
Is PayPal HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. PayPal does not offer a BAA, so it cannot be used for PHI at all; with a vendor that does offer one, you are still responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using PayPal with PHI?
Check that the workflow is payment processing only: the Section 1179 payment-processing exemption is narrow and does not make PayPal usable for general PHI workflows. Confirm that no diagnoses, treatment details, or other PHI appear in invoices, item descriptions, notes, messages, or attachments, and that staff know not to add them. Re-check PayPal's current User Agreement for any change in terms. If the workflow needs PHI alongside the payment, use a processor that has signed a BAA with you instead.