HIPAA & BAA · Payments
Is Square HIPAA compliant?
Yes. Square (Block, Inc.) makes a HIPAA Business Associate Agreement available to sellers who use Square to create, receive, maintain, or transmit PHI on their behalf.
Key facts
- BAA available: Yes, with a signed BAA
- What it takes: Any Square account; the BAA is incorporated into the seller terms
- Official source: Square HIPAA Business Associate Agreement, https://squareup.com/us/en/legal/general/hipaa (verified 2026-06)
How to use Square in a HIPAA-compliant way
- Determine whether you are a Covered Entity or Business Associate subject to HIPAA (Square notes sellers are responsible for this).
- Review Square's HIPAA BAA at squareup.com/us/en/legal/general/hipaa.
- Use Square services in a way that causes Square to handle PHI on your behalf; by doing so you agree to the incorporated HIPAA BAA.
- Implement your own administrative, physical, and technical safeguards as required of a covered entity.
- Confirm scope with Square support if using a specific product (e.g., Appointments, Invoices).
Important caveats
- The BAA is auto-incorporated by reference rather than separately negotiated; review it carefully to confirm it fits your use.
- Card/payment data itself is governed by PCI, not HIPAA; the BAA matters when other PHI (e.g., appointment or service notes) is involved.
- Square remains a business associate only for in-scope PHI it processes; you are still responsible for your own HIPAA program.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Square correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Square.
Frequently asked questions
Does Square sign a BAA?
Yes. Any Square account qualifies; the BAA is incorporated into the seller terms. A signed BAA is required before any PHI is involved.
Is Square HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Square offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Square with PHI?
The BAA is auto-incorporated by reference rather than separately negotiated; review it carefully to confirm it fits your use.