HIPAA & BAA · Payments
Is Stripe HIPAA compliant?
No. Stripe does not sign a BAA and prohibits sending Protected Health Information to its systems; per Stripe's Services Agreement (Section 4.5), 'User must not provide Protected Health Information to Stripe.'
Key facts
- BAA available: No — vendor will not sign a BAA
- Official source: Stripe Services Agreement (Section 4.5) — https://stripe.com/legal/ssa (verified 2026-06)
What to do instead of Stripe
- Keep PHI out of Stripe entirely; processing card data alone generally falls under HIPAA's payment exemption.
- Do not put PHI in any Stripe field — metadata, descriptions, invoices, line items, receipts, or webhook payloads. Use opaque internal IDs instead of names plus diagnosis/treatment.
- Maintain the PHI-to-payment linkage in your own HIPAA-compliant system.
- If PHI must travel with payments, use a processor that signs a BAA (e.g., a HIPAA-focused billing platform).
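The opaque-reference pattern from the list above, as an added example (not Stripe's code and not part of the original page): the payment processor receives only a random reference, the reference-to-patient linkage stays in your own system, and a guard scans every outbound field for forbidden keys and health-context terms before anything is sent. The request is represented by a plain dict shaped like the `description` and `metadata` fields the page names; no real API call is made, and the keyword list, field names and sample records are constructed for illustration.

```python
"""Keep PHI out of a payment processor's fields: send an opaque reference,
hold the PHI-to-payment linkage locally, and validate every outbound payload.

Added example, not Stripe's code. The payload is a plain dict standing in for
a request; the term list and field names below are constructed assumptions.
"""
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed list of terms that signal health context. Tune to your own data;
# this is a guard rail against accidental leakage, not a complete PHI detector.
HEALTH_CONTEXT_TERMS = re.compile(
    r"\b(diagnos|treatment|prescription|therapy|patient|mrn|icd-?10|cpt)\w*",
    re.IGNORECASE,
)
# Constructed set of field names that must never appear in an outbound payload.
FORBIDDEN_KEYS = {"patient_name", "diagnosis", "treatment", "dob", "mrn"}


class PHILeakError(ValueError):
    """Raised when an outbound payment payload appears to carry PHI."""


@dataclass
class PaymentLinkRegistry:
    """Lives inside your own HIPAA-covered system: maps opaque refs to PHI."""
    _links: dict = field(default_factory=dict)

    def new_reference(self, patient_id: str, encounter_id: str) -> str:
        # Random, unguessable reference; it carries no meaning on its own.
        ref = "pay_" + secrets.token_urlsafe(12)
        self._links[ref] = {"patient_id": patient_id, "encounter_id": encounter_id}
        return ref

    def resolve(self, ref: str) -> dict:
        return self._links[ref]


def _find_phi(obj, path: str = "") -> Optional[str]:
    """Walk a nested payload; return a description of the first PHI hit, else None."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else str(key)
            if str(key).lower() in FORBIDDEN_KEYS:
                return f"forbidden field {child!r}"
            found = _find_phi(value, child)
            if found:
                return found
    elif isinstance(obj, (list, tuple)):
        for i, value in enumerate(obj):
            found = _find_phi(value, f"{path}[{i}]")
            if found:
                return found
    elif isinstance(obj, str) and HEALTH_CONTEXT_TERMS.search(obj):
        return f"health context in {path!r}: {obj!r}"
    return None


def validate_outbound_payload(payload: dict) -> dict:
    """Return the payload unchanged, or raise PHILeakError if it carries PHI."""
    hit = _find_phi(payload)
    if hit:
        raise PHILeakError(hit)
    return payload


def build_payment_payload(amount_cents: int, currency: str, ref: str) -> dict:
    """Build the outbound request using only the opaque reference, then validate it."""
    payload = {
        "amount": amount_cents,
        "currency": currency,
        "description": f"Invoice {ref}",        # opaque reference, no health context
        "metadata": {"internal_ref": ref},      # lets you join back in your own system
    }
    return validate_outbound_payload(payload)


if __name__ == "__main__":
    registry = PaymentLinkRegistry()
    ref = registry.new_reference("patient-123", "encounter-9")   # constructed ids
    print(build_payment_payload(15000, "usd", ref))
    print(registry.resolve(ref))
    try:
        validate_outbound_payload({"description": "Therapy session for J. Doe"})
    except PHILeakError as exc:
        print("blocked:", exc)
```

The guard runs on the full nested payload (metadata, line items, invoice text) so a single choke point covers every field the page lists; the registry is the only place the reference can be turned back into a patient, and it never leaves your covered environment.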
Important caveats
- PCI DSS compliance is not HIPAA compliance — do not conflate the two.
- Card/payment data alone is generally not PHI under the HIPAA payment exemption; risk arises when health context is attached.
- Stripe's terms place liability for any PHI disclosure on the customer.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a vendor that does sign a BAA, you remain responsible for configuring the product correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Stripe.
Frequently asked questions
Does Stripe sign a BAA?
No. Stripe does not sign a Business Associate Agreement, so it should not be used to create, receive, store, or transmit protected health information (PHI).
Is Stripe HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Stripe does not offer a BAA; even with a vendor that does, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Stripe with PHI?
First, whether the vendor will sign a BAA (Stripe will not), and second, whether any field you send could carry health context rather than card data alone. PCI DSS compliance is not HIPAA compliance; do not conflate the two.