Is Square HIPAA compliant?


HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.

Covered entities (CEs) and their business associates (BAs) must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).

We know the HIPAA-regulated industry is vast and that finding a BA that can send or receive patient payments securely is fundamental to patient care.

This is especially true with the recent growth of telehealth and the need to receive payments electronically.

RELATED: Historic Expansions of Telehealth to Combat COVID-19

Today, we will determine whether Square, as a financial institution, is HIPAA compliant.

RELATED: Guide to Online Payment Options & HIPAA Compliance

About Square

Square is a financial service and mobile payment company founded in 2009 and based in San Francisco, California.

The company is best known for its Square Reader, which connects to a mobile device’s audio jack and transforms the device into a point-of-sale solution.

Since it was first created, the company has upgraded the Square Reader several times. It now offers a version that provides a complete payment system and a device that accepts chip and contactless payments.

Square also allows for easy payments and/or money transfers via its app or website.

The business associate agreement and HIPAA compliance

A business associate (BA) is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a covered entity (CE).

Generally, the HIPAA Privacy Rule allows CEs to disclose PHI to a BA if they receive assurance that the information is protected through a signed business associate agreement (BAA).

However, several exceptions were built into the Privacy Rule, including one addressing financial institutions:

. . . a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.

Nevertheless, for complete protection, a CE should utilize a financial institution that will offer and sign a BAA.

Square and the business associate agreement

Unlike other online payment platforms such as PayPal or Stripe, Square will enter into a BAA with a healthcare organization.

On its website, Square states:

If you are subject to HIPAA as a [CE] or [BA] (as defined in HIPAA) and use the Services in a manner that causes Square to create, receive, maintain, or transmit [PHI] on your behalf, then you agree to the HIPAA [BAA].

The only stipulation is that Square users “are responsible for determining whether they are subject to HIPAA requirements and whether they intend to use the Services in connection with PHI.”

While the BAA is downloadable, there is nothing to sign by either party.

Square and PHI

According to HIPAA, any information that can identify a patient and is used or disclosed during care is considered PHI, including a patient’s name, which is used for financial transactions.

Within its BAA, Square states that it will use or disclose PHI to perform services provided that the company’s use or disclosure does not violate HIPAA.

Square further affirms that it will use appropriate cybersecurity safeguards (as specified in the HIPAA Security Rule) such as:

  • Encryption
  • Access controls
  • Patches and updates
  • Audit controls

If either party terminates the relationship, the company also declares that it will return or destroy PHI where it is able to.

Is Square HIPAA compliant?

The BAA is a key component of HIPAA compliance, and Square offers a BAA to customers, though there is nothing to sign. Moreover, the CE itself must be aware that the BAA applies to it and what it covers.

If a breach or HIPAA violation occurs while PHI is with or being used by Square, in most cases, Square is liable.

RELATED: Security flaws in mobile point-of-sale systems spell money trouble

Square is HIPAA compliant, but a healthcare organization should still safeguard its PHI with its own cybersecurity.


About the author

Kapua Iao
