Is Square HIPAA Compliant? Payments vs. Scheduling vs. PHI

Last updated: March 21, 2026

TLDR

Square does not provide a Business Associate Agreement for standard accounts. Using Square purely for payment processing is generally outside HIPAA scope — payment card numbers are not PHI. Using Square Appointments to schedule patient visits, however, creates PHI exposure without a BAA. Verify your specific use case with a compliance advisor before relying on Square in any clinical workflow.

The short answer

Square is not HIPAA compliant in the way most healthcare practices need it to be. Square does not provide a Business Associate Agreement for standard accounts. That said, whether Square creates a HIPAA problem for your practice depends on exactly what you are using it for.

Payments: PCI DSS, not HIPAA

When a patient pays a copay at the front desk, that transaction involves a credit or debit card number. Card numbers are not protected health information under HIPAA. Payment card data is governed by PCI DSS — a separate compliance standard that applies to any business accepting card payments.

Processing a copay through Square is a PCI DSS question, not a HIPAA question. Most practices using Square for payment collection are not violating HIPAA by virtue of that payment processing alone.

Where it gets complicated

The line blurs when payment records include health service context.

If Square stores a transaction record as “Jane Doe — psychiatric evaluation — $150” and that data is accessible to Square, you now have a record that combines patient identity with health information. That combination qualifies as PHI under HIPAA. Without a BAA, storing that combination in Square is a compliance problem.

The same issue applies to Square’s CRM features. If you track patient information — names, visit history, appointment types — in Square’s customer database, and those records include details that reveal health conditions or treatment, you have PHI in a system without a BAA.

Square Appointments and scheduling

Square Appointments is where small medical practices run into the most concrete risk.

Scheduling a patient for a “physical therapy appointment” or a “mental health consultation” creates a record that links patient identity to health context. That is PHI. Square Appointments does not offer a BAA for standard accounts. Using it to schedule patients where appointment details reveal health information is a HIPAA violation.

This is not hypothetical. Practices set up Square Appointments during trial periods because it is easy to use, then continue using it after launch without examining what the appointment records contain.

What to do instead

For payment processing, Square may be fine — confirm with your compliance advisor that your transaction records do not contain health service context beyond what is necessary for billing.
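One way to act on that check before records ever reach Square: keep the health-service context out of the payment note, and audit any customer or transaction export for rows that pair a patient name with health context. This is an added example, not Square's tooling or an official PHIGuard feature; the keyword list and the export column names are assumptions a practice would tune to its own data.

```python
import csv
import io
import re

# Terms that reveal a health service or condition. Assumption: a practice
# replaces this with its own appointment and service names.
HEALTH_CONTEXT = re.compile(
    r"\b(psychiatr\w*|therap\w*|mental health|physical therapy|consult\w*|"
    r"evaluation|counsel\w*|diagnos\w*|treatment|medication)\b",
    re.IGNORECASE,
)


def is_phi_record(name: str, note: str) -> bool:
    """PHI arises when an identifiable patient (a name) is paired with health context."""
    return bool(name.strip()) and HEALTH_CONTEXT.search(note) is not None


def sanitize_note(note: str, fallback: str = "Office visit copay") -> str:
    """Replace a payment note carrying health context with a neutral billing description."""
    return fallback if HEALTH_CONTEXT.search(note) else note


def audit_export(csv_text: str) -> list[dict]:
    """Flag rows of an export that combine customer identity with health context."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Column names are assumptions about the export layout, not Square's schema.
        text = " ".join(row.get(k, "") for k in ("Description", "Notes", "Service"))
        if is_phi_record(row.get("Customer Name", ""), text):
            flagged.append({"row": row, "sanitized": sanitize_note(text)})
    return flagged


# Constructed sample export for illustration; not real patient or transaction data.
SAMPLE_EXPORT = """Date,Customer Name,Description,Amount
2026-03-01,Jane Doe,psychiatric evaluation,150.00
2026-03-01,John Roe,Copay,25.00
2026-03-02,,Physical therapy session,40.00
"""

if __name__ == "__main__":
    for hit in audit_export(SAMPLE_EXPORT):
        r = hit["row"]
        print(f"PHI risk: {r['Customer Name']!r} + {r['Description']!r} "
              f"-> store as {hit['sanitized']!r}")
```

The third sample row is not flagged because it carries no customer identity; the first is, because a name and a health service appear together.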

For scheduling, use a platform that explicitly offers a HIPAA BAA for the tier you are on. Verify that appointment records and calendar data are covered under that BAA.

For task coordination and administrative workflows involving PHI, use a purpose-built tool. PHIGuard covers that layer at $20/month flat for up to 10 staff, with a BAA at every tier.

The honest answer

The answer to “is Square HIPAA compliant?” is: it depends on what you are doing with it, and Square itself does not help you answer that question by providing a BAA. When a vendor does not offer a BAA, the safest position is to keep PHI out of that system entirely. Talk to your compliance advisor about your specific Square workflows before assuming you are covered.

DEFINITION

PCI DSS
Payment Card Industry Data Security Standard. The compliance framework governing how businesses store, process, and transmit credit and debit card data. It is separate from HIPAA and applies to payment processing regardless of industry.

DEFINITION

Protected Health Information (PHI)
Any individually identifiable health information held or transmitted by a covered entity, including names, appointment details, diagnoses, and treatment records. Payment card numbers alone are not PHI.

DEFINITION

Business Associate Agreement (BAA)
A contract required by HIPAA between a covered entity (your practice) and any vendor who handles PHI on your behalf. Square does not provide BAAs for standard accounts.

Q&A

Is Square HIPAA compliant?

Square does not offer a BAA for standard accounts. Payment processing through Square is governed by PCI DSS, not HIPAA, and payment card numbers are not PHI. Using Square Appointments with health-related scheduling details — without a BAA — creates HIPAA exposure.

Q&A

Does processing patient payments through Square violate HIPAA?

Processing a payment card for a copay is generally outside HIPAA scope — the card number itself is not PHI and is covered by PCI DSS instead. The risk appears when payment records include health service context (patient name + appointment type that reveals a condition) and that data is stored without appropriate safeguards.

Q&A

Can a medical practice use Square Appointments?

Using Square Appointments for patient scheduling is a compliance problem if appointment details include health-related information and no BAA exists. Square does not provide BAAs for standard accounts. Practices should verify their specific workflow with a compliance advisor and seek a scheduling tool that offers a BAA.

Want to learn more?

Is Square HIPAA compliant?

Square does not offer a BAA for standard accounts, which means it is not HIPAA compliant in the traditional sense. Payment processing alone falls under PCI DSS, not HIPAA. If you use Square Appointments with health-related scheduling details, you have a PHI exposure problem without a BAA.

Do I need HIPAA compliance for payment processing?

Payment card numbers are not protected health information under HIPAA — they are governed by PCI DSS. A medical practice processing a copay through Square is handling card data, not PHI. However, if the transaction record combines patient identity with health service context (e.g., 'Jane Doe — therapy session'), that combination can constitute PHI.

Can I use Square Appointments for patient scheduling?

Using Square Appointments for patient scheduling creates a HIPAA problem if appointment details include health-related information and Square has not signed a BAA with your practice. Square does not provide BAAs for standard Square Appointments accounts.

What is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) governs how businesses handle credit and debit card information. It is a separate compliance framework from HIPAA. Medical practices must comply with both — PCI DSS for payment card data and HIPAA for protected health information.

What should my practice use for HIPAA-compliant scheduling and task management?

Purpose-built healthcare tools provide BAAs and are designed to handle PHI appropriately. PHIGuard covers task coordination and compliance tracking at $20/month flat for up to 10 staff. For scheduling specifically, look for platforms that explicitly offer HIPAA BAAs.