
Is Stripe HIPAA Compliant for Medical Clinics?

What medical clinics must understand about Stripe's HIPAA status, the PCI-DSS vs. HIPAA distinction, and how to use Stripe for billing without creating a PHI exposure.

Short answer

No. Stripe does not offer a HIPAA Business Associate Agreement to medical clinics. It is a PCI-DSS Level 1 payment processor, and that framework governs payment card data, not patient health information. Clinics can use Stripe for billing, but only if no PHI enters Stripe's systems: payment records, invoice line items, customer records, descriptions and metadata must contain nothing about a patient's condition or the care they received. If PHI is stored in or transmitted through Stripe, the clinic has a HIPAA exposure with no contractual protection. PCI-DSS and HIPAA are separate compliance frameworks with separate requirements and separate vendor obligations.

PCI-DSS vs. HIPAA: understanding the distinction

This is one of the most common misunderstandings in clinic billing operations. PCI-DSS (Payment Card Industry Data Security Standard) and HIPAA are two separate compliance frameworks governing two separate categories of sensitive data.

PCI-DSS covers payment card data: primary account numbers, CVV codes, cardholder names as they appear on cards, and related financial identifiers. Stripe is PCI-DSS Level 1 certified, the highest service-provider level. That means Stripe's controls for storing, processing and transmitting cardholder data have been independently assessed against the card brands' standard. It says nothing about health information, which is outside the scope of that assessment.

HIPAA covers protected health information — any individually identifiable information relating to a person’s health condition, healthcare received, or payment for healthcare that could be used to identify the individual. HIPAA requires a BAA with any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity.

Stripe being PCI-DSS compliant does not make it HIPAA compliant. A clinic using Stripe has solved the payment card data problem; it has not solved the PHI problem.

What the clinic must do

The practical rule for using Stripe in a medical clinic context is to send Stripe only what it needs to move the payment. HIPAA's own statute (section 1179) excludes the payment-processing activities of financial institutions from its reach, which is why a name, an amount and a generic description can go to a card processor without a BAA. That carve-out covers the data needed to settle the transaction, not clinical detail attached to it.

What you can put in Stripe:

  • Patient name (as the billing contact)
  • Email address and phone number (for receipts)
  • Payment amount and date
  • Generic service descriptions that do not reveal health information (“Office visit,” “Consultation fee,” “Lab services”)

What you must never put in Stripe:

  • Diagnosis codes (ICD codes)
  • Procedure codes (CPT codes) with patient-identifiable information
  • Medication names or prescription details
  • Treatment plan descriptions
  • Insurance information combined with health details
  • Any field value that reveals what condition a patient has or what care they received

The test: if the Stripe account were fully exposed in a data breach (the dashboard, an API export, or webhook payloads captured in transit), could an attacker determine anything about a patient’s health status or treatment history from what is stored there? If yes, you have PHI in Stripe without a BAA.

The billing description problem

Many clinics use practice management systems that generate invoices with CPT or ICD codes embedded in the description field. If those invoices or metadata flow into Stripe — through an integration, a webhook, or manual data entry — PHI is entering an uncovered system.

Review every integration between your billing software and Stripe. Confirm exactly which fields pass through the integration: the `description` and `metadata` on customers, invoices, invoice line items and payment intents, the statement descriptor that appears on card statements, and the text on emailed receipts. A common failure point: automated invoice descriptions that include procedure names (“Flu vaccination,” “Blood glucose test,” “Psychiatric evaluation”) combined with a patient name and date. That combination is PHI.

Work with your practice management vendor to ensure Stripe receives only the minimum information needed for payment processing — no clinical detail.
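The breach test above and the integration review can both be made mechanical. The following is an added example written for this article; it is not Stripe's code and not PHIGuard's. It scans records shaped like exported Stripe objects (`description` plus `metadata`) for ICD-10 codes, CPT codes and a small, illustrative list of clinical terms, and it builds the Stripe invoice-line payload from a practice-management line item using a field allowlist so that clinical fields are never copied. The sample records, the category-to-description mapping and the term list are constructed assumptions, not real data or a complete clinical vocabulary.

```python
"""Find clinical detail in Stripe-bound data and enforce a minimum-field contract.

Added example for this article (not Stripe or PHIGuard code). Assumptions:
records below are constructed to mimic Stripe object shapes; the clinical term
list is a small illustrative sample, not a complete vocabulary.
"""
import re
from typing import Any, Dict, List

# Heuristics, not a full code validator. ICD-10: letter + two digits, optional
# ".xxxx" (E11.9, J06.9). CPT: five digits with optional two-char modifier
# (99213, 90837-95). ZIP codes also look like CPT codes, so address fields are skipped.
ICD10_RE = re.compile(r"\b[A-Z][0-9]{2}(?:\.[0-9A-Z]{1,4})?\b")
CPT_RE = re.compile(r"\b[0-9]{5}(?:-[A-Z0-9]{2})?\b")
CLINICAL_TERMS = ("vaccin", "diagnos", "prescription", "psychiatr", "therapy",
                  "biopsy", "glucose", "metformin", "sertraline", "insulin", "hiv", "chemo")
# Word-prefix match, so "vaccin" catches "vaccination" but "hiv" does not match "archive".
TERM_RE = re.compile(r"\b(?:" + "|".join(CLINICAL_TERMS) + r")", re.IGNORECASE)
# Identifier and address keys carry no clinical text; skipping them also avoids
# ZIP-as-CPT and object-id false positives.
SKIP_KEYS = {"id", "object", "customer", "currency", "email", "phone", "name",
             "address", "postal_code", "created", "livemode"}


def find_phi(text: str) -> List[Dict[str, str]]:
    """Return every clinical-looking token in one string, tagged by detector."""
    hits = [{"kind": "icd10", "match": m.group()} for m in ICD10_RE.finditer(text)]
    hits += [{"kind": "cpt", "match": m.group()} for m in CPT_RE.finditer(text)]
    hits += [{"kind": "term", "match": m.group().lower()} for m in TERM_RE.finditer(text)]
    return hits


def scan_record(record: Any, path: str = "$") -> List[Dict[str, str]]:
    """Walk a Stripe-shaped object (dicts, lists, strings) and report hits with their path."""
    findings: List[Dict[str, str]] = []
    if isinstance(record, dict):
        for key, value in record.items():
            if key in SKIP_KEYS:
                continue
            findings += scan_record(value, f"{path}.{key}")
    elif isinstance(record, list):
        for i, value in enumerate(record):
            findings += scan_record(value, f"{path}[{i}]")
    elif isinstance(record, str):
        findings += [dict(hit, path=path) for hit in find_phi(record)]
    return findings


# Constructed sample export: one clean invoice and one where an integration
# leaked clinical detail. IDs are placeholders, not real Stripe objects.
SAMPLE_EXPORT = [
    {"object": "invoice", "id": "in_example_clean", "customer": "cus_example_1",
     "lines": [{"description": "Office visit", "amount": 15000}],
     "metadata": {"pm_ref": "pm-4471"}},
    {"object": "invoice", "id": "in_example_leak", "customer": "cus_example_1",
     "lines": [{"description": "Flu vaccination 90686 2024-03-02", "amount": 4500}],
     "metadata": {"dx": "J06.9"}},
]

# Assumed category-to-description mapping; anything unmapped gets a generic label.
GENERIC_DESCRIPTIONS = {"visit": "Office visit", "consult": "Consultation fee", "lab": "Lab services"}


def to_stripe_invoice_item(pm_line: Dict[str, Any]) -> Dict[str, Any]:
    """Build the Stripe invoice-line payload from a practice-management line item.

    Only category, amount_cents and currency are read; cpt, icd10, notes and any other
    clinical fields are never copied. scan_record() runs on the result as a final gate,
    so a bad mapping still cannot push clinical text to Stripe.
    """
    payload = {
        "amount": int(pm_line["amount_cents"]),
        "currency": pm_line.get("currency", "usd"),
        "description": GENERIC_DESCRIPTIONS.get(pm_line["category"], "Clinic services"),
    }
    leaks = scan_record(payload)
    if leaks:
        raise ValueError(f"refusing to send clinical detail to Stripe: {leaks}")
    return payload


# Constructed practice-management line item carrying clinical fields that must stay behind.
PM_LINE = {"category": "visit", "amount_cents": 15000, "cpt": "99213",
           "icd10": "E11.9", "notes": "Type 2 diabetes follow-up, metformin refill"}

if __name__ == "__main__":
    for finding in scan_record(SAMPLE_EXPORT):
        print(f"{finding['path']}: {finding['kind']} {finding['match']!r}")
    print(to_stripe_invoice_item(PM_LINE))
```

Run `scan_record` over a periodic export of customers, invoices and payment intents and treat any hit as an incident to triage, not a warning to tune away; the allowlist in `to_stripe_invoice_item` is the control that stops the next one, and the scan is there to catch the integration that bypasses it.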

When to use a BAA-covered billing platform instead

Some billing workflows cannot be structured to keep PHI out of the payment system. If your billing operations inherently require health information to process payments — for example, if your insurance billing and patient billing are managed in the same system that also connects to Stripe — you may need to replace Stripe with a payment processor that offers a BAA.

Several practice management platforms and medical billing systems include integrated payment processing with a BAA. Evaluate these options if your current Stripe integration cannot be structured to exclude PHI.

Compliance operations for billing workflows

Billing is one of the highest-risk areas for PHI exposure in small clinics. The intersection of patient identity, health information, and payment data creates multiple points where PHI can inadvertently enter uncovered systems. A compliance program that includes billing workflow review — not just vendor BAA tracking — catches these problems before they become breach events.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.

FAQ

Questions clinics ask before using Stripe anywhere near PHI

Can a medical clinic use Stripe to collect patient payments?

Yes — but only if no PHI enters Stripe's systems. Use generic billing descriptions. Do not include diagnosis codes, procedure descriptions, medication names, or any health-related information in payment metadata, invoice line items, or customer notes.

Does Stripe's PCI-DSS compliance make it HIPAA compliant?

No. PCI-DSS is a payment card industry standard governing how credit card data is handled. HIPAA governs protected health information. They are different frameworks with different requirements. PCI-DSS compliance does not satisfy HIPAA obligations.

What happens if a Stripe data breach exposes patient billing records containing PHI?

Without a BAA, Stripe has no contractual obligations under HIPAA. The covered entity (your clinic) bears the breach notification and remediation obligations. A breach of PHI in Stripe — with no BAA in place — is a reportable HIPAA breach and carries penalty risk.

Is there a HIPAA-compliant alternative to Stripe for medical billing?

Practice management systems with integrated billing (many EHRs, plus dedicated medical billing platforms) typically offer BAAs. Some payment processors with healthcare-specific offerings may also provide BAAs. Evaluate each vendor's current terms before processing PHI.

Operational assurance

Turn vendor research into a system your clinic can actually run.

PHIGuard gives small clinics a BAA-ready operating layer, recurring compliance work, and a safer home for patient-adjacent tasks.
