Stripe is not HIPAA compliant. The company does not sign Business Associate Agreements (BAAs), which are a legal prerequisite before any healthcare organization can share protected health information (PHI) with a third party. This means healthcare providers, health plans, and their business associates cannot use Stripe to create, collect, store, or transmit PHI.
That said, many healthcare businesses do use Stripe for payment processing. The key is understanding exactly where the compliance boundary sits and how to keep PHI out of Stripe’s systems entirely.
Why Stripe Cannot Sign a BAA
Under HIPAA, any vendor that handles PHI on behalf of a covered entity must sign a BAA. This agreement spells out the vendor’s obligations to protect that data, report breaches, and limit how the information is used. Without a signed BAA, sharing PHI with that vendor is a HIPAA violation, full stop.
Stripe does not offer a BAA for any of its payment products. The company does provide a Data Processing Agreement for general privacy frameworks, but that is a different document with a different legal purpose. It does not satisfy HIPAA’s requirements. Stripe’s upstream payment partners, including companies like PayPal and Coinbase, also decline to sign BAAs with Stripe, which means Stripe itself cannot extend that protection downstream to healthcare customers.
PCI Compliance Is Not the Same as HIPAA
Stripe is certified under PCI-DSS, the payment card industry’s security standard. It’s natural to assume that a platform secure enough to handle credit card numbers would also meet HIPAA’s bar, but the two frameworks protect entirely different types of data and require mostly different security procedures.
PCI-DSS is highly specific and technical. It includes detailed requirements for firewalls, encryption protocols, and access controls, all designed to prevent credit card fraud. HIPAA’s security rules are broader and more vague by design, covering everything from employee training to breach notification procedures to patient privacy rights. Of HIPAA’s 254 security rule validation points, only about 70 overlap with PCI requirements. And zero of HIPAA’s 281 breach and privacy rule validation points are addressed by PCI compliance at all. Being PCI compliant gives you no credit toward HIPAA compliance on the privacy side.
What Stripe Explicitly Prohibits
Stripe’s own documentation makes its position clear. Its identity verification product, Stripe Identity, explicitly prohibits the processing or storage of PHI by any HIPAA-covered entity. Stripe states that pharmaceuticals, medical devices, and telemedicine companies may use its identity product only if the data provided is not subject to HIPAA.
Stripe also maintains a restricted businesses list that flags several healthcare categories, including online pharmacies, card-not-present prescription products, regulated medical devices, prescription delivery services, and telemedicine or telehealth services. These restrictions don’t necessarily mean you can’t use Stripe at all in healthcare, but they signal that certain business models face additional scrutiny or outright prohibition.
How Healthcare Businesses Actually Use Stripe
Despite Stripe’s lack of HIPAA compliance, plenty of healthcare organizations process payments through it. The strategy is architectural: you keep PHI completely separated from anything Stripe touches.
A standard credit card transaction doesn’t inherently contain PHI. A charge of $150 to “Dr. Smith’s Office” on a patient’s credit card statement is financial data, not health information. The compliance risk arises when you start attaching medical details to Stripe transactions, such as storing diagnosis codes in metadata fields, including treatment descriptions in invoice line items, or linking patient health records to Stripe customer objects.
Third-party tools have emerged to bridge this gap. Platforms like HIPAAtizer, for example, let you embed a Stripe payment component inside a HIPAA-compliant form. The architecture works by isolating the Stripe payment fields from any section of the form that collects health information. The medical data gets encrypted and stored on HIPAA-compliant infrastructure, while the payment data flows through Stripe’s standard processing pipeline. The two streams never mix.
Keeping PHI Out of Stripe
If you run a healthcare business and want to use Stripe, the practical rules are straightforward. Never put patient diagnoses, treatment codes, medical record numbers, or health conditions into any Stripe field, including descriptions, metadata, notes, or custom fields. Your Stripe dashboard should look no different from a non-healthcare business’s dashboard. If someone at Stripe could look at your transaction data and learn anything about a patient’s health status, you have a compliance problem.
Your patient management system, electronic health records, and any forms collecting health information need to live on HIPAA-compliant infrastructure with a signed BAA from that vendor. The payment layer connects to Stripe. The health data layer connects to your compliant systems. You link them internally using your own identifiers, but the PHI never passes through Stripe’s servers.
This separation also applies to communications. Stripe can send payment receipts and invoices by email, but those messages should contain only financial details. If your workflow automatically appends appointment types or service descriptions that reveal health information, that’s a leak you need to close.
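An added example, not code from this article or from Stripe, of how the two rules above can be enforced mechanically: a guard that scans every string in an outbound PaymentIntent parameter set for diagnosis codes, medical record numbers and clinical vocabulary, and that links the charge back to the patient only through an opaque billing reference. The detection patterns, the `bref_` token format and the `link_store` dict (a stand-in for a lookup table on your BAA-covered infrastructure) are assumptions; `amount`, `currency`, `description` and `metadata` are real `PaymentIntent.create` parameters.

```python
"""PHI guard for outbound Stripe parameters (added example, not Stripe's code)."""
import json
import re
import secrets
from typing import Any, Dict, List, Tuple

# Illustrative detection rules, not a complete PHI classifier. The dotted
# ICD-10-CM form is matched but the bare three-character form is not, to
# limit false positives on invoice numbers; five-digit CPT codes are left
# out for the same reason. Tune these lists against your own data.
PHI_RULES: List[Tuple[str, re.Pattern]] = [
    ("icd10", re.compile(r"\b[A-TV-Z]\d[0-9A-Z]\.[0-9A-Z]{1,4}\b")),
    ("mrn", re.compile(r"\bMRN\b[\s:#-]*\d{3,}", re.I)),
    ("clinical_term", re.compile(
        r"\b(?:diagnos\w*|prescri\w*|treatment\w*|therap\w*|symptom\w*"
        r"|medication\w*|dosage|lab results?|chemo\w*|psychiat\w*|icd-?10)\b",
        re.I)),
]


def find_phi(params: Any, path: str = "") -> List[Tuple[str, str, str]]:
    """Walk every string in a parameter set (dict keys and values, list
    items, at any depth) and return (path, rule, matched_text) for each hit.
    Keys are scanned too, so a metadata key like "diagnosis" is caught."""
    hits: List[Tuple[str, str, str]] = []
    if isinstance(params, dict):
        for key, value in params.items():
            child = f"{path}.{key}" if path else str(key)
            hits += find_phi(str(key), child)
            hits += find_phi(value, child)
    elif isinstance(params, (list, tuple)):
        for i, item in enumerate(params):
            hits += find_phi(item, f"{path}[{i}]")
    elif isinstance(params, str):
        for rule, pattern in PHI_RULES:
            for m in pattern.finditer(params):
                hits.append((path, rule, m.group(0)))
    return hits


def tokenize_patient(patient_id: str, link_store: Dict[str, str]) -> str:
    """Mint an opaque billing reference and record token -> patient_id in
    link_store, which stands in for a table on your HIPAA-side systems
    (assumed). Only the token travels to Stripe; resolving it back to a
    patient requires access to that store."""
    token = "bref_" + secrets.token_urlsafe(12)
    link_store[token] = patient_id
    return token


def build_payment_params(amount_cents: int, patient_id: str,
                         link_store: Dict[str, str],
                         description: str = "Office visit copay") -> Dict[str, Any]:
    """Assemble PaymentIntent parameters and refuse to return them if any
    field carries PHI or the raw internal patient identifier."""
    token = tokenize_patient(patient_id, link_store)
    params: Dict[str, Any] = {
        "amount": amount_cents,
        "currency": "usd",
        "description": description,
        "metadata": {"billing_ref": token},
    }
    hits = find_phi(params)
    if hits or patient_id in json.dumps(params):
        link_store.pop(token, None)  # do not leave a dangling mapping behind
        raise ValueError(f"PHI or patient id would reach Stripe: {hits}")
    return params


if __name__ == "__main__":
    store: Dict[str, str] = {}
    print("safe params:", build_payment_params(15000, "pt_000123", store))
    # Constructed payload of the kind the article warns about.
    leaky = {"description": "Follow-up for E11.9 diabetes",
             "metadata": {"mrn": "MRN 44821", "plan": "insulin dosage review"}}
    for hit in find_phi(leaky):
        print("blocked:", hit)
```

Run the guard immediately before every Stripe API call that accepts free text (PaymentIntents, Invoices, Customers, Checkout Sessions), and treat a hit as a hard failure rather than a warning: the point of the check is that nothing readable as health status ever leaves your BAA-covered systems.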
Alternatives if You Need a BAA
Some payment processors do sign BAAs and position themselves as HIPAA-compliant options for healthcare. If your business model makes it difficult to fully separate payment data from health data, or if you want the added legal protection of a BAA covering your payment processor, you’ll need to look beyond Stripe. Companies that specialize in healthcare payments typically offer BAAs as part of their standard onboarding.
For many healthcare businesses, though, the separation approach works well. Stripe’s developer tools, pricing, and reliability are hard to match, and as long as your integration keeps PHI entirely off Stripe’s platform, there is no HIPAA requirement that your payment processor sign a BAA. The obligation only kicks in when a vendor could access, store, or transmit protected health information. If Stripe never sees PHI, it’s not acting as a business associate.