
Is Square HIPAA Compliant? Payment Processing Guide for Healthcare (2026)

Square signs a BAA for payment processing only. Appointments, Messages, Invoices, and Marketing are not covered. What healthcare practices need to know.

Patient Protect Editorial Team · March 13, 2026 · 7 min read

Partially. Square (now Block, Inc.) will sign a Business Associate Agreement (BAA) — but the BAA covers payment processing only. Square Terminal, Square Register, and Square Online checkout are covered under the BAA for the payment transaction itself. That is the full extent of the coverage.

Square Appointments, Square Messages, Square Marketing, Square Invoices, and customer records stored in the Square Dashboard are not covered under the BAA. None of these products should be used to collect, store, or transmit protected health information (PHI). This distinction matters because many dental offices, medical practices, and therapy clinics use Square for far more than payment processing — and the moment PHI enters an uncovered Square product, you have a compliance gap.

What Square's BAA Covers

Square's BAA scope is narrow by design. It covers the payment transaction — card present, card not present, and online payments processed through Square's payment infrastructure.

Payment processing through Square Terminal and Square Register. When a patient swipes, taps, or inserts a card at the point of sale, that transaction is covered. The BAA applies to the payment data in transit and at rest within Square's payment processing systems.

Square Online checkout. Payments collected through Square's online checkout flow are covered under the BAA. This applies to the transaction itself — the card number, amount, and authorization — not to any additional information collected on the page.

The transaction, not the context. This is the critical distinction. The BAA covers the fact that a payment occurred, the amount, and the card data. It does not cover what the payment was for, who the patient is in a clinical sense, or any health information associated with that transaction.

Square's BAA is available by request. It is not automatic. You must contact Square, request the BAA, and execute it before processing any payments that could be associated with healthcare services.

What Square's BAA Does NOT Cover

Everything outside the payment transaction is excluded. These are the Square products that healthcare practices commonly use — and that create compliance exposure.

Square Appointments. Scheduling through Square Appointments allows you to add service types, staff assignments, and customer records. When those service types reference procedures — "root canal," "adjustment," "intake session" — the scheduling data becomes PHI. Square's BAA does not cover Appointments.

Square Messages. Two-way messaging between your practice and patients through Square is not covered under the BAA. Any communication that references treatment, symptoms, scheduling for specific procedures, or health conditions constitutes PHI on an uncovered platform.

Square Invoices. If an invoice contains a line item describing a healthcare service — "D2740 Porcelain Crown" or "90837 Psychotherapy 60 min" — it associates an identifiable patient with treatment. That is PHI. Square's BAA does not extend to invoicing.

Square Marketing. Email and text campaigns sent through Square Marketing are not covered. Marketing messages that reference health conditions, treatment history, or appointment types contain PHI and must be sent through a HIPAA-compliant platform with a BAA.

Customer notes and records in the Square Dashboard. The customer directory in Square lets you store notes, visit history, and preferences. Clinical notes, treatment summaries, or health-related observations entered here sit in a system with no HIPAA obligation.

The Healthcare Payment Processing Question

Payment processing occupies a specific position under HIPAA. The payment transaction itself — card authorization, settlement, and processing — has a partial exemption when the data involved is limited to financial information. But that exemption has limits.

A charge for "$250 — dental services" contains minimal clinical information. A charge for "$250 — root canal, tooth #14" associates an identifiable individual with a specific diagnosis and treatment. The second example is unambiguously PHI.

The distinction comes down to what information travels with the transaction. When you keep transaction descriptions generic — "professional services," "office visit," "dental services" — the payment data stays in the financial realm. When you attach procedure names, diagnostic codes, or treatment details to the charge, you have crossed the line into protected health information.

This is why Square's narrow BAA scope can work for healthcare practices — but only if you are disciplined about what information you attach to each transaction.

Common Mistakes Healthcare Practices Make with Square

These are the patterns that turn a compliant payment workflow into a HIPAA violation.

Adding treatment details to Square invoices. Line items that include procedure names, CDT codes, CPT codes, or treatment descriptions create PHI in a system without BAA coverage. Every invoice with clinical detail is a separate compliance gap.

Using Square Appointments with procedure types as service names. When your appointment types are named "Root Canal," "TMJ Evaluation," or "Psychiatric Assessment" instead of generic labels, the scheduling system associates patients with specific healthcare services.

Storing clinical notes in Square's customer directory. The notes field in Square's customer records is not covered under the BAA. Treatment observations, medication lists, allergies, or clinical reminders entered here are PHI on an uncovered platform.

Using Square Messages for patient communication about treatment. Confirming appointments is one thing. Discussing symptoms, treatment plans, medication changes, or lab results through Square Messages is transmitting PHI through an uncovered channel.

Assuming the BAA covers all Square products. This is the most dangerous mistake. Square's ecosystem is designed to be an all-in-one business platform — payments, scheduling, invoicing, marketing, messaging. The BAA covers only one of those functions. Practices that adopt the full Square suite without understanding the BAA scope create compliance exposure across every uncovered product.

How to Use Square Safely in Healthcare

Square can work in a healthcare practice — if you keep its role narrow.

Use Square exclusively for payment processing. Accept payments through Square Terminal, Square Register, or Square Online. Do not expand Square's role into scheduling, messaging, invoicing, or customer relationship management.

Strip treatment details from transaction descriptions. Use "Professional Services," "Office Visit," or "Dental Services" as line items. Never include procedure names, diagnostic codes, or treatment specifics in any Square transaction record.

Use your practice management system for everything else. Scheduling, clinical notes, patient communication, treatment-specific billing, and insurance claims belong in a HIPAA-compliant practice management platform with its own BAA. Square handles the card swipe. Your PMS handles the clinical context.

Execute the BAA before processing any payments. Contact Square and request the BAA. Do not process healthcare-related payments until the agreement is signed and in place.

Train your staff on the boundary. Every team member who touches Square needs to understand what goes into Square (payment amount and generic description) and what stays in the practice management system (everything clinical). One staff member entering "crown prep" in a Square invoice description creates a violation.
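The boundary the steps above describe, and the generic-versus-clinical distinction drawn under "The Healthcare Payment Processing Question," can be enforced in software rather than left to staff memory. The following is an added example, not Square's or Patient Protect's code: a description screen a practice would run in its own systems before a line-item description is handed to the payment processor. The generic labels are the ones this article recommends; the code patterns (CDT codes such as D2740, five-digit CPT codes such as 90837, tooth numbers), the clinical-term list, and the sample line items are constructed for illustration from the article's own examples and are assumptions a real deployment would tune to its specialty.

```python
"""Screen payment descriptions for clinical detail before they reach a
system outside the BAA.  Added example, not Square's or Patient Protect's
code.  The term list and sample line items are constructed for illustration."""
import re
from dataclasses import dataclass

# Generic labels the article recommends; an exact match passes without further checks.
GENERIC_LABELS = {"professional services", "office visit", "dental services", "telehealth visit"}

# Constructed starting list of procedure/diagnosis words taken from the article's
# examples.  A hit is a review flag, not proof of PHI ("adjustment" also occurs in
# ordinary billing language), so a practice extends and tunes this list itself.
CLINICAL_TERMS = (
    "root canal", "crown", "porcelain", "filling", "extraction", "tmj",
    "adjustment", "intake", "psychotherapy", "psychiatric", "cbt", "anxiety",
    "medication", "lab result", "symptom", "treatment",
)

# CDT dental codes look like D2740; CPT codes are five bare digits (90837).
# Dollar amounts and decimals are excluded from the CPT check, but any other
# five-digit number (an invoice number, say) is still flagged for review.
CDT_CODE = re.compile(r"\bD\d{4}\b")
CPT_CODE = re.compile(r"(?<![\$\d.])\b\d{5}\b(?![\d.])")
TOOTH_NUMBER = re.compile(r"\btooth\s*#?\s*\d{1,2}\b", re.IGNORECASE)
TERM_PATTERN = re.compile(
    r"\b(" + "|".join(re.escape(t) for t in CLINICAL_TERMS) + r")s?\b", re.IGNORECASE
)


@dataclass(frozen=True)
class Screening:
    description: str
    findings: tuple[str, ...]

    @property
    def allowed(self) -> bool:
        # A description may reach the payment processor only with zero findings.
        return not self.findings


def screen_description(description: str) -> Screening:
    """Return the clinical-detail findings for one transaction description."""
    text = " ".join(description.split())  # collapse stray whitespace
    if text.casefold() in GENERIC_LABELS:
        return Screening(text, ())
    findings = []
    for code in CDT_CODE.findall(text):
        findings.append(f"CDT code {code}")
    for code in CPT_CODE.findall(text):
        findings.append(f"possible CPT code {code}")
    for match in TOOTH_NUMBER.findall(text):
        findings.append(f"tooth number ({match})")
    for term in TERM_PATTERN.findall(text):  # group 1 is the term without its plural "s"
        findings.append(f"clinical term '{term.lower()}'")
    return Screening(text, tuple(findings))


def screen_line_items(items: list[tuple[str, int]]) -> dict[str, list[str]]:
    """Screen (description, amount_in_cents) pairs and return the descriptions
    that must be rewritten before the invoice or charge is created."""
    blocked: dict[str, list[str]] = {}
    for description, _amount_cents in items:
        result = screen_description(description)
        if not result.allowed:
            blocked[result.description] = list(result.findings)
    return blocked


# Constructed sample line items mirroring the article's own examples.
SAMPLE_LINE_ITEMS = [
    ("Dental Services", 25000),
    ("root canal, tooth #14", 25000),
    ("D2740 Porcelain Crown", 120000),
    ("90837 Psychotherapy 60 min", 17500),
    ("Telehealth Visit", 15000),
]

if __name__ == "__main__":
    for desc, findings in screen_line_items(SAMPLE_LINE_ITEMS).items():
        print(f"REWRITE before sending: {desc!r}: {', '.join(findings)}")
```

The screen sits in the practice's own layer, so a blocked description never leaves the HIPAA-covered system; staff see the finding and replace the text with one of the generic labels, while the clinical detail stays in the practice management system where the BAA covers it.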

Frequently Asked Questions

Does Square sign a BAA?

Yes. Square (Block, Inc.) will sign a Business Associate Agreement, but it covers payment processing only — transactions through Square Terminal, Square Register, and Square Online checkout. The BAA must be requested directly from Square. It does not cover Square Appointments, Messages, Invoices, Marketing, or customer records.

Is Square Appointments HIPAA compliant?

No. Square Appointments is not covered under Square's BAA. If your appointment types or customer records contain information that associates a patient with a healthcare service, that data constitutes PHI on an uncovered platform. Use a HIPAA-compliant practice management system for scheduling.

Can I use Square for dental or medical billing?

You can use Square to process the payment itself — the card transaction. You should not use Square for detailed billing that includes procedure codes, treatment descriptions, or clinical line items. Clinical billing belongs in your practice management system. Square should see only the payment amount and a generic service description.

Is Square Terminal HIPAA compliant?

Square Terminal is covered under Square's BAA for payment processing. The device itself processes card transactions, and those transactions are within the BAA's scope. The compliance risk is not the terminal hardware — it is what information you associate with the transaction in Square's software.

What about Square for telehealth payments?

Square Online checkout can process telehealth payments under the BAA, provided the transaction description does not include treatment details. A charge labeled "Telehealth Visit — $150" is lower risk than "Telehealth — CBT Session, Anxiety Disorder." Keep descriptions generic and process the clinical billing through your practice management system.

Can I use Square and still be HIPAA compliant?

Yes — if you limit Square to payment processing, execute the BAA, and ensure no PHI enters any other Square product. The key is discipline: Square handles the payment, your practice management system handles everything clinical. Most compliance violations with Square happen not because the payment processing fails, but because practices expand Square's role beyond what the BAA covers.

