Vendor compliance profile

Is Square HIPAA compliant?

Square may support some HIPAA-regulated workflows, but only under Square's HIPAA Business Associate Agreement and for the applicable Square services. Healthcare teams should verify BAA acceptance, service scope, payment fields, customer profiles, invoices, messages, Appointments, and staff access before PHI appears in Square.

HIPAA status signal: Conditional

BAA public signal: Square HIPAA BAA

SOC 2 evidence signal: Verify with vendor

PHI warning: Payment descriptions, invoices, appointments, customer profiles, intake notes, messages, receipts, loyalty data, staff notes, and integrations can reveal PHI.

HIPAA, BAA, and SOC 2 summary

HIPAA: Square publishes a HIPAA Business Associate Agreement that governs PHI created, received, maintained, or transmitted by Square in its capacity as a business associate for covered services.
BAA: Square's public HIPAA BAA should be reviewed with the governing Square agreement and current services in scope. Confirm whether your exact product and workflow are covered.
SOC 2: ComplySaaS did not confirm a current public Square SOC 2 report in this pass. Request current security evidence directly from Square or Block if required.
Category: HIPAA-Compliant Accounting and Payments Software

What it may be used for

  • General business workflows that do not include PHI.
  • Healthcare-adjacent operations after BAA scope and configuration have been verified.
  • Vendor risk review, procurement research, and compliance planning.

What not to use it for

  • Putting diagnosis, treatment, appointment reason, or patient status into item names, invoices, receipts, notes, messages, or customer profiles unless covered.
  • Assuming all Square services and third-party integrations are covered by the HIPAA BAA.
  • Using payment data as clinical or patient-record documentation.

What to verify with the vendor

  • Whether the vendor will sign a BAA for your exact product, plan, and use case.
  • Which services, add-ons, regions, and support channels are covered by the agreement.
  • Whether your intended workflow stores, transmits, or processes PHI.
  • Which admin, access control, retention, audit log, and encryption settings must be enabled.

FAQ

Is Square HIPAA compliant?

Square may support some HIPAA-regulated workflows, but only under Square's HIPAA Business Associate Agreement and for the applicable Square services. Healthcare teams should verify BAA acceptance, service scope, payment fields, customer profiles, invoices, messages, Appointments, and staff access before PHI appears in Square.

Will Square sign a BAA?

Square's public HIPAA BAA should be reviewed with the governing Square agreement and current services in scope. Confirm whether your exact product and workflow are covered.

Can Square be used with PHI?

Do not use this vendor with PHI until your organization verifies BAA scope, covered services, configuration, access controls, data retention, and connected integrations.

Last checked and source notes

Last checked: 2026-04-30
Confidence: Medium
Dataset rows: 267 vendors
  • ComplySaaS public vendor dataset entry.
  • Vendor trust center, legal terms, BAA documentation, and covered services should be re-checked before use.
  • Square HIPAA BAA
  • Square security