Key Compliance Requirements in Healthcare Payment Solutions

No other industry stacks as many overlapping compliance rules onto a simple card transaction as healthcare does. A patient pays twenty dollars for a copay, and that single payment touches HIPAA, PCI DSS, state laws, insurance regulations and potentially GDPR if the patient happens to be European. Running compliant healthcare payment systems is not about ticking one box; it is about keeping a whole stack of boxes ticked at once, all the time.

Here is what actually matters, how the different rules interact, and what a properly compliant setup looks like from a clinic’s point of view.

The two rulebooks that matter most

HIPAA and PCI DSS are the foundation every healthcare payment flow has to sit on. They cover different things and do not substitute for each other.

HIPAA (the Health Insurance Portability and Accountability Act) governs Protected Health Information. If any data ties a person to their health, PHI protections apply. That includes names, dates of birth, addresses, medical record numbers, insurance details and treatment information. Fines run up to $1.5 million per year per violation category, with reputational damage on top.

PCI DSS (the Payment Card Industry Data Security Standard) governs cardholder data. Every clinic that accepts card payments has to comply, though the compliance level (SAQ-A through SAQ-D) depends on volume and how the data flows through the clinic’s systems.

The trick is that a single payment often involves both. A receipt that lists a medication and the patient’s name is PHI and payment data at the same time. Working with compliant payment systems designed specifically for healthcare means these overlaps are already handled architecturally, rather than left for the clinic to figure out.

Where HIPAA applies to payment flows

A pure card transaction, stripped of patient-identifying context, is usually HIPAA-exempt. The processor moves card data, not health data. The moment that transaction picks up additional context, however, HIPAA kicks in.

  • Billing descriptors: If the descriptor on a patient’s statement identifies a procedure, it may be PHI. Generic descriptors (‘MEDICAL CLINIC’) are safer than specific ones (‘CARDIOLOGY CONSULT’).
  • Receipts and invoices: Line items naming treatments, procedures or medications are PHI. These should be sent through secure channels, not plain email or SMS.
  • Patient portals: Any portal showing balances alongside procedure details is handling PHI and needs HIPAA safeguards.
  • Reporting and analytics: Dashboards that tie payments to specific patients or conditions need access controls, audit logs and encryption.
  • Text-to-pay and email reminders: Must not include PHI in the message body. Links to secure portals are fine, message content with diagnoses is not.
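The descriptor and message-body rules above can be enforced in code rather than left to staff discipline. The following is an added example (not code from the original article or from any vendor it names): outbound text-to-pay messages are built only from an allowlist of non-PHI fields, the statement descriptor must come from a generic allowlist, and a second check refuses to send anything that still looks like PHI. The descriptor list, the PHI patterns and the portal URL are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed allowlist of generic statement descriptors (no procedure names).
GENERIC_DESCRIPTORS = {"MEDICAL CLINIC", "HEALTH SERVICES", "CLINIC COPAY"}

# Constructed patterns for content that would turn a message into PHI:
# medical record numbers, date-of-birth style dates, and treatment words.
PHI_PATTERNS = [
    re.compile(r"\bMRN[\s:#-]*\d{4,}\b", re.I),
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    re.compile(r"\b(diagnos\w*|cardiology|consult|prescription|therapy|procedure)\b", re.I),
]


@dataclass
class PaymentRequest:
    amount_cents: int
    descriptor: str
    portal_token: str  # opaque, single-purpose token, not a patient identifier


def validate_descriptor(descriptor: str) -> bool:
    """A statement descriptor must be one of the generic, non-PHI values."""
    return descriptor.upper().strip() in GENERIC_DESCRIPTORS


def find_phi(text: str) -> list[str]:
    """Return the fragments of text that look like PHI (empty list means clean)."""
    return [m.group(0) for p in PHI_PATTERNS for m in p.finditer(text)]


def build_reminder(req: PaymentRequest, portal_base: str) -> str:
    """Build a text-to-pay message from allowlisted non-PHI fields only.

    Line items, procedures and medications stay behind the authenticated
    portal; the message carries just the amount, a generic descriptor and a link.
    """
    if not validate_descriptor(req.descriptor):
        raise ValueError(f"descriptor not in generic allowlist: {req.descriptor!r}")
    body = (f"{req.descriptor}: a balance of ${req.amount_cents / 100:.2f} is due. "
            f"Pay securely at {portal_base}/pay/{req.portal_token}")
    # Defence in depth: refuse to send if PHI-like content slipped into the body.
    leaks = find_phi(body)
    if leaks:
        raise ValueError(f"PHI detected in outbound message: {leaks}")
    return body


if __name__ == "__main__":
    req = PaymentRequest(2000, "MEDICAL CLINIC", "tok_9f3a2c")  # constructed sample
    print(build_reminder(req, "https://portal.example"))
```

The same `find_phi` check can be run over email reminder bodies and over descriptor strings before they reach the processor, so a specific descriptor such as ‘CARDIOLOGY CONSULT’ is caught before it appears on a patient’s card statement.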

Business Associate Agreements: when they are required

Under HIPAA, any third party that creates, receives, maintains or transmits PHI on behalf of a covered entity is a Business Associate. Business Associates have to sign a BAA, which legally commits them to HIPAA safeguards.

Pure card processors are usually exempt from HIPAA because they handle card data only. Practically, though, most healthcare payment providers bundle additional services (reporting, patient portals, invoice delivery) that do touch PHI. If a vendor offers any of these, a BAA is required. Popular consumer payment apps like Venmo, Zelle and PayPal are explicitly not HIPAA-compliant and should not be used for healthcare payments.

PCI DSS in practical terms

PCI DSS defines twelve requirement areas covering encryption, access control, vulnerability management, monitoring and policy. For most clinics, the realistic compliance path involves:

  1. Using a PCI Level 1 certified payment provider. This shifts the bulk of the technical compliance burden to the processor.
  2. Using tokenisation and point-to-point encryption. Card data is encrypted immediately at capture and replaced with tokens for any downstream use.
  3. Completing the right self-assessment questionnaire (SAQ). SAQ-A applies to clinics that outsource all card handling. SAQ-D covers clinics that store or process card data themselves.
  4. Keeping internal policies, training and access logs up to date. The technical side is easier if the processor handles it. The governance side stays with the clinic.
  5. Upgrading from magnetic stripe to EMV chip readers. Chip readers reduce counterfeit fraud significantly and are the baseline expectation for any modern terminal.

State-level rules that stack on top

Federal rules are only part of the picture. Individual US states add their own layers, and pharmacies or clinics operating internationally face additional frameworks.

California’s CMIA and CCPA add stronger patient privacy protections than HIPAA alone. New York’s SHIELD Act raises the bar on breach notification. Texas requires specific medical privacy protections through HB300. The No Surprises Act creates federal pricing transparency obligations with state-level enforcement variations. Price transparency rules under CMS require hospitals to publish standard charges for shoppable services. Each of these affects how payment flows are documented and communicated.

For clinics touching EU patients, GDPR applies to any PHI crossing EU borders. That introduces lawful basis requirements, data minimisation expectations, Standard Contractual Clauses for non-EU vendors, and a Data Protection Impact Assessment in some cases.

What a compliant setup actually looks like

In practice, clinics that handle compliance well share a few common characteristics.

  • They use a healthcare-specific payment provider rather than a generic processor.
  • They have a BAA in place with every vendor that could see PHI.
  • Receipts and statements use generic descriptors to keep PHI separated from payment data.
  • Staff are trained on HIPAA and PCI basics, with refresher sessions at least annually.
  • Access to patient and payment systems is role-based and logged.
  • Annual PCI self-assessments and HIPAA risk assessments are done on a calendar, not reactively.
  • Breach notification procedures are documented and tested, not just written.

The cost of getting compliance wrong

HIPAA penalties range from $100 to $50,000 per violation with annual caps up to $1.5 million. PCI DSS violations can cost $5,000 to $100,000 per month and can ultimately cost a business its ability to process cards at all. Beyond direct fines, a breach causes reputational damage that can take years to recover from. Patients who lose trust in how a clinic handles their data rarely come back.

The upside is that compliance done well is more of a systems problem than a cost problem. A properly architected payment stack, built with healthcare requirements in mind from day one, handles most of the heavy lifting automatically. Vellis builds this kind of compliance-first infrastructure into its healthcare payment offering as a default rather than an add-on.

FAQs

Is my payment processor considered a Business Associate under HIPAA?

If they handle card data only, usually no. If they provide any additional service that touches PHI (reporting, patient portals, billing, appointment reminders), then yes, and a BAA is required.

What is the difference between HIPAA and PCI DSS?

HIPAA protects health data. PCI DSS protects card data. Both apply to most healthcare payment flows, but they cover different things and neither substitutes for the other.

Can I use Stripe, Square or PayPal for my clinic?

Some of them offer healthcare-compatible setups with a signed BAA. Without a BAA, they should not be used for anything that touches PHI. Venmo and Zelle are not HIPAA-compliant under any circumstances.

How often should I do a HIPAA risk assessment?

At minimum annually, plus whenever something material changes in your systems, vendors or workflows.

What happens if I have a data breach?

Under HIPAA, you have 60 days to notify affected patients, HHS and (for breaches above 500 records) the media. Under PCI DSS, you have to notify your acquirer and may face forensic review. State breach notification laws may impose shorter deadlines.
