Is Stripe HIPAA compliant?
No BAANot for PHISOC 2 Type II
Will Stripe sign a HIPAA BAA?
No — Stripe does not sign a HIPAA Business Associate Agreement (BAA).
Stripe generally does not sign a BAA and does not act as a HIPAA Business Associate for its core payments platform; its docs state Stripe may not be used to process PHI by a covered entity.
PHI eligibility
PHI must not enter Stripe; use only under the HIPAA payment-processing exemption by keeping all PHI out of fields, metadata, invoices, and webhooks.
SOC 2
SOC 2 Type II
Trust center
Sub-processors
—
Notes
Stripe is PCI Level 1 (cardholder data), which is not a HIPAA substitute. Stripe does not publish an explicit BAA-refusal page; the 'no BAA' verdict is supported by its docs and restricted-business terms.
Get notified when this changes
We track Stripe's BAA and HIPAA status. Leave your email and we'll send one note if the verdict on this page changes.
How to request and sign a BAA with Stripe
No — Stripe does not sign a HIPAA Business Associate Agreement (BAA).
There is no BAA to request — Stripe will not sign one. Stripe generally does not sign a BAA and does not act as a HIPAA Business Associate for its core payments platform; its docs state Stripe may not be used to process PHI by a covered entity.
Need a vendor in this space that does? See which HIPAA compliant payments & billing software sign a BAA →
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with Stripe before you rely on it. This is cited public information, not legal advice.
Frequently asked questions
Does Stripe sign a HIPAA Business Associate Agreement (BAA)?
No — Stripe does not sign a HIPAA Business Associate Agreement (BAA). Stripe generally does not sign a BAA and does not act as a HIPAA Business Associate for its core payments platform; its docs state Stripe may not be used to process PHI by a covered entity.
Is Stripe HIPAA compliant?
Stripe is not HIPAA-ready: it does not sign a Business Associate Agreement (BAA), so you cannot use it to process protected health information (PHI). PHI must not enter Stripe; use only under the HIPAA payment-processing exemption by keeping all PHI out of fields, metadata, invoices, and webhooks.
Can you store PHI (protected health information) in Stripe?
PHI must not enter Stripe; use only under the HIPAA payment-processing exemption by keeping all PHI out of fields, metadata, invoices, and webhooks.
Is Stripe SOC 2 certified?
Stripe reports a SOC 2 Type II attestation according to its public security documentation.
How do I request a HIPAA BAA from Stripe?
You can't — Stripe does not sign a HIPAA Business Associate Agreement. Stripe generally does not sign a BAA and does not act as a HIPAA Business Associate for its core payments platform; its docs state Stripe may not be used to process PHI by a covered entity.
What plan do I need to sign a BAA with Stripe?
Stripe does not offer a BAA on any plan, so no plan qualifies. Stripe generally does not sign a BAA and does not act as a HIPAA Business Associate for its core payments platform; its docs state Stripe may not be used to process PHI by a covered entity.
Sources
https://docs.stripe.com/security
https://stripe.com/legal/restricted-businesses
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with Stripe before processing protected health information.
Check another vendor
See all HIPAA compliant payments & billing software →
Browse all 105 vendors by category →