Square and Information Protection
One of the key determinants of whether a service is HIPAA compliant is the set of security methods used to protect sensitive information transmitted through it. Providers or business associates using Square for payments require their users to provide financial information such as debit/credit card or account numbers.
Under HIPAA, debit cards, credit cards, bank account numbers and all non-cash payment types are considered protected health information (PHI) when they are connected to treatment, payment, or healthcare operations. HIPAA requires organizations to implement security measures to ensure the confidentiality, integrity, and availability of PHI.
According to Square’s website, Square encrypts card data within its card reader at the moment of swipe and provides around-the-clock monitoring by dedicated security staff to protect payments sent through its service. Square is also PCI compliant.
So, Square meets HIPAA security requirements, but that is not the only determinant of a service’s HIPAA compliance. To be HIPAA compliant, a service provider must also sign business associate agreements with its users.