Although processing payments through a credit-card processor generates PHI, Health and Human Services (HHS) has stated that this process is specifically excluded from certain HIPAA mandates, as well as BAA requirements as long as you limit your use of the payment service to only collecting payment. Anything "above and beyond" just taking payment makes them a business associate and a BAA is required.

Did this answer your question?