HIPAA-Compliant Payment Processing

HIPAA-compliant payment processing with signed BAA and PHI segregation

Signed Business Associate Agreement (BAA), tokenized payment data segregated from PHI, audited infrastructure, and minimum-necessary data flows to your practice management system (PMS) — the compliance foundation a practice needs before accepting the first card.

What does HIPAA actually require of a payment processor?

If a processor handles any PHI alongside payment data (patient name + diagnosis, encounter details, account history), HIPAA classifies it as a Business Associate and requires a signed BAA. Most generic processors refuse to sign one — which makes their use a HIPAA violation, not a gray area.

How is PHI segregated from payment data?

Payment data (card number, bank account, billing address) lives in our PCI-DSS vault. PHI (diagnosis, procedure, encounter detail) never leaves your PMS. The bridge between the two passes only minimum-necessary identifiers — patient ID, encounter ID, amount, date — under the BAA.
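The bridge described above is, in practice, an allow-list: the PMS side reduces each encounter record to the four identifiers before anything crosses to the payment side, and nothing else is forwarded by default. The following is an added illustration of that reduction, not the vendor's code; the field names, the shape of the PMS record and the sample record are constructed assumptions for the example.

```python
"""Minimum-necessary bridge payload between a practice management system (PMS)
and a payment processor.

Added illustration, not the vendor's code. Field names, the PMS record shape
and the sample record below are constructed assumptions for this example.
"""
from datetime import date
from decimal import Decimal, InvalidOperation

# The only fields the bridge is allowed to carry to the payment side.
BRIDGE_ALLOWLIST = ("patient_id", "encounter_id", "amount", "date")

# Constructed examples of fields that must never cross the bridge: clinical
# detail stays in the PMS, card and bank data belong to the tokenized vault.
PHI_FIELDS = frozenset({
    "diagnosis_code", "procedure_code", "clinical_notes",
    "provider_notes", "patient_name", "dob",
})
PAYMENT_FIELDS = frozenset({
    "card_number", "cvv", "bank_account", "routing_number",
})


class BridgePolicyError(ValueError):
    """Raised when a record cannot be reduced to a compliant payload."""


def build_bridge_payload(pms_record: dict) -> dict:
    """Reduce a PMS encounter record to the minimum-necessary identifiers.

    Allow-list, not deny-list: any field not named in BRIDGE_ALLOWLIST is
    dropped, so a new PMS column cannot leak by default. Required fields are
    validated so a malformed record fails closed instead of producing a
    partial payload.
    """
    payload = {}
    for field in BRIDGE_ALLOWLIST:
        if field not in pms_record:
            raise BridgePolicyError(f"missing required bridge field: {field}")
        payload[field] = pms_record[field]

    # Validate the format of what does cross; normalise amount to cents.
    try:
        amount = Decimal(str(payload["amount"]))
    except InvalidOperation as exc:
        raise BridgePolicyError("amount is not a decimal value") from exc
    if amount <= 0:
        raise BridgePolicyError("amount must be positive")
    payload["amount"] = str(amount.quantize(Decimal("0.01")))

    try:
        date.fromisoformat(payload["date"])
    except (TypeError, ValueError) as exc:
        raise BridgePolicyError("date must be ISO-8601 (YYYY-MM-DD)") from exc

    for key in ("patient_id", "encounter_id"):
        if not isinstance(payload[key], str) or not payload[key].strip():
            raise BridgePolicyError(f"{key} must be a non-empty string")

    return payload


def leaked_fields(payload: dict) -> set:
    """Defence in depth: the PHI or payment fields present in a payload.

    An empty set means the payload is clean. Run it on the outbound message
    as a last check before transmission and as an audit assertion in tests.
    """
    return set(payload) & (PHI_FIELDS | PAYMENT_FIELDS)


# Constructed sample: a PMS encounter row as the practice side would hold it.
SAMPLE_PMS_RECORD = {
    "patient_id": "PT-000123",
    "encounter_id": "ENC-2024-0457",
    "patient_name": "Example Patient",
    "dob": "1980-01-01",
    "diagnosis_code": "J06.9",
    "procedure_code": "99213",
    "clinical_notes": "constructed note text",
    "amount": "125.5",
    "date": "2024-05-14",
}

if __name__ == "__main__":
    outbound = build_bridge_payload(SAMPLE_PMS_RECORD)
    print(outbound)
    print("leaked PHI/payment fields:", leaked_fields(outbound) or "none")
```

The design point is the direction of the filter: an allow-list of what may leave the PMS, rather than a deny-list of PHI to strip, means that schema changes on the practice side default to "not sent" and the BAA's minimum-necessary clause is enforced by construction rather than by review.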

What's in our BAA?

Standard HIPAA BAA terms: permitted uses, safeguards, breach notification within 60 days, subcontractor flow-down, audit cooperation, return/destruction at termination. Reviewed annually against current OCR guidance.

How does this interact with the rest of the stack?

Every other service — text-to-pay, statement automation, EHR integration — inherits the BAA. One signed agreement covers the full platform; no per-feature legal review.

Frequently asked questions

How fast can you get approved?

Most healthcare practices are approved within 24 hours of complete application submission. Specialty MIDs (dental DSO, behavioral health groups, DME) may take 48–72 hours while underwriting reviews trailing statements and licensure.

What does it cost?

Interchange-plus pricing — typically 2.4% + $0.10 per card transaction with no setup fee and no monthly minimum. ACH is 0.5–1.0%. You see interchange cost, assessments, and our markup on a single itemized statement.

Is the platform HIPAA-compliant?

Yes. We sign a BAA, tokenize all card and bank data before it touches your systems, and segregate PHI from payment metadata. EHR / PMS integrations move only the minimum necessary data for posting.

Apply for a healthcare merchant account.

HIPAA-compliant. 24-hour approval. Transparent pricing.
