HIPAA Business Associate Agreement

Last updated: March 16, 2026

The HIPAA Business Associate Agreement (“HIPAA BAA”) is entered into between you (“you” or “your”) and Block, Inc. and its affiliates (“Square,” “we,” “our,” or “us”) and is incorporated into the terms governing your use of Square’s services (the “Agreement”). Together with the Agreement, this HIPAA BAA governs the use and protection of Protected Health Information created, received, maintained, or transmitted by Square in its capacity as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

1. Definitions

  • Capitalized terms not defined in this HIPAA BAA have the meanings set forth in HIPAA.

  • “Protected Health Information” or “PHI” means “protected health information” as defined in 45 C.F.R. § 160.103, limited to information that Square creates, receives, maintains, or transmits on your behalf in connection with the Services. PHI excludes any information exempt from HIPAA under Section 1179 of the Social Security Act, 42 U.S.C. § 1320d-8 or otherwise not regulated under HIPAA.

  • “Individual” will have the same meaning as the term “individual” in HIPAA, 45 C.F.R. § 160.103, and will include a person who qualifies as a personal representative in accordance with the HIPAA “Privacy Rule” as described in 45 C.F.R. § 164.502(g).

  • “Services” means only those Square products, features, or configurations used by you in connection with your provision of health care services.

  • “Square Buyer Services” means Square Services that are offered by Square directly to individuals, including but not limited to Square Go, Square Profile, Square Pay, and Square Local Offers.

2. Scope

(a) This HIPAA BAA applies only to the Services and configurations where Square is acting as your Business Associate, including when you use Square Appointments, Invoices, or other features that have been explicitly identified as HIPAA-enabled by Square. Whether a Service supports HIPAA compliance depends on how it is configured and used. Square may, but is not obligated to, identify particular products or configurations as HIPAA-enabled. Not all Services are HIPAA-enabled, and you are responsible for evaluating whether a particular Service or configuration is appropriate for your use with PHI.

(b) You acknowledge and agree that Square Buyer Services are designed for consumers and are not operated by Square on behalf of Covered Entity Sellers. Accordingly, any data that Square collects or processes from individuals through Square Buyer Services—whether related to appointment bookings, payment information, transaction history, or user preferences—is processed by Square as an independent controller, not as a Business Associate. Such data is governed by Square’s Privacy Notice for Buyer Features and Square Pay and is outside the scope of this HIPAA BAA. Use of Square Buyer Services by your customers does not create a Business Associate relationship between you and Square, and any information shared through those services is not subject to this HIPAA BAA.

Except as otherwise limited in this HIPAA BAA, we may:

  • Use or Disclose PHI in our possession to perform the Services, provided that such Use or Disclosure would not violate HIPAA if done by you;

  • Use PHI for our proper management and administration and to carry out any of our legal responsibilities;

  • Use PHI to create de-identified Health Information in accordance with the HIPAA “Privacy Rule” as described in 45 C.F.R. § 164.514(b);

  • Use PHI for Data Aggregation services related to your Health Care Operations; and

  • Disclose PHI in our possession to a third party for our proper management and administration or to fulfill any of our legal responsibilities, provided that: (i) the Disclosure is Required by Law; or (ii) we have received reasonable written assurances from the person to whom PHI will be disclosed that: (a) the information will remain confidential and will be Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed; and (b) we will be notified of any instances of which the person becomes aware that the confidentiality of the information has been breached.

3. Square’s Responsibilities

a. Compliance and Safeguards

We agree to: (i) not use or further disclose PHI other than as permitted or required by the HIPAA BAA or as required by law; (ii) implement administrative, physical, and technical safeguards in accordance with the HIPAA Security Rule; (iii) comply with applicable requirements of the Security Rule with respect to Electronic PHI; (iv) report to you any Breach of Unsecured PHI or Security Incident involving PHI in accordance with 45 C.F.R. § 164.410; and (v) require subcontractors that create, receive, maintain, or transmit PHI on behalf of Square to agree to the same restrictions and conditions that apply to Square with respect to such PHI. To the extent Square is to carry out obligations on your behalf under HIPAA, Square will comply with the requirements of HIPAA that apply to you in the performance of such obligation.

b. Access to Records

We agree to make our internal practices, books, and records relating to the Use and Disclosure of PHI governed by this HIPAA BAA available to the Secretary of the Department of Health and Human Services (“Secretary”) for the purposes of determining your compliance with HIPAA. This obligation does not extend to data collected or processed through Square Buyer Services or any other service not subject to this HIPAA BAA. Nothing in this Section will be construed as a waiver of any legal privilege or of any protections for trade secrets or confidential commercial information.

c. Individual Privacy Rights

Upon your request, we will make PHI in a Designated Record Set governed by this HIPAA BAA available to you as necessary to allow you to comply with your obligations to provide access, amendment, and accounting of disclosures to Individuals of their health information as required by 45 C.F.R. § 164.524. Upon your request, we will make PHI in a Designated Record Set available to you and will incorporate any amendments to such information as instructed by you as necessary to allow you to comply with your amendment obligations as required by 45 C.F.R. § 164.526. We will maintain and, upon your request, provide you with the information necessary for you to provide an Individual with an accounting of Disclosures as required by 45 C.F.R. § 164.528. The foregoing does not apply to any Square Buyer Data or information collected through Square Buyer Services.

4. Your Responsibilities

a. Safeguards and Encryption

You will use appropriate safeguards to prevent unauthorized Use or Disclosure of PHI, consistent with this HIPAA BAA, and as required under the Security Rule. To the extent that you choose to use the Services to transmit PHI without encryption, you are responsible for documenting under the Security Rule that encryption is not reasonable and appropriate for such communications and implementing any equivalent alternative measures if reasonable and appropriate.

b. Use of Services with PHI

You are solely responsible for determining whether and how you use Square Services in connection with PHI, including features that collect Square Buyer Data and any services enabling communication with your customers.

c. Changes in Individual Permissions

You will provide us with any changes in, or revocation of, permission by an Individual to Use or Disclose PHI, if such changes affect our permitted or required Uses or Disclosures of PHI under this HIPAA BAA. You will not agree to any request for a restriction that limits our permitted or required Uses or Disclosures of PHI under this HIPAA BAA unless required by law and you will promptly notify us if such a restriction is imposed. You will not request or cause us to Use or Disclose PHI in any manner that would not be permissible under HIPAA if done by you.

d. Notice of Privacy Practices

You will not include in your notice of privacy practices under HIPAA any limitation that limits our permitted or required Uses or Disclosures of PHI under this HIPAA BAA unless such a limit is required by law and you will notify us promptly if such a limitation is imposed.

5. Authority to Terminate for Breach

If you determine that we have violated a material term of this HIPAA BAA, you may terminate this HIPAA BAA and the Agreement in accordance with the Agreement.

6. Effect of Termination

Except as provided in this Section 6, upon termination of this HIPAA BAA for any reason, we will return or destroy all PHI to the extent feasible. We will not retain copies of the PHI. If we determine that returning or destroying the PHI is infeasible, then we will extend the protections of this HIPAA BAA to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for as long as we maintain such PHI.

7. Interpretation

It is the parties’ intent that any ambiguity under this HIPAA BAA be interpreted consistently with the intent to comply with applicable laws.

8. No Third Party Beneficiaries

Nothing in this HIPAA BAA shall confer upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

9. No Agency Relationship

Nothing in this HIPAA BAA is intended to create an agency relationship between the parties.

10. Entire Agreement

This HIPAA BAA supersedes any pre-existing agreements between the parties relating to HIPAA covering the Services. To the extent of any conflict or inconsistency between the terms of this HIPAA BAA and the remainder of the Agreement, the terms of this HIPAA BAA will govern. Except as expressly modified or amended under this HIPAA BAA, the terms of the Agreement remain in full force and effect.