Stax Payments is a credit card payment facility that provides seamless payment options to its users. Stax Payments claims HIPAA compliance, citing the credit card processing exemption as the reason it does not sign a business associate agreement (BAA).
Stax is a comprehensive payment processing platform designed for healthcare providers and businesses looking to streamline their financial operations. It offers a range of features, including contactless payment options, customizable billing and invoicing, payment processing, and the ability to manage patient billing efficiently. Stax assures the highest level of data protection and encryption, making it a popular choice for healthcare businesses aiming to secure patient data while offering flexible payment solutions.
See also: Is IBM cloud HIPAA compliant?
Under HIPAA, a business associate agreement (BAA) is a document that outlines the responsibilities of third-party vendors when handling protected health information (PHI). Any software or service that stores, processes, or transmits PHI on behalf of a healthcare entity is considered a business associate and should, therefore, sign a BAA.
Stax, as a payment processor for healthcare providers, does not store or transmit PHI when used as intended. Therefore, it may not need to sign a business associate agreement.
A review of Stax's privacy policy shows that the company explicitly states it does not need to sign a BAA.
Stax Payments' general terms and conditions state: "When used as intended the Service does not require to enter into a formal Business Associate Agreement between the service and covered entities and other business associates as excluded by "45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)". The service is not intended as an electronic medical records (EMR) system, and should only be used as intended."
See also: Is using Gmail a HIPAA violation?
Stax Payments states, "The exemption for HIPAA and credit card processing only applies to the actual credit card processing services. Therefore, Stax merchant services should not be used by healthcare professionals to store health records (e.g., entering medical procedure information in invoice line items or in the comment sections of transactions)."
Stax claims it is HIPAA compliant despite not signing a BAA, relying on the credit card processing exemption. However, we recommend avoiding the inclusion of any PHI in transaction materials.
See also: HIPAA Compliant Email: The Definitive Guide