Cresora Commerce

HIPAA Guidance

HIPAA considerations for healthcare ISVs using Cresora.

Cresora is HIPAA-aware and supports healthcare ISVs that process payments for covered entities (hospitals, clinics, providers) and their business associates.

🔒Not legal advice

This page provides general guidance for Cresora customers. Consult qualified HIPAA counsel for your specific compliance obligations. Cresora is not a legal advisor.

Is Cresora a Business Associate?

Under HIPAA, whether Cresora qualifies as a Business Associate (BA) depends on whether it receives, creates, or transmits Protected Health Information (PHI) on your behalf.

Payment processing alone — Cresora processes payment amounts, merchant IDs, and card data. This data typically does not constitute PHI under the HIPAA definition, and payment processors are generally not considered BAs when operating under the payment-processing carve-out.

If you include PHI in payment metadata (e.g., a patient ID in metadata.patient_id) — you may be transmitting PHI to Cresora, which could trigger BA obligations. Consult counsel before including any PHI in API requests.

Best practices for healthcare ISVs

  1. Avoid PHI in payment metadata — don't include patient names, diagnoses, or identifiers in metadata fields
  2. Use reference IDs — use opaque internal IDs instead of PHI (metadata.account_id: "acct_12345" vs metadata.patient_name: "Jane Smith")
  3. Separate payment and clinical systems — keep payment processing and clinical workflows in separate systems
  4. Request a BAA if needed — if your legal counsel determines a BAA is required, contact your Cresora account manager

Business Associate Agreement

Cresora can provide a Business Associate Agreement for healthcare partners where required. Contact your Cresora account manager to initiate the BAA process.

Minimum necessary standard

Under HIPAA's minimum necessary standard, include only the minimum data necessary for payment processing in Cresora API calls. Payment processing requires:

  • Amount
  • Merchant ID
  • Payment method details
  • Idempotency key

No clinical or diagnostic information is necessary for payment processing.
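The best practices above (opaque reference IDs only, no PHI in metadata) and the minimum necessary field list can be enforced in code before a request leaves your system. The following is an added illustration, not Cresora's SDK or API: the allowlist, the PHI key markers, the field names and the request shape are all assumptions constructed for the example.

```python
"""Constructed example: guard a payment request's metadata against PHI before it is sent."""
from __future__ import annotations

# Hypothetical allowlist of metadata keys: opaque internal references only.
ALLOWED_METADATA_KEYS = {"account_id", "invoice_id", "order_id"}

# Key fragments that suggest PHI is being placed in a payment call (constructed list).
PHI_KEY_MARKERS = ("patient", "diagnos", "dob", "ssn", "mrn", "icd", "procedure")


class PHILeakError(ValueError):
    """Raised when metadata carries a key or value that looks like PHI."""


def check_metadata(metadata: dict[str, str]) -> list[str]:
    """Return a list of problems found in metadata; an empty list means it is clean."""
    problems: list[str] = []
    for key, value in metadata.items():
        lowered = key.lower()
        if lowered not in ALLOWED_METADATA_KEYS:
            problems.append(f"key {key!r} is not on the metadata allowlist")
        if any(marker in lowered for marker in PHI_KEY_MARKERS):
            problems.append(f"key {key!r} looks like a PHI field")
        # Opaque reference IDs never contain spaces; free text such as a name does.
        if " " in str(value):
            problems.append(f"value for {key!r} contains whitespace; expected an opaque ID")
    return problems


def build_payment_request(amount_cents: int, merchant_id: str, payment_method: str,
                          idempotency_key: str,
                          metadata: dict[str, str] | None = None) -> dict:
    """Assemble a minimum-necessary payload (hypothetical field names) and refuse PHI."""
    metadata = metadata or {}
    problems = check_metadata(metadata)
    if problems:
        raise PHILeakError("; ".join(problems))
    # Only the four items the minimum necessary standard calls for, plus clean metadata.
    return {
        "amount": amount_cents,
        "merchant_id": merchant_id,
        "payment_method": payment_method,
        "idempotency_key": idempotency_key,
        "metadata": metadata,
    }
```

Run the guard in the code path that builds every outbound payment call, and log rejected keys (never their values) so leaks are caught in testing rather than in production.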