HIPAA Compliance on Shopify

  • Technology
  • May 19, 2020
  • by Alex O'Byrne
  • 4 minute read

HIPAA is an act in the United States that compels healthcare providers to safeguard patient data. If you sell certain products online, you may need to meet these standards. Here we'll explain how you can be HIPAA-compliant on Shopify.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA), introduced in 1996, was primarily written to protect healthcare coverage in the USA. However, part of the legislation (the Administrative Simplification provisions) pushes US healthcare providers to become more efficient by handling patient data electronically, which is why it also has to say how that data is protected.

As you'd hope and expect, the legislation comes with a series of requirements (the HIPAA Privacy Rule and Security Rule) for how patient data, known as Protected Health Information (PHI), must be stored, transmitted and used.

What counts as Protected Health Information (PHI)?

The HIPAA journal publishes clear advice on this:

"diagnoses, treatment information, medical test results, and prescription information are considered protected health information under HIPAA, as are national identification numbers and demographic information such as birth dates, gender, ethnicity, and contact and emergency contact information."

There is an exhaustive list in the link above.

Do I need to be HIPAA-compliant?

We can't tell you this - only a lawyer can. The most common example we've seen of e-commerce brands that need to be HIPAA compliant is prescription eyewear.

Is HIPAA linked to PCI, CCPA or GDPR?

They are separate regimes that can all apply to the same store at once.

PCI DSS is the payment card industry's standard for handling card data when you take payments online.

CCPA and GDPR are data protection laws for California and the EU respectively. They apply to organisations processing personal data about the people they cover, regardless of where the organisation is based, so in practice that is most online stores.

How do you make a HIPAA compliant website on Shopify?

If you need to store PHI, you can't store it on Shopify. But, there is a way around this which means you can still use Shopify as your e-commerce platform of choice. Here's how.

Shopify does not currently offer a HIPAA Business Associate Agreement for its platform (there is no formal "HIPAA certification" for a host; what matters is whether the vendor will take on BAA obligations), so you'll need to ensure that customer medical data is stored elsewhere. We recommend a cloud instance on Microsoft Azure. Make sure that you provision HIPAA-eligible services, more on this below.

All PHI is stored on a HIPAA-compliant server behind a private web service that follows the Security Rule's requirements for authentication, access control and encryption. Encrypting PHI "in motion" (TLS for every connection that carries it) is essential. Note that the Security Rule lists encryption, both in transit and at rest, as an "addressable" specification rather than a flat mandate: you must either implement it or document why an equivalent safeguard is reasonable. In practice, encrypt at rest as well; PHI that is properly encrypted is treated as "secured" under the Breach Notification Rule, so its loss need not be reported as a breach.

In our HIPAA-compliant Shopify architecture, the customer interacts with the Shopify storefront as normal, but the form in which they enter their PHI submits directly to the secure private web service on Azure. So no PHI ever goes into Shopify. As an added bonus, the PHI service does not receive the customer's name, contact details or payment data alongside the medical data. Whatever you use to link the medical record back to the order, bear in mind that health information that can still be tied to an individual is PHI and must be protected as such.

Shopify stores the customer's personal and payment information according to PCI DSS Level 1 standards, a different but equally rigorous set of data protection requirements set by the payment card industry.
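To make the split concrete, here is an added example of the storefront side of that architecture; it is not code from the original article or from the Revant Optics build. It takes the submitted prescription form, routes the PHI fields to a separately hosted service over HTTPS only, and passes nothing but an opaque reference on to the Shopify cart. The field names, the endpoint URL and the reference format are assumptions made for this illustration.

```javascript
// Added example, not code from the original article or from Revant Optics:
// routing a storefront prescription form so that PHI goes only to the
// separately hosted PHI service and the storefront (Shopify) never sees it.
// Field names, the endpoint URL and the reference format are assumptions
// made for this illustration.

// Fields that are PHI (prescription values) and must never reach Shopify.
const PHI_FIELDS = new Set([
  'od_sphere', 'od_cylinder', 'od_axis',
  'os_sphere', 'os_cylinder', 'os_axis',
  'pupillary_distance',
]);

// Fields Shopify needs to take the order; these never go to the PHI service.
const STOREFRONT_FIELDS = new Set([
  'email', 'first_name', 'last_name', 'address1', 'city', 'zip',
]);

// Hypothetical endpoint of the BAA-covered service (assumption).
const PHI_ENDPOINT = 'https://rx.example-phi-service.net/v1/prescriptions';

// Refuse to build a PHI request to anything but an https:// URL.
function assertHttps(url) {
  const parsed = new URL(url);
  if (parsed.protocol !== 'https:') {
    throw new Error(`PHI must only be sent over TLS, refusing ${parsed.protocol}`);
  }
  return parsed.toString();
}

// Split a flat { name: value } map of submitted form fields into the two
// destinations. A field in neither allowlist is an error rather than being
// routed somewhere by default.
function splitFormData(fields) {
  const phi = {};
  const storefront = {};
  for (const [name, value] of Object.entries(fields)) {
    if (PHI_FIELDS.has(name)) {
      phi[name] = value;
    } else if (STOREFRONT_FIELDS.has(name)) {
      storefront[name] = value;
    } else {
      throw new Error(`Unexpected form field "${name}"; add it to exactly one allowlist`);
    }
  }
  return { phi, storefront };
}

// Build the fetch() request for the PHI service. `reference` is an opaque
// token (e.g. crypto.randomUUID() in the browser) that the merchant later
// uses to match the prescription to the Shopify order; it carries no PII.
function buildPhiRequest(phi, reference, endpoint = PHI_ENDPOINT) {
  const url = assertHttps(endpoint);
  for (const name of Object.keys(phi)) {
    if (!PHI_FIELDS.has(name)) {
      throw new Error(`Refusing to send non-PHI field "${name}" to the PHI service`);
    }
  }
  return {
    url,
    init: {
      method: 'POST',
      credentials: 'omit', // no Shopify session cookies to the PHI service
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ reference, prescription: phi }),
    },
  };
}

// Line item properties to attach to the Shopify cart: only the reference.
function buildCartProperties(reference) {
  return { properties: { rx_reference: reference } };
}

// Browser wiring (runs only where a form with this id exists).
if (typeof document !== 'undefined') {
  const form = document.getElementById('rx-form');
  if (form) {
    form.addEventListener('submit', async (event) => {
      event.preventDefault();
      const fields = Object.fromEntries(new FormData(form).entries());
      const { phi, storefront } = splitFormData(fields);
      const reference = crypto.randomUUID();
      const { url, init } = buildPhiRequest(phi, reference);
      const res = await fetch(url, init);
      if (!res.ok) throw new Error(`PHI service returned ${res.status}`);
      // Only the storefront fields and the reference continue to Shopify.
      console.log('continue checkout with', storefront, buildCartProperties(reference));
    });
  }
}
```

The two allowlists are the control: a new form field that is not explicitly assigned to one side fails loudly instead of drifting into Shopify, and the request builder refuses both a non-TLS endpoint and any non-PHI field in the payload. Whatever token you use as `rx_reference` is still the thing that ties the record to a person, so treat the joined data as PHI on the service side.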

Who offers HIPAA-compliant hosting?

Firstly, you need a signed "Business Associate Agreement" (BAA) between your company and Microsoft. This sets out the vendor's responsibilities regarding security and privacy, and is something Microsoft offers for its HIPAA-eligible services.

AWS also offers BAAs and HIPAA-eligible services.

A signed Business Associate Agreement is just the first requirement for HIPAA-compliant hosting though. You still need to configure the servers securely, restrict and authenticate access to them, and ensure that the relevant audit logging is active.

Is Microsoft Azure HIPAA-compliant?

Yes, you can use Microsoft Azure for HIPAA PHI, provided you have a signed "Business Associate Agreement" (BAA) between your company and Microsoft and you deploy onto the services that agreement covers.

A note about other suppliers...

Such as your Shopify agency.

If your development agency/SI needs to see the medical data too, it will need to become a "business associate" (or a subcontractor of one), which HIPAA defines as a subcontractor that "creates, receives, maintains, or transmits protected health information on behalf of another business associate."

The HIPAA Rules require covered entities to enter into contracts with their business associates, and business associates to do the same with their subcontractors, so that health information is protected to HIPAA's standards all the way down the chain.

This can be onerous for all parties involved. The safest and easiest way for everyone is for the agency not to see the patient data or have access to the production credentials.

For debugging and development, the agency should only ever work with dummy data.

A Shopify-HIPAA example in the wild

Check out the example we built recently for our client, Revant Optics. Their slick new Shopify Plus website is conversion-boosting but also follows all the rules when it comes to HIPAA, PCI and everything else.

Revant Optics Shopify Store


Alex O'Byrne

Alex is Co-founder at We Make Websites, the go-to Shopify agency for global commerce. We Make Websites design, develop and optimise e-commerce websites for the fastest growing brands on the planet, with teams in London and New York. Alex is an international speaker on ecommerce, brand and business growth.
