{"id":27945,"date":"2025-09-15T10:00:00","date_gmt":"2025-09-15T10:00:00","guid":{"rendered":"https:\/\/spreecommerce.org\/?p=27945"},"modified":"2026-04-17T13:07:51","modified_gmt":"2026-04-17T13:07:51","slug":"hipaa-ecommerce-compliance","status":"publish","type":"post","link":"https:\/\/spreecommerce.org\/hipaa-ecommerce-compliance\/","title":{"rendered":"HIPAA-Compliant eCommerce: How to Build Health Commerce That Passes Audit"},"content":{"rendered":"\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">What Does HIPAA Mean for eCommerce in 2026?<\/h2>\n\n\n\n<p><strong>The moment your eCommerce platform touches patient data, every vendor in your stack becomes a HIPAA liability.<\/strong> That single fact reshapes every platform decision in health commerce.<\/p>\n\n\n\r\n  <section  class=\"highlight-box-wrap alignstandard text-align-left\" style=\" \">\r\n    <div class=\"highlight-box highlight-box-green\">\r\n      <div class=\"icon\">\r\n                  <img decoding=\"async\" loading=\"lazy\" width=\"24\" height=\"24\" src=\"https:\/\/spreecommerce.org\/wp-content\/themes\/spree\/images\/bulb.svg\" alt=\"\">\r\n              <\/div><!-- \/.icon -->\r\n      <div class=\"desc\">\r\n        <h3>Key Takeaways<\/h3>\n<p><strong>Last verified:<\/strong> March 2026<\/p>\n<p><strong>Regulation:<\/strong> HIPAA requires AES-256 encryption at rest, TLS 1.2+ in transit, full audit trails, role-based access controls, and Business Associate Agreements with every vendor touching protected health information.<\/p>\n<p><strong>The SaaS problem:<\/strong> Most SaaS commerce platforms \u2014 including Shopify Plus, BigCommerce, and commercetools \u2014 are not HIPAA compliant and cannot sign BAAs for commerce workloads.<\/p>\n<p><strong>The solution:<\/strong> Only self-hosted, open source commerce platforms with enterprise security controls deliver the encryption, audit trails, and BAA capability HIPAA 
demands.<\/p>\n<p><strong>Penalties:<\/strong> Non-compliance carries fines from $100 to $50,000 per occurrence, up to $1.5 million annually per category, plus potential criminal prosecution.<\/p>\n      <\/div><!-- \/.desc -->\r\n    <\/div>\r\n  <\/section>\r\n\r\n\n\n\n\n\n<p><a href=\"https:\/\/www.hhs.gov\/hipaa\/index.html\">HIPAA (the Health Insurance Portability and Accountability Act)<\/a> is the federal law governing how organizations handle protected health information (PHI) in the United States. Its scope for eCommerce is broader than most commerce teams realize. The line between &#8220;health product&#8221; and &#8220;health data&#8221; is thinner than you&#8217;d expect:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>An online pharmacy processing prescription orders handles PHI<\/li>\n\n\n\n<li>A medical device distributor linking purchase history to patient accounts handles PHI<\/li>\n\n\n\n<li>A telehealth supplement store connecting health assessments to product recommendations handles PHI<\/li>\n\n\n\n<li>A durable medical equipment (DME) supplier shipping CPAP machines to patients whose diagnoses appear in order records handles PHI<\/li>\n\n<\/ul>\n\n\n\n<p><strong>The enforcement environment has intensified.<\/strong> HHS Office for Civil Rights announced ten resolution agreements in just the first five months of 2025, with fines from $25,000 to $3 million. A single failure to conduct a proper risk analysis triggered several of these actions (HHS OCR, Enforcement Highlights 2025).<\/p>\n\n\n\n<p>Civil penalties reach $71,162 per violation, with annual caps between $25,000 and $2 million depending on severity tier (45 CFR \u00a7 160.404). Criminal penalties can reach $250,000 and ten years imprisonment. 
The US healthcare eCommerce market is projected to reach $1.44 trillion by 2032 (Grand View Research, 2024).<\/p>\n\n\n\n<p>For a full overview of US regulations affecting commerce, see <a href=\"\/us-regulated-commerce-2026\/\">US Regulated Commerce 2026: HIPAA, ITAR and FedRAMP Guide<\/a>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">What Does HIPAA Require for eCommerce Platforms?<\/h2>\n\n\n\n<p><strong>Eight technical and administrative safeguards apply the moment your platform processes protected health information.<\/strong> These derive from the HIPAA Security Rule (45 CFR Part 164, Subpart C) and Privacy Rule. They cover every system in the data flow, not just the commerce platform.<\/p>\n\n\n\n<p>HHS Security Rule guidance is explicit: &#8220;A covered entity must implement technical security measures to guard against unauthorized access to electronic protected health information&#8221; (HHS.gov, HIPAA Security Rule Summary).<\/p>\n\n\n\n<p><strong>That means your platform, hosting provider, payment processor, and every third-party integration handling PHI must independently meet these requirements.<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\" style=\"margin:24px auto 0; overflow-x:auto\">\n<table style=\"border-collapse:collapse; width:100%; table-layout:fixed\">\n<thead><tr><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Requirement<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">What It Means for Commerce<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Technical Implementation<\/th><\/tr><\/thead>\n<tbody><tr><td style=\"border:1px solid 
#d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Encryption at rest<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">All stored PHI \u2014 customer records, order data, health assessments \u2014 must be encrypted in your database, file storage, and backups<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">AES-256 encryption on all data stores, with organization-managed encryption keys<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Encryption in transit<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">All data moving between your storefront, APIs, admin panels, and third-party integrations must be encrypted<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">TLS 1.2+ enforced on all endpoints \u2014 API calls, webhooks, admin interfaces, checkout flows<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Full audit trail<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Every access to PHI must be logged with who accessed it, when, what they viewed or changed, and from where<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Immutable audit log capturing user identity, timestamp, action type, and data accessed<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Role-based access controls<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; 
vertical-align:top; word-wrap:break-word\">Only authorized personnel can access PHI, following the minimum necessary standard<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Granular RBAC with least-privilege principle \u2014 different permissions for admin, warehouse, customer service, and vendor roles<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Business Associate Agreement (BAA)<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Every vendor that touches PHI must sign a legally binding agreement to protect it<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">BAAs required with your platform vendor, hosting provider, payment processor, email service, analytics tools, and any integration handling PHI<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Breach notification<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">You must notify affected individuals within 60 days and report breaches of 500+ records to HHS<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Documented incident response plan with automated alerting, forensic capability, and notification workflows<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Risk analysis<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">You must conduct and document a thorough assessment of risks to PHI<\/td><td style=\"border:1px solid #d5d5d5; 
padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Regular security risk assessments covering your commerce platform, infrastructure, integrations, and vendor relationships<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Data backup and recovery<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">PHI must be recoverable in the event of a breach, system failure, or disaster<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Encrypted backups with tested recovery procedures and defined recovery time objectives<\/td><\/tr><\/tbody>\n<\/table>\n<\/figure>\n\n\n\n<p>HIPAA compliance extends to every system and vendor in the data flow. Your commerce platform, hosting provider, payment processor, email service, and any third-party integration that touches PHI must each meet these requirements and sign a BAA.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Industries Affected by HIPAA<\/h2>\n\n\n\n<p><strong>Any eCommerce operation handling PHI must comply, regardless of whether the business considers itself a &#8220;healthcare company.&#8221;<\/strong> Three verticals face the most direct impact.<\/p>\n\n\n\n<p><strong>HealthTech and digital health<\/strong> is the most exposed sector. Online pharmacies, telehealth supplement stores, and digital therapeutics companies all handle PHI as a core part of their commerce workflow. You cannot &#8220;keep PHI off the platform&#8221; when the product itself is a health service. 
\u2192 See the <a href=\"\/healthtech-ecommerce\/\">HealthTech eCommerce compliance<\/a> guide.<\/p>\n\n\n\n<p><strong>Medical device distribution<\/strong> involves B2B and B2C commerce where patient data appears in orders, prescriptions, and insurance verification workflows. DME suppliers, surgical instrument distributors, and diagnostic device companies routinely handle PHI in their order management systems. \u2192 Read: HealthTech Commerce Deep Dive (coming soon)<\/p>\n\n\n\n<p><strong>Healthcare procurement marketplaces<\/strong> connect hospitals, clinics, and healthcare networks with suppliers. The platform operator becomes a business associate of every participating healthcare entity, creating HIPAA exposure at the marketplace level. \u2192 Read: How to Build a HIPAA-Compliant Medical Device Marketplace (coming soon)<\/p>\n\n\n\n<p>HIPAA compliance intersects with other US and international regulations. For federal healthcare systems and government contractors, <a href=\"\/fedramp-ecommerce-compliance\/\">FedRAMP eCommerce Compliance<\/a> is often required alongside HIPAA.<\/p>\n\n\n\n<p>Healthcare commerce serving international markets must address EU MDR for medical devices, MHRA requirements for UK health products, and <a href=\"\/gdpr-schrems-ii-ecommerce-compliance\/\">GDPR for any EU patient data<\/a>. EdTech platforms offering continuing medical education must address FERPA, HIPAA, and state-level student data protection simultaneously. 
See <a href=\"\/edtech-ecommerce\/\">EdTech FERPA-compliant commerce<\/a> for education-specific guidance.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Why Can&#8217;t SaaS Commerce Platforms Meet HIPAA Requirements?<\/h2>\n\n\n\n<p><strong>Three structural limitations make SaaS platforms a poor fit for health commerce: no BAAs, shared infrastructure, and shallow audit trails.<\/strong><\/p>\n\n\n\n<p>Healthcare data breaches affected over 133 million records in 2023 alone, a record year, with third-party business associates involved in a significant share of incidents (HIPAA Journal, 2024). The common workaround of &#8220;keeping PHI off the platform&#8221; breaks down the moment PHI becomes part of the commerce workflow: prescription verification, patient-linked orders, insurance processing, or health assessment-driven recommendations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The BAA problem<\/h3>\n\n\n\n<p><strong>Without a signed BAA, processing PHI through a platform is a HIPAA violation, regardless of its security posture.<\/strong> A BAA is a legal prerequisite, not optional paperwork.<\/p>\n\n\n\n<p>Most SaaS platforms do not sign BAAs for commerce workloads. Shopify&#8217;s Acceptable Use Policy explicitly states that users may not use Shopify to collect, store, or process protected health information. Any workaround that routes PHI through the platform, even inadvertently, creates a compliance violation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The shared tenancy problem<\/h3>\n\n\n\n<p><strong>SaaS platforms run on shared infrastructure, and shared infrastructure means shared risk.<\/strong> Your store&#8217;s data sits alongside thousands of other merchants on the same servers, managed by the same teams.<\/p>\n\n\n\n<p>For HIPAA, this creates a fundamental tension. You have no independent control over who accesses the infrastructure where PHI resides. 
You have no way to implement your own encryption key management or configure audit logging granularity. You inherit the platform&#8217;s security posture. If that posture falls short of HIPAA&#8217;s safeguard requirements, you have no way to remediate it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The audit and access control problem<\/h3>\n\n\n\n<p><strong>HIPAA requires granular audit trails documenting every access to PHI: who accessed what, when, from where, and what they changed.<\/strong> It also requires role-based access controls following the minimum necessary standard.<\/p>\n\n\n\n<p>Most SaaS platforms offer limited activity logs (admin login times, order views) rather than the immutable, detailed audit trails HIPAA demands. You have no way to customize logging depth, retention period, or access control granularity beyond what the platform provides.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How SaaS platforms compare on HIPAA readiness<\/h3>\n\n\n\n<figure class=\"wp-block-table\" style=\"margin:24px auto 0; overflow-x:auto\">\n<table style=\"border-collapse:collapse; width:100%; table-layout:fixed\">\n<thead><tr><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">HIPAA Capability<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Shopify Plus<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">BigCommerce<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Salesforce Commerce Cloud<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; 
vertical-align:top; word-wrap:break-word\">commercetools<\/th><\/tr><\/thead>\n<tbody><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Signs BAA for commerce<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c No<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c No<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f Health Cloud is a separate product<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c No<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Self-hosting option<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c SaaS only<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c SaaS only<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c SaaS only<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c SaaS only<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Custom encryption key management<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Platform-managed<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Platform-managed<\/td><td style=\"border:1px solid 
#d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f Limited (Shield add-on)<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Platform-managed<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Full audit trail<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f Limited activity logs<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f Limited<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u2705 Good audit features<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f API-level logging only<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Granular RBAC<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f Basic roles<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f Basic roles<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u2705 Available<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f Limited<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">SSO \/ SAML integration<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; 
vertical-align:top; word-wrap:break-word\">\u2705 Available (Plus)<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u2705 Available<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u2705 Available<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u2705 Enterprise tier<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Source code audit<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Proprietary<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Proprietary<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Proprietary<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Proprietary<\/td><\/tr><\/tbody>\n<\/table>\n<\/figure>\n\n\n\n<p><strong>SaaS commerce platforms are designed for general-purpose retail, not regulated health commerce.<\/strong> The &#8220;keep PHI off the platform&#8221; workaround works only when PHI is peripheral to the transaction. 
When PHI <em>is<\/em> the transaction (prescription orders, patient-linked procurement, health assessment commerce), a different architecture is required.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">How Self-Hosted Open Source Commerce Meets HIPAA Requirements<\/h2>\n\n\n\n<p><strong>Here&#8217;s what changes when you own your infrastructure: every HIPAA safeguard becomes a deployment decision instead of a vendor negotiation.<\/strong><\/p>\n\n\n\n<p>Your team controls the encryption standards, key management, access policies, audit logging, and breach response workflows. You are the data controller. Your security team sets the rules. Your compliance team owns the audit trail. No inherited security postures, no hoping your SaaS vendor has done enough.<\/p>\n\n\n\n<figure class=\"wp-block-table\" style=\"margin:24px auto 0; overflow-x:auto\">\n<table style=\"border-collapse:collapse; width:100%; table-layout:fixed\">\n<thead><tr><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">HIPAA Requirement<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">How Self-Hosted Commerce Meets It<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Spree Enterprise Feature<\/th><\/tr><\/thead>\n<tbody><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Encryption at rest<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Deploy on your own infrastructure with organization-managed encryption keys<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 
12px; text-align:left; vertical-align:top; word-wrap:break-word\">AES-256 encryption at rest, integrated with AWS KMS, Azure Key Vault, or GCP Cloud KMS<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Encryption in transit<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Configure TLS policies at the infrastructure level \u2014 enforce versions, cipher suites, certificate management<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">TLS 1.2+ enforced across all API endpoints, admin interfaces, and storefront connections<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Full audit trail<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Complete control over what is logged, how long it is retained, and who can access the logs<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Built-in audit trail logging every admin action, API call, data access, and configuration change \u2014 fully customizable retention<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Role-based access controls<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Implement your organization&#8217;s IAM policies directly on the platform<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Granular RBAC with SSO\/SAML\/OIDC integration \u2014 connect to Okta, Azure AD, PingFederate, or any enterprise identity provider<\/td><\/tr><tr><td 
style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">BAA coverage<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">You are the data processor. No SaaS vendor BAA required for the platform itself.<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Self-hosted eliminates one of the largest BAA dependencies. BAAs needed only for hosting provider and payment processor.<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Data residency<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Host in any region, on any cloud, or on-prem<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Deploy on AWS (including GovCloud), GCP, Azure, or on-premise infrastructure \u2014 your choice<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Risk analysis<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Full visibility into the platform&#8217;s codebase, dependencies, and security architecture<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Open source (BSD 3-Clause) \u2014 your security team can audit every line of code. 
No black boxes.<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Breach response<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Full control over incident detection, forensics, and notification workflows<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Self-hosted logging + infrastructure monitoring integration supports meeting HIPAA&#8217;s 60-day breach notification requirement<\/td><\/tr><\/tbody>\n<\/table>\n<\/figure>\n\n\n\n<p>For healthcare commerce handling PHI at scale, a self-hosted open source platform with built-in compliance controls, such as Spree Enterprise, provides the strongest architectural fit.<\/p>\n\n\n\n<p><strong>The security capabilities are part of the platform&#8217;s enterprise module, not third-party plugins.<\/strong> AES-256 encryption, full audit trails, granular RBAC, and SSO\/SAML integration ship as one codebase maintained by one team. Your compliance team evaluates a single platform, not a patchwork of vendor plugins with independent security postures.<\/p>\n\n\n\n<p>The BSD 3-Clause open source license means your security team has full visibility into the source code. They can audit cryptographic implementations, review access control logic, and verify audit trail completeness before a single line of PHI enters the system.<\/p>\n\n\n\n<p><strong>You own the infrastructure, the code, the data, and the compliance posture.<\/strong> No shared tenancy surprises. No vendor-controlled patching schedules. 
No compliance gaps because a SaaS provider hasn&#8217;t certified yet.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Architecture and Deployment for HIPAA-Compliant Commerce<\/h2>\n\n\n\n<p><strong>A compliant architecture has three non-negotiable layers: BAA-eligible hosting, network isolation, and enterprise identity management.<\/strong> Here&#8217;s what that looks like in practice.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Hosting and infrastructure<\/h3>\n\n\n\n<p>Hosting must be on infrastructure where the provider signs a BAA. AWS, GCP, and Azure all offer BAA-eligible services. AWS is the most common choice, with specific HIPAA-eligible services documented in their shared responsibility model.<\/p>\n\n\n\n<p>For organizations that also need FedRAMP alignment (common in government healthcare), AWS GovCloud provides an isolated environment. Spree&#8217;s provider-agnostic architecture means you deploy on whichever provider your compliance team has already vetted.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Network architecture<\/h3>\n\n\n\n<p>Isolate the commerce application within a private VPC with no direct public internet access to application servers or databases. 
Key requirements:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>Load balancer and WAF as the single entry point, with DDoS protection<\/li>\n\n\n\n<li>Database traffic restricted to the application layer only<\/li>\n\n\n\n<li>TLS encryption on all internal API calls between storefront, admin panel, and order management<\/li>\n\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access management<\/h3>\n\n\n\n<p><strong>Integrate Spree&#8217;s SSO\/SAML\/OIDC support with your organization&#8217;s identity provider.<\/strong> Admin users authenticate through the same system as the rest of your organization, with the same password policies, MFA requirements, and access review processes.<\/p>\n\n\n\n<p>For marketplace deployments, vendor accounts should be isolated with vendor-specific RBAC roles limiting access to their own orders, products, and customer interactions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Payment processing<\/h3>\n\n\n\n<p>HIPAA-compliant commerce also requires PCI DSS compliance. Spree works with any payment processor (Stripe, Adyen, Braintree, Authorize.net, or custom PSPs), so you can choose one that signs a BAA for health-related payments and meets PCI DSS requirements.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Integration patterns<\/h3>\n\n\n\n<p>Healthcare commerce typically integrates with EHR\/EMR systems, insurance verification, pharmacy management, and supply chain platforms. Spree&#8217;s OpenAPI-documented API layer maintains access controls and audit trails across all integrations. 
Every API call is authenticated, authorized, and logged.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">HIPAA Compliance by Industry<\/h2>\n\n\n\n<p><strong>Each sector faces different PHI handling challenges, BAA structures, and multi-vendor data flows.<\/strong> The table below maps affected industries to their primary compliance challenges.<\/p>\n\n\n\n<figure class=\"wp-block-table\" style=\"margin:24px auto 0; overflow-x:auto\">\n<table style=\"border-collapse:collapse; width:100%; table-layout:fixed\">\n<thead><tr><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Industry<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Region<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Key Commerce Challenges<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Deep Dive<\/th><\/tr><\/thead>\n<tbody><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">HealthTech and Digital Health<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">US<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">PHI embedded in transactions: prescriptions, telehealth, supplements tied to health data<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><a href=\"\/healthtech-ecommerce\/\">HealthTech eCommerce 
Compliance<\/a><\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Medical Devices and MedTech<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">US, EU, UK<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Multi-region compliance (HIPAA + EU MDR + MHRA), device traceability, procurement workflows<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Coming soon<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Healthcare Procurement Marketplaces<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">US<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Multi-vendor BAA complexity, hospital procurement compliance, insurance processing<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Coming soon<\/td><\/tr><\/tbody>\n<\/table>\n<\/figure>\n\n\n\n<p>Each sector handles PHI in different transaction flows. Compliance requirements vary based on whether patient data appears in transaction records, order management systems, or supply chain integrations. The guides above cover platform architecture, vendor selection, and deployment patterns specific to each industry vertical.<\/p>\n\n\n\n<p>HIPAA does not operate in isolation. 
Healthcare commerce platforms face overlapping requirements: <a href=\"\/fedramp-ecommerce-compliance\/\">FedRAMP for government healthcare systems<\/a>, <a href=\"\/gdpr-schrems-ii-ecommerce-compliance\/\">GDPR for EU patient data<\/a>, and state-level health privacy laws that sometimes exceed HIPAA&#8217;s protections (notably California&#8217;s CCPA\/CMIA).<\/p>\n\n\n\n<p>\u2192 <a href=\"\/us-regulated-commerce-2026\/\">US Regulated Commerce 2026: HIPAA, ITAR and FedRAMP Guide<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Build HIPAA-Compliant Commerce with Spree<\/h2>\n\n\n\n<p>Spree Enterprise gives your team full control over infrastructure, data, security, and compliance. HIPAA-ready capabilities are built in, not bolted on. You own the code, the deployment, and the compliance posture.<\/p>\n\n\n\n<p>Whether you&#8217;re building a healthcare marketplace, launching a medical device distribution platform, or migrating off a SaaS platform that fails HIPAA requirements, the Spree team can help you scope the right architecture.<\/p>\n\n\n\n<p><a href=\"https:\/\/spreecommerce.org\/get-started\/\"><strong>Talk to the Spree Team \u2192<\/strong><\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/spreecommerce.org\/get-started\"><strong>Explore Spree Enterprise \u2192<\/strong><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Frequently Asked Questions<\/h2>\n\n\n\n<div class=\"wp-block-wpseopress-faq-block-v2 is-layout-flow wp-block-wpseopress-faq-block-v2-is-layout-flow\">\n<details id=\"is-shopify-hipaa-compliant\" class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong>Is Shopify HIPAA compliant?<\/strong><\/summary>\n<p>No. Shopify does not sign Business Associate Agreements for its commerce platform. Shopify&#8217;s Acceptable Use Policy states that users may not use Shopify to collect, store, or process protected health information. 
Healthcare businesses can use Shopify for general health-adjacent retail where PHI is not part of the transaction (selling vitamins, generic wellness products). But any workflow that involves PHI (prescription orders, patient-linked accounts, insurance verification) fails HIPAA on Shopify.<\/p>\n<\/details>\n\n\n<details id=\"what-ecommerce-platform-is-hipaa-compliant\" class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong>What ecommerce platform is HIPAA compliant?<\/strong><\/summary>\n<p>No eCommerce platform is HIPAA compliant out of the box. HIPAA compliance is an outcome of how a platform is deployed, configured, and operated, not a feature you toggle on. Self-hosted open source platforms with enterprise security controls, such as Spree Enterprise, can be configured to meet HIPAA&#8217;s technical safeguard requirements: AES-256 encryption, full audit trails, granular RBAC, and SSO integration. SaaS platforms generally lack the infrastructure-level control HIPAA demands.<\/p>\n<\/details>\n\n\n<details id=\"what-does-hipaa-require-for-online-stores\" class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong>What does HIPAA require for online stores?<\/strong><\/summary>\n<p>Any eCommerce operation handling PHI must implement six core safeguards:<\/p>\n<ul class=\"wp-block-list\">\n<li>Encryption at rest (AES-256) and in transit (TLS 1.2+)<\/li>\n<li>Full audit trails documenting every access to PHI<\/li>\n<li>Role-based access controls following the minimum necessary standard<\/li>\n<li>Business Associate Agreements with every vendor touching PHI<\/li>\n<li>A documented breach response plan with 60-day notification capability<\/li>\n<li>Regular security risk analyses<\/li>\n<\/ul>\n<p>These requirements apply to the platform, hosting infrastructure, payment processor, and every third-party integration in the data flow.<\/p>\n<\/details>\n\n\n<details id=\"can-i-sell-medical-devices-online-under-hipaa\" class=\"wp-block-details is-layout-flow 
wp-block-details-is-layout-flow\"><summary><strong>Can I sell medical devices online under HIPAA?<\/strong><\/summary>\n<p>Yes, but your compliance obligations depend on whether the transaction involves PHI. Selling generic medical supplies (bandages, gloves, basic equipment) to anonymous buyers does not trigger HIPAA. HIPAA applies when orders link to patient records, insurance is billed, prescriptions are verified, or products must match a specific patient&#8217;s diagnosis. Most medical device B2B distributors and DME suppliers fall into this category. Medical device commerce must also comply with FDA regulations (21 CFR Part 11) and, for EU markets, the EU Medical Device Regulation.<\/p>\n<\/details>\n\n\n<details id=\"how-much-does-hipaa-compliant-ecommerce-cost\" class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong>How much does HIPAA-compliant ecommerce cost?<\/strong><\/summary>\n<p>Self-hosted HIPAA-compliant commerce requires a higher upfront investment than SaaS. Expect $50K to $300K+ for the first year, covering platform licensing, infrastructure setup, security configuration, and compliance validation. The tradeoff: no recurring platform fees, no GMV cuts, no transaction surcharges. At scale, total cost of ownership is often lower because costs scale with infrastructure (which you control) rather than with revenue. SaaS platforms charge $24K to $300K+ per year in recurring fees and still lack the controls HIPAA requires.<\/p>\n<\/details>\n\n\n<details id=\"do-i-need-hipaa-compliance-if-i-only-sell-health-supplements\" class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong>Do I need HIPAA compliance if I only sell health supplements?<\/strong><\/summary>\n<p>It depends on how you sell them. Selling supplements as general consumer products (no health assessments, no prescription links, no patient records) does not trigger HIPAA. 
But if your store collects health questionnaires, links supplement purchases to patient records in an EHR, processes insurance, or operates under a practitioner dispensing model, then PHI is part of the transaction and HIPAA applies. Companies like Fullscript, which operate practitioner dispensing platforms, must be fully HIPAA compliant.<\/p>\n<\/details>\n\n\n<details id=\"can-a-marketplace-platform-be-hipaa-compliant\" class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong>Can a marketplace platform be HIPAA compliant?<\/strong><\/summary>\n<p>Yes, but the architecture is more demanding than a single-vendor store. In a multi-vendor healthcare marketplace, the platform operator becomes a business associate of every participating healthcare entity. Each vendor&#8217;s data must be fully isolated. One vendor&#8217;s PHI must not be visible to another vendor or to the marketplace operator beyond what order fulfillment requires. This demands native multi-vendor architecture with per-vendor data isolation, vendor-specific RBAC roles, and per-vendor audit trails. Spree Enterprise provides this architectural foundation with native marketplace functionality and granular access controls.<\/p>\n<\/details>\n\n<script type=\"application\/ld+json\">{\"@context\": \"https:\/\/schema.org\", \"@type\": \"FAQPage\", \"url\": \"https:\/\/spreecommerce.org\/hipaa-ecommerce-compliance\/\", \"@id\": \"https:\/\/spreecommerce.org\/hipaa-ecommerce-compliance\/\", \"mainEntity\": [{\"@type\": \"Question\", \"url\": \"https:\/\/spreecommerce.org\/hipaa-ecommerce-compliance\/#is-shopify-hipaa-compliant\", \"name\": \"Is Shopify HIPAA compliant?\", \"answerCount\": 1, \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"<p>No. Shopify does not sign Business Associate Agreements for its commerce platform. Shopify's Acceptable Use Policy states that users may not use Shopify to collect, store, or process protected health information. 
Healthcare businesses can use Shopify for general health-adjacent retail where PHI is not part of the transaction (selling vitamins, generic wellness products). But any workflow that involves PHI (prescription orders, patient-linked accounts, insurance verification) fails HIPAA on Shopify.<\/p>\"}}, {\"@type\": \"Question\", \"url\": \"https:\/\/spreecommerce.org\/hipaa-ecommerce-compliance\/#what-ecommerce-platform-is-hipaa-compliant\", \"name\": \"What ecommerce platform is HIPAA compliant?\", \"answerCount\": 1, \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"<p>No eCommerce platform is HIPAA compliant out of the box. HIPAA compliance is an outcome of how a platform is deployed, configured, and operated, not a feature you toggle on. Self-hosted open source platforms with enterprise security controls, such as Spree Enterprise, can be configured to meet HIPAA's technical safeguard requirements: AES-256 encryption, full audit trails, granular RBAC, and SSO integration. SaaS platforms generally lack the infrastructure-level control HIPAA demands.<\/p>\"}}, {\"@type\": \"Question\", \"url\": \"https:\/\/spreecommerce.org\/hipaa-ecommerce-compliance\/#what-does-hipaa-require-for-online-stores\", \"name\": \"What does HIPAA require for online stores?\", \"answerCount\": 1, \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"<p>Any eCommerce operation handling PHI must implement six core safeguards: - Encryption at rest (AES-256) and in transit (TLS 1.2+) - Full audit trails documenting every access to PHI - Role-based access controls following the minimum necessary standard - Business Associate Agreements with every vendor touching PHI - A documented breach response plan with 60-day notification capability - Regular security risk analyses These requirements apply to the platform, hosting infrastructure, payment processor, and every third-party integration in the data flow.<\/p>\"}}, {\"@type\": \"Question\", \"url\": 
\"https:\/\/spreecommerce.org\/hipaa-ecommerce-compliance\/#can-i-sell-medical-devices-online-under-hipaa\", \"name\": \"Can I sell medical devices online under HIPAA?\", \"answerCount\": 1, \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"<p>Yes, but your compliance obligations depend on whether the transaction involves PHI. Selling generic medical supplies (bandages, gloves, basic equipment) to anonymous buyers does not trigger HIPAA. HIPAA applies when orders link to patient records, insurance is billed, prescriptions are verified, or products must match a specific patient's diagnosis. Most medical device B2B distributors and DME suppliers fall into this category. Medical device commerce must also comply with FDA regulations (21 CFR Part 11) and, for EU markets, the EU Medical Device Regulation.<\/p>\"}}, {\"@type\": \"Question\", \"url\": \"https:\/\/spreecommerce.org\/hipaa-ecommerce-compliance\/#how-much-does-hipaa-compliant-ecommerce-cost\", \"name\": \"How much does HIPAA-compliant ecommerce cost?\", \"answerCount\": 1, \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"<p>Self-hosted HIPAA-compliant commerce requires a higher upfront investment than SaaS. Expect $50K to $300K+ for the first year, covering platform licensing, infrastructure setup, security configuration, and compliance validation. The tradeoff: no recurring platform fees, no GMV cuts, no transaction surcharges. At scale, total cost of ownership is often lower because costs scale with infrastructure (which you control) rather than with revenue. 
SaaS platforms charge $24K to $300K+ per year in recurring fees and still lack the controls HIPAA requires.<\/p>\"}}, {\"@type\": \"Question\", \"url\": \"https:\/\/spreecommerce.org\/hipaa-ecommerce-compliance\/#do-i-need-hipaa-compliance-if-i-only-sell-health-supplements\", \"name\": \"Do I need HIPAA compliance if I only sell health supplements?\", \"answerCount\": 1, \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"<p>It depends on how you sell them. Selling supplements as general consumer products (no health assessments, no prescription links, no patient records) does not trigger HIPAA. But if your store collects health questionnaires, links supplement purchases to patient records in an EHR, processes insurance, or operates under a practitioner dispensing model, then PHI is part of the transaction and HIPAA applies. Companies like Fullscript, which operate practitioner dispensing platforms, must be fully HIPAA compliant.<\/p>\"}}, {\"@type\": \"Question\", \"url\": \"https:\/\/spreecommerce.org\/hipaa-ecommerce-compliance\/#can-a-marketplace-platform-be-hipaa-compliant\", \"name\": \"Can a marketplace platform be HIPAA compliant?\", \"answerCount\": 1, \"acceptedAnswer\": {\"@type\": \"Answer\", \"text\": \"<p>Yes, but the architecture is more demanding than a single-vendor store. In a multi-vendor healthcare marketplace, the platform operator becomes a business associate of every participating healthcare entity. Each vendor's data must be fully isolated. One vendor's PHI must not be visible to another vendor or to the marketplace operator beyond what order fulfillment requires. This demands native multi-vendor architecture with per-vendor data isolation, vendor-specific RBAC roles, and per-vendor audit trails. 
Spree Enterprise provides this architectural foundation with native marketplace functionality and granular access controls.<\/p>\"}}]}<\/script><\/div>\n","protected":false},"excerpt":{"rendered":"<p>HIPAA requires encryption, audit trails, and access controls for health commerce. Here&#8217;s what platforms need \u2014 and which ones qualify. <\/p>\n","protected":false},"author":87,"featured_media":28199,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_seopress_robots_primary_cat":"none","_seopress_titles_title":"HIPAA-Compliant eCommerce: Build Health Commerce Right","_seopress_titles_desc":"Build HIPAA-compliant eCommerce with self-hosted open source. Learn audit requirements, BAA obligations, and why SaaS platforms create compliance gaps.","_seopress_robots_index":"","footnotes":""},"categories":[146],"tags":[1084,1082,1081,1083,1079],"class_list":["post-27945","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-open-source-ecommerce","tag-baa-requirements","tag-health-ecommerce","tag-hipaa","tag-phi-compliance","tag-self-hosted-commerce"],"acf":[],"_links":{"self":[{"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/posts\/27945","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/users\/87"}],"replies":[{"embeddable":true,"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/comments?post=27945"}],"version-history":[{"count":0,"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/posts\/27945\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/media\/28199"}],"wp:attachment":[{"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/media?parent=27945"}],"wp:term":[{"tax
onomy":"category","embeddable":true,"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/categories?post=27945"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/tags?post=27945"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}