
HIPAA-Compliant eCommerce: How to Build Health Commerce That Passes Audit


Key Takeaways

Last verified: March 2026

Regulation: HIPAA requires AES-256 encryption at rest, TLS 1.2+ in transit, full audit trails, role-based access controls, and Business Associate Agreements with every vendor touching protected health information.

The SaaS problem: Most SaaS commerce platforms — including Shopify Plus, BigCommerce, and commercetools — are not HIPAA compliant and cannot sign BAAs for commerce workloads.

The solution: Only self-hosted, open source commerce platforms with enterprise security controls deliver the encryption, audit trails, and BAA capability HIPAA demands.

Penalties: Non-compliance carries fines from $100 to $50,000 per occurrence, up to $1.5 million annually per category, plus potential criminal prosecution.

What Does HIPAA Mean for eCommerce in 2026?

The moment your eCommerce platform touches patient data, every vendor in your stack becomes a HIPAA liability. That single fact reshapes every platform decision in health commerce.

HIPAA (the Health Insurance Portability and Accountability Act) is the federal law governing how organizations handle protected health information (PHI) in the United States. Its scope for eCommerce is broader than most commerce teams realize. The line between “health product” and “health data” is thinner than you’d expect:

The enforcement environment has intensified. HHS Office for Civil Rights announced ten resolution agreements in just the first five months of 2025, with fines from $25,000 to $3 million. A single failure to conduct a proper risk analysis triggered several of these actions (HHS OCR, Enforcement Highlights 2025).

Civil penalties reach $71,162 per violation, with annual caps between $25,000 and $2 million depending on severity tier (45 CFR § 160.404). Criminal penalties can reach $250,000 and ten years imprisonment. The US healthcare eCommerce market is projected to reach $1.44 trillion by 2032 (Grand View Research, 2024).

For a full overview of US regulations affecting commerce, see our US Regulated Industries Commerce Guide (coming soon).


What Does HIPAA Require for eCommerce Platforms?

Eight technical and administrative safeguards apply the moment your platform processes protected health information. These derive from the HIPAA Security Rule (45 CFR Part 164, Subpart C) and Privacy Rule. They cover every system in the data flow, not just the commerce platform.

HHS Security Rule guidance is explicit: “A covered entity must implement technical security measures to guard against unauthorized access to electronic protected health information” (HHS.gov, HIPAA Security Rule Summary).

That means your platform, hosting provider, payment processor, and every third-party integration handling PHI must independently meet these requirements.

| Requirement | What It Means for Commerce | Technical Implementation |
| --- | --- | --- |
| Encryption at rest | All stored PHI (customer records, order data, health assessments) must be encrypted in your database, file storage, and backups | AES-256 encryption on all data stores, with organization-managed encryption keys |
| Encryption in transit | All data moving between your storefront, APIs, admin panels, and third-party integrations must be encrypted | TLS 1.2+ enforced on all endpoints: API calls, webhooks, admin interfaces, checkout flows |
| Full audit trail | Every access to PHI must be logged with who accessed it, when, what they viewed or changed, and from where | Immutable audit log capturing user identity, timestamp, action type, and data accessed |
| Role-based access controls | Only authorized personnel can access PHI, following the minimum necessary standard | Granular RBAC following the least-privilege principle, with different permissions for admin, warehouse, customer service, and vendor roles |
| Business Associate Agreement (BAA) | Every vendor that touches PHI must sign a legally binding agreement to protect it | BAAs required with your platform vendor, hosting provider, payment processor, email service, analytics tools, and any integration handling PHI |
| Breach notification | You must notify affected individuals within 60 days and report breaches of 500+ records to HHS | Documented incident response plan with automated alerting, forensic capability, and notification workflows |
| Risk analysis | You must conduct and document a thorough assessment of risks to PHI | Regular security risk assessments covering your commerce platform, infrastructure, integrations, and vendor relationships |
| Data backup and recovery | PHI must be recoverable in the event of a breach, system failure, or disaster | Encrypted backups with tested recovery procedures and defined recovery time objectives |

HIPAA compliance extends to every system and vendor in the data flow. Your commerce platform, hosting provider, payment processor, email service, and any third-party integration that touches PHI must each meet these requirements and sign a BAA.
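As an added Ruby example (not Spree's code and not part of the original article), here is a tamper-evident, append-only audit log that stores the fields the "Full audit trail" row above asks for and lets a verifier prove that no entry was edited or deleted after the fact; the user ids, order numbers and addresses are constructed sample values.

```ruby
require "digest"
require "json"
require "time"

# Tamper-evident, append-only audit log: each entry holds the who/when/what/
# which-record/from-where fields plus the SHA-256 of the previous entry, so an
# edit or deletion anywhere breaks the chain on verification. Illustrative
# code, not Spree's own; shipping entries to write-once storage is a separate step.
class AuditLog
  GENESIS = "0" * 64
  attr_reader :entries

  def initialize
    @entries = []
  end

  # Serialize with sorted keys so the digest is reproducible at verify time.
  def digest(body)
    Digest::SHA256.hexdigest(JSON.generate(body.sort.to_h))
  end

  def record(user:, action:, record:, ip:, at: Time.now.utc)
    prev = @entries.empty? ? GENESIS : @entries.last[:hash]
    body = { user: user, action: action, record: record, ip: ip,
             at: at.iso8601, prev: prev }
    entry = body.merge(hash: digest(body))
    @entries << entry
    entry
  end

  # Index of the first entry whose content or back-link no longer matches,
  # or nil when the whole chain is intact.
  def first_tampered_index
    expected_prev = GENESIS
    @entries.each_with_index do |e, i|
      body = e.reject { |k, _| k == :hash }
      return i if body[:prev] != expected_prev || digest(body) != e[:hash]
      expected_prev = e[:hash]
    end
    nil
  end

  def intact?
    first_tampered_index.nil?
  end
end

# Constructed sample: three accesses to one patient-linked order.
def demo_log
  log = AuditLog.new
  t = Time.utc(2026, 3, 1, 9, 0, 0)
  log.record(user: "cs_agent_17", action: "view", record: "order/R10001", ip: "10.0.4.21", at: t)
  log.record(user: "warehouse_03", action: "view", record: "order/R10001", ip: "10.0.7.5", at: t + 60)
  log.record(user: "cs_agent_17", action: "update", record: "order/R10001/address", ip: "10.0.4.21", at: t + 120)
  log
end

# Simulates an unauthorized edit of an earlier entry; verification pinpoints it.
def tampered_log
  log = demo_log
  log.entries[1][:user] = "someone_else"
  log
end
```

Run `first_tampered_index` on a periodic schedule against the stored chain; a non-nil result is the signal that feeds the incident response workflow in the "Breach notification" row.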


Industries Affected by HIPAA

Any eCommerce operation handling PHI must comply, regardless of whether the business considers itself a “healthcare company.” Three verticals face the most direct impact.

HealthTech and digital health is the most exposed sector. Online pharmacies, telehealth supplement stores, and digital therapeutics companies all handle PHI as a core part of their commerce workflow. You cannot “keep PHI off the platform” when the product itself is a health service. → See the HealthTech eCommerce compliance guide.

Medical device distribution involves B2B and B2C commerce where patient data appears in orders, prescriptions, and insurance verification workflows. DME suppliers, surgical instrument distributors, and diagnostic device companies routinely handle PHI in their order management systems. → Read: HealthTech Commerce Deep Dive (coming soon)

Healthcare procurement marketplaces connect hospitals, clinics, and healthcare networks with suppliers. The platform operator becomes a business associate of every participating healthcare entity, creating HIPAA exposure at the marketplace level. → Read: How to Build a HIPAA-Compliant Medical Device Marketplace (coming soon)

HIPAA compliance intersects with other US and international regulations. For federal healthcare systems and government contractors, FedRAMP eCommerce compliance (coming soon) is often required alongside HIPAA.

Healthcare commerce serving international markets must address EU MDR for medical devices, MHRA requirements for UK health products, and GDPR for any EU patient data. EdTech platforms offering continuing medical education must address FERPA, HIPAA, and state-level student data protection simultaneously. See EdTech FERPA-compliant commerce for education-specific guidance.


Why Can’t SaaS Commerce Platforms Meet HIPAA Requirements?

Three structural limitations make SaaS platforms a poor fit for health commerce: no BAAs, shared infrastructure, and shallow audit trails.

Healthcare data breaches affected over 133 million records in 2023 alone, a record year, with third-party business associates involved in a significant share of incidents (HIPAA Journal, 2024). The common workaround of “keeping PHI off the platform” breaks down the moment PHI becomes part of the commerce workflow: prescription verification, patient-linked orders, insurance processing, or health assessment-driven recommendations.

The BAA problem

Without a signed BAA, processing PHI through a platform is a HIPAA violation, regardless of its security posture. A BAA is a legal prerequisite, not optional paperwork.

Most SaaS platforms do not sign BAAs for commerce workloads. Shopify’s Acceptable Use Policy explicitly states that users may not use Shopify to collect, store, or process protected health information. Any workaround that routes PHI through the platform, even inadvertently, creates a compliance violation.

The shared tenancy problem

SaaS platforms run on shared infrastructure, and shared infrastructure means shared risk. Your store’s data sits alongside thousands of other merchants on the same servers, managed by the same teams.

For HIPAA, this creates a fundamental tension. You have no independent control over who accesses the infrastructure where PHI resides. You have no way to implement your own encryption key management or configure audit logging granularity. You inherit the platform’s security posture. If that posture falls short of HIPAA’s safeguard requirements, you have no way to remediate it.

The audit and access control problem

HIPAA requires granular audit trails documenting every access to PHI: who accessed what, when, from where, and what they changed. It also requires role-based access controls following the minimum necessary standard.

Most SaaS platforms offer limited activity logs (admin login times, order views) rather than the immutable, detailed audit trails HIPAA demands. You have no way to customize logging depth, retention period, or access control granularity beyond what the platform provides.

How SaaS platforms compare on HIPAA readiness

| HIPAA Capability | Shopify Plus | BigCommerce | Salesforce Commerce Cloud | commercetools |
| --- | --- | --- | --- | --- |
| Signs BAA for commerce | ❌ No | ❌ No | ⚠️ Health Cloud is a separate product | ❌ No |
| Self-hosting option | ❌ SaaS only | ❌ SaaS only | ❌ SaaS only | ❌ SaaS only |
| Custom encryption key management | ❌ Platform-managed | ❌ Platform-managed | ⚠️ Limited (Shield add-on) | ❌ Platform-managed |
| Full audit trail | ⚠️ Limited activity logs | ⚠️ Limited | ✅ Good audit features | ⚠️ API-level logging only |
| Granular RBAC | ⚠️ Basic roles | ⚠️ Basic roles | ✅ Available | ⚠️ Limited |
| SSO / SAML integration | ✅ Available (Plus) | ✅ Available | ✅ Available | ✅ Enterprise tier |
| Source code audit | ❌ Proprietary | ❌ Proprietary | ❌ Proprietary | ❌ Proprietary |

SaaS commerce platforms are designed for general-purpose retail, not regulated health commerce. The “keep PHI off the platform” workaround works only when PHI is peripheral to the transaction. When PHI is the transaction (prescription orders, patient-linked procurement, health assessment commerce) a different architecture is required.


How Self-Hosted Open Source Commerce Meets HIPAA Requirements

Here’s what changes when you own your infrastructure: every HIPAA safeguard becomes a deployment decision instead of a vendor negotiation.

Your team controls the encryption standards, key management, access policies, audit logging, and breach response workflows. You are the data controller. Your security team sets the rules. Your compliance team owns the audit trail. No inherited security postures, no hoping your SaaS vendor has done enough.

| HIPAA Requirement | How Self-Hosted Commerce Meets It | Spree Enterprise Feature |
| --- | --- | --- |
| Encryption at rest | Deploy on your own infrastructure with organization-managed encryption keys | AES-256 encryption at rest, integrated with AWS KMS, Azure Key Vault, or GCP Cloud KMS |
| Encryption in transit | Configure TLS policies at the infrastructure level: enforce versions, cipher suites, certificate management | TLS 1.2+ enforced across all API endpoints, admin interfaces, and storefront connections |
| Full audit trail | Complete control over what is logged, how long it is retained, and who can access the logs | Built-in audit trail logging every admin action, API call, data access, and configuration change, with fully customizable retention |
| Role-based access controls | Implement your organization's IAM policies directly on the platform | Granular RBAC with SSO/SAML/OIDC integration: connect to Okta, Azure AD, PingFederate, or any enterprise identity provider |
| BAA coverage | You are the data processor. No SaaS vendor BAA is required for the platform itself. | Self-hosting eliminates one of the largest BAA dependencies. BAAs are needed only for the hosting provider and payment processor. |
| Data residency | Host in any region, on any cloud, or on-prem | Deploy on AWS (including GovCloud), GCP, Azure, or on-premise infrastructure, whichever you choose |
| Risk analysis | Full visibility into the platform's codebase, dependencies, and security architecture | Open source (BSD 3-Clause): your security team can audit every line of code. No black boxes. |
| Breach response | Full control over incident detection, forensics, and notification workflows | Self-hosted logging plus infrastructure monitoring integration supports meeting HIPAA's 60-day breach notification requirement |

For healthcare commerce handling PHI at scale, a self-hosted open source platform with built-in compliance controls, such as Spree Enterprise, provides the strongest architectural fit.

The security capabilities are part of the platform’s enterprise module, not third-party plugins. AES-256 encryption, full audit trails, granular RBAC, and SSO/SAML integration ship as one codebase maintained by one team. Your compliance team evaluates a single platform, not a patchwork of vendor plugins with independent security postures.

The BSD 3-Clause open source license means your security team has full visibility into the source code. They can audit cryptographic implementations, review access control logic, and verify audit trail completeness before a single line of PHI enters the system.

You own the infrastructure, the code, the data, and the compliance posture. No shared tenancy surprises. No vendor-controlled patching schedules. No compliance gaps because a SaaS provider hasn’t certified yet.


Architecture and Deployment for HIPAA-Compliant Commerce

A compliant architecture has three non-negotiable layers: BAA-eligible hosting, network isolation, and enterprise identity management. Here’s what that looks like in practice.

Hosting and infrastructure

Hosting must be on infrastructure where the provider signs a BAA. AWS, GCP, and Azure all offer BAA-eligible services. AWS is the most common choice, with specific HIPAA-eligible services documented in their shared responsibility model.

For organizations that also need FedRAMP alignment (common in government healthcare), AWS GovCloud provides an isolated environment. Spree’s provider-agnostic architecture means you deploy on whichever provider your compliance team has already vetted.

Network architecture

Isolate the commerce application within a private VPC with no direct public internet access to application servers or databases. Key requirements:

Identity and access management

Integrate Spree’s SSO/SAML/OIDC support with your organization’s identity provider. Admin users authenticate through the same system as the rest of your organization, with the same password policies, MFA requirements, and access review processes.

For marketplace deployments, vendor accounts should be isolated with vendor-specific RBAC roles limiting access to their own orders, products, and customer interactions.
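An added Ruby example, not Spree's own code, of a minimum-necessary permission check for the admin, warehouse, customer service, and vendor roles named in the requirements table, with vendor accounts confined to their own orders as described above; the order fields and the role-to-field matrix are assumptions made for the example.

```ruby
require "set"

# Minimum-necessary, field-level access check for the admin, warehouse,
# customer service and vendor roles, with vendor accounts confined to their
# own orders. Illustrative code, not Spree's own; order fields and the role
# matrix are constructed for the example.
ORDER_FIELDS = %i[number status shipping_address diagnosis prescription_id].freeze

# Each role sees only what its job needs: fulfilment roles get the shipping
# address but never the diagnosis or prescription link.
ROLE_FIELDS = {
  admin:            Set.new(ORDER_FIELDS),
  customer_service: Set[:number, :status, :shipping_address],
  warehouse:        Set[:number, :status, :shipping_address],
  vendor:           Set[:number, :status, :shipping_address]
}.freeze

User  = Struct.new(:id, :role, :vendor_id, keyword_init: true)
Order = Struct.new(*ORDER_FIELDS, :vendor_id, keyword_init: true)

class AccessDenied < StandardError; end

# True when the role allows the field and, for vendor accounts, the order
# belongs to that vendor. Unknown roles get nothing (deny by default).
def permitted?(user, order, field)
  return false unless ROLE_FIELDS.fetch(user.role, Set.new).include?(field)
  return order.vendor_id == user.vendor_id if user.role == :vendor
  true
end

# Projects an order down to the fields this user may read, raising when the
# user may read nothing on it (a vendor opening another vendor's order).
def minimum_necessary_view(user, order)
  visible = ORDER_FIELDS.select { |f| permitted?(user, order, f) }
  raise AccessDenied, "#{user.id} may not read #{order.number}" if visible.empty?
  visible.to_h { |f| [f, order[f]] }
end

# Constructed sample: one order from each of two vendors on the marketplace.
def sample_orders
  {
    "A" => Order.new(number: "R10001", status: "paid", shipping_address: "12 Elm St",
                     diagnosis: "DX-001", prescription_id: "RX-1", vendor_id: "A"),
    "B" => Order.new(number: "R10002", status: "paid", shipping_address: "9 Oak Ave",
                     diagnosis: "DX-002", prescription_id: "RX-2", vendor_id: "B")
  }
end
```

Serving API responses through `minimum_necessary_view` rather than filtering on the client is what keeps a field the role may not see out of logs, caches and exports as well.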

Payment processing

HIPAA-compliant commerce also requires PCI DSS compliance. Spree works with any payment processor (Stripe, Adyen, Braintree, Authorize.net, or custom PSPs), so you can choose one that signs a BAA for health-related payments and meets PCI DSS requirements.

Integration patterns

Healthcare commerce typically integrates with EHR/EMR systems, insurance verification, pharmacy management, and supply chain platforms. Spree’s OpenAPI-documented API layer maintains access controls and audit trails across all integrations. Every API call is authenticated, authorized, and logged.


HIPAA Compliance by Industry

Each sector faces different PHI handling challenges, BAA structures, and multi-vendor data flows. The table below maps affected industries to their primary compliance challenges.

| Industry | Region | Key Commerce Challenges | Deep Dive |
| --- | --- | --- | --- |
| HealthTech and Digital Health | US | PHI embedded in transactions: prescriptions, telehealth, supplements tied to health data | HealthTech eCommerce Compliance |
| Medical Devices and MedTech | US, EU, UK | Multi-region compliance (HIPAA + EU MDR + MHRA), device traceability, procurement workflows | Coming soon |
| Healthcare Procurement Marketplaces | US | Multi-vendor BAA complexity, hospital procurement compliance, insurance processing | Coming soon |

Each sector handles PHI in different transaction flows. Compliance requirements vary based on whether patient data appears in transaction records, order management systems, or supply chain integrations. The guides above cover platform architecture, vendor selection, and deployment patterns specific to each industry vertical.

HIPAA does not operate in isolation. Healthcare commerce platforms face overlapping requirements: FedRAMP for government healthcare systems (coming soon), GDPR for EU patient data, and state-level health privacy laws that sometimes exceed HIPAA’s protections (notably California’s CCPA/CMIA).

→ US Regulated Industries Commerce Guide (coming soon)


Build HIPAA-Compliant Commerce with Spree

Spree Enterprise gives your team full control over infrastructure, data, security, and compliance. HIPAA-ready capabilities are built in, not bolted on. You own the code, the deployment, and the compliance posture.

Whether you’re building a healthcare marketplace, launching a medical device distribution platform, or migrating off a SaaS platform that fails HIPAA requirements, the Spree team can help you scope the right architecture.

Talk to the Spree Team →

Explore Spree Enterprise →

Frequently Asked Questions

Is Shopify HIPAA compliant?

No. Shopify does not sign Business Associate Agreements for its commerce platform. Shopify’s Acceptable Use Policy states that users may not use Shopify to collect, store, or process protected health information. Healthcare businesses can use Shopify for general health-adjacent retail where PHI is not part of the transaction (selling vitamins, generic wellness products). But any workflow that involves PHI (prescription orders, patient-linked accounts, insurance verification) fails HIPAA on Shopify.

What ecommerce platform is HIPAA compliant?

No eCommerce platform is HIPAA compliant out of the box. HIPAA compliance is an outcome of how a platform is deployed, configured, and operated, not a feature you toggle on. Self-hosted open source platforms with enterprise security controls, such as Spree Enterprise, can be configured to meet HIPAA’s technical safeguard requirements: AES-256 encryption, full audit trails, granular RBAC, and SSO integration. SaaS platforms generally lack the infrastructure-level control HIPAA demands.

What does HIPAA require for online stores?

Any eCommerce operation handling PHI must implement six core safeguards:

– Encryption at rest (AES-256) and in transit (TLS 1.2+)
– Full audit trails documenting every access to PHI
– Role-based access controls following the minimum necessary standard
– Business Associate Agreements with every vendor touching PHI
– A documented breach response plan with 60-day notification capability
– Regular security risk analyses

These requirements apply to the platform, hosting infrastructure, payment processor, and every third-party integration in the data flow.

Can I sell medical devices online under HIPAA?

Yes, but your compliance obligations depend on whether the transaction involves PHI. Selling generic medical supplies (bandages, gloves, basic equipment) to anonymous buyers does not trigger HIPAA. HIPAA applies when orders link to patient records, insurance is billed, prescriptions are verified, or products must match a specific patient’s diagnosis. Most medical device B2B distributors and DME suppliers fall into this category. Medical device commerce must also comply with FDA regulations (21 CFR Part 11) and, for EU markets, the EU Medical Device Regulation.

How much does HIPAA-compliant ecommerce cost?

Self-hosted HIPAA-compliant commerce requires a higher upfront investment than SaaS. Expect $50K to $300K+ for the first year, covering platform licensing, infrastructure setup, security configuration, and compliance validation. The tradeoff: no recurring platform fees, no GMV cuts, no transaction surcharges. At scale, total cost of ownership is often lower because costs scale with infrastructure (which you control) rather than with revenue. SaaS platforms charge $24K to $300K+ per year in recurring fees and still lack the controls HIPAA requires.

Do I need HIPAA compliance if I only sell health supplements?

It depends on how you sell them. Selling supplements as general consumer products (no health assessments, no prescription links, no patient records) does not trigger HIPAA. But if your store collects health questionnaires, links supplement purchases to patient records in an EHR, processes insurance, or operates under a practitioner dispensing model, then PHI is part of the transaction and HIPAA applies. Companies like Fullscript, which operate practitioner dispensing platforms, must be fully HIPAA compliant.

Can a marketplace platform be HIPAA compliant?

Yes, but the architecture is more demanding than a single-vendor store. In a multi-vendor healthcare marketplace, the platform operator becomes a business associate of every participating healthcare entity. Each vendor’s data must be fully isolated. One vendor’s PHI must not be visible to another vendor or to the marketplace operator beyond what order fulfillment requires. This demands native multi-vendor architecture with per-vendor data isolation, vendor-specific RBAC roles, and per-vendor audit trails. Spree Enterprise provides this architectural foundation with native marketplace functionality and granular access controls.

Let's use Spree to build exactly what your business needs
