Vendor compliance profile
Shopify HIPAA compliance, PHI, and BAA notes
Shopify should not be treated as a PHI-handling platform. Shopify's Acceptable Use Policy lists uploading Protected Health Information subject to HIPAA as unsupported, so healthcare commerce teams should keep PHI out of products, checkout, notes, apps, and support workflows.
HIPAA status signal
Not supported for PHI
BAA public signal
Unable to confirm
SOC 2 evidence signal
Public evidence
PHI warning: order notes, customer tags, prescription details, product selections that reveal a condition, and data held by installed apps can all create PHI exposure, even when no field is labelled as medical.
HIPAA, BAA, and SOC 2 summary
| Item | Status |
|---|---|
| HIPAA | Shopify's Acceptable Use Policy says certain business activities are not supported by the platform, including uploading Protected Health Information subject to HIPAA. |
| BAA | Unable to confirm a public Shopify BAA for HIPAA PHI workflows. Verify directly with Shopify before designing any regulated health-data workflow. |
| SOC 2 | Shopify documents SOC reports, including SOC 2 Type 2, in its compliance reports help materials. Review the current report from Shopify's compliance report flow. |
| Category | HIPAA-Compliant CRM and Marketing Tools |
What it may be used for
- General business workflows that do not include PHI.
- Healthcare-adjacent operations, but only after BAA scope and configuration have been verified directly with Shopify.
- Vendor risk review, procurement research, and compliance planning.
What not to use it for
- Uploading Protected Health Information subject to HIPAA.
- Collecting diagnosis, treatment, prescription, or patient-status details in products, variants, checkout, notes, tags, or files.
- Relying on Shopify apps, fulfillment tools, analytics, or support tickets to handle PHI without explicit vendor confirmation.
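Because PHI leaks into free-text slots that were never designed for it, a practical control is to scan exported order data for health-related content before (and after) any healthcare-adjacent workflow goes live. The following is an added example, not Shopify code and not a documented Shopify API: it assumes a constructed export shape (dicts with `note`, `tags`, `customer.tags`, `note_attributes`, and `line_items` with `properties`) that you would map your own CSV or JSON export onto, and its keyword patterns are a hypothetical starting list to tune for your catalogue.

```python
"""Flag PHI-like content in exported commerce order records.

Added example for this profile; not Shopify's code. The record shape and the
keyword lists are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Heuristics for the categories the profile warns about (diagnosis, treatment,
# prescription, patient status). Hypothetical list; extend for your catalogue.
PHI_PATTERNS = {
    "prescription": re.compile(r"\b(rx|prescription|prescribed|refill|dosage|\d+\s?mg)\b", re.I),
    "diagnosis": re.compile(r"\b(diagnos(?:is|ed)|diabet(?:es|ic)|hiv|cancer|depression|asthma)\b", re.I),
    "treatment": re.compile(r"\b(treatment|therapy|chemo|insulin|surgery)\b", re.I),
    "patient_status": re.compile(r"\b(patient|pregnan(?:t|cy)|recovering|post-op)\b", re.I),
    "record_identifier": re.compile(r"\b(npi|mrn|medical record)\b[\s:#=]*\d{4,}", re.I),
}


@dataclass(frozen=True)
class Finding:
    order_id: int
    path: str        # dotted path to the field that matched
    category: str
    matched: str


def _free_text_fields(order: dict) -> Iterable[tuple[str, str]]:
    """Yield (path, text) for every slot where staff or shoppers can type."""
    yield "note", order.get("note") or ""
    for i, tag in enumerate(order.get("tags", [])):
        yield f"tags[{i}]", tag
    for i, tag in enumerate(order.get("customer", {}).get("tags", [])):
        yield f"customer.tags[{i}]", tag
    for i, attr in enumerate(order.get("note_attributes", [])):
        yield f"note_attributes[{i}]", f"{attr.get('name', '')}={attr.get('value', '')}"
    for i, item in enumerate(order.get("line_items", [])):
        yield f"line_items[{i}].title", item.get("title", "")
        for j, prop in enumerate(item.get("properties", [])):
            yield f"line_items[{i}].properties[{j}]", f"{prop.get('name', '')}={prop.get('value', '')}"


def scan_orders(orders: Iterable[dict]) -> list[Finding]:
    """Return one Finding per (field, category) that matches a PHI pattern."""
    findings = []
    for order in orders:
        for path, text in _free_text_fields(order):
            for category, pattern in PHI_PATTERNS.items():
                match = pattern.search(text)
                if match:
                    findings.append(Finding(order["id"], path, category, match.group(0)))
    return findings


def categories_by_order(findings: Iterable[Finding]) -> dict[int, set[str]]:
    """Collapse findings to {order_id: {categories}} for triage."""
    summary: dict[int, set[str]] = {}
    for f in findings:
        summary.setdefault(f.order_id, set()).add(f.category)
    return summary


# Constructed sample records (not real orders) in the assumed export shape.
SAMPLE_ORDERS = [
    {"id": 1001, "note": "Leave at front door. Ring bell twice.", "tags": ["vip"],
     "customer": {"tags": []}, "note_attributes": [],
     "line_items": [{"title": "Cotton T-shirt", "properties": []}]},
    {"id": 1002, "note": "Patient needs refill of metformin 500 mg for type 2 diabetes",
     "tags": ["diabetic-program"], "customer": {"tags": ["insulin-user"]},
     "note_attributes": [{"name": "MRN", "value": "00012345"}],
     "line_items": [{"title": "Glucose test strips",
                     "properties": [{"name": "Rx number", "value": "RX-4471"}]}]},
    {"id": 1003, "note": "", "tags": ["gift"], "customer": {"tags": []}, "note_attributes": [],
     "line_items": [{"title": "Fleece blanket",
                     "properties": [{"name": "Gift message",
                                     "value": "Get well soon after your surgery"}]}]},
]

if __name__ == "__main__":
    for finding in scan_orders(SAMPLE_ORDERS):
        print(f"order {finding.order_id} {finding.path}: {finding.category} ({finding.matched!r})")
```

Order 1001 produces no findings, 1002 is flagged in every category (note, both tag fields, a note attribute, and a line-item property), and 1003 shows the quieter case: a gift message on an unrelated product that still discloses a treatment. Run the scan over a full export before onboarding a health-adjacent product line, and again periodically, since support staff and apps keep writing into these fields after launch.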
What to verify with the vendor
- Whether the vendor will sign a BAA for your exact product, plan, and use case.
- Which services, add-ons, regions, and support channels are covered by the agreement.
- Whether your intended workflow stores, transmits, or processes PHI.
- Which admin, access control, retention, audit log, and encryption settings must be enabled.
FAQ
Is Shopify HIPAA compliant?
No. Shopify's Acceptable Use Policy lists uploading Protected Health Information subject to HIPAA as unsupported, so treat it as a non-PHI platform and keep health data out of products, checkout, notes, apps, and support workflows.
Will Shopify sign a BAA?
No public Shopify BAA for HIPAA PHI workflows could be confirmed. Ask Shopify directly, and get the answer in writing, before designing any regulated health-data workflow.
Can Shopify be used with PHI?
Do not use this vendor with PHI until your organization verifies BAA scope, covered services, configuration, access controls, data retention, and connected integrations.
Last checked and source notes
- Last checked: 2026-04-30
- Confidence: High
- Dataset rows: 267 vendors
- Source: ComplySaaS public vendor dataset entry.
- Vendor trust center, legal terms, BAA documentation, and covered services should be re-checked before use.
- Shopify Acceptable Use Policy
- Shopify compliance reports