Is Shopify HIPAA Compliant?
Shopify is not HIPAA compliant and its Acceptable Use Policy stipulates users may not use Shopify to collect, store, or process protected health information subject to the Health Insurance Portability and Accountability Act. If covered entities are considering using the ecommerce platform in tandem with a third party app that isolates and secures PHI, we explain why this may not be a good idea and suggest an alternative.
Shopify is a Canadian-based ecommerce platform (like Amazon.com) through which businesses of all types can sell products and services. Because it is a worldwide ecommerce platform, in theory it is possible for a U.S.-based business to sell a product or service to U.S.-based consumer. It is also possible that a U.S.-based covered entity could sell a product or service to a U.S.-based consumer whose individually identifiable health information might then be protected by HIPAA.
HIPAA protections apply if any information provided by a consumer relates to a past, present, or future medical condition, treatment for the condition, or payment for the treatment. If this is the case, any other information provided by the consumer (i.e., name, address, phone number, etc.) also become Protected Health Information (PHI) because it is maintained by Shopify in the same data set. So, is Shopify HIPAA compliant? Could the platform be used to create, receive, and store PHI?
Shopify Complies with PIPEDA, but not HIPAA
Shopify itself acknowledges it is not HIPAA compliant; and, although the company is required to comply with Canada´s PIPEDA Privacy and Security standards, these standards are not as stringent as their HIPAA equivalents. The platform appears to lack the necessary safeguards to protect PHI; and, in the event of a data breach, Shopify will only notify the Office of the Privacy Commissioner of Canada, businesses, and consumers if there is a “real risk of significant harm”.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Because of the platform´s security shortcomings (by HIPAA standards) and the qualification criteria for breach notifications, Shopify will not sign a Business Associate Agreement with U.S.-based covered entities. It is not permissible for covered entities to use the Shopify platform “as is” to create, receive, or store PHI. However, it is possible to configure Shopify to send consumers details to a third-party solution without saving the data on the platform. So, is this a viable option?
Is Making Shopify HIPAA Compliant Worthwhile?
There are no quick and easy extensions or plug-ins that would make Shopify HIPAA compliant, so any covered entities that wanted to use Shopify in compliance with HIPAA would need to deploy a third party app and configure it to send PHI to a HIPAA-compliant web-hosting service (i.e., AWS, Azure, etc.), which has itself been configured with the account, access, and audit controls required by the Security Rule. It would also be necessary to enter into Business Associate Agreements with the app vendor and the web hosting service.
For some covered entities, the additional work and expense of maintaining a Shopify shopfront and a separate HIPAA-compliant customer database may be worthwhile depending on the amount of business the platform attracts. However, for most covered entities, a better option is to use a U.S.-based, HIPAA-compliant ecommerce platform; and, if in doubt about using any ecommerce platform in compliance with HIPAA, seek professional compliance advice.
