In plain terms: WooCommerce can be made HIPAA compliant. Shopify cannot — it does not offer a Business Associate Agreement (BAA), which is a legal requirement under HIPAA for any vendor that handles protected health information (PHI) on behalf of a covered entity. If your online store collects, stores, or transmits PHI, Shopify is not a viable option regardless of which plan you choose. Violating this requirement can result in HHS penalties ranging from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category.

Quick Comparison

🔄 Rotate your phone for a better view of the comparison table.
Feature WooCommerce Shopify
Offers BAA Yes (through HIPAA-compliant hosting provider) No public BAA confirmed
PHI in platform Configurable with proper controls Explicitly unsupported per Shopify AUP
SOC 2 Via hosting provider Yes, but does not confer HIPAA compliance
HIPAA Compliant Achievable with proper setup Not available
Control over hosting Full control Shopify controls the environment
Transaction fees None (pay for hosting + plugins) Up to 2% per transaction + monthly fees
Open source / portable Yes No — proprietary platform

Running a healthcare store on WooCommerce? HIPAA Vault provides managed HIPAA-compliant WordPress and WooCommerce hosting with a signed BAA, U.S.-based private servers, and full security monitoring.

See hosting plans →

E-commerce Compliance: Where HIPAA Meets PCI-DSS

Standard WooCommerce isn't enough for medical data. Get a store that protects patient info and avoids fines.

Learn More

Why Shopify Is Not HIPAA Compliant

Shopify is a fully hosted, closed SaaS platform. Shopify’s Acceptable Use Policy explicitly lists uploading Protected Health Information subject to HIPAA as an unsupported activity — meaning PHI should not enter Shopify products, checkout fields, order notes, customer tags, apps, or support workflows. No public BAA path has been confirmed for any Shopify plan, including Shopify Plus (last verified: June 2026).

It’s worth noting that Shopify does publish SOC 2 Type 2 reports — but SOC 2 certification does not create HIPAA compliance, confirm BAA coverage, or authorize PHI use. These are separate frameworks with different requirements.

This matters because HIPAA’s Privacy Rule (45 CFR Part 164) requires any vendor that accesses, stores, or transmits PHI on behalf of a covered entity to sign a BAA. Without one, using a platform to sell medical devices, process insurance information, or collect patient health data is a direct HIPAA violation — regardless of how secure the platform may otherwise be.

As Gil Vidals, CTO and co-founder of HIPAA Vault, explains:

“Shopify is the only place that you can buy Shopify. You can’t manipulate it. You can’t protect it. You can’t do anything with it other than add your products and services. They claim on their site that they’re not HIPAA compliant. They won’t sign a BAA. And that’s okay — it’s not really a criticism. It’s just that that’s not the market they are playing in.”

The fundamental issue is architectural. Shopify controls the entire infrastructure. You cannot choose your hosting provider, configure your own encryption settings, or implement the custom security controls that HIPAA requires. This is true on every Shopify tier — including Shopify Plus.


Don't wait until it's too late. Download our free HIPAA Compliance Checklist and make sure your organization is protected.

Why WooCommerce Can Be HIPAA Compliant

WooCommerce is a free, open-source plugin for WordPress. Because it runs on your own hosting environment, you have full control over the infrastructure — which means you can configure it to meet HIPAA requirements.

Making WooCommerce HIPAA compliant requires:

  1. A HIPAA-compliant hosting provider that signs a BAA — the foundation everything else depends on
  2. Encrypted database — PHI must be encrypted at rest (AES-256) and in transit (TLS 1.2 or higher)
  3. Two-factor authentication — required for all admin access
  4. Regular vulnerability scanning — at minimum quarterly, ideally monthly
  5. HIPAA-compliant SSL certificate — HTTPS required at all times
  6. Plugin vetting — only use paid, actively maintained plugins from reputable vendors
  7. Business Associate Agreements with all third-party plugins and payment processors

As Gil Vidals explains, the hosting environment — not the software itself — is what determines compliance:

“What makes WooCommerce HIPAA compliant when it’s on this particular server, and then you compare it to the same WooCommerce installation but on a different server? This one’s HIPAA compliant, this one’s not.”

WooCommerce itself is free to install. The cost comes from building and maintaining the compliant infrastructure around it.


Does Your Healthcare Store Even Need HIPAA Compliance?

Not every healthcare e-commerce store automatically requires HIPAA compliance. The determining factor is whether your store collects or transmits PHI — and this is where many store owners get it wrong.

The test: Can a customer’s purchase be linked to a specific medical condition?

  • Selling bandages or compression sleeves? Likely not PHI — these have general consumer uses.
  • Selling insulin pumps, CPAP machines, or prescription medical devices? Almost certainly PHI — purchasing an insulin pump implies a diabetes diagnosis.
  • Selling supplements with health questionnaires? Likely PHI if the questions collect health history.

If a customer’s name plus their purchase reveals a health condition, treat it as PHI and apply HIPAA compliance. The HHS Office for Civil Rights (OCR) has consistently enforced this standard — including in enforcement actions against healthcare vendors who failed to sign BAAs with technology partners.


What Does HIPAA-Compliant WooCommerce Actually Cost?

This is one of the most searched questions in the healthcare e-commerce space, and the honest answer is: more than most people expect.

Industry pricing for HIPAA-compliant WordPress/WooCommerce hosting varies widely depending on what’s included:

  • Budget providers: $99–$120/month — typically bare-bones hosting with a BAA, little or no managed security
  • Mid-tier providers: $299–$500/month — e-commerce support, moderate traffic, some security features
  • High-traffic / enterprise: $1,000–$2,000+/month

Most of these prices don’t include everything you actually need for HIPAA compliance. Additional costs that often get added on separately:

  • Domain name: ~$15–$20/year
  • WordPress theme (WooCommerce compatible): ~$50/year
  • SSL certificate: $50–$150/year
  • Shipping calculator plugin: ~$79/year
  • Subscription management plugin: ~$199/year
  • Annual vulnerability scan: varies by provider
  • Security monitoring, backups, WAF: often billed separately

As Gil Vidals notes: “Even though it’s attractive to say, ‘oh, I get a free widget, a free plugin,’ that’s really not the total cost of ownership.”

HIPAA Vault’s Starter Plan starts at $549/month and bundles all of the above into a single managed plan — no add-on fees, no vendor juggling. See the full breakdown in the pricing section below.

For context, non-compliance carries significantly steeper costs: the average cost of a healthcare data breach reached $7.42 million in 2025 — down from a peak of $10.93 million in 2023, but still the most expensive industry for data breaches for the 14th consecutive year, according to IBM’s Cost of a Data Breach Report. In the U.S. specifically, the average across all sectors hit a record $10.22 million, driven largely by regulatory fines and compliance failures.



Not sure if your store is handling PHI? Talk to a HIPAA Vault compliance specialist — we’ll help you assess your setup and identify the right hosting configuration for your workflow.

Schedule a free consultation →


Can You Use Shopify for Anything in Healthcare?

There is one scenario where Shopify is acceptable: selling products that have no connection to PHI whatsoever — for example, branded merchandise, office supplies, or generic health and wellness items that carry no diagnostic implication.

If a medical practice wants to sell branded T-shirts for a charity fundraiser, Shopify is fine. If they want to sell patient-specific products or services where purchases could reveal health conditions, Shopify is not appropriate.


What About Other Platforms?

For healthcare providers who cannot manage the technical complexity of WooCommerce, there are purpose-built HIPAA-compliant e-commerce platforms that include hosting, compliance, and security in a single subscription. These tend to cost more but eliminate the setup burden.

For those who already run WordPress, WooCommerce with a HIPAA-compliant host is typically the most cost-effective path — provided you have technical support to configure it correctly. General hosting providers like GoDaddy, Bluehost, and WP Engine do not offer HIPAA-compliant environments and will not sign BAAs.

If you’re selling…Platform recommendation
Medical devices tied to diagnosesWooCommerce + HIPAA-compliant host
Prescriptions or health subscriptionsWooCommerce + HIPAA-compliant host
General wellness products (no PHI)Either platform
Branded merchandise onlyEither platform

Shopify is a powerful e-commerce platform — but HIPAA compliance is simply outside its scope. It does not sign BAAs, does not offer a HIPAA-compliant environment, and explicitly states this on its own website.

WooCommerce, when hosted in a properly configured HIPAA-compliant environment with a signed BAA, can fully meet HIPAA requirements. The investment is real, but so is the liability of getting it wrong.



Ready to make your WooCommerce store HIPAA compliant? HIPAA Vault offers managed WooCommerce hosting with signed BAAs starting at $99/month — running on U.S.-based private servers with AES-256 encryption, two-factor authentication, and continuous security monitoring.

View WooCommerce Hosting Plans  |  Talk to a Specialist


Frequently Asked Questions


This article draws on expert commentary from Gil Vidals, CTO and co-founder of HIPAA Vault, from the HIPAA Insider Show Episodes 86 and 63. HIPAA Vault provides managed HIPAA-compliant WordPress and WooCommerce hosting for healthcare organizations, running on U.S.-based private servers. This content is educational and does not constitute legal advice. Consult a qualified HIPAA compliance attorney for guidance specific to your organization.