Compliance
Can I Use Shopify for a Telehealth Business?
Shopify is a great storefront and a terrible place to store patient health data. Here is how to use it for a telehealth business the right way — and where the protected health information has to live instead.
Quick answer
Yes, but only as the commerce layer. Shopify does not sign Business Associate Agreements (BAAs) and its terms prohibit storing protected health information on its platform, so it cannot lawfully hold clinical data under HIPAA. The workable pattern is to use Shopify for the storefront and checkout while keeping intake, prescriptions, and patient records in a HIPAA-compliant system off Shopify.
Key takeaways
- Shopify works as a telehealth storefront and checkout, but not as a store of protected health information (PHI).
- Shopify does not sign BAAs and its Acceptable Use Policy prohibits PHI, so putting clinical data on it is a HIPAA problem, not a gray area.
- The compliant pattern keeps PHI off Shopify: commerce on Shopify, intake and records in a HIPAA-compliant system.
- A licensed provider must still approve every prescription — the storefront is commerce, not clinical authorization.
- Collect only what commerce needs at checkout (name, email); keep health questionnaires and diagnoses in the compliant layer.
- An overlay/rail architecture is designed for exactly this split — Shopify front, PHI-safe fulfillment behind it.
Yes — you can use Shopify for a telehealth business, but only as the commerce layer. Shopify does not sign Business Associate Agreements (BAAs), and its terms prohibit storing protected health information (PHI) on the platform, so it cannot lawfully hold your clinical data under HIPAA. The pattern that works is a clean split: run the storefront and checkout on Shopify, and keep intake, prescriptions, and patient records in a HIPAA-compliant system behind it.
This is a direct answer to a question thousands of operators ask, followed by the architecture that makes the answer safe. It is not legal advice. The whole issue reduces to one discipline — knowing which data is ordinary commerce data and which is PHI, and never letting the second kind land on Shopify. For the deeper build, see how to keep Shopify HIPAA-safe for telehealth.
Can You Legally Use Shopify for a Telehealth Business?
Yes, as the storefront and checkout, provided PHI stays off it. Shopify is an excellent commerce platform and countless health-adjacent brands sell on it. What it cannot be is your clinical system of record, because Shopify will not sign a BAA and its Acceptable Use Policy forbids PHI. The legality turns entirely on what data you put where.
The distinction is not a technicality — it is the difference between a compliant business and a HIPAA violation waiting to be discovered. Product catalog, cart, payment, and order fulfillment details like a shipping name and email are ordinary e-commerce data that belong on Shopify. Intake questionnaire answers, medical history, diagnoses, and prescriptions are PHI that must live elsewhere. Get that line right and Shopify is a perfectly good front end; get it wrong and your storefront becomes an unlawful PHI repository. The rest of this guide is about drawing the line correctly.
Why Doesn't Shopify Work for Storing Patient Data?
Because HIPAA requires a signed BAA with any vendor that handles PHI on your behalf, and Shopify does not sign one. Its Acceptable Use Policy prohibits using the platform to collect or store protected health information. Without a BAA and with a contractual PHI prohibition, storing clinical data on Shopify is not permitted — full stop.
The BAA is the mechanism HIPAA uses to extend its protections to third parties. As HHS explains in its business associate contract guidance, a covered entity or its business associates must have written assurances that any downstream vendor touching PHI will safeguard it. A vendor that declines to sign a BAA is telling you it will not accept those obligations — so you cannot lawfully hand it PHI. This is why "just put the health questionnaire in Shopify order notes" is a compliance trap, however convenient it looks. The FTC's Health Breach Notification Rule adds a second layer of exposure for mishandled health data outside HIPAA's core reach.
What Counts as PHI You Must Keep Off Shopify?
Any health information tied to an identifiable person. That includes intake questionnaire answers, medical history, symptoms, diagnoses, prescriptions, and provider notes. A customer's name and email for shipping an order are ordinary commerce data; the health details they disclose to be evaluated and treated are PHI. The test is whether the data reveals something about a person's health status or care.
The table sorts the data a telehealth business handles into where it belongs. When in doubt, treat it as PHI.
| Data | PHI? | Where it belongs |
|---|---|---|
| Product catalog, prices | No | Shopify |
| Cart, checkout, payment | No | Shopify (via compliant payment processing) |
| Name, shipping address, email | No | Shopify (commerce fulfillment) |
| Intake questionnaire answers | Yes | HIPAA-compliant clinical system |
| Diagnosis, prescription, provider notes | Yes | HIPAA-compliant clinical system |
| Medical history / symptoms | Yes | HIPAA-compliant clinical system |
The practical failure mode is subtle: teams put a "reason for order" or a health question into a Shopify field to streamline the flow, and quietly turn a commerce record into a PHI record. Instrument your intake so health questions are answered in the compliant layer, never on the storefront.
What Does the Compliant Architecture Look Like?
A two-plane split. Shopify runs commerce — catalog, checkout, payment, and non-PHI fulfillment data. A separate, HIPAA-compliant system (one that will sign a BAA) runs the clinical plane — intake, provider review, prescriptions, and the patient record. An integration layer passes commerce events between them without pushing PHI onto Shopify.
The flow in practice:
- Storefront (Shopify). The patient browses and checks out; Shopify captures the order and commerce data only.
- Handoff. The order event is passed to your compliant system; the health questionnaire is collected in that compliant environment, not on Shopify.
- Clinical review. A licensed provider evaluates the intake and approves (or declines) the prescription in the compliant system.
- Fulfillment. The approved order is routed to the compounding pharmacy from the compliant layer — see connecting Shopify to a compounding pharmacy.
- Record. The patient record — the PHI — lives in your compliant system, which is your system of record.
This is precisely the split an overlay/rail architecture is built to manage. It lets you keep Shopify's commerce strengths while the PHI-bearing work happens in a compliant environment behind it. The full build is in the Shopify telehealth stack.
Who Owns the Patient Record in This Setup?
You do — and that is the point. Because the PHI lives in your HIPAA-compliant system rather than inside Shopify or a platform vendor, you hold the patient record as your system of record. That ownership is both a compliance posture and a strategic asset: it keeps your most valuable data portable and under your control.
Contrast this with an all-in-one platform that stores your clinical data in its own infrastructure. There, the patient record is the platform's to hold, and reclaiming it later is a migration project. Keeping PHI in a system you control — behind a Shopify front you also control — means the two things a telehealth business is ultimately built on, the customer relationship and the clinical record, both belong to you. We make the full case in owning your patient data as the system of record. The header rule to remember: a licensed provider still approves every order, and that approval and its record belong in your compliant system, never on the storefront.
Key Takeaways
- You can use Shopify for a telehealth business as the storefront and checkout — not as a store of PHI.
- Shopify does not sign BAAs and its AUP prohibits PHI, so clinical data on Shopify is a HIPAA violation, not a gray area.
- Keep the planes separate: commerce on Shopify, intake and records in a HIPAA-compliant system that signs a BAA.
- Name and email are commerce data; questionnaire answers, diagnoses, and prescriptions are PHI that must live off Shopify.
- A licensed provider approves every order in the compliant system — the storefront is commerce, not clinical authorization.
- This split is exactly what an overlay/rail architecture manages: Shopify front, PHI-safe fulfillment behind it.
Frequently Asked Questions
Does Shopify sign a HIPAA BAA?
No. Shopify does not sign Business Associate Agreements, and its Acceptable Use Policy prohibits collecting or storing PHI. Because a BAA is required for any vendor that handles PHI on your behalf, Shopify cannot lawfully hold your clinical data — it can only be your commerce layer.
So can I legally use Shopify for a telehealth business at all?
Yes — as the storefront and checkout, provided PHI stays off it. Product catalog, cart, and payment can run on Shopify, while intake questionnaires, diagnoses, prescriptions, and medical records must live in a HIPAA-compliant system that will sign a BAA.
What counts as PHI I need to keep off Shopify?
Health information tied to an identifiable person: intake answers, medical history, diagnoses, prescriptions, and provider notes. A name and email for fulfillment are ordinary commerce data. The health details a patient shares to get treated are PHI and belong in your compliant clinical system.
How do the storefront and the clinical system connect?
Through an integration layer that passes commerce events (an order was placed) to your compliant system without pushing PHI onto Shopify. A licensed provider reviews the intake and approves the prescription in the compliant environment, and the order routes to the pharmacy from there.
neolife is the fulfillment rail that sits behind your storefront: you keep Shopify for commerce, the protected health information stays in a compliant system you own as the record, and a licensed provider approves every order before it routes to the compounding pharmacy you already use. If you want the Shopify-front, PHI-safe architecture without building it yourself, talk to us. This post is educational and not legal advice; consult qualified counsel on HIPAA and your specific data flows.
Primary sources
Frequently asked questions
Does Shopify sign a HIPAA BAA?
No. Shopify does not sign Business Associate Agreements, and its Acceptable Use Policy prohibits using the platform to collect or store protected health information. Because a BAA is required for any vendor that handles PHI on your behalf, Shopify cannot lawfully be the system that holds your clinical data — it can only be your commerce layer.
So can I legally use Shopify for a telehealth business at all?
Yes — as the storefront and checkout, provided PHI stays off it. Millions of health-adjacent brands sell on Shopify. The line is what data lives where: product catalog, cart, and payment can run on Shopify, while intake questionnaires, diagnoses, prescriptions, and medical records must live in a HIPAA-compliant system that will sign a BAA.
What counts as PHI I need to keep off Shopify?
Health information tied to an identifiable person: intake questionnaire answers, medical history, diagnoses, prescriptions, and provider notes. A name and email for order fulfillment are ordinary commerce data. The health-status details a patient shares to get treated are PHI and belong in your compliant clinical system, not in Shopify order notes or metafields.
How do the storefront and the clinical system connect?
Through an integration layer that passes commerce events (an order was placed) to your compliant system without pushing PHI onto Shopify. A licensed provider reviews the intake and approves the prescription in the compliant environment, and the order is routed to the pharmacy from there — Shopify never becomes the record of health information.
This article is operator education, not medical, legal, or tax advice. Telehealth and pharmacy regulation vary by state and product and change frequently. Verify the specifics for your business with qualified counsel and your pharmacy partner.