HIPAA Configurations & Guidelines

Chargebee supports HIPAA compliance for its core billing and subscription management platform (Chargebee Billing). Upon the customer's request and notice to Chargebee that the customer intends to disclose ePHI to Chargebee in its use of Chargebee Billing, Chargebee may evaluate the customer's need to share ePHI with the platform and choose to execute a business associate agreement (BAA) with the customer with respect to Chargebee Billing.

Note

Unless a BAA is executed by Chargebee with a customer, the customer is prohibited from sharing any ePHI with Chargebee.

Additionally, even if a BAA is executed by Chargebee with the customer, it only applies to Chargebee Billing and does not apply to any other component, product or service that Chargebee provides or makes available, including:

  1. Any middleware, integrations or other components that are capable of being used in conjunction with the platform.
  2. Other products or services such as Chargebee Receivables, RevRec, Retention/Growth, or Reveal.

The validity of the BAA is subject to the customer's continued compliance with the mandatory configuration requirements relating to Chargebee Billing set forth below.

Mandatory Configuration Requirements

Given below is the list of mandatory requirements for HIPAA compliance for Chargebee Billing.

  1. Custom SMTP: Chargebee allows email notifications to be sent out from Chargebee Billing using either Chargebee's SMTP server or the customer's own SMTP server. However, for a HIPAA compliant account, customers must configure their own SMTP server to ensure autonomous control of incoming and outgoing emails, and customers are prohibited from using Chargebee's SMTP servers. The custom SMTP server shall be completely managed by the customer. Please refer to the SMTP Configuration documentation for more details.

  2. Abandoned Carts: Chargebee offers a report for tracking abandoned carts, whereby a customer can track the number of visitors or end-customers who leave the checkout process without completing a purchase or who leave items in the cart. This classic report uses geolocation. However, for a HIPAA compliant account, customers must disable this feature by logging in to their Chargebee site, navigating to Settings > Configure Chargebee > Checkout and Self-Serve Portal, and disabling "Track abandoned carts".

  3. Taxes Module: Chargebee offers a feature to verify customer tax details for accurate calculation as per the tax norms of certain countries. However, for a HIPAA compliant account, a customer must disable this feature by logging in to their Chargebee site, navigating to Settings > Configure Chargebee > Taxes, and unchecking "Enable location validation".

  4. E-invoicing Module: Chargebee offers a feature to generate, transmit, and manage electronic invoices in compliance with applicable regulations in supported countries. However, for a HIPAA compliant account, a customer must either (a) ensure that transactions involving ePHI or transactions subject to HIPAA are not processed using the e-invoicing feature; or (b) disable the feature by logging in to their Chargebee site and navigating to Settings > Configure Chargebee > E-invoicing; on the E-invoicing configuration page, click Disable > Confirm. For more details, please refer to the E-invoicing documentation.

  5. Auto-complete address in Checkout and Self-Serve Portal: Chargebee offers a feature to auto-complete addresses in the checkout and self-serve portal. However, for a HIPAA compliant account, the customer must disable this feature by logging in to their Chargebee site, navigating to Settings > Configure Chargebee > Checkout and Self-Serve Portal > Advance Settings, and disabling the toggle "Autocomplete addresses". For more details, please refer to the Hosted Checkout documentation.

  6. Atomic Pricing: Chargebee offers a feature that allows customers to host and embed dynamic, customizable pricing tables on their websites through a simple front-end integration. However, for HIPAA-compliant accounts, this feature must not be enabled.

  7. Integration with payment gateways: For a HIPAA compliant account, Chargebee recommends the use of the direct integrations that Chargebee makes available with payment gateways (such as BlueSnap, Cybersource, NMI). For the following gateways, Chargebee currently offers integration through a payment aggregator; therefore, the customer must either ensure that transactions involving ePHI or transactions subject to HIPAA are not processed through these gateways, or build and use direct integrations with them: BlueSnap, Cybersource, NMI, Ecentric, Windcave, JPM Mobility gateway, Pin Payments, eWay Rapid, Worldpay, Sage Pay, Ogone (Ingenico), Wirecard, Beanstream (Bambora), Paymill, dLocal, Metricsglobal, Nuvei, Paypal Pro, Orbital (Chase), Paypal Payflow, Moneris, BluePay, Elavon.

  8. Customers must not submit any ePHI or other information subject to HIPAA as part of the inputs provided to any of the AI capabilities offered by Chargebee. Customers must also not cause any such ePHI or information to be processed by the AI capabilities (for example, in response to the inputs/prompts provided to the AI capabilities, or otherwise through any configuration or use of the Chargebee services).

  9. Chargebee recommends that customers refrain from submitting any ePHI to Chargebee's pre-release offerings.

Please reach out to your Account Manager or Chargebee Support for any queries.
