Is QuickBooks Online HIPAA Compliant? What Accounting Practices Need to Know
QuickBooks Online is not HIPAA compliant, and no setting changes that. The vendor will not sign a Business Associate Agreement, which means Protected Health Information does not belong in QuickBooks Online at all. The practical work is making sure none has quietly ended up there.
QuickBooks Online is not HIPAA compliant. Intuit will not enter into a Business Associate Agreement, so QuickBooks Online cannot lawfully be used to create, store, or transmit Protected Health Information.
Plan / requirement: No QuickBooks Online plan carries a BAA. There is no configuration that makes it compliant for PHI.
Sources: Is QuickBooks HIPAA Compliant? (HIPAA Journal); Is QuickBooks Online HIPAA Compliant? (Accountable). Last verified 2026-06-14.
What HIPAA actually requires here
HIPAA does not certify software. It requires that any vendor handling Protected Health Information on your behalf sign a Business Associate Agreement and uphold the Security Rule safeguards. For QuickBooks Online, that mechanism is simply absent:
Intuit does not sign BAAs with covered entities or business associates for QuickBooks Online.
The conditions that decide whether you are actually covered:
- Without a BAA, any individually identifiable health information in QuickBooks Online is a HIPAA exposure.
- QuickBooks can often be used safely as long as no PHI is entered, since most bookkeeping does not require it.
Where the vendor stops and you begin
The most expensive misunderstanding in accounting practices is assuming a signed BAA finishes the job. It does not. Compliance is shared:
Where responsibility sits:
- Because there is no BAA, the responsibility is structural: keep PHI out of QuickBooks Online entirely.
- Use de-identified or non-PHI billing references instead of clinical detail.
- Route any PHI-linked workflow through a tool that does sign a BAA.
Compliance review
Not sure your QuickBooks Online setup holds up to an audit?
Cobrix runs a configuration review against the actual accounting rules your practice operates under, then fixes what does not pass.
Configuring QuickBooks Online the right way
A defensible QuickBooks Online deployment in an accounting practice comes down to a short, ordered checklist:
- Audit existing QuickBooks records for any embedded PHI (diagnoses, treatment notes, identifiable patient detail).
- Replace PHI fields with non-identifying invoice or account references.
- Move PHI-dependent workflows to accounting or billing software that offers a BAA.
- Train billing staff never to paste clinical detail into memo or description fields.
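As an added illustration of the audit step above (this is example code, not Cobrix tooling and not anything QuickBooks provides), the script below scans a constructed QuickBooks Online invoice export for the kinds of PHI indicators the checklist names in memo and description fields; the column names, sample rows and regex heuristics are assumptions and should be tuned to your own export.

```python
import csv
import io
import re

# Constructed sample of a QuickBooks Online invoice export (not real data).
SAMPLE_EXPORT = """\
Invoice No,Customer,Memo,Description
1001,ACME Dental Group,Monthly bookkeeping retainer,Services rendered - June
1002,J. Rivera,Patient John Rivera DOB 03/14/1981 - crown prep,Dx K02.9 restorative visit
1003,Harbor Clinic LLC,Ref ACCT-7731,Consulting - quarterly close
1004,M. Chen,MRN 4471209 physical therapy session x4,Therapy - lower back
"""

# Heuristics for the detail the checklist warns about: diagnosis codes, DOB/MRN
# markers, clinical vocabulary and explicit patient references. Assumed patterns;
# expect false positives and review every hit by hand.
PHI_PATTERNS = [
    ("icd10_code", re.compile(r"\b[A-TV-Z]\d{2}(?:\.\d{1,4})?\b")),  # e.g. K02.9
    ("dob", re.compile(r"\bDOB\b", re.IGNORECASE)),
    ("mrn", re.compile(r"\bMRN\b", re.IGNORECASE)),
    ("clinical_term", re.compile(
        r"\b(diagnos\w*|dx|treatment|therapy|prescription|rx|surgery|crown prep|visit)\b",
        re.IGNORECASE)),
    ("patient_ref", re.compile(r"\bpatient\b", re.IGNORECASE)),
]

# Free-text fields where staff most often paste clinical detail (assumed column names).
FIELDS_TO_SCAN = ("Customer", "Memo", "Description")


def scan_export(csv_text):
    """Return findings as (invoice_no, field, label, matched_text) tuples."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in FIELDS_TO_SCAN:
            value = row.get(field) or ""
            for label, pattern in PHI_PATTERNS:
                match = pattern.search(value)
                if match:
                    findings.append((row["Invoice No"], field, label, match.group(0)))
    return findings


def flagged_invoices(csv_text):
    """Invoice numbers needing remediation, in export order, without duplicates."""
    seen = []
    for invoice_no, _, _, _ in scan_export(csv_text):
        if invoice_no not in seen:
            seen.append(invoice_no)
    return seen


if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(finding)
```

Each flagged invoice is a candidate for the next checklist step: replace the memo or description with a non-identifying account reference and move the clinical detail to a BAA-covered system.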
Mistakes that quietly void compliance
- Entering patient names alongside treatment detail in invoice memos.
- Assuming SOC 2 or bank-grade encryption substitutes for a BAA. It does not.
- Believing a paid QuickBooks tier unlocks HIPAA coverage. None does.
Where Cobrix fits
Cobrix is a California MSP/MSSP that configures and monitors tools like QuickBooks Online for accounting practices, then documents the controls so they survive an audit. No BAA comes with the software here; the configuration, monitoring, and paper trail are what actually keep you compliant. That is the part we own.
Free resource
QuickBooks Online HIPAA setup checklist
The exact configuration steps above, formatted as a printable checklist your team can work through and keep on file.
Frequently asked questions
Is QuickBooks Online HIPAA compliant?
No. QuickBooks Online is not HIPAA compliant. Intuit will not enter into a Business Associate Agreement, so QuickBooks Online cannot lawfully be used to create, store, or transmit Protected Health Information.
Will QuickBooks Online sign a Business Associate Agreement?
No. Intuit does not sign BAAs with covered entities or business associates for QuickBooks Online.
Can I store patient information in QuickBooks Online?
No. Without a BAA, any individually identifiable health information placed in the tool is a HIPAA exposure. Keep PHI out entirely.
Does a BAA alone make QuickBooks Online compliant?
No. HIPAA compliance follows a shared-responsibility model. The vendor secures the platform; your practice is responsible for configuration, access controls, and staff handling of PHI.