The following is Stripe's statement regarding a Business Associate Agreement and HIPAA Compliance.
Stripe only processes payments, we only receive payment information and don't have access to protected health information (PHI) as defined in HIPAA because financial processing by a financial institution (such as our partner Wells Fargo) is excluded from the definition of business associates.
PHI is defined, at a high level, as "identifiable health information" (http://www.law.cornell.edu/cfr/text/45/160.103). Stripe is only processing card information and never handles the underlying health information about the patient. In fact, the payer and the patient may be different people. Contrast this with a billing service as contemplated under HIPAA that may include, for instance, insurance relating to patient treatment. Since Stripe doesn't handle PHI, it falls outside of the definition of a business associate, meaning that we don't need to sign agreements pertaining to business associates.
HIPAA also provides an exemption under the business associate definition for financial services companies that are providing "normal banking or other financial transactions... for, or on behalf of, the covered entity" http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html. Stripe's Terms of Service is a tripartite agreement with Wells Fargo. Under the HHS guidance, payments processed by our financial services partners that solely part of the financial transaction would also be excluded from the definition of a business associate.