A business may use PayJunction and still maintain HIPAA compliance. The government specifically excludes financial institutions conducting normal financial transactions from the requirement of obtaining a Business Associate Contract surrounding HIPAA compliance.
Other Situations in Which a Business Associate Contract Is NOT Required. When a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.
Source:
In other words, your financial providers are not required to sign a Business Associate Contract surrounding HIPAA compliance so long as they are processing routine payments and take industry-standard steps to protect the transactions.
PayJunction follows a different specification from HIPAA because we are governed by stricter rules designed specifically for payment processors. PayJunction maintains the highest level of security compliance under the Payment Card Industry Data Security Standard (PCI-DSS). PayJunction is a Level 1 PCI-DSS compliant payment gateway and ISO.
More information on PCI can be found here: https://www.pcisecuritystandards.org