Yes. Card data is tokenized and never stored on practice systems. Processing runs through a PCI DSS Level 1 certified gateway, and MD Synergy signs a BAA covering all PHI elements connected to the payment record. Practices receive scope-reduction documentation to support their own PCI attestation.