Calendly is not HIPAA compliant, and a business that creates, collects, maintains, or transmits Protected Health Information using the service would be in violation of Calendly’s terms of service. In addition, Calendly refuses to enter into Business Associate Agreements with covered entities and business associates.
Businesses often waste a lot of time booking meetings and appointments and chasing employees to confirm availability. Calendly is designed to eliminate that wasted time, prevent the usual game of phone tag, and make it much easier to schedule meetings and create schedules. Calendly can cut down no-show rates by sending automated email and text alerts that meetings are about to start.
The solution works with Google Calendar, Office 365, iCloud calendar, Salesforce, GoToMeeting and other popular software platforms. It can also be incorporated directly into company websites, allowing clients to book their appointments online.
Healthcare organizations can use the platform to schedule internal meetings, but in order to use Calendly in connection with any electronic protected health information (ePHI), healthcare organizations must enter into a business associate agreement (BAA) with Calendly.
Is Calendly HIPAA Compliant?
Calendly makes it clear on its website that it has a secure platform and all information uploaded is protected. This scheduling tool uses 256-bit encryption to protect transmitted and stored data, and the platform is hosted on Amazon Web Services, a HIPAA-compliant hosting solution. Calendly is unable to read medical charts or other private data; it can only read the status of calendar events to prevent double bookings.
While Calendly is secure, the company states on its website that:
- Calendly is not to be used for obtaining Protected Health Information (PHI).
- Healthcare organizations must not include any personal or medical questions in forms when booking appointments.
- Calendly doesn’t sign BAAs with HIPAA covered entities.
Therefore, Calendly is not HIPAA-compliant. Healthcare organizations may use it as long as there’s no ePHI involved. Healthcare organizations need to make sure that only HIPAA-compliant scheduling applications are employed for arranging patient consultations.