Is Calendly HIPAA Compliant?
Calendly is not HIPAA compliant and should not be used to create, collect, store, or transmit Protected Health Information. Doing so would not only violate Calendly’s Terms and Conditions but would also violate HIPAA, because Calendly will not enter into Business Associate Agreements with HIPAA covered entities or business associates.
Calendly is a scheduling platform that sits in front of a connected calendar to help better manage appointments, meetings, and other events. It works by checking the connected calendar whenever a scheduling request is received, and either rejects the request when a conflict exists or confirms the request to both the invitee and the attendee by email.
Calendly can be integrated with a wide range of communication solutions (Zoom, Slack, MS Teams, etc.), be deployed on a website, used to collect payments via Stripe and PayPal, or connected to HubSpot, Salesforce, or Microsoft Dynamics 365. In the healthcare industry, Calendly can also be used to manage workflows, availability, and workforce shortages.
Calendly has Enterprise Grade Security
Calendly takes the security of customer data seriously. The platform has a host of tools to support account security and regulatory compliance, including end-to-end encryption, network and perimeter protection, real-time activity logs, and cross-domain identity management. Calendly is certified SOC 2 Type II compliant and has CSA STAR Level One attestation.
Many of the tools would be adequate for making Calendly HIPAA compliant. However, under §13.c of Calendly’s Terms and Conditions, subscribers are not permitted to disclose “customer data that contains Protected Health Information or information subject to HIPAA compliance”. To do so could result in termination of the account and the loss of information stored on it.
Why Isn’t Calendly HIPAA Compliant?
With many security tools and compliance certifications, Calendly appears to tick the boxes to support HIPAA compliance. However, the reason why Calendly cannot be used to manage appointments, meetings, and other events when Protected Health Information (PHI) is disclosed to the platform has more to do with its rich list of features than with compliance issues.
Calendly has multiple integrations and uses multiple sub-processors that do not support HIPAA compliance. As it is not possible for Calendly to enter into a Business Associate Agreement with some of its service providers, Calendly is unable to assure the security of PHI shared with those service providers and therefore will not enter into Business Associate Agreements with subscribers.
As Calendly prohibits customer data that contains PHI from being disclosed to the platform, there is no workaround or exemption that could make Calendly HIPAA compliant – for example, the confidential communication standard in §164.522(b) of the HIPAA Privacy Rule. However, healthcare organizations can still use Calendly for purposes that do not disclose PHI to the platform.
Tips for Using Calendly in Healthcare
The best tip for using Calendly in healthcare is to provide HIPAA training on what is considered PHI under HIPAA. The training should include that patient information can be disclosed to the platform – and any services integrated with the platform – provided the information does not include a patient’s health condition, treatment for the condition, or payment for the treatment.
It is also advisable to include the use of Calendly in healthcare in security awareness training to ensure users are aware of the platform’s security controls and do not attempt to bypass them. Finally, if the platform is used to send automated appointment reminders, the frequency and content of the reminders must also comply with the Telephone Consumer Protection Act.
Is Calendly HIPAA Compliant? Conclusion
Although Calendly is not HIPAA compliant for the reason discussed, it could still be a valuable tool for many healthcare organizations. Organizations that are interested in the platform’s capabilities should review Calendly’s Terms and Conditions and Privacy Policy, and discuss their requirements with Calendly’s sales team. Alternatively, the option exists to subscribe to a feature-limited free plan to test the platform’s capabilities onsite.
Healthcare organizations that utilize Calendly’s features without disclosing PHI are reminded that the right to request confidential communications (§164.522(b)) also gives patients the right to request that they are not contacted via certain communication channels. Even when PHI is not going to be disclosed in (for example) an appointment reminder, the channel used to send the reminder must comply with documented requests that have been agreed to.