Is Acuity Scheduling HIPAA Compliant? BAA and Plan Requirements Explained
HIPAA Compliance Overview
HIPAA compliance for online scheduling focuses on how your system collects, stores, transmits, and displays Protected Health Information (PHI). In appointment software, PHI can include a client’s name linked to a provider, service type, date, and time—details that reveal a relationship to care.
To meet the HIPAA Security Rule, you need administrative, physical, and technical safeguards, plus a Business Associate Agreement (BAA) with the platform provider. With Acuity Scheduling, HIPAA compliance becomes a shared responsibility: the platform supplies security controls, while you configure your account, limit PHI exposure, and train staff appropriately.
What counts as PHI in scheduling?
- Client identifiers tied to appointment details (provider, specialty, visit reason).
- Intake responses, notes, and custom form fields that imply diagnosis or treatment.
- Metadata in emails, calendar entries, and integrations that could reveal care.
Eligible Plans for HIPAA
HIPAA support is limited to specific compliance plan tiers. Free trials and entry-level plans typically do not include HIPAA features or a BAA. In most cases, you must upgrade to the highest-tier plan to unlock HIPAA settings and documentation.
How eligibility works
- HIPAA features are available only on designated paid tiers; confirm your tier in billing before collecting PHI.
- Only the account owner can activate HIPAA mode and execute the BAA.
- If you manage multiple locations or brands, each eligible account must be covered individually.
Business Associate Addendum Requirements
A signed BAA (sometimes titled “Business Associate Addendum”) is required before you store or process PHI in Acuity. The BAA defines permitted uses and disclosures, breach notification duties, subcontractor safeguards, and data return or deletion upon termination.
What you need before signing
- Be on an eligible HIPAA plan tier.
- Designate the legal entity name that will appear on the BAA.
- Identify admins who need access to the executed agreement and audit history.
Core clauses to review
- Safeguards aligned with the HIPAA Security Rule and access control standards.
- Use limitations for support, operations, and de-identified analytics.
- Incident response timelines and cooperation requirements.
Enabling HIPAA Features
Once your plan is eligible and the BAA is executed, complete account configuration to minimize PHI exposure and enforce least-privilege access.
Step-by-step activation
- Confirm BAA execution in your security or compliance settings.
- Turn on HIPAA mode to apply stricter defaults across scheduling, forms, and notifications.
- Review user roles; restrict staff to only the calendars and data they need.
- Harden intake forms: collect only necessary fields and avoid diagnosis detail when not essential.
- Test booking flows and notifications end-to-end to confirm that no PHI appears beyond what each recipient needs.
Post-activation checks
- Enable device-level protections for staff (MFA, screen locks, secure email).
- Document procedures for data requests, corrections, and export/retention policies.
- Schedule periodic audits to verify settings remain aligned with policy changes.
Email Notification Settings
Email is a common leak vector. Use the PHI email controls to keep message content minimal and generic, so that a message exposes no sensitive details if it is intercepted or forwarded.
Recommended configuration
- Generic subject lines (e.g., “Appointment Confirmation”) without provider or condition names.
- Exclude intake responses, notes, and custom field values from admin and client emails.
- Limit body content to date, time, and neutral location info; keep service names generic if they imply treatment.
- Suppress calendar attachments or ensure event titles and descriptions contain no PHI.
- Prefer secure portals for detailed information rather than embedding details in emails.
SMS and reminders
- Use neutral language; avoid service types that reveal diagnosis or specialty.
- Confirm opt-in and verify carrier policies; treat SMS as inherently less private.
Managing Third-Party Integrations
Every integration introduces third-party vendor risk. Connect only services that will sign their own BAA with you, and configure data sharing to the minimum necessary.
Risk assessment checklist
- Calendar sync: keep event titles generic; avoid pushing PHI to personal calendars not covered by a BAA.
- Video platforms: use healthcare-eligible tiers with a BAA; disable cloud recordings or transcriptions that store PHI by default.
- CRM/marketing tools: do not pass intake data or condition-specific tags; separate marketing from care operations.
- Payments: avoid entering PHI in payment descriptions, receipts, or invoice notes.
- Automation/webhooks: restrict payloads; if redaction is not guaranteed, disable the connector.
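The notification and webhook guidance above can be enforced in code rather than by hand. This is an added example, not Acuity's own code or API; the appointment record, its field names and the allow-list are constructed assumptions for illustration. It renders a generic confirmation limited to date, time and location, allow-lists the outgoing webhook payload, and flags any PHI-bearing fields that remain.

```python
from datetime import datetime

# Constructed sample appointment record (assumed field names, not Acuity's API).
APPOINTMENT = {
    "id": "apt-0001",
    "client_name": "Jane Example",
    "provider": "Dr. Example",
    "service": "Anxiety counseling (60 min)",
    "datetime": "2025-03-04T14:30:00",
    "location": "Suite 200",
    "intake": {"reason_for_visit": "panic attacks"},
    "notes": "Follow-up from last session",
}

# Fields safe to put in notifications and to send to third-party connectors.
ALLOWED_FIELDS = {"id", "datetime", "location"}
# Fields that link a person to care; these stay inside the platform.
PHI_FIELDS = {"client_name", "provider", "service", "intake", "notes"}


def render_confirmation(appt):
    """Generic subject line and a body limited to date, time and neutral location."""
    when = datetime.fromisoformat(appt["datetime"])
    subject = "Appointment Confirmation"
    body = (f"Your appointment is on {when:%A, %B %d, %Y} at {when:%I:%M %p}. "
            f"Location: {appt['location']}. "
            "Further details are available in the secure portal.")
    return subject, body


def build_webhook_payload(appt):
    """Allow-list the outgoing payload so PHI fields never reach a connector."""
    return {k: v for k, v in appt.items() if k in ALLOWED_FIELDS}


def find_phi_leaks(payload):
    """Return the PHI field names present in a payload (an empty list means clean)."""
    return sorted(k for k in payload if k in PHI_FIELDS)


if __name__ == "__main__":
    subject, body = render_confirmation(APPOINTMENT)
    print(subject)
    print(body)
    safe = build_webhook_payload(APPOINTMENT)
    print("webhook payload:", safe, "leaks:", find_phi_leaks(safe))
    print("raw record leaks:", find_phi_leaks(APPOINTMENT))
```

Run the leak check against every outgoing template and connector payload in a test suite, so that a later template edit that reintroduces a service name or intake field fails the build instead of reaching a client's inbox.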
Controls and monitoring
- Map data flows and document what each vendor receives.
- Use role-based API keys with rotation policies and audit logs.
- Review vendor access quarterly and revoke anything unused.
Service Limitations under HIPAA
To reduce exposure of PHI, certain convenience features may be restricted when HIPAA mode is enabled. Expect tighter defaults and some personalization limits compared with non-HIPAA accounts.
Typical limitations
- Email and SMS fields that could reveal PHI are hidden or disabled in templates.
- Calendar attachments and rich event details may be suppressed or sanitized.
- Some marketing, analytics, and open-ended integrations are unavailable or redacted.
- Exports and API/webhook payloads may exclude PHI or be limited to authorized scopes.
Operational tips
- Train staff to communicate specifics inside secure systems, not over email/SMS.
- Keep service names neutral on public booking pages; reserve clinical detail for intake inside the platform.
- Use periodic mock audits to catch regressions as your workflows evolve.
Conclusion
Achieving HIPAA compliance with Acuity Scheduling hinges on three pillars: enrolling in an eligible plan tier, executing a BAA, and applying rigorous configuration—especially for notifications and integrations. With these controls in place, you can schedule efficiently while protecting PHI and reducing Third-Party Vendor Risk.
FAQs
What plans support HIPAA compliance in Acuity Scheduling?
HIPAA features are available only on designated Compliance Plan Tiers—typically the highest-tier plan. Entry-level and mid-tier plans do not include HIPAA controls or a BAA. Check your billing page to confirm eligibility before collecting PHI.
How do I sign a BAA with Squarespace?
The account owner on an eligible plan can navigate to security or HIPAA settings, review the Business Associate Agreement, and sign electronically. After execution, you can enable HIPAA mode and proceed with configuration. If your legal entity name changes, re-execute the BAA to keep records accurate.
Which features are disabled to maintain HIPAA compliance?
When HIPAA mode is active, templates limit PHI in emails/SMS, calendar attachments or rich event details may be suppressed, certain marketing/analytics connectors are unavailable, and some API/webhook or export content is redacted to prevent PHI disclosure.
Can I review the signed BAA anytime?
Yes. Admin users with appropriate permissions can access the executed BAA from account settings (often under security, compliance, or billing) to view or download it for your records and audits.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.