Is Acuity Scheduling HIPAA Compliant? BAA, Security Features, and How to Enable It



Kevin Henry

HIPAA

June 11, 2026


HIPAA Compliance Overview

Acuity Scheduling can support HIPAA compliance when you use a HIPAA-enabled account and have a fully executed Business Associate Agreement (BAA) with the provider. In this arrangement, Acuity functions as a business associate and you, as a covered entity or business associate, remain responsible for how Protected Health Information (PHI) is collected, transmitted, and accessed within your organization.

HIPAA compliance depends on the technical safeguards built into the platform combined with the administrative, physical, and technical safeguards you implement around it. On the platform side, the relevant controls are encryption, access control, and features that reduce PHI exposure, which map to the HIPAA Security Rule. On your side, you must configure the account so that PHI is never sent through insecure channels and is visible only to authorized users and systems.

Remember that “HIPAA compliant” is not a one-time switch. It is an ongoing program of configuration, staff training, monitoring, and documentation. If appointment details could reveal a diagnosis, treatment, or provider relationship (for example, an appointment type or a clinician's name alongside a client's identity), treat that data as PHI and protect it in transit and at rest accordingly.

Business Associate Addendum Requirements

The BAA (also called a Business Associate Addendum) is the contract that permits the platform to process PHI on your behalf under HIPAA. Without a signed BAA, you should not store or transmit PHI through your scheduling system. The BAA defines permitted uses and disclosures, requires breach notification, and sets expectations for safeguarding, retention, and return or destruction of PHI upon termination.

Typical BAA terms include: limiting the vendor’s use of PHI to delivering the service; implementing administrative, physical, and technical safeguards; managing subcontractors that may access PHI; and reporting security incidents to you within specified timeframes. Review the BAA carefully to confirm how exports, backups, and deletion requests are handled, and how you can obtain audit information when you perform your own compliance audits.

Only account owners or authorized signatories should accept the BAA. Keep a copy for your compliance records, and ensure your internal policies reflect the BAA’s restrictions on email notifications and integrations.

Account and Plan Eligibility

HIPAA support is available only on specific, eligible paid plans. Trial tiers or lower-cost plans generally do not include a BAA and must not be used for PHI. Before collecting health-related data, verify that your subscription level is eligible and that your account has HIPAA mode enabled with a signed BAA on file.

Eligibility may extend to the entire organization tied to the account. Ensure all team members who can view appointments or client intake data are provisioned under the HIPAA-enabled account. If you manage multiple locations or sub-calendars, confirm they are covered by the same BAA before sharing PHI across them.

Security Features of HIPAA-Enabled Accounts

When HIPAA mode is active, the platform applies controls to help you meet Security Rule expectations. These include encryption of data in transit and at rest, role-based access to limit staff visibility, and audit logging that records key user actions for later review. Together, encryption and access controls reduce the risk of unauthorized disclosure, provided you assign roles conservatively and actually review the logs.

HIPAA mode also narrows how PHI can flow outside the application. For example, the email notification restrictions may strip or limit sensitive fields, subject lines, or message bodies so that appointment reminders do not expose PHI. Some exports or attachments may be disabled, and calendar invites may be redacted to minimize PHI leakage.

Client intake and scheduling forms can be configured to capture only what you need. Use custom fields judiciously, avoid free-text prompts that encourage oversharing, and restrict who can access submitted responses. Enable two-factor authentication for staff accounts and review logs periodically as part of your routine compliance audits.


User Responsibilities for Compliance

Compliance is shared. You must define what constitutes PHI in your workflows and protect it in transit end to end. Do not place diagnoses, treatment notes, or other PHI into subject lines, public descriptions, or reminder templates. Train staff not to enter PHI into fields that might be routed to email, SMS, or external calendars.

Establish least-privilege access, revoke access promptly for departing staff, and require strong authentication on every device that touches PHI. Document retention and deletion schedules that align with your legal and clinical obligations, and periodically test your incident response plan.

Finally, conduct routine compliance audits: review permissions, sample message content, check integration settings, and confirm that your BAA, privacy notices, and internal policies match how you actually use the platform.

Third-Party Integrations and Risks

Third-party tools can quietly move PHI beyond the protections of your BAA. Calendar syncs, CRMs, marketing platforms, video tools, and automation services (e.g., connectors that copy form responses) may not sign a BAA or may transmit PHI via channels you cannot control. Before enabling any integration, determine whether it will handle PHI and, if so, ensure the vendor offers a Business Associate Agreement and suitable safeguards.

Apply notification restrictions and redaction wherever possible. If a service cannot meet HIPAA requirements, either avoid sending PHI to it, limit the data shared to non-PHI, or disable the integration entirely. Treat payment, telehealth, and analytics connections with extra scrutiny, because metadata such as appointment type and provider name can reveal PHI when combined with a client's identity.
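The two checks described above, sampling notification templates for PHI-bearing fields (the audit step from the user-responsibilities section) and redacting what is pushed to a non-BAA integration, as an added example in Python. This is illustrative code written for this article, not Acuity Scheduling's own code, API, or template syntax; the %fieldName% placeholder style, the field names in the lists, and the sample templates and appointment record are all assumed or constructed.

```python
from __future__ import annotations
import re

# Placeholder syntax assumed for illustration; these are not Acuity's own tags.
PLACEHOLDER = re.compile(r"%([A-Za-z][A-Za-z0-9_]*)%")

# Fields that can reveal a diagnosis, treatment, or provider relationship and
# therefore count as PHI once combined with a client's identity. (Assumed list.)
PHI_FIELDS = {
    "appointmentType", "providerName", "reasonForVisit", "intakeResponses",
    "notes", "clientName", "clientEmail", "clientPhone",
}

# The only fields permitted in reminders and in events pushed to a non-BAA
# calendar or automation service. Anything not listed is treated as unknown and
# flagged, so a field added later cannot leak silently. (Assumed list.) The
# confirmation link points back into the authenticated app, not to the details.
ALLOWED_FIELDS = {"date", "time", "location", "businessName", "confirmationLink"}


def audit_template(template: str) -> dict[str, list[str]]:
    """Classify every placeholder in one template as phi, allowed or unknown."""
    found = set(PLACEHOLDER.findall(template))
    return {
        "phi": sorted(found & PHI_FIELDS),
        "allowed": sorted(found & ALLOWED_FIELDS),
        "unknown": sorted(found - PHI_FIELDS - ALLOWED_FIELDS),
    }


def audit_templates(templates: dict[str, str]) -> dict[str, dict[str, list[str]]]:
    """Return only the templates that need attention: PHI or unknown placeholders."""
    report = {}
    for name, body in templates.items():
        result = audit_template(body)
        if result["phi"] or result["unknown"]:
            report[name] = result
    return report


def redact_for_external(appointment: dict) -> dict:
    """Build the payload for a non-BAA integration: allow-listed fields only,
    plus a generic title that reveals neither the service nor the provider."""
    payload = {k: v for k, v in appointment.items() if k in ALLOWED_FIELDS}
    payload["title"] = "Appointment"
    return payload


# Constructed sample templates, not taken from any real account.
SAMPLE_TEMPLATES = {
    "reminder_subject_before": "Reminder: %appointmentType% with %providerName% on %date%",
    "reminder_subject_after": "Reminder: your %businessName% appointment on %date%",
    "reminder_body": "See you at %time%. Manage your booking: %confirmationLink% %sessionNotes%",
}

# Constructed appointment record as a scheduling system might hold it.
SAMPLE_APPOINTMENT = {
    "clientName": "Jane Doe", "clientEmail": "jane@example.com",
    "appointmentType": "Initial psychotherapy consult",
    "providerName": "Dr. Smith", "reasonForVisit": "anxiety follow-up",
    "date": "2026-07-01", "time": "10:00", "location": "Suite 200",
    "businessName": "Example Clinic",
    "confirmationLink": "https://example.invalid/c/abc",
}

if __name__ == "__main__":
    for name, result in audit_templates(SAMPLE_TEMPLATES).items():
        print(f"{name}: PHI={result['phi']} unknown={result['unknown']}")
    print(redact_for_external(SAMPLE_APPOINTMENT))
```

The design point is the allowlist: the audit reports the "before" subject line for its PHI placeholders, reports the body for a placeholder nobody has classified yet, and lets the "after" subject line through, while the outbound payload keeps only date, time, location, business name and a link into the authenticated application. Run the same audit over a sample of actually rendered messages, not just templates, since staff can type PHI into a field that a clean template still renders.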

Accessing and Managing the BAA

You can typically review and accept the BAA from your account’s security or compliance settings once your plan is eligible. The owner signs electronically, and the system records the effective date. Download and file the executed BAA for your records, and verify that HIPAA mode is fully enabled after acceptance.

Revisit the BAA when you change plans, add locations, or enable new integrations. If you terminate your account or cease using HIPAA mode, follow the BAA’s procedures for data return or destruction and document completion for your compliance file. Periodically confirm that staff roles, message templates, and form fields still align with the BAA’s constraints.

Conclusion

Acuity Scheduling can be part of a HIPAA-compliant workflow when you use an eligible plan, execute a Business Associate Agreement, and configure the account to respect the HIPAA Security Rule. Combine the platform’s safeguards with disciplined user practices, conservative data sharing, and careful integration choices to protect PHI from booking to reminder and beyond.

FAQs

What plans support HIPAA compliance in Acuity Scheduling?

HIPAA support is limited to specific paid plans that include the ability to sign a BAA and enable HIPAA mode. Lower tiers and trials typically do not qualify. Confirm your current subscription includes HIPAA features before collecting or storing PHI.

How do I enable HIPAA compliance on my Acuity account?

First, upgrade to an eligible plan. Next, access your account’s security or compliance settings to review and electronically sign the Business Associate Agreement. Once the BAA is executed, enable HIPAA mode, review the email notification restrictions, adjust templates to avoid PHI, and verify user access, forms, and integrations before handling PHI.

What are the main security features in Acuity's HIPAA-compliant mode?

Key features include encryption at rest and in transit, role-based access controls, audit logging for key actions, restricted exports and attachments, and redactions that limit PHI in notifications and calendar events. These measures support the HIPAA Security Rule and help keep PHI out of insecure channels.

Does Acuity integrate with third-party apps under HIPAA rules?

Yes, but you must evaluate each integration. Only connect services that either do not receive PHI or will sign a Business Associate Agreement and provide appropriate safeguards. If a vendor cannot meet HIPAA requirements, disable the integration or restrict data sharing to non-PHI to avoid compliance gaps.
