Calendly is not HIPAA compliant. A HIPAA Covered Entity or Business Associate cannot use it to create, collect, maintain, or transmit protected health information, because doing so violates Calendly’s terms of service and because Calendly does not enter into Business Associate Agreements, either with covered entities or with the business associates that would have to flow their HIPAA obligations down to it.
Calendly is a scheduling platform that reduces the time spent coordinating meetings and appointments: invitees pick a slot from the organizer’s published availability, and the platform sends automated reminders by email and text message. Healthcare organizations use Calendly to schedule internal meetings, but any workflow in which electronic protected health information would reach the platform requires a Business Associate Agreement with the vendor before the platform is put to that use.
Calendly states that the platform is secure and that data uploaded to it is protected. Data sent to and stored by the scheduling tool is protected by 256-bit encryption, and the service is hosted on Amazon Web Services. Calendly also states that it cannot read medical charts or other private information from a connected calendar, because it reads only the busy and free status of calendar events in order to avoid double bookings. Both claims concern the transport and storage of data and the permissions Calendly requests from a connected calendar; neither covers information that invitees or staff type into Calendly’s own booking forms, notes, and reminder messages, which Calendly stores itself.
The compliance barrier is not resolved by encryption or hosting. Under the HIPAA Privacy and Security Rules, a covered entity may disclose protected health information to a vendor that handles it on the entity’s behalf only under a Business Associate Agreement, so a vendor that will not sign one cannot receive it regardless of how well it protects data. Calendly states in its help content that Calendly should not be used for collecting protected health information and that the solution should not be used for asking any personal or medical questions in the question form invitees complete when scheduling. Calendly also does not sign Business Associate Agreements with HIPAA covered entities.
Calendly can be used by healthcare organizations when the scheduling use case is limited to workforce scheduling and other activities that do not involve electronic protected health information. Patient appointment booking through Calendly creates compliance risk because protected health information ends up in scheduling forms, reminder content, notes, or other fields stored by the platform; even an invitee’s name combined with the purpose of the visit can constitute protected health information. Healthcare organizations should use a scheduling tool that supports HIPAA compliance, with a signed Business Associate Agreement, for patient appointment workflows, and should implement administrative and technical controls that prevent staff from using Calendly for patient scheduling, for example a written policy, staff training, and restrictions on which third-party applications may be connected to the organization’s calendar and email accounts.
