Is Calendly HIPAA Compliant?

Calendly is a tool popularly used by many businesses to manage meeting and appointment schedules. Can Calendly be used by healthcare organizations? Does its use comply with HIPAA?

Businesses generally spend considerable time and effort scheduling meetings and appointments and chasing employees to confirm them. Calendly was created to eliminate this wasted time. It avoids the typical game of phone tag and makes booking appointments and building schedules much easier. Calendly can also reduce no-shows by automatically sending reminder emails and text alerts before meetings start.

Calendly works with popular software platforms such as iCloud Calendar, Google Calendar, Office 365, Salesforce and GoToMeeting. It can also be integrated directly into an organization's website so that clients can book their appointments online.

The platform can also be used by healthcare companies to schedule internal meetings; however, to use Calendly in connection with electronic protected health information (ePHI), there must be a business associate agreement (BAA) between the healthcare organization and Calendly.

Does Calendly Support HIPAA Compliance?

Calendly states on its website that all information uploaded to its platform is secured. The scheduling application uses 256-bit encryption to protect data in transit and at rest. The platform is hosted on Amazon Web Services' HIPAA-compliant hosting solution. Calendly does not read health-related charts or other private information; it reads only the status of calendared activities in order to avoid double bookings.

Although Calendly is secure, its website states that:

  • Calendly is not to be employed for acquiring Protected Health Information (PHI).
  • No personal or medical questions should be included by healthcare companies in forms when scheduling appointments.
  • Calendly will not enter into BAAs with HIPAA covered entities.

Hence, Calendly is not HIPAA-compliant. Healthcare companies may use it provided no ePHI is involved, but they must use only HIPAA-compliant scheduling applications for managing patient visits.

Calendly and HIPAA Compliance: FAQ

What are the penalties for using Calendly without a Business Associate Agreement?

Using any third-party service for HIPAA-covered transactions (such as sending or storing PHI) without a BAA is a violation of HIPAA. Such violations can be reported to the Office for Civil Rights, which can levy hefty fines on the covered entity (CE) or business associate (BA) that violated HIPAA. It is therefore important that no CE or BA uses Calendly for a HIPAA-covered transaction.

Why won’t Calendly enter into a BAA?

Calendly does not state on its website exactly why it will not sign a BAA, but it may be related to an inability to meet all of the HIPAA security requirements that BAs must adhere to.

Can CEs use Calendly for uses that do not involve PHI?

Yes. So long as Calendly is not used in conjunction with any PHI, it is not being used for a HIPAA-covered transaction, and Business Associate Agreements are only required for such transactions.

Can Calendly be used to schedule meetings during which PHI will be discussed?

Yes. So long as no PHI is uploaded to Calendly itself, it can be used to schedule the meeting.