Is Calendly HIPAA Compliant?

Calendly is a tool that many businesses use to manage meeting and appointment schedules. Can Calendly be used by healthcare organizations? Does its use comply with HIPAA?

Businesses generally spend considerable time and effort scheduling meetings and appointments and chasing employees to confirm appointments. Calendly was created to eliminate that wasted time. It prevents the typical game of phone tag and makes scheduling appointments and creating schedules a lot easier. Calendly can also reduce no-shows by automatically sending reminder emails and text alerts about the start of meetings.

Calendly works with popular software platforms such as iCloud calendar, Google Calendar, Office 365, Salesforce and GoToMeeting. It can also integrate directly with organization websites so clients can book their appointments on the web.

Healthcare companies could also use the platform to schedule internal meetings. However, to use Calendly in association with electronic protected health information (ePHI), there must be a business associate agreement (BAA) between the healthcare organization and Calendly.

Does Calendly Support HIPAA Compliance?

Calendly clearly states on its website that all information uploaded to its platform is secured. The scheduling application uses 256-bit encryption to protect transmitted and stored data. The platform is hosted on the HIPAA-compliant hosting solution of Amazon Web Services. Calendly does not read health-related charts or other private information; it reads only the status of calendared activities, to avoid double bookings.

Although Calendly is secure, it is stated on its website that:

  • Calendly is not to be used for acquiring Protected Health Information (PHI).
  • Healthcare companies should not include personal or medical questions in forms when scheduling appointments.
  • Calendly will not enter into BAAs with HIPAA covered entities.

Hence, Calendly is not HIPAA-compliant. Healthcare companies may use it as long as no ePHI is involved. For managing patient visits, healthcare companies are required to use only HIPAA-compliant scheduling applications.