Is Calendly HIPAA Compliant?

Is the scheduling service Calendly HIPAA compliant? The service streamlines how businesses organize meetings, saving time and improving productivity by eliminating the confusion that results from lengthy email chains. This makes Calendly a popular service across a variety of sectors, but can it be used in the healthcare industry in a HIPAA-compliant manner?

The Calendly platform integrates with a number of other cloud-based products, including iCloud Calendars, Office 365 products, GoToMeeting, Google Calendar, and Salesforce. These integrations also allow customers to schedule meetings directly with vendors. Within the healthcare context, Calendly can be used to schedule meetings as long as no protected health information (PHI) is disclosed in the transaction.

Why Calendly is Not HIPAA Compliant

The reason it is not possible to disclose PHI in transactions has nothing to do with Calendly's security or its willingness (or not) to enter into a Business Associate Agreement. Calendly states in its Terms of Use that customers are not allowed to "disclose any types of information listed in California's Customer Records statute or other relevant privacy regulations, including medical or health insurance information".

In case there is any doubt about whether the prohibition relates only to organizations disclosing information about Californian residents, the Terms of Use also stipulate that customers are not allowed to "collect or disclose any types of information that falls within the definition of Protected Health Information under California law or other relevant law or regulation." Without naming HIPAA, this clause makes it impossible for Calendly to be used for HIPAA-covered purposes.

There is no way around this prohibition. If a Covered Entity or Business Associate subsequently experiences a data breach because it impermissibly used Calendly as a communication channel for PHI, Calendly has an indemnification clause in its Terms of Use that protects the service from third-party claims and, in the context of HIPAA compliance, against enforcement action by HHS' Office for Civil Rights.

One final point to consider is that, in order to avoid the need for a Business Associate Agreement, Covered Entities could ask patients to provide a written authorization allowing them to disclose their PHI over the Calendly platform. While this would circumvent HIPAA's requirements, it would still be a violation of Calendly's Terms of Use and would likely result in the service being terminated. Consequently, it is recommended that Covered Entities look elsewhere for HIPAA-compliant patient scheduling software.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA