Is Calendly HIPAA compliant? No. Calendly does not sign Business Associate Agreements on any plan, and their documentation explicitly states that the platform should not be used to collect protected health information. Healthcare practices can use Calendly for internal staff scheduling, but not for patient appointment booking that involves PHI.
Online scheduling is one of the first things patients expect from a modern healthcare practice. The problem is that the most popular scheduling tool on the market cannot legally be used for patient appointments in a HIPAA-covered environment. Here is why, and what to use instead.
Why Calendly Is Not HIPAA Compliant
Calendly fails the most fundamental HIPAA vendor requirement: it will not sign a Business Associate Agreement. This applies to every Calendly plan - Free, Standard, Teams, and Enterprise. No tier, no add-on, and no custom arrangement changes this.
Calendly's own help documentation is explicit: "Calendly should not be used for collecting Protected Health Information" and prohibits asking "any personal or medical questions in the question form invitees complete when scheduling."
Without a BAA, any use of Calendly that involves PHI is a HIPAA violation. The BAA requirement exists independently of Calendly's security features. Even though Calendly uses 256-bit encryption and runs on AWS infrastructure (which itself is HIPAA compliant), the platform as a service has no BAA, no audit logging for PHI access, and no obligation to notify you of a breach involving patient data.
Does Scheduling Data Count as PHI?
This is where many practices make a mistake. Scheduling data can absolutely constitute PHI depending on what information is collected. Under HIPAA, PHI is any individually identifiable health information. Consider what a typical patient scheduling form collects:
- Patient name + appointment type - if the appointment type is "psychiatric evaluation" or "HIV consultation," the combination of name and service type is PHI
- Patient name + provider name - if the provider is a specialist (oncologist, psychiatrist, addiction counselor), the fact that someone has an appointment with that provider can reveal health information
- Custom intake questions - many practices add screening questions to their scheduling forms. Any question about symptoms, conditions, medications, or medical history creates PHI
- Reason for visit - even a simple "reason for visit" field can generate PHI if the patient describes symptoms or conditions
A patient's name combined with the fact that they have a healthcare appointment is generally considered PHI. The only scenario where scheduling might not involve PHI is when the appointment contains no health-related context at all - which is rarely the case in a clinical setting.
What Calendly Can Be Used For
Calendly is fine for internal, non-clinical scheduling that does not involve patients or PHI:
- Staff meetings and team coordination
- Vendor meetings and sales calls
- Administrative appointments with no patient involvement
- Consultant or contractor scheduling
If you are a healthcare organization using Calendly for these purposes and keeping all patient scheduling on a separate, HIPAA-compliant system, there is no compliance issue. The problem arises when practices use one scheduling tool for everything, including patient bookings.
The Real Risk: Custom Intake Forms
Calendly allows event creators to add custom questions to their booking forms. In healthcare, this creates a direct pathway for PHI to enter a system with no BAA. A practice might add questions like:
- "What is the reason for your visit?"
- "Are you a new or returning patient?"
- "What insurance do you have?"
- "Please describe your symptoms"
Every response to these questions becomes PHI the moment it is linked to the patient's name and appointment. That PHI now sits in Calendly's system - on AWS servers, in their database, in their backups - with no BAA governing how it is handled, retained, or secured. If Calendly experiences a data breach involving this information, they have no HIPAA obligation to notify you or HHS.
HIPAA-Compliant Scheduling Alternatives
Several scheduling platforms are designed for healthcare and will sign BAAs:
- Acuity Scheduling (Squarespace) - offers a BAA on HIPAA-compliant plans, supports intake forms, and integrates with major calendar platforms
- SimplePractice - built for healthcare, includes scheduling, intake, and telehealth under one BAA
- Jane App - popular with allied health providers, includes online booking with BAA
- Healthie - EHR with built-in scheduling, designed for wellness and nutrition practices
- Your EHR's built-in scheduler - most modern EHR systems (athenahealth, Epic MyChart, DrChrono) include patient self-scheduling that is already covered under your EHR's BAA
For most practices, the simplest solution is to use the scheduling feature built into your EHR. You already have a BAA with that vendor, and the scheduling data stays within your system of record. If your EHR does not offer self-scheduling, Acuity Scheduling is the closest alternative to Calendly's interface with HIPAA compliance built in.
Include the scheduling tool restriction in your staff training and document the approved platform in your security policies. Staff who are used to Calendly will need clear direction on what tool to use for patient appointments versus internal meetings.
Can I use Calendly if I don't collect medical information?
Technically, if your Calendly booking collects only a name, email, and appointment time with no health-related context, some compliance experts argue it falls outside PHI. However, the appointment itself is with a healthcare provider - and the combination of patient identity plus the fact of a healthcare appointment is widely considered PHI. Most compliance officers recommend using a HIPAA-compliant scheduler for all patient-facing bookings to avoid the gray area entirely.
Does Calendly work with HIPAA-compliant video platforms?
Calendly integrates with Zoom and Microsoft Teams for automatic meeting links. While the video platform may be HIPAA compliant, the scheduling layer (Calendly) is not. PHI entered into Calendly's booking form is still exposed in a system without a BAA, even if the resulting meeting happens on a compliant platform.
Will Calendly ever become HIPAA compliant?
There is no public indication that Calendly plans to offer BAAs or pursue HIPAA compliance. Their documentation explicitly directs healthcare users away from PHI collection. Given that healthcare scheduling requires specific features (intake forms, consent management, EHR integration), Calendly may view it as outside their core market. Use a purpose-built healthcare scheduling tool instead of waiting for Calendly to change course.
Is there a way to make Calendly HIPAA compliant?
No. Unlike some tools that can be configured for HIPAA compliance (such as Google Drive through Workspace or Dropbox through Business plans), Calendly does not offer any configuration, plan, or add-on that enables HIPAA compliance. The issue is contractual - Calendly will not sign a BAA - so no technical configuration can resolve it.