Making your Acuity account HIPAA-compliant.
Acuity Scheduling is designed to allow you to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Other parts of the Squarespace platform, including contact form features like the form block, can't be used as part of a HIPAA compliant solution. To collect secure patient information online for areas outside of Acuity, we recommend linking to an external, compliant service.
This guide covers how Acuity handles Protected Health Information as the term is understood under United States law. If you’re not in the health field, this guide probably doesn’t apply to you.
Note: Acuity is the only Squarespace feature currently designed to offer services consistent with HIPAA obligations. Your Business Associate Addendum (BAA) doesn't cover other Squarespace features. You shouldn't maintain or transmit Protected Health Information through Squarespace outside of Acuity.
You can make your Acuity account HIPAA-enabled on the Powerhouse plan.
Acuity meets HIPAA Security Rule requirements
A qualified third-party information security consultant reviewed Acuity. The consultant validated that Acuity can meet the requirements of the HIPAA Security Rule.
Make your account HIPAA-enabled
- Ensure you’re on the Powerhouse plan.
- In Acuity, click Customize Appearance.
- Click Scheduling Page Options.
- Click the link at the top of the page to begin the process of entering into a BAA.
- Review the BAA and ensure that you understand your obligations.
- Enter into the BAA by submitting the necessary information and clicking Submit.
Your responsibilities for HIPAA
Enabling HIPAA-related features in Acuity alone isn't enough to make you HIPAA compliant. You must also ensure your business practices and systems work with Acuity to stay in compliance.
To use Acuity in a way that complies with the HIPAA Security Rule, you must exercise responsibility when setting up your account. These responsibilities include carefully selecting the amount and type of electronic protected health information included in and excluded from text and email messages, and entering into a Business Associate Addendum (BAA) with Squarespace.
A BAA governs the use and protection of Protected Health Information exchanged between a "covered entity" and a "business associate." In this situation, if you’re a covered entity pursuant to HIPAA, then Squarespace is a business associate to you. To learn more, visit the U.S. Department of Health and Human Services site.
- You must be on the Powerhouse plan to enable HIPAA-related services and enter into a BAA with Squarespace. We don't enter into outside BAAs for this plan, but custom BAAs are available on an Enterprise plan for an additional cost. To learn more about Enterprise plans, contact us.
- Ensure that you’ve made your Acuity account HIPAA-enabled before maintaining or transmitting any Protected Health Information through your account.
- You must make each Acuity account HIPAA-enabled. An account only becomes HIPAA-enabled when a separate BAA is entered into for that specific account.
- You're solely responsible for ensuring that the proper controls, settings, and limitations are in place to satisfy your needs and HIPAA compliance. Each organization controls and determines its own HIPAA compliance practices, including how to implement certain controls, de-identification, and the types of information exchanged between your organization, your clients, and Squarespace. Every organization is different and has different needs, and so we provide settings to help you meet your own compliance program.
More protections for HIPAA-enabled Acuity Scheduling accounts
All Acuity accounts share most technical and security protections, but there are additional protections for HIPAA-enabled accounts:
- Email notifications we send you won’t include client form answers.
- Intake forms only accept file uploads from a local computer or device. Uploading from Google Docs and similar services is disabled.
- Clients can’t use their email address to redeem packages they’ve purchased. Instead, they must enter the randomly generated code they received or log into their client account.
- Calendar syncing with Office 365, Outlook.com, Live.com, Exchange, and iCloud isn't available. Before making your Acuity account HIPAA-enabled, disable any syncing to those services.
- Integration with Squarespace Email Campaigns isn’t available. If this integration is active, you’re responsible for disabling it before making your Acuity account HIPAA-enabled.
- Acuity's invoices feature isn't enabled.
- Integration with Reserve with Google isn't enabled.
- Subscription renewal reminder emails don’t include subscription names.
Email and text notification controls and settings
- Email and text notifications may contain Protected Health Information (PHI) by default, including client names, email addresses, appointment types, and appointment dates and times. You're responsible for changing the information in messages by updating your notification settings.
- By default, confirmation and rescheduling messages sent to the client and to you contain a calendar file (ICS invite) as an attachment. This ICS invite contains the client's name, appointment type, and appointment time. To disable this feature, contact us.
- If you don’t disable email notifications, Acuity will send you emails with the From and Reply-To fields showing the client’s name and email address.
- Clients can opt out of marketing emails by clicking Unsubscribe. They'll continue to receive automated emails documenting completed transactions. They can opt out of text messages by replying STOP. When scheduling an appointment on a client's behalf, you can prevent notifications from being sent by omitting their email address or phone number in the appointment details.
Third-party integrations and HIPAA
Many third-party integrations don't support HIPAA. You can disable any or all of these integrations before making your Acuity account HIPAA-enabled.
If you connect Acuity to any third-party integrations, such as Google Calendar or Stripe, it's your responsibility to determine if the integration is acceptable for your business, and/or modify your use, settings, security, or information to meet your HIPAA compliance practices and obligations. It's also your responsibility to enter any new contractual agreements necessary to meet your HIPAA compliance practices and obligations. You should do all of this prior to using the third-party service.
Access your BAA
You can review or download your BAA at any time:
- In Acuity, click Customize Appearance.
- Click Scheduling Page Options, then click View and download your signed BAA.
- Optionally, click Download as PDF to download a copy.