To support the needs of our customers in the healthcare industry, we have designed our services and our security program to comply with the requirements of the HIPAA Security Rule. We've engaged a qualified third party information security consultant to review Acuity Scheduling and they have validated that the services meet the requirements of the HIPAA Security Rule. More details about our HIPAA compliance are available upon request.
Your Responsibilities for HIPAA
You must play a part when configuring your account. When using Acuity Scheduling, these responsibilities include carefully selecting the amount and type of electronic protected health information that is included in and excluded from text and email messages, as well as entering into a Business Associate Agreement (BAA) with Acuity Scheduling.
Some considerations as you configure your account:
- Ensure that you’ve entered into a BAA with Acuity Scheduling before storing any protected health information in your account. Because of ongoing overhead required to maintain HIPAA compliance, making the services HIPAA eligible and entering into a BAA is only available with Powerhouse plans. After you upgrade to Powerhouse, you'll see a link under Scheduling Page Options to sign the BAA online.
- A separate BAA must be signed for each account. Accounts will only become HIPAA enabled when the BAA is signed for that account.
- Each organization controls and determines its own HIPAA compliance practices,
including how to implement certain controls, deidentification, and the types of
information exchanged between your organization, your clients and Acuity. Acuity
understands that each organization is different and has different needs, and so we
provide a number of controls and settings to help you meet your own compliance
program. You are solely responsible for ensuring that the proper controls, settings and
limitations are in place to satisfy your needs and HIPAA compliance.
- Email and SMS Controls and Settings
- Emails and SMS may contain PHI by default, including Client name, email address (if the communications is email), appointment type, and appointment date/time. You are responsible for changing the information contained in messages by updating you Email Settings. You can learn more about customizing your email and text messages, as well as which data fields can be added or removed, here and here, respectively. Alternatively, you can disable emails and/or SMS entirely.
- By default, initial confirmation and rescheduling messages sent to the client and to you contain a calendar file (ICS invite) as an attachment so that clients and you can easily import into your respective calendar systems. This ICS invite contains the client's name, appointment type, and appointment time. If you would like to disable this feature, please contact support.
- If email messages are not disabled, the “From” and “Reply-To” fields of emails sent by Acuity to you will show the applicable client’s name and email address.
- Clients receiving notification communications can opt-out from future communications by clicking the "Unsubscribe" link in emails or replying to a text message with "STOP". When scheduling any appointment on a client's behalf, you can prevent notification communications from being sent by omitting the email address or phone number for that appointment.
- Managing Accounts and Users: You can create unique accounts for each of your staff so that you can audit and manage their access. Separate user accounts can be created within "Manage Users" under "Business Settings".
- Third Party Integrations: If you are connecting your Acuity account to any third party integrations, e.g, Google Calendar, Stripe, etc., you are solely responsible for ensuring that the third party service is acceptable for your business, and that the necessary contractual, security, and other protections are in place prior to using the third party service. You may wish to disable any or all of these integrations prior to making your Acuity account HIPAA enabled.
- Your use of Acuity and your BAA are exclusively for the Acuity Scheduling product and do not extend to other uses of Squarespace.
- All accounts share most of the same technical and security protections, but there are some additional protections for accounts marked as HIPAA enabled:
- Your browser session will time out after 4 hours instead of several days.
- Client form details are not included at the bottom of email notifications to you as the admin.
- File upload questions on your intake forms will only accept documents from your local computer or device. Uploading from Google Docs or other similar services is disabled.
- If you sell packages, your clients can't redeem packages by entering their email address on the package redemption page. Rather, they must use the randomly generated code they were given or be logged into their client account.
- Calendar syncing with Office 365, Outlook.com, Live.com, Exchange and iCloud is no longer available. Before making your Acuity account HIPAA enabled you may also wish to disable these integrations.
Please note the following:
- Many third party integrations do not support HIPAA, for example Zapier. It is your responsibility to determine if the integration is acceptable for your business, and/or modify your use, settings or information to meet your HIPAA compliance practices and HIPAA obligations.
- We do not sign outside BAAs on our Powerhouse plan. However, custom BAAs are available on our Enterprise plan for an additional cost. Please contact us if you are interested in the Enterprise plan.