To support the needs of our customers in the healthcare industry, we have successfully designed our service and our security program to comply with the requirements of the HIPAA Security Rule. We've engaged a qualified third party information security consultancy to review Acuity Scheduling and they have validated that it meets the stringent requirements of the HIPAA Security Rule. More details about our HIPAA compliance are available upon request.
Your Responsibility in HIPAA Compliance
While we are pleased to offer a HIPAA compliant solution, you must play a part to achieve compliance. When using Acuity Scheduling, these responsibilities include carefully selecting the amount and type of electronic protected health information that is included in text and email messages, as well as executing a Business Associate Agreement with Acuity Scheduling.
Some considerations as you configure your account:
- Ensure a BAA is in place between you and Acuity Scheduling before storing any protected health information in your account. Because of ongoing overhead required to maintain HIPAA compliance this is only available with Powerhouse plans. After you upgrade to Powerhouse you'll see a link under My Account to sign the BAA online. Before upgrading you can also preview a copy of the BAA to review it. Having a BAA in place is an important part of your organizational requirements to be HIPAA compliant.
- Client name, appointment type, and appointment time are sent in emails and text messages. You can limit the amount of information sent in messages by updating them within Email Settings. A calendar attachment including the client's name, appointment type, and appointment time is also attached to confirmation and rescheduling notifications. If you would like that removed, please contact support.
- The “From” area of the notification emails to you will come from the client’s name, even after being marked as a HIPAA account.
- Clients receiving notifications can opt-out from future ones by clicking the "Unsubscribe" link in e-mails or replying to a text message with "STOP". When scheduling any appointment you can prevent notifications from being sent by omitting the email address or phone number for that appointment.
- Create unique accounts for each of your staff to audit their access. Separate admin accounts can be created within Manage Users under Availability & Calendars.
- If you are interested in connecting Acuity Scheduling with Google Calendar you must sign a separate BAA with Google prior to connecting them together. The same goes for any other services you integrate Acuity with, and it’s up to you to maintain HIPAA compliance with any and all connected services.
- All accounts share most of the same technical and security protections, but there are some additional minor changes for accounts marked as HIPAA enabled:
- Your login will time out after 4 hours instead of several days
- Client forms are not included at the bottom of email notifications to you as the admin
- Intake forms (including forms you've marked as internal use only) can no longer include File Upload questions since that uses an external service for managing uploads which is not HIPAA compliant. If you were using this feature before becoming HIPAA compliant please remove those fields.
- Clients can't redeem packages just by using an email address, they must use the randomly generated code they were given or be logged in to their account
- Calendar syncing with Office 365, Outlook.com, Live.com, Exchange and iCloud is no longer available since they rely on an external service which is not HIPAA compliant. If you were using this feature before becoming HIPAA compliant please disable it.
Please note the following:
- Zapier does not support HIPAA compliance.
- Acuity does not sign outside BAAs.