Acuity Scheduling is designed to allow you to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Other parts of the Squarespace platform can't be used as part of a HIPAA-compliant solution. To collect secure patient information online for areas outside of Acuity, we recommend linking to an external, compliant service.
This guide covers how Acuity handles Protected Health Information as the term is understood under United States law. If you’re not in the health field, this guide probably doesn’t apply to you.
Note: Acuity is currently designed to offer services consistent with HIPAA obligations. Other Squarespace features are not. Your Business Associate Addendum (BAA) doesn't cover other Squarespace features. You shouldn't maintain or transmit Protected Health Information through Squarespace outside of Acuity or Squarespace Scheduling.
To make your Acuity account HIPAA-enabled, you must be on the Powerhouse plan.
Acuity meets HIPAA Security Rule requirements
A qualified third-party information security consultant reviewed Acuity. The consultant validated that Acuity can meet the requirements of the HIPAA Security Rule. We're happy to provide more details about our HIPAA practices on request.
Make your account HIPAA-enabled
- Ensure you’re on the Powerhouse plan.
- Click Customize Appearance.
- Click Scheduling Page Options.
- Click the link at the top of the page to begin the process of entering into a BAA.
- Click Yes, I agree and would like to Sign the BAA.
- Enter into the BAA by reviewing and electronically signing the document.
Your responsibilities for HIPAA
Enabling HIPAA-related features in Acuity alone isn't enough to make you HIPAA compliant. You must also ensure your business practices and systems work with Acuity to stay in compliance.
To use Acuity in a way that complies with the HIPAA Security Rule, you must exercise responsibility when setting up your account. These responsibilities include carefully selecting the amount and type of electronic protected health information included in and excluded from text and email messages, as well as entering into a Business Associate Addendum (BAA) with Squarespace.
A BAA governs the use and protection of Protected Health Information exchanged between a "covered entity" and a "business associate." In this situation, if you’re a covered entity pursuant to HIPAA, then Squarespace is a business associate to you. To learn more, visit the U.S. Department of Health and Human Services site.
- You must be on the Powerhouse plan to enable HIPAA-related services and enter into a BAA with Squarespace. We don't enter into outside BAAs for this plan, but custom BAAs are available on an Enterprise plan for an additional cost. To learn more about Enterprise plans, contact us.
- Ensure that you’ve made your Acuity account HIPAA-enabled before maintaining or transmitting any Protected Health Information through your account.
- You must make each Acuity account HIPAA-enabled. An account only becomes HIPAA-enabled when a separate BAA is entered into for that specific account.
- You are solely responsible for ensuring that the proper controls, settings, and limitations are in place to satisfy your needs and HIPAA compliance. Each organization controls and determines its own HIPAA compliance practices, including how to implement certain controls, de-identification, and the types of information exchanged between your organization, your clients, and Squarespace. Every organization is different and has different needs, and so we provide settings to help you meet your own compliance program.
More protections for HIPAA-enabled Acuity accounts
All Acuity accounts share most technical and security protections, but there are additional protections for HIPAA-enabled accounts:
- Your browser session times out after four hours, rather than several days.
- Email notifications we send you won’t include client form answers.
- Intake forms only accept file uploads from a local computer or device. Uploading from Google Docs and similar services is disabled.
- Clients can’t use their email address to redeem packages they’ve purchased. Instead, they must enter the randomly generated code they received or log into their client account.
- Calendar syncing with Office 365, Outlook.com, Live.com, Exchange, and iCloud isn't available. Before making your Acuity account HIPAA-enabled, disable any syncing to those services.
Email and text notification controls and settings
- Email and text notifications may contain Protected Health Information (PHI) by default, including client names, email addresses, appointment types, and appointment dates and times. You're responsible for changing the information in messages by updating your notification settings.
- By default, confirmation and rescheduling messages sent to the client and to you contain a calendar file (ICS invite) as an attachment. This ICS invite contains the client's name, appointment type, and appointment time. To disable this feature, contact us.
- If you don’t disable email notifications, Acuity will send you emails with the From and Reply-To fields showing the client’s name and email address.
- Clients can opt out of future communications by clicking Unsubscribe in emails or replying to a text message with STOP. When scheduling an appointment on a client's behalf, you can prevent notifications from being sent by omitting their email address or phone number in the appointment details.
Third-party integrations and HIPAA
Many third-party integrations don't support HIPAA. You can disable any or all of these integrations before making your Acuity account HIPAA-enabled.
If you connect Acuity to any third-party integrations, such as Google Calendar or Stripe, it's your responsibility to determine if the integration is acceptable for your business, and/or modify your use, settings, security, or information to meet your HIPAA compliance practices and obligations. It's also your responsibility to enter any new contractual agreements necessary to meet your HIPAA compliance practices and obligations. You should do all of this prior to using the third-party service.