To support the needs of our customers in the healthcare industry, we have successfully designed our service and our security program to comply with the requirements of the HIPAA Security Rule. We've engaged a qualified third party information security consultancy to review Acuity Scheduling and they have validated that it meets the stringent requirements of the HIPAA Security Rule. More details about our HIPAA compliance are available upon request.
Your Responsibilities for HIPAA
You must play a part when configuring your account. When using Acuity Scheduling, these responsibilities include carefully selecting the amount and type of electronic protected health information that is included in text and email messages, as well as executing a Business Associate Agreement with Acuity Scheduling.
Some considerations as you configure your account:
- Ensure a BAA is in place between you and Acuity Scheduling before storing any protected health information in your account. Because of ongoing overhead required to maintain HIPAA compliance this is only available with Powerhouse plans. After you upgrade to Powerhouse you'll see a link under My Account to sign the BAA online.
- A separate BAA must be signed for each account. Accounts will only become HIPAA enabled when the BAA is signed for that account.
- Emails and SMS may contain ePHI by default, but you can customize them within Email Settings or disable emails and/or SMS entirely.
- Client name, appointment type, and appointment time are included by default in emails and text messages. You can change the information sent in messages by updating them within Email Settings. A calendar file (ICS invite) which includes the client's name, appointment type, and appointment time is also attached to initial confirmation and rescheduling messages. If you would like to disable this feature, please contact support.
- If email messages are not disabled, the “From” and “Reply-To” fields of emails sent by Acuity to you will show the applicable client’s name and email address.
- Clients receiving notifications can opt-out from future ones by clicking the "Unsubscribe" link in e-mails or replying to a text message with "STOP". When scheduling any appointment you can prevent notifications from being sent by omitting the email address or phone number for that appointment.
- You can create unique accounts for each of your staff to audit and manage their access. Separate user accounts can be created within Manage Users under Business Settings.
- if you are connecting your Acuity account to any 3rd party integrations, e.g, Google Calendar, Stripe, etc., it is your responsibility to ensure that the 3rd party is acceptable for your business and contractual and other protections are in place prior to connecting. You may wish to disable any of these integrations prior to making your account HIPAA enabled.
- Your use of Acuity and your BAA are exclusively related to the Acuity Scheduling product and do not extend to other uses of Squarespace.
- All accounts share most of the same technical and security protections, but there are some additional protections for accounts marked as HIPAA enabled:
- Your browser session will time out after 4 hours instead of several days.
- Client form details are not included at the bottom of email notifications to you as the admin.
- If you add file upload questions to your intake forms they can only accept documents from your local computer or device. Uploading from Google Docs or other similar services is disabled.
- If you sell packages your clients can't redeem packages just by using an email address, they must use the randomly generated code they were given or be logged in to their client account.
- Calendar syncing with Office 365, Outlook.com, Live.com, Exchange and iCloud is no longer available since they rely on an external service which is not HIPAA compliant. Before making your Acuity account HIPAA enabled you may also wish to disable these integrations.
Please note the following:
- Many 3rd party integrations do not support HIPAA, for example Zapier, it is your responsibility to determine if the integration is acceptable for your business.
- Acuity does not sign outside BAAs.