Your Responsibility in HIPAA Compliance
While we are pleased to offer a HIPAA compliant solution, you must play a part to achieve compliance. When using Acuity Scheduling, these responsibilities include carefully selecting the amount and type of electronic protected health information that is included in text and email messages, as well as executing a Business Associate Agreement with Acuity Scheduling.
Some considerations as you configure your account:
- Ensure a BAA is in place between you and Acuity Scheduling before storing any protected health information in your account. Because of the ongoing overhead required to maintain HIPAA compliance, this is only available with Gold plans. After you upgrade to a Gold plan you'll see a link under My Account to sign the BAA online. Before upgrading you can also preview a copy of the BAA to review it. Having a BAA in place is an important part of your organizational requirements to be HIPAA compliant.
- Client name, appointment type, and appointment time are sent in emails and text messages. You can limit the amount of information sent in messages by updating them within Email Settings. A calendar attachment including the client's name, appointment type, and appointment time is also attached to confirmation and rescheduling notifications. If you would like that removed, please contact support.
- The “From” field of the notification emails sent to you will show the client’s name, even after your account is marked as a HIPAA account.
- Clients receiving notifications can opt out of future notifications by clicking the "Unsubscribe" link in e-mails or by replying to a text message with "STOP". When scheduling an appointment, you can prevent notifications from being sent by omitting the email address or phone number for that appointment.
- Create unique accounts for each of your staff to audit their access. Separate admin accounts can be created within Manage Users under Availability & Calendars.
- All accounts share most of the same technology and security protections, but there are some additional minor changes to accounts marked as HIPAA enabled:
  - Your login will time out after 4 hours instead of several days
  - Client forms are not included at the bottom of email notifications to you as the admin
  - Intake forms (including forms you've marked as internal use only) can no longer include File Upload questions, since that feature uses an external service for managing uploads which is not HIPAA compliant. If you were using this feature before becoming HIPAA compliant, please remove those fields.
  - Clients can't redeem packages just by using an email address; they must use the randomly generated code they were given or be logged in to their