"We Use Calendly and Google Forms" — Why That's Already a HIPAA Violation for Your Clinic

You probably already know about HTTPS and privacy policies. But most small-scale HIPAA violations in clinics today don’t happen because of a broken website — they happen because of convenient tools you set up in 10 minutes that look completely innocent.

Here’s what we see over and over again in dental, chiropractic, and physical therapy clinics.

Calendly, Acuity, and other “regular” scheduling tools

Online appointment booking is a convenience patients expect by default. Dental clinics use Calendly. PT offices use Acuity or SimplePractice. Chiropractors use everything — often just a built-in form from Wix.

The problem: most of these services don’t sign a Business Associate Agreement (BAA) on their standard plans.

When a patient enters their name, phone number, and reason for visit (“back pain,” “wisdom tooth problem,” “post-surgery rehabilitation”) — that’s already Protected Health Information. And if Calendly hasn’t signed a BAA with you — every single appointment technically constitutes a HIPAA violation.

What to do: Either upgrade to plans that include a BAA (some services offer them — for example, Jane App, which is popular in PT and chiro), or use a booking form built into your website’s HIPAA-compliant infrastructure. We help set up exactly the second option — without changing the familiar interface for your front desk staff.

SMS appointment reminders: convenient for everyone, a problem for you

You send patients a reminder: “Tomorrow at 2:00 PM — appointment with Dr. Smith. Sunrise Dental Clinic.” Seems harmless.

But if the SMS service (Twilio, SimpleTexting, or even the built-in functions of your PMS) doesn’t have a signed BAA with you — that’s a violation. Patient name + the fact of a medical visit = PHI.

For chiropractic and PT clinics, the situation is even more acute: reminders often include the procedure type or insurance name.

Online reviews and your responses

This is one of the least obvious sources of violations — and one of the most common among dentists.

A patient leaves a Google review: “Came in with pain, they did a root canal.” The clinic responds: “Thank you, Michael! Glad we could help, come back for your next check-up as part of your treatment plan.”

That response publicly confirmed that Michael is your patient and that he has a treatment plan. That’s disclosure of PHI without patient authorization.

A proper response never confirms the fact of treatment and never contains details. We help clinics develop review response templates that stay friendly but HIPAA-compliant.

Intake forms on an iPad in the waiting room — and where the data goes

In many dental and PT clinics, patients fill out questionnaires right in the waiting room on a tablet. Looks modern. But where does the data go?

If the form is built in Google Forms or JotForm (without the HIPAA plan), or the responses are saved to a regular Google Sheet — you’re violating HIPAA. Google Workspace can be HIPAA-compliant, but only with a signed BAA and proper configuration. By default — it’s not.

We’ve seen clinics where patient questionnaires were stored for years in a regular Drive folder without any access restrictions.

“Insurance verification” pages and cost calculators

Dental clinics often place insurance verification forms or treatment cost calculators on their website. The patient enters their insurer’s name, plan ID, and date of birth.

That’s PHI. And if the data goes to a regular email inbox or is stored in an unprotected database — that’s a violation.

What HHS actually checks when complaints are filed

HHS Office for Civil Rights (OCR), when investigating complaints, checks not just the website itself, but also:

  • All third-party services with access to patient data
  • The existence of a BAA with each of them
  • Access logs and form submission logs
  • Staff training policies

For small dental and chiropractic clinics, fines in the $10,000–$50,000 range per violation are not uncommon. But the reputational damage is even more costly: the HHS public breach portal is accessible to everyone.

Free audit for your clinic

We specialize in technical support and HIPAA compliance for small medical practices — dental, chiropractic, physical therapy.

What the free audit includes:

  • Review of all forms and data collection channels on your website
  • Analysis of third-party services (scheduling, SMS, analytics, email)
  • BAA verification with every vendor
  • Specific list of violations prioritized by risk level
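The first three audit steps can be started mechanically: inventory every place your site's forms and embeds send data, then compare the destination hosts against the vendors that have signed a BAA with you. The Python script below is an added example, not the audit tool described on this page; the BAA inventory (`BAA_ON_FILE`), the PHI field heuristic (`PHI_HINTS`), the sample page and the host name `sunrise-dental.example` are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

BAA_ON_FILE = {"jane.app"}  # constructed assumption: vendors with a signed BAA on file
# Field names/placeholders that usually mean PHI once paired with a name (assumed heuristic).
PHI_HINTS = ("reason", "plan", "insur", "dob", "birth", "symptom", "procedure")
# Constructed sample page mixing the channels this article describes.
SAMPLE_PAGE = """
<form action="https://docs.google.com/forms/d/e/EXAMPLE/formResponse" method="post">
  <input name="entry.1" placeholder="Reason for visit"></form>
<iframe src="https://calendly.com/sunrise-dental/new-patient"></iframe>
<form action="/insurance-check" method="post"><input name="plan_id"></form>
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<form action="https://sunrise-dental.example/book" method="post"><input name="phone"></form>
"""

class ChannelCollector(HTMLParser):
    """Records every outbound channel: form actions (with their inputs), iframes, scripts."""
    def __init__(self):
        super().__init__()
        self.channels = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"kind": "form", "url": a.get("action", ""), "fields": []}
            self.channels.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append((a.get("name", "") + " " + a.get("placeholder", "")).lower())
        elif tag in ("iframe", "script") and a.get("src"):
            self.channels.append({"kind": tag, "url": a["src"], "fields": []})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit_channels(html, site_host, baa_on_file=BAA_ON_FILE):
    """List third-party channels with no BAA on file; PHI-collecting forms are ranked first."""
    parser = ChannelCollector()
    parser.feed(html)
    findings = []
    for ch in parser.channels:
        host = urlparse(ch["url"]).hostname or site_host   # relative URL => your own site
        if host == site_host or host in baa_on_file:
            continue
        phi = any(h in f for f in ch["fields"] for h in PHI_HINTS)
        findings.append({"kind": ch["kind"], "vendor": host,
                         "risk": "high" if ch["kind"] == "form" and phi else "medium"})
    return sorted(findings, key=lambda f: f["risk"] != "high")
```

Forms posting to your own host are skipped here; those still need the backend check the article describes (where the submission is stored or which inbox it is emailed to).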

Most issues are resolved within 2–3 weeks. We handle the technical side — you keep seeing patients.

Schedule your free compliance audit →


This material is for informational purposes only and does not constitute legal advice. For assessment of specific legal risks, we recommend consulting a HIPAA attorney.