Is Calendly HIPAA Compliant?
Short answer: only on the Enterprise plan. Anything below that — Free, Standard, Teams — is not HIPAA compliant, no matter what the salesperson on the chat widget tells you.
The longer answer is the one most clinic owners actually need, because Calendly itself is rarely the whole problem.
What Calendly will and won’t sign
A vendor becomes HIPAA-relevant the moment they sign a Business Associate Agreement with you. The BAA is the document where the vendor agrees, in writing, to take on a share of the legal responsibility for any patient data flowing through their product. Without it, the vendor is just a third party holding PHI it has no right to hold, and the clinic is the one OCR will eventually write to.
Calendly’s BAA lives behind the Enterprise tier. It’s not on the Free plan, it’s not on Standard ($10/seat), and it’s not on Teams ($16/seat). Enterprise is custom-quoted, with annual commitments and minimum seat counts, and Calendly’s own sales team will tell you the same thing if you ask them directly.
This isn’t unique to Calendly. Acuity, SimplePractice’s lower tiers, Square Appointments, the booking module inside Wix — same structure. The cheap tier doesn’t include a BAA because the vendor doesn’t want federal liability for accounts paying $15 a month. We covered the same pattern with Google Forms, JotForm and the rest of the small-business form/scheduling stack here.
The practical consequence: if a patient picks a slot and types “follow-up after surgery” into the notes field on a Standard-tier Calendly account, that note is now PHI sitting on a vendor’s servers without a BAA. If something happens, the entire response — investigation, breach notification, fine — is on the practice. Calendly is not on the hook.
Enterprise alone doesn’t make the booking flow compliant
Most articles on this topic stop here, which is why people keep getting caught.
A signed BAA on Calendly Enterprise covers the data Calendly itself stores. It does not cover what’s happening on the rest of your website while the patient is on the way to the booking widget. If your homepage runs Google Analytics in its default configuration, or a Meta Pixel left over from a 2023 Facebook ad campaign, those scripts are reading URLs and behavior across the entire site — including the URL of the page the patient was reading right before they clicked “Book Appointment.”
OCR has been writing settlements against exactly that pattern since 2022, and the dollar figures are not small. The numbers, the named cases, and the new Risk Analysis Initiative are all in our writeup of HIPAA enforcement in 2025–2026 if you want to see them in one place. The short version: the booking widget being airtight is necessary; it isn’t sufficient.
The other layer most practices miss is the contact form sitting next to the Calendly embed. If “Book a Consultation” goes to Calendly Enterprise, but “Contact Us” goes to a WordPress form that emails the office Gmail, the second one is the actual breach. The five website-side violations we find on almost every audit include the email-routed form in the top three every time.
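The two gaps above (tracker scripts firing site-wide, and a contact form whose submissions leave the BAA perimeter) are what a page-level audit has to surface. Below is an added example, not code from the original post or from any vendor, that parses one page's HTML and labels every script, iframe and form against an allowlist of hosts the practice holds a signed BAA with; the tracker host list, the `baa_hosts` allowlist and the sample page are all assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Script hosts of the trackers the article names (Google Analytics/gtag, Meta Pixel); assumed list.
TRACKER_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com", "connect.facebook.net"}
TRACKER_CALLS = ("gtag(", "fbq(")  # markers of the same trackers' inline config snippets
class BaaAuditor(HTMLParser):
    # Labels each script, iframe and form: tracker, BAA-covered, no BAA, or needs routing review.
    def __init__(self, baa_hosts):
        super().__init__()
        self.baa_hosts, self.findings, self._in_script = set(baa_hosts), [], False

    def _label(self, kind, url):
        host = urlparse(url).hostname
        if host in TRACKER_HOSTS:
            self.findings.append(("tracker", url))
        elif host:  # None means same-origin, served under the site's own hosting BAA
            self.findings.append((kind + ("_covered" if host in self.baa_hosts else "_no_baa"), url))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self._label("script", a["src"])
        elif tag == "iframe" and a.get("src"):
            self._label("embed", a["src"])
        elif tag == "form":
            action = a.get("action") or "(same page)"
            if action.lower().startswith("mailto:"):
                self.findings.append(("form_to_email", action))  # PHI goes straight to a mailbox
            elif urlparse(action).hostname is None:
                # Posts to the site itself; a plugin may still e-mail it onward, which HTML can't show.
                self.findings.append(("form_review_routing", action))
            else:
                self._label("form", action)

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script and any(c in data for c in TRACKER_CALLS):
            self.findings.append(("tracker_inline", data.strip()[:30]))
def audit_page(html, baa_hosts):
    # Returns [(label, detail), ...] for one page; everything except *_covered needs action.
    p = BaaAuditor(baa_hosts)
    p.feed(html)
    return p.findings
# Constructed sample page: GA tag, inline Meta Pixel call, Calendly embed, two forms.
SAMPLE = ('<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>'
          '<script>fbq("init", "0000");</script><iframe src="https://calendly.com/example-clinic/consult"></iframe>'
          '<form action="mailto:frontdesk@example.com"></form><form action="/wp-admin/admin-ajax.php"></form>')
```

Running `audit_page(SAMPLE, {"calendly.com"})` reports the GA tag and the inline pixel as trackers, the Calendly embed as covered, and both forms for follow-up; a same-origin form is flagged for review rather than cleared because the e-mail routing the article describes happens server-side, out of the HTML's sight.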
What clinics usually do instead
A four-person front desk does the math on Calendly Enterprise, sees the seat minimums and the annual contract, and decides it’s not worth it. From there, two reasonable paths:
- Switch to a scheduler built for healthcare, where the BAA is on the standard plan instead of locked behind Enterprise. Jane App is the most common choice for PT and chiropractic clinics; NexHealth and Tebra come up more often on the dental side. Each has its own tradeoffs around UI, EHR integration, and price.
- Drop the third-party widget and run booking from the site itself, on infrastructure already under BAA. This is what we usually end up doing for general medical practices that don’t want their staff to relearn a new SaaS, and where the volume doesn’t justify the per-seat math of a healthcare-specific scheduler.
Either path closes the booking-widget gap. Neither closes the analytics, the cookie banner, the contact form behind it, or a fifteen-plugin WordPress install hosted on GoDaddy. That part is its own engagement, and it’s why we treat the site as one surface, not as a list of separate widgets.
Where we fit in
We’re not a scheduling tool. We run the website and the infrastructure underneath it: HIPAA-friendly hosting with a signed BAA, monthly tracker audits, vendor BAA tracking, the parts no one wants to think about. When a plugin update silently re-enables a tracker (this happens routinely after WordPress core upgrades), or a vendor quietly changes its terms, we catch it before the next OCR letter does.
Most of the job isn’t building. It’s owning the legal surface of a website so the practice doesn’t have to keep an eye on it.
Run a free HIPAA scan on your site →
It checks every form, every embedded third-party tool, and every tracker on the site, and tells you which ones are covered by a BAA and which aren’t. Takes about a minute. No email required.
General information, not legal advice. For specific exposure on your practice, talk to a HIPAA attorney.