Squarespace Scheduling is designed to allow you to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Other parts of the Squarespace platform, including contact form features like the Form Block, can't be used as part of a HIPAA compliant solution. To collect secure patient information online for areas outside of Scheduling, we recommend linking to an external, compliant service.
This guide covers how Scheduling handles Protected Health Information as the term is understood under United States law. If you’re not in the health field, this guide probably doesn’t apply to you.
Note: Scheduling is the only Squarespace feature currently designed to offer services consistent with HIPAA obligations. Your Business Associate Addendum (BAA) doesn't cover other Squarespace features. You shouldn't maintain or transmit Protected Health Information through Squarespace outside of Scheduling.
You can make your Scheduling account HIPAA-enabled on the Powerhouse Player plan.
Scheduling meets HIPAA Security Rule requirements
A qualified third-party information security consultant reviewed Scheduling. The consultant validated that Scheduling can meet the requirements of the HIPAA Security Rule. We're happy to provide more details about our HIPAA practices on request.
Make your account HIPAA-enabled
- Ensure you’re on the Powerhouse Player plan.
- In the Home Menu, click Scheduling.
- In the Scheduling panel, click Customize Appearance.
- Click Scheduling Page Options.
- Click the link at the top of the page to begin the process of entering into a BAA.
- Review the BAA and ensure that you understand your obligations.
- Enter into the BAA by submitting the necessary information and clicking Submit.
Your responsibilities for HIPAA
Enabling HIPAA-related features in Scheduling alone isn't enough to make you HIPAA compliant. You must also ensure your business practices and systems work with Scheduling to stay in compliance.
To use Scheduling in a way that complies with the HIPAA Security Rule, you must set up your account responsibly. In particular, you must decide carefully how much and what kind of electronic protected health information to include in, or exclude from, text and email messages, and you must enter into a Business Associate Addendum (BAA) with Squarespace.
A BAA governs the use and protection of Protected Health Information exchanged between a "covered entity" and a "business associate." In this situation, if you’re a covered entity pursuant to HIPAA, then Squarespace is a business associate to you. To learn more, visit the U.S. Department of Health and Human Services site.
- You must be on the Powerhouse Player plan to enable HIPAA-related services and enter into a BAA with Squarespace. On this plan we only enter into our standard BAA; custom BAAs are available on an Enterprise plan for an additional cost. To learn more about Enterprise plans, contact us.
- Ensure that you’ve made your Scheduling account HIPAA-enabled before maintaining or transmitting any Protected Health Information through your account.
- You must make each Scheduling account HIPAA-enabled. An account only becomes HIPAA-enabled when a separate BAA is entered into for that specific account.
- You are solely responsible for ensuring that the proper controls, settings, and limitations are in place to satisfy your needs and HIPAA compliance. Each organization controls and determines its own HIPAA compliance practices, including how to implement certain controls, de-identification, and the types of information exchanged between your organization, your clients, and Squarespace. Every organization is different and has different needs, and so we provide settings to help you meet your own compliance program.
More protections for HIPAA-enabled Scheduling accounts
All Scheduling accounts share most technical and security protections, but there are additional protections for HIPAA-enabled accounts:
- Your browser session times out after four hours, rather than several days.
- Email notifications we send you won’t include client form answers.
- Intake forms only accept file uploads from a local computer or device. Uploading from Google Docs and similar services is disabled.
- Clients can’t use their email address to redeem packages they’ve purchased. Instead, they must enter the randomly generated code they received or log into their client account.
- Calendar syncing with Office 365, Outlook.com, Live.com, Exchange, and iCloud isn't available. Before making your Scheduling account HIPAA-enabled, disable any syncing to those services.
Email and text notification controls and settings
- Email and text notifications may contain Protected Health Information (PHI) by default, including client names, email addresses, appointment types, and appointment dates and times. You're responsible for changing the information in messages by updating your notification settings.
- By default, confirmation and rescheduling messages sent to the client and to you contain a calendar file (ICS invite) as an attachment. This ICS invite contains the client's name, appointment type, and appointment time. To disable this feature, contact us.
- If you don’t disable email notifications, Scheduling will send you emails with the From and Reply-To fields showing the client’s name and email address.
- Clients can opt out of future communications by clicking Unsubscribe in emails or replying to a text message with STOP. When scheduling an appointment on a client's behalf, you can prevent notifications from being sent by omitting their email address or phone number in the appointment details.
Third-party integrations and HIPAA
Many third-party integrations don't support HIPAA. You can disable any or all of these integrations before making your Scheduling account HIPAA-enabled.
If you connect Scheduling to a third-party integration, such as Google Calendar or Stripe, it's your responsibility to determine whether the integration is acceptable for your business, to modify your use, settings, security, or the information you share as needed to meet your HIPAA compliance practices and obligations, and to enter into any new contractual agreements those practices and obligations require. Do all of this before using the third-party service.
Acuity and the Appointment Scheduling Block
If you're not using Squarespace Scheduling, but you are using the Appointment Scheduling Block to embed your scheduler from Acuity, you must still play a part in achieving HIPAA compliance in your Acuity account. To learn more, visit Acuity’s guide on HIPAA compliance.
The Appointment Scheduling Block embeds an Acuity scheduler on your Squarespace site in an iframe, which visitors use to book appointments. Visitors' appointment data goes directly to Acuity's servers and doesn't flow through Squarespace web hosting servers. Because the iframe is served from Acuity's domain rather than your site's, the browser's same-origin policy keeps the embedding page's scripts from reading what visitors enter into it, and HTTPS encryption protects the data in transit to Acuity from other websites and servers.