Is Calendly HIPAA compliant?
No. Calendly does not sign a BAA on any plan and its terms prohibit using the platform to collect, store, or transmit PHI.
Key facts
- BAA available: No — vendor will not sign a BAA
- Official source: HIPAA Journal — Is Calendly HIPAA Compliant? — https://www.hipaajournal.com/calendly-hipaa-compliant/ (verified 2026-06)
What to do instead of Calendly
- Do not collect any PHI in Calendly booking forms, event names, or questions (e.g., reason for visit, symptoms, conditions).
- Limit Calendly to non-PHI scheduling such as hiring interviews, vendor meetings, or general inquiry calls.
- For patient scheduling involving PHI, use a HIPAA-friendly scheduler that signs a BAA.
- Strip intake questions that could capture health details and move them to a BAA-covered system.
Important caveats
- Calendly cites reliance on sub-processors that do not support HIPAA as the reason it will not sign a BAA, including for Enterprise.
- Enterprise adds admin controls/SSO but does NOT add a BAA, so it is still unsuitable for PHI.
- Confirm directly with the vendor before any PHI use, as scheduling metadata can itself be PHI.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA from a vendor, you remain responsible for configuring the tool correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Calendly.
Frequently asked questions
Does Calendly sign a BAA?
No. Calendly does not sign a Business Associate Agreement, so it should not be used to create, receive, store, or transmit protected health information (PHI).
Is Calendly HIPAA compliant out of the box?
No. Calendly does not sign a BAA, and no software is "HIPAA compliant" by itself. Even when a vendor offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Calendly with PHI?
Calendly cites reliance on sub-processors that do not support HIPAA as the reason it will not sign a BAA, including for Enterprise.