Is Calendly HIPAA Compliant? What Healthcare Practices Need to Know
Calendly is not HIPAA compliant, and no setting changes that. The vendor will not sign a Business Associate Agreement, which means Protected Health Information does not belong in Calendly at all. The practical work is making sure none has quietly ended up there.
Calendly is not HIPAA compliant and does not offer a Business Associate Agreement. Its Customer Terms explicitly state that customer data should not contain Protected Health Information, so PHI does not belong in Calendly.
Plan / requirement: No Calendly plan carries a BAA. There is no configuration that makes standard Calendly compliant for PHI.
Sources: Calendly Customer Terms and Conditions (no PHI); Calendly Platform Security and Compliance. Last verified 2026-06-14.
What HIPAA actually requires here
HIPAA does not certify software. It requires that any vendor handling Protected Health Information on your behalf sign a Business Associate Agreement and uphold the Security Rule safeguards. For Calendly, no such mechanism exists: Calendly does not sign a BAA, and its terms prohibit placing PHI in the platform.
The conditions that decide whether you are actually covered:
- Calendly's Customer Terms forbid storing PHI or HIPAA-regulated information.
- HIPAA-compliant scheduling requires a different tool, or middleware such as Keragon that connects Calendly through a compliant layer.
Where the vendor stops and you begin
The most expensive misunderstanding in healthcare practices is assuming a signed BAA finishes the job. It does not. Compliance is shared:
| Where responsibility sits |
|---|
| Because there is no BAA, keep PHI out of Calendly entirely. |
| Collect only non-PHI scheduling details (name, email, time) and gather clinical intake elsewhere. |
| Route any PHI intake through a scheduler or form tool that does sign a BAA. |
Configuring Calendly the right way
A defensible Calendly deployment in a healthcare practice comes down to a short, ordered checklist:
- Audit your Calendly event types and intake questions for any PHI fields.
- Remove questions that capture diagnoses, conditions, or clinical detail.
- Move clinical intake to a HIPAA-enabled scheduling or forms tool.
- If you must keep Calendly, place a compliant middleware layer between it and your records.
Mistakes that quietly void compliance
- Adding intake questions that ask patients to describe their condition.
- Assuming TLS encryption makes Calendly HIPAA compliant. Without a BAA it is not.
- Syncing Calendly bookings containing PHI into a downstream system.
Where Cobrix fits
Cobrix is a California MSP/MSSP that configures and monitors tools like Calendly for healthcare practices, then documents the controls so they survive an audit. The software gives you the BAA; the configuration, monitoring, and paper trail are what actually keep you compliant. That is the part we own.
Frequently asked questions
Is Calendly HIPAA compliant?
No. Calendly is not HIPAA compliant and does not offer a Business Associate Agreement. Its Customer Terms explicitly state that customer data should not contain Protected Health Information, so PHI does not belong in Calendly.
Will Calendly sign a Business Associate Agreement?
No. Calendly does not sign a BAA, and its terms prohibit placing PHI in the platform.
Can I store patient information in Calendly?
No. Without a BAA, any individually identifiable health information placed in the tool is a HIPAA exposure. Keep PHI out entirely.
Does a BAA alone make Calendly compliant?
No. HIPAA compliance follows a shared-responsibility model. The vendor secures the platform; your practice is responsible for configuration, access controls, and staff handling of PHI.