
HIPAA-Compliant Scheduling Software for Therapists in 2026


Online booking is one of those conveniences that quietly became standard in private practice. A client clicks a link, picks a slot, and the appointment lands on your calendar. No phone tag, no email back-and-forth.

The catch is that almost nobody chose their scheduling tool with HIPAA in mind. They picked the one a colleague recommended, or the one that looked cleanest, and started taking bookings. And a scheduling tool holds a surprising amount of protected information — names, contact details, the fact that someone is seeing a therapist, sometimes the reason for the visit. This guide covers what makes a scheduler compliant and how the popular options actually stack up.

Why your scheduler is a HIPAA matter at all

It's tempting to think of scheduling as administrative — just times on a calendar, not "real" health data. That's the mistake.

A booking record connects a named person to your practice. When your practice is mental health care, that connection is itself Protected Health Information (PHI). Add in a phone number, an email, an intake reason, or a "what brings you in today?" field, and the record is unambiguously PHI.

So the scheduling vendor is storing and processing protected information on your behalf. Under the Security Rule, that makes them a business associate, and a business associate must sign a Business Associate Agreement (BAA) with you (§164.308(b) and §164.502(e)). A scheduler with no BAA available is not a compliant option, no matter how polished it looks.

What makes a scheduling tool actually compliant

Four things have to be true. Use this as your checklist for any tool, not just the ones below.

1. A signed BAA is available — and you've signed it. This is non-negotiable. Many mainstream scheduling tools either don't offer a BAA at all, or only offer it on specific paid tiers. Being a paying customer is not the same as having signed the BAA.

2. Encryption in transit and at rest. TLS for data moving between browser and server, and encryption for data sitting in the database. This supports the technical safeguards under §164.312.

3. Access controls and unique logins. Multi-factor authentication on your account, no shared logins, and ideally role-based permissions if anyone else helps with your calendar.

4. Audit logging. The ability to see who accessed or changed booking records supports the audit-control requirement under §164.312(b) and matters a great deal in an investigation.

A tool can be beautifully designed, widely used, and still fail the very first test. The BAA is where most scheduling tools quietly fall down.

Calendly

Calendly is probably the most widely used standalone scheduler, and the most common source of accidental non-compliance among therapists — because the free and entry tiers are the ones everybody starts on.

BAA: Calendly does offer a BAA, but only on higher-tier plans — historically its enterprise-level offering rather than the free or low-cost individual plans. If you're on the free plan or a basic paid plan, you almost certainly do not have a BAA in place, which means it is not compliant for client booking. Before relying on Calendly, confirm in writing that your specific plan includes the BAA and that you've executed it.

Encryption and controls: Calendly uses TLS in transit and encrypts data at rest, supports single sign-on and MFA on business tiers, and offers admin controls on its higher plans. The technical safeguards are reasonable once you're on a tier that qualifies.

What to watch for: The default Calendly experience encourages collecting a name and email at minimum, and many therapists add custom questions. On a non-BAA tier, every one of those bookings is PHI sitting with a vendor you have no agreement with. The fix is to either upgrade to a BAA-eligible plan and sign the agreement, or use a different tool.

Acuity Scheduling (Squarespace)

Acuity is the other standalone scheduler therapists reach for, now owned by Squarespace.

BAA: Acuity has historically made a BAA available, generally tied to its higher-tier plans rather than the cheapest one. Because it sits under Squarespace, you should confirm the current BAA process directly and get the executed agreement in hand — don't assume your tier qualifies.

Encryption and controls: TLS in transit, encryption at rest, and standard account security. Acuity supports intake forms and questionnaires natively, which is convenient and also exactly why the BAA matters so much here.

What to watch for: Acuity's intake-form feature makes it easy to collect detailed clinical information at the point of booking — symptoms, reason for visit, insurance details. That's all PHI. If you use those forms, you must be on a BAA-covered plan with the agreement signed. Also review your appointment-reminder text, which Acuity sends by email and SMS by default (see the reminders section below).

Jane App

Jane App is a full practice-management platform with scheduling built in, popular across therapy and allied health.

BAA: Jane offers a BAA to US customers as part of being a healthcare-focused platform. Because scheduling is part of the broader clinical system rather than a bolt-on, the booking data lives inside the same compliant environment as the rest of your records.

Encryption and controls: Modern TLS in transit, AES-256 at rest, MFA support, role-based permissions, and activity logging. As a platform built for healthcare, the compliance posture is designed in rather than added later.

What to watch for: Jane is more than a scheduler, so it's more to learn and costs more than a standalone booking link. But for a therapist who wants scheduling, charting, and billing in one compliant system, the integration is the point — there's no separate scheduling vendor to vet or separate BAA to chase.

SimplePractice built-in scheduling

SimplePractice is the most widely used EHR among solo therapists, and its scheduling is part of the platform.

BAA: SimplePractice provides a BAA, accepted as part of account setup, and it covers the scheduling features along with the rest of the platform. This is one of the simplest BAA situations of any option here — there's no separate tier to reach or document to chase down.

Encryption and controls: TLS in transit, AES-256 at rest, MFA, configurable session timeout, and role-based access on higher tiers. The client-booking widget and client portal sit inside the same compliant environment as your notes and billing.

What to watch for: The convenience of an integrated client portal is real, but you still need to think about what your public booking page and your reminders reveal. SimplePractice gives you control over reminder content and booking-page visibility — use it. The portal approach, where clients log in to book and message, is generally the most protective pattern available.

IntakeQ / IntakeID

IntakeQ (with its practice-management companion sometimes branded IntakeID) is built around intake forms and scheduling for healthcare practices.

BAA: IntakeQ markets itself as HIPAA-focused and provides a BAA as part of its offering. Because intake forms are its core feature — and intake forms are dense with PHI — the BAA is central to how the product is positioned.

Encryption and controls: TLS in transit, encryption at rest, MFA, and access controls appropriate to a healthcare platform. Audit and activity logging are available.

What to watch for: The strength of IntakeQ is also its risk surface — it's designed to collect a lot of detailed client information up front. Make sure the BAA is signed before you publish a single intake or booking link, and apply the minimum-necessary principle (§164.502(b)) to your forms: only ask for what you actually need to begin care.

Side-by-side at a glance

| Tool | BAA available | Notes on BAA | Built for healthcare |
|------|---------------|--------------|----------------------|
| Calendly | Yes, higher tiers only | Confirm your plan qualifies; free/basic do not | No (general scheduler) |
| Acuity (Squarespace) | Yes, higher tiers | Confirm tier and execute the agreement | No (general scheduler) |
| Jane App | Yes (US) | Part of the full platform | Yes |
| SimplePractice | Yes | Accepted at setup, covers scheduling | Yes |
| IntakeQ | Yes | Core to the product | Yes |

The pattern is hard to miss: the general-purpose schedulers gate the BAA behind their priciest tiers, while the healthcare-built platforms include it as standard. If you're using a general tool, the burden is on you to confirm and sign — assuming you have a BAA because you pay for the tool is a classic gap.

The two traps that catch even compliant practices

Picking a tool with a BAA solves the vendor problem. It does not solve these two, which are about how you configure and use the tool.

Appointment reminders that contain PHI

Automated reminders are wonderful for reducing no-shows, and they are also a frequent source of leaks. A reminder that says "Reminder: your therapy appointment with Dr. Lee tomorrow at 4pm" sent by SMS or to a shared family email address exposes the very relationship HIPAA protects.

Tighten reminder content to the minimum. "You have an appointment tomorrow at 4pm" — no provider type, no service description — is usually enough to be useful while revealing far less. And remember that SMS reminders generally travel over the carrier network unencrypted; keep them deliberately sparse, and confirm clients consent to text reminders.
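To make that minimization rule checkable before a template goes live, here is an added example (not code from the article or from any scheduler named in it) that lints a reminder template. It assumes a `{placeholder}` template syntax and uses a constructed, non-exhaustive list of terms that reveal provider type or service.

```python
import re

# Placeholders a minimal reminder may contain (assumed template syntax).
ALLOWED_PLACEHOLDERS = {"date", "time"}

# Terms that reveal provider type or service; a constructed starting list
# for a therapy practice, to be extended for your own services.
REVEALING_TERMS = [
    r"\btherap(y|ist)\b", r"\bcounsel(ing|or)\b", r"\bpsych\w*\b",
    r"\bsession\b", r"\bdr\b\.?", r"\bintake\b", r"\bdiagnos\w*\b",
    r"\bmental\s+health\b", r"\b(anxiety|depression|trauma)\b",
]

SMS_MAX_CHARS = 160  # one SMS segment; keeps text reminders deliberately sparse


def check_reminder(template: str, channel: str = "email") -> list[str]:
    """Return the problems found in a reminder template; empty list means OK.

    Flags wording that reveals the clinical relationship, placeholders that
    merge-in non-minimal data (client or provider names, service type), and
    over-long SMS templates.
    """
    problems: list[str] = []
    text = template.lower()
    for pattern in REVEALING_TERMS:
        if re.search(pattern, text):
            problems.append(f"reveals provider/service detail: /{pattern}/")
    for name in re.findall(r"\{(\w+)\}", template):
        if name not in ALLOWED_PLACEHOLDERS:
            problems.append(f"placeholder {{{name}}} inserts non-minimal data")
    if channel == "sms" and len(template) > SMS_MAX_CHARS:
        problems.append("SMS template exceeds one segment; trim content")
    return problems


if __name__ == "__main__":
    # Constructed templates: the leaky one from the article and a minimal one.
    for tpl in ("Reminder: your therapy appointment with Dr. Lee tomorrow at 4pm",
                "You have an appointment {date} at {time}."):
        print(repr(tpl), "->", check_reminder(tpl, channel="sms") or "OK")
```

Run it against every template in your scheduler's reminder settings, including the SMS and email variants separately, since they often have different defaults.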

Public booking pages that expose names

Some scheduling tools, by default, show existing bookings, display a client's name once a slot is selected, or let one client glimpse that a time is "taken by Sarah M." Public-facing booking pages can leak more than you'd expect. Before you publish a booking link, book a test appointment as if you were a stranger and see exactly what is visible. Turn off any setting that shows other clients' information, and prefer a portal-login model over a fully open public page when the tool offers it.

What the OCR record teaches

Enforcement in solo and small practices rarely starts with a dramatic hack. It starts with a complaint, a misdirected message, or a vendor relationship nobody papered. OCR has repeatedly settled cases with small providers where the core failure was a missing or incomplete Business Associate Agreement and the absence of a current risk analysis — not exotic attacks.

A scheduler with no BAA is exactly the kind of unaddressed business-associate relationship that turns an ordinary complaint into a finding. The fix is unglamorous and cheap compared to the alternative: sign the BAA, document it, and keep it with your other vendor agreements.

Putting it together

A compliant scheduling setup is four things: a signed BAA, encryption, controlled access, and audit logging — plus careful configuration of reminders and public booking pages. The healthcare-built platforms (Jane, SimplePractice, IntakeQ) make the BAA easy and bake scheduling into a compliant whole. The general tools (Calendly, Acuity) can work, but only on the right tier with the agreement actually signed.

Whichever you choose, your scheduler is one business associate among many. The EHR, the email provider, the telehealth platform, the billing service — each needs its own BAA and its own review. A compliant booking link is a real step, not the finish line.

Take the next step

Not sure where your practice stands? Yundra's free HIPAA risk assessment takes 25 minutes and gives you a clear compliance score with specific gaps identified. No credit card required.
