HIPAA-Compliant Scheduling for Healthcare Teams: What You Need to Know


Schedulee Team

Co-founder, Schedulee

·8 min read

TL;DR: Healthcare scheduling tools handle PHI (patient names, appointment reasons, contact info) and must meet HIPAA requirements: AES-256 encryption at rest, TLS 1.2+ in transit, audit logging, role-based access controls, and a signed BAA. Schedulee is built on HIPAA-eligible AWS infrastructure with flat-rate pricing — a 20-person clinic pays $69/mo vs. $320/mo on per-seat alternatives.


If you run a healthcare practice, clinic, or telehealth service, your scheduling tool touches patient data. Names, email addresses, phone numbers, appointment reasons, and sometimes insurance details all flow through booking forms and calendar events. Under HIPAA, that's Protected Health Information (PHI) — and it needs to be handled accordingly.

Most scheduling tools weren't built for this. Schedulee was.


Why does healthcare scheduling need HIPAA compliance?

Every patient booking contains PHI. A calendar event titled "Jane Doe — Initial Psychiatric Evaluation" links an identifiable person to a healthcare service. That's PHI under the HIPAA Privacy Rule, and it requires administrative, physical, and technical safeguards.

Here's where PHI shows up in a typical scheduling workflow:

  • Booking forms: Patient name, email, phone number, reason for visit
  • Calendar events: Appointment titles, descriptions, attendee lists
  • Confirmation emails: Date, time, provider name, meeting links
  • Video conferencing links: Session recordings, chat logs
  • Internal notes: Staff annotations on bookings

A breach of any of these can trigger HIPAA violations with fines up to approximately $2 million per incident (amounts adjusted annually for inflation).


What makes a scheduling tool HIPAA-compliant?

HIPAA compliance isn't a checkbox — it's a set of technical and administrative requirements. Here's what to look for:

Encryption at rest (AES-256)

All stored data — database records, file attachments, backups — must be encrypted with AES-256 or equivalent. If someone gains physical access to a server or disk, the data should be unreadable without the encryption key.

Encryption in transit (TLS 1.2+)

Every network connection — browser to server, server to database, API to API — must use TLS 1.2 or higher. This stops anyone from eavesdropping on data as it moves between systems.

Audit logging

HIPAA requires covered entities to track who accessed what data and when. Your scheduling tool should log authentication events, booking access, data changes, and admin actions with timestamps and user identifiers.

Access controls

Role-based access means only authorized staff can view or modify patient scheduling data. A front-desk coordinator shouldn't have the same permissions as a practice administrator.

Business Associate Agreement (BAA)

Any vendor that handles PHI on your behalf must sign a BAA. This contract spells out their HIPAA obligations and makes them legally accountable for protecting your patient data.


How does Schedulee handle HIPAA compliance?

Schedulee runs on HIPAA-eligible AWS infrastructure with security controls at every layer.

AWS KMS encryption

Data at rest in AWS-hosted services is encrypted with customer-managed AWS KMS keys using AES-256. This covers:

  • SQS job queues (KMS-encrypted messages)
  • CloudWatch logs (KMS-encrypted with 1-year retention)
  • Secrets Manager entries (KMS-encrypted credentials)

A customer-managed KMS key with automatic rotation encrypts AWS-hosted data. The database (Neon PostgreSQL) provides its own encryption at rest — data is encrypted on disk by the hosting provider.

TLS everywhere

All connections use TLS 1.2+:

  • Browser to API (HTTPS enforced via API Gateway)
  • API to database (SSL required by Neon PostgreSQL)
  • OAuth token exchange with Google/Outlook (HTTPS)
  • Email delivery via AWS SES (TLS)

Audit logging for workspace admins

Database audit logging captures all connection events, disconnections, and SQL statements. CloudWatch logs are encrypted and retained for one year per HIPAA requirements. Every API request is logged with timestamps, user context, and action details.

Encrypted OAuth tokens

When you connect Google Calendar or Outlook, your OAuth tokens are encrypted with AES-256-GCM before storage. Tokens are decrypted only at runtime for calendar sync and re-encrypted after refresh. No credentials sit in plain text.

Role-based access controls

Schedulee's multi-tenant workspace model enforces access at three levels:

  • Workspace owners manage team members, meeting types, and integrations
  • Team members see only their own bookings and schedules
  • Public booking pages expose only available time slots — no internal data
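The three levels above, together with the "Access controls" section earlier, come down to one policy decision per request: is this principal allowed this action on this record, within this workspace? The following is an added example, not Schedulee's code. The role names, action strings, booking fields and sample data are assumptions made for the example; the point it shows is that a member check must test both the tenant boundary and record ownership, and that the public view never returns the booking records themselves.

```javascript
// Added example (not Schedulee's code): role-based access decision for the
// owner / member / public levels, scoped to a workspace.
const ROLE_ACTIONS = {
  owner: new Set(['team.manage', 'meetingType.manage', 'integration.manage', 'booking.read', 'booking.update']),
  member: new Set(['booking.read', 'booking.update']),
  public: new Set(['slots.read']),
};

// principal: { role, userId, workspaceId }
// booking:   { id, workspaceId, hostId, start, ... }  (only needed for booking.* actions)
function can(principal, action, booking) {
  const allowed = ROLE_ACTIONS[principal.role];
  if (!allowed || !allowed.has(action)) return false;
  if (action.startsWith('booking.')) {
    if (!booking || booking.workspaceId !== principal.workspaceId) return false; // tenant boundary
    if (principal.role === 'member' && booking.hostId !== principal.userId) return false; // own bookings only
  }
  return true;
}

// Public booking page: return free slots only; names, reasons and attendees never leave the server.
function publicView(bookings, slots) {
  const taken = new Set(bookings.map((b) => b.start));
  return slots.filter((s) => !taken.has(s));
}

function demo() {
  // Constructed sample data; patient fields are placeholders, not real PHI.
  const bookings = [
    { id: 'b_1', workspaceId: 'ws_clinic', hostId: 'u_drsmith', start: '2024-05-01T09:00', patient: 'constructed', reason: 'constructed' },
    { id: 'b_2', workspaceId: 'ws_clinic', hostId: 'u_drjones', start: '2024-05-01T10:00', patient: 'constructed', reason: 'constructed' },
    { id: 'b_3', workspaceId: 'ws_other', hostId: 'u_drsmith', start: '2024-05-01T11:00', patient: 'constructed', reason: 'constructed' },
  ];
  const owner = { role: 'owner', userId: 'u_admin', workspaceId: 'ws_clinic' };
  const smith = { role: 'member', userId: 'u_drsmith', workspaceId: 'ws_clinic' };
  const visitor = { role: 'public', userId: null, workspaceId: 'ws_clinic' };
  const slots = ['2024-05-01T09:00', '2024-05-01T10:00', '2024-05-01T11:00'];

  return {
    ownerReadsAny: can(owner, 'booking.read', bookings[1]),
    memberReadsOwn: can(smith, 'booking.read', bookings[0]),
    memberReadsOther: can(smith, 'booking.read', bookings[1]),
    memberCrossTenant: can(smith, 'booking.read', bookings[2]), // same host id, other workspace
    memberManagesTeam: can(smith, 'team.manage'),
    visitorReadsBooking: can(visitor, 'booking.read', bookings[0]),
    visitorSlots: publicView(bookings.filter((b) => b.workspaceId === 'ws_clinic'), slots),
  };
}
```

The cross-tenant case (b_3) is the one most often missed: the host id matches, so a check on ownership alone would pass, and only the workspace comparison keeps the record out of reach.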

Resource tagging

All AWS resources are tagged with Compliance: HIPAA and DataClassification: PHI for audit and governance tracking.


What about third-party services?

Schedulee integrates with third-party services that handle parts of the scheduling workflow. These services have their own compliance policies, and healthcare organizations should sign BAAs with each provider separately.

Service            Purpose                     HIPAA Status
-----------------  --------------------------  ----------------------------------------------
AWS SES            Email delivery              HIPAA-eligible; AWS signs BAAs
Google Calendar    Calendar sync, Meet links   Google signs BAAs for Workspace customers
Microsoft Outlook  Calendar sync, Teams links  Microsoft signs BAAs for enterprise customers
Zoom               Video conferencing          Zoom signs BAAs on healthcare plans
Neon PostgreSQL    Database hosting            Contact Neon for BAA availability

Schedulee's job is to keep data encrypted and access-controlled while it flows through our platform. Once data reaches a third-party service (e.g., a calendar event synced to Google Calendar), that provider's compliance policies take over.

Recommendation: Before using any scheduling tool in a healthcare setting, confirm that every service in your stack — scheduling platform, email provider, calendar, and video conferencing — has a signed BAA in place.

For remote healthcare teams coordinating across locations, our remote team scheduling guide covers timezone and collaboration best practices.


How do other scheduling tools handle HIPAA?

Most scheduling tools don't address HIPAA at all. Here's what we found:

Tool                  HIPAA Mentioned?                   BAA Available?  Encryption Details Published?
--------------------  ---------------------------------  --------------  -----------------------------
Calendly              No                                 No public BAA   No
Cal.com               No                                 No public BAA   No
TidyCal               No                                 No public BAA   No
SavvyCal              No                                 No public BAA   No
Acuity (Squarespace)  Mentions HIPAA on enterprise plan  Limited         Minimal
Schedulee             Yes — built for it                 Contact us      Full documentation

This doesn't mean those tools are insecure. It means they weren't designed with healthcare compliance as a priority. If you're scheduling patient appointments, you need a tool that explicitly addresses HIPAA — not one where compliance is an afterthought.


What should healthcare teams look for in a scheduling tool?

When you're evaluating scheduling software for a healthcare practice, ask these questions:

  1. Is data encrypted at rest and in transit? Look for AES-256 and TLS 1.2+ specifically.
  2. Will the vendor sign a BAA? If they won't, you can't legally use them for PHI.
  3. Are audit logs available? You'll need them when compliance audits come around.
  4. How are OAuth tokens stored? Encrypted at rest, or plain text in a database?
  5. What happens to data when you cancel? Retention and deletion policies matter.
  6. Are third-party integrations covered? You need BAAs with every vendor in the chain.

How much does HIPAA-compliant scheduling cost?

Schedulee's pricing is flat-rate, not per-seat. For healthcare teams, that means predictable costs no matter how many providers, nurses, or coordinators need access:

  • Free: 1 user, unlimited bookings, AES-256 encryption included
  • Solo Pro: $5/mo for individual practitioners
  • Starter: $29/mo for up to 5 users (small practices)
  • Team: $69/mo for up to 20 users (clinics and group practices)

Compare that to per-seat pricing like Calendly at $16/user/month — a 20-person clinic would pay $320/mo for team features alone. Check each vendor's current pricing and HIPAA support before deciding. See our per-seat pricing breakdown for the full cost comparison.


Ready to switch to HIPAA-compliant scheduling?

Schedulee gives healthcare teams encryption, audit logging, and access controls without the per-seat pricing that makes enterprise compliance tools expensive.

Sign up free — no credit card required. Your first booking page is live in under 5 minutes. Want to protect provider focus time between patient appointments? Our guide on energy-based scheduling shows how to match appointment types to peak performance windows.


Frequently Asked Questions

What makes a scheduling tool HIPAA-compliant?

Five things, and you need all of them: AES-256 encryption at rest, TLS 1.2+ encryption in transit, audit logging of data access, role-based access controls, and a signed BAA. Drop any one and you can't legally handle PHI with that tool.

Does Schedulee sign a Business Associate Agreement (BAA)?

Schedulee runs on HIPAA-eligible AWS infrastructure and can work with healthcare organizations on BAA requirements. Reach out to support@schedulee.com to talk through your plan. And don't forget — you'll also need BAAs with your email provider, calendar service, and video platform.

Is patient scheduling data considered PHI under HIPAA?

Yes. Any booking that ties an identifiable person to a healthcare service counts as PHI. That means patient names, emails, phone numbers, appointment reasons, calendar event titles, confirmation emails, and staff notes on bookings. Fines for breaches can hit approximately $2 million per incident.

How much does HIPAA-compliant scheduling cost compared to Calendly?

Schedulee's Team plan is $69/month for up to 20 users, encryption included. Calendly charges $16/user/month for team features — that's $320/month for a 20-person team. For HIPAA-specific features, check each vendor's current plans since pricing and compliance offerings change.

Can I use Google Calendar with HIPAA-compliant scheduling?

Yes, with a caveat. Schedulee integrates with Google Calendar for busy-time checking and event creation, and all OAuth tokens are encrypted with AES-256-GCM before storage. But Google Calendar itself needs a separate BAA through Google Workspace. Make sure your Workspace plan supports HIPAA and sign a BAA with Google directly.
