Is Calendly HIPAA Compliant? Plans, the BAA, and What to Use Instead
Last updated: July 15, 2026
Is Calendly HIPAA compliant? On the plans most practices use, no. Calendly signs no Business Associate Agreement (BAA) on its Free, Standard, or Teams plans. Its terms of service go further: the platform should not be used to collect, store, or transmit protected health information (PHI). There is one path. Calendly offers a BAA to eligible Enterprise customers, with scope you confirm with your account representative. Everything below Enterprise is off-limits for patient scheduling, no matter how the form is set up. Practitioners ask this question constantly, and the confusion is fair, because a booking form feels harmless. Here is the plan-by-plan answer, why "it is encrypted" does not save it, and the scheduling setups that actually work. Disclosure up front: we sell the hosting side of the fix.
TL;DR: Quick answer
Calendly Free, Standard, and Teams plans include no BAA, and Calendly's terms prohibit PHI on the platform. Patient scheduling on those plans violates 45 CFR § 164.308(b).
Calendly Enterprise offers a BAA to eligible customers. It is not automatic. Confirm availability and scope in writing before any patient books.
Scheduling data becomes PHI fast: a name plus an appointment with a therapist or clinic reveals care-seeking, before any symptom field is added.
Calendly's encryption and AWS infrastructure do not change the answer. The BAA is the legal test, not the security.
The setups that work: an Enterprise BAA with PHI kept to a minimum, a scheduler that signs a BAA on your plan tier, or a booking and intake flow on your own BAA-covered hosting.
When does a booking become PHI?

Earlier than most schedulers assume. PHI is health information tied to an identifiable person under 45 CFR § 160.103, and context supplies the health information. A booking that says "Jane Doe, Tuesday 2pm, initial consultation" on a therapy practice's calendar links an identity to care-seeking. That alone is PHI. Add the fields practices love, like reason for visit, symptoms, or insurance, and the form is collecting explicit health details. If the practice is a Covered Entity, the scheduling tool storing those bookings is handling PHI on its behalf. That makes the tool a Business Associate, and it must sign a BAA first. A wellness coach outside HIPAA may be fine on any scheduler; that boundary is covered in does HIPAA apply to coaches.
Is Calendly HIPAA compliant on your plan?

Plan | BAA available? | Patient scheduling? |
|---|---|---|
Free | No | No; terms prohibit PHI |
Standard | No | No; terms prohibit PHI |
Teams | No | No; terms prohibit PHI |
Enterprise | Conditional, for eligible customers | Yes, if the BAA is signed and PHI is kept minimal |
Two details matter on the Enterprise path. First, the BAA is offered, not automatic. Get it signed, read its scope before go-live, and keep the record. Second, the BAA covers Calendly's layer only. You still keep the form fields minimal, limit integrations that move booking data into uncovered tools, and put the whole flow in your risk analysis under 45 CFR § 164.308(a)(1)(ii)(A). As of early 2026 no public change to Calendly's position has been announced. Vendor terms change, so confirm the current answer with Calendly directly.
Why "it is encrypted and runs on AWS" does not make it compliant
This objection comes up in every community thread where someone asks is Calendly HIPAA compliant, and it misunderstands the test. Calendly has solid general security: encryption, SOC 2, and AWS infrastructure underneath. None of that substitutes for the contract. Under 45 CFR § 164.308(b), a vendor that stores PHI for you must sign a BAA. Without one, the arrangement fails on legal grounds before security is even evaluated. The same logic runs through the whole vendor landscape. AWS itself is eligible rather than automatically compliant, as we cover in is AWS HIPAA compliant. A tool built on compliant infrastructure inherits none of that status for your data unless it signs its own agreement. Security protects the data. The BAA assigns responsibility for it. You need both.
What to use instead: three setups that work

Calendly Enterprise with the BAA signed. Right for larger organizations already on Enterprise. Keep the form to name and contact, keep reason-for-visit fields off it, and audit the integrations.
A scheduler that signs a BAA at your tier. Acuity Scheduling supports HIPAA on Squarespace's top plans, with conditions we detail in is Squarespace HIPAA compliant. Several practice-management platforms also bundle compliant scheduling with their EHR. Get the BAA answer in writing at your actual plan level, not the vendor's top tier.
Own the booking flow. Run scheduling and intake on your own site, on BAA-covered hosting, with compliant forms. No third-party scheduler in the PHI path means one less vendor to verify every year. The form standards are in HIPAA compliant forms. The infrastructure is what we sell: BAA-covered environments from $79 per month self-managed or $229 managed, detailed in managed HIPAA hosting.
A hybrid also works. Keep Calendly for genuinely non-PHI bookings, like vendor calls or a wellness class open to anyone, and run patient scheduling through a covered path. The split has to be real, and the patient-facing link on your site must point at the covered one.
The trap: the Calendly form that grew a symptom field
Most scheduling violations are drift, not decisions. The practice set up Calendly for phone consults years ago. Then someone added "What brings you in?" to the booking form, because it made triage easier. From that day, identity plus health context flowed into a platform whose own terms prohibit it, with no BAA in sight. The 2026 penalty tiers start at $145 per violation, and the discovery usually happens during someone else's audit. Run this 60-second check today:
Who stores the booking? Name the tool and its plan tier, then name the BAA that covers it. No BAA, no patient bookings.
What does the form ask? Anything beyond name and contact details, like symptoms, reason for visit, or insurance, is explicit health information.
Where do notifications go? Booking alerts landing in a personal inbox carry the same PHI out of the covered path.
That check is step two of our full HIPAA website audit, which covers the rest of your site the same way.
If you want your booking flow checked or rebuilt
Tell us how patients book with you today and what your form collects. If Calendly Enterprise or a BAA-signing scheduler fits your setup, that is the answer you will get. If the cleaner fix is booking and intake on your own HIPAA compliant hosting, we build that, and our client-side compliance review documents what your current flow leaks. We sell those services, so weigh that as a disclosure.
Frequently asked questions
Is Calendly HIPAA compliant?
Not on the Free, Standard, or Teams plans, which include no BAA and whose terms prohibit PHI. Calendly Enterprise offers a BAA to eligible customers. With it signed and PHI kept minimal, patient scheduling can be done compliantly on that tier.
Does Calendly sign a BAA?
Only for eligible Enterprise customers, and it is not automatic. Confirm availability and scope with Calendly in writing before patient data touches the platform. All lower plans have no BAA path.
Can therapists use Calendly for client scheduling?
Only on Enterprise with a signed BAA, and even then with minimal form fields. On any other plan, a therapy booking links identity to care-seeking, which is PHI on a platform that prohibits it. Coaches and wellness providers outside HIPAA may use any scheduler.
What scheduling tools are HIPAA compliant?
Tools that sign a BAA at your plan level: Calendly Enterprise conditionally, Acuity Scheduling on qualifying Squarespace plans, and various practice-management platforms with built-in scheduling. The alternative is booking and intake forms on your own BAA-covered hosting.
Is a name and appointment time really PHI?
On a healthcare provider's calendar, usually yes. The appointment context reveals that an identified person is seeking care, which is health information under 45 CFR § 160.103. Symptom or reason-for-visit fields remove any doubt.
Recap: is Calendly HIPAA compliant?
To recap, is Calendly HIPAA compliant? No on Free, Standard, and Teams, where no BAA exists and the terms prohibit PHI. Conditionally yes on Enterprise, with the BAA signed, the form kept minimal, and the integrations audited. Encryption and AWS infrastructure do not change the answer, because the BAA is the test. The paths that work are the Enterprise BAA, a scheduler that signs at your tier, or a booking flow you own on BAA-covered hosting. Check your booking form's fields before someone else does.
This article is general information, not legal advice. Calendly's plans, terms, and BAA availability are as publicly described in early-to-mid 2026 and change; confirm current terms with Calendly directly, consult qualified counsel, and base your safeguards on a documented risk analysis. We sell HIPAA compliant hosting and compliance reviews. Reviewed July 2026.
Sources
Calendly: Terms of Use
HIPAA Journal: Is Calendly HIPAA compliant?
45 CFR § 160.103 (PHI and Business Associate definitions): ecfr.gov
45 CFR § 164.308 (administrative safeguards, BAA provisions): ecfr.gov