Is Calendly HIPAA Compliant?

Between December 2022 and mid-2024, the regulatory environment around healthcare technology shifted more than it had in the previous decade. The HHS Office for Civil Rights (OCR) published guidance on tracking technologies that spelled out when online activity counts as protected health information. The FTC brought a wave of enforcement actions against healthcare companies that shared patient data through routine marketing tools. OCR and the FTC sent joint warning letters to approximately 130 hospital systems and telehealth providers. Combined settlements crossed $193 million.

Every one of those cases involved tools that healthcare organizations considered safe: analytics platforms, advertising pixels, intake forms. None involved a data breach in the traditional sense. The pattern was always the same: a standard SaaS tool collected data that, in a healthcare context, became PHI.

That pattern raises an important question about scheduling tools. When a patient books an appointment through a third-party scheduling platform, what data is being collected, where does it go, and does the platform treat that data as protected health information?

The 2022 to 2024 Regulatory Shift and Scheduling Software

OCR's December 2022 guidance on tracking technologies clarified something that many healthcare organizations had overlooked. PHI is not limited to medical records, lab results, or insurance claims. When someone visits a healthcare website and their activity there reveals information about their health, that activity can constitute PHI. The guidance went as far as saying that an IP address combined with a visit to a specific provider's page may qualify, even on a page that requires no login. (A federal court vacated that unauthenticated-page portion of the guidance in June 2024; the rest of the guidance stands, and the FTC's authority does not depend on it.)

This guidance was aimed primarily at analytics and advertising pixels, but the principle extends to any third-party tool embedded on a healthcare website. Scheduling widgets are no exception. When a patient uses an embedded scheduling tool on a hospital's website to book a "dermatology consultation" or a "behavioral health intake," the scheduling platform is receiving health information alongside personal identifiers like name, email address, and IP address.

The FTC reinforced this interpretation through enforcement. In the BetterHelp case, the commission required the company to pay $7.8 million in consumer refunds after it shared mental health intake questionnaire responses with Facebook, Snapchat, Criteo, and Pinterest via tracking pixels. BetterHelp had used intake forms to collect information about users' mental health history. That form data, combined with user identifiers, flowed directly to advertising platforms. According to the FTC's complaint, a recent college graduate with no marketing training had been placed in charge of deciding what user data was uploaded to Facebook.

The Monument case reinforced the same lesson. Monument, an alcohol addiction telehealth platform, disclosed data of up to 84,000 users to ad platforms through tracking pixels. Custom event names like "Paid: Weekly Therapy" and "Paid: Med Management" revealed specific services. These event names, sent alongside email addresses and IP addresses to Meta, became the basis for an FTC ban on sharing health data for advertising.

Both cases involved form and intake data. The lesson for scheduling tools is direct: any platform that collects appointment types, custom intake fields, or service categories alongside personal identifiers is handling data that regulators have treated as protected.

How Calendly Collects and Processes Data

Calendly is a scheduling platform used by millions of professionals. It allows organizations to create booking pages where visitors select an appointment type, choose a time slot, and provide their contact information. In healthcare, organizations commonly use Calendly for patient scheduling, consultation bookings, and intake coordination.

Calendly collects several categories of data during the booking process:

  • Personal identifiers: Name, email address, phone number, and IP address

  • Appointment metadata: The type of appointment selected (which healthcare organizations often label by specialty or condition), date, time, and provider

  • Custom form fields: Calendly allows organizations to add intake questions to the booking flow. Healthcare organizations frequently use these for "reason for visit," "insurance provider," "referring physician," or symptom descriptions

  • Page context: The Calendly widget is embedded via JavaScript on the healthcare website and runs client-side, in the visitor's browser. The embed's URL carries the host page's domain, so Calendly learns which site the booking came from, and the widget's presence, its URL, and the events it emits are visible to every other script running on that page

The scheduling data itself inherently contains health context. When a patient books an "oncology consultation" or a "prenatal visit" through Calendly, they are disclosing health information through the act of scheduling. The appointment type, combined with the patient's name and email, meets the threshold that regulators have applied in enforcement actions.

Calendly's embed operates as client-side JavaScript. When a healthcare organization embeds the Calendly widget on its website, the widget loads in the visitor's browser and communicates directly with Calendly's servers. This is the same client-side architecture that has been at the center of every major healthcare tracking enforcement case.

The BAA Gap in Standard Calendly Plans

Under HIPAA, a vendor that creates, receives, maintains, or transmits protected health information on behalf of a covered entity is a business associate, and the covered entity must have a signed Business Associate Agreement with it before any PHI changes hands. A BAA is a contract in which the vendor accepts direct HIPAA obligations for safeguarding PHI, including breach notification, permitted uses and disclosures, and data handling.

Calendly does not sign BAAs for its standard plans. Its publicly available terms and privacy policy make no mention of HIPAA obligations for individual, professional, or team tier subscribers. This means that for the vast majority of Calendly users, including healthcare organizations on standard plans, nothing obligates Calendly to treat scheduling data as PHI. The liability sits with the covered entity: disclosing PHI to a vendor without a BAA is itself a HIPAA violation, regardless of how carefully the vendor happens to handle the data.

Calendly does offer a "Calendly for Enterprise" product that may support healthcare use cases with additional contractual protections. However, the availability of a BAA through this enterprise offering requires direct negotiation, and the specific terms and scope of coverage are not publicly documented. Healthcare organizations considering this path should evaluate the BAA carefully. Not all BAAs are equal. Some vendor agreements carve out certain categories of data, exclude information collected on unauthenticated pages, or limit liability in ways that create gaps in coverage.

Without a BAA, using Calendly on a healthcare website creates a structural compliance gap. The tool is receiving data that may constitute PHI, but neither party has a legal agreement governing how that data is protected, how breaches are reported, or what happens to the data when the relationship ends.

Why Client-Side Scheduling Widgets Create Risk

The architectural question matters as much as the legal one. Calendly's scheduling widget loads as third-party JavaScript in the visitor's browser. This means:

Data flows through a path you do not control. When a patient fills out a Calendly booking form embedded on your healthcare website, their data travels from their browser directly to Calendly's infrastructure. You can see what the widget transmits only by inspecting its network traffic, you have no control over what additional scripts or frames the widget loads, and you have no visibility into how the data is processed once it leaves the browser.

Third-party scripts share the page with the widget. Calendly's inline embed renders as a cross-origin frame, so a script on your page cannot read the form fields inside it directly. It can, however, read your page's URL (which often names the specialty), the embed's URL (which carries the event-type slug and any prefilled name or email), and the booking-progress messages the embed posts to the host page for integrations. If your healthcare website also runs analytics tools, advertising pixels, or session replay software on the same page, that is enough for a Meta Pixel or a replay tool to record that a named visitor booked a "dermatology consult". This is the same co-location of health-bearing form data and ad-platform scripts that led to enforcement in the BetterHelp and Monument cases.

Your compliance posture changes without your knowledge. When Calendly updates its widget code, your website's data collection behavior changes automatically. New tracking parameters, updated third-party integrations, or modified data collection practices can be introduced without any action on your part. You would have no way of knowing unless you were actively monitoring your website's tracking surface.

Server-side scheduling architectures remove the third-party data path. When scheduling data is collected by a first-party form and transmitted from your infrastructure to its destination, the browser never communicates with a third-party scheduling vendor, there is no vendor JavaScript to change underneath you, and you decide exactly which fields leave your systems. One caveat: this does not, by itself, protect the booking page from other scripts. An advertising pixel or session replay tool loaded on the same page can read a first-party form as readily as it can observe an embed, so the booking page still has to be kept clear of such scripts, or load them only after consent.

Building a Compliant Scheduling Workflow

Healthcare organizations that need scheduling functionality have several options for reducing compliance risk, whether they continue using Calendly or explore alternatives.

Audit What Calendly Is Actually Collecting

Start by mapping the data that flows through your Calendly integration. Review every appointment type name for health context. Examine every custom form field for PHI. Check whether your Calendly booking pages are embedded on pages that also run analytics or advertising scripts.

Evaluate Whether a BAA Is in Place

If you are using Calendly's standard plans, you almost certainly do not have a BAA. If you are on an enterprise plan, review the agreement to confirm it specifically covers the scheduling data you are collecting, including custom form fields and appointment type metadata.

Assess Your Website's Full Tracking Surface

The Calendly widget is one piece of a larger picture. A web scanner that crawls your site on an ongoing basis can detect every cookie, script, localStorage entry, and tracking pixel across every page, and flag which scripts belong to vendors without a BAA, which cookies are set by third parties, and which pixels send data to ad platforms. Without continuous scanning, you are relying on the hope that nobody on your team has introduced a non-compliant script since your last manual audit. Every enforcement case discussed above involved tracking that had been running for years before anyone noticed.
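The audit step above, and the earlier point about what a co-located script can learn from the Calendly embed, as an added example that is not Calendly's code or the page author's. It runs offline (Node.js) over a constructed booking-page snippet: it lists the page's third-party scripts, frames and image pixels, flags the ones that belong to known ad and analytics vendors, and then reads only what the embed's frame URL exposes to the host page, the event-type slug and any prefilled identifiers. The first-party domain, the tracker list, the health-term list and the sample HTML are illustrative assumptions; the prefill parameter names follow Calendly's public embed URL scheme as I understand it.

```javascript
// Added example, not Calendly's code or the page author's: a minimal
// tracking-surface audit of one booking page, run offline over a CONSTRUCTED
// HTML snippet. It lists every third-party script, frame and image pixel on
// the page, then shows what a co-located script can learn about the Calendly
// embed without reading inside the frame: the frame URL alone names the event
// type and may carry prefilled identifiers. Hostnames, the tracker list and the
// health-term list are illustrative assumptions.

const FIRST_PARTY = "clinic.example"; // assumed first-party domain

// Constructed list of hosts a practitioner would flag on a PHI-bearing page.
const KNOWN_TRACKERS = new Map([
  ["connect.facebook.net", "Meta Pixel"],
  ["www.facebook.com", "Meta Pixel (image beacon)"],
  ["www.googletagmanager.com", "Google Tag Manager"],
  ["www.google-analytics.com", "Google Analytics"],
]);

// Constructed terms that give an appointment-type slug health context.
const HEALTH_TERMS = ["oncology", "dermatology", "psychiatry", "behavioral",
  "prenatal", "therapy", "consult"];

// Constructed sample page: a clinic embeds Calendly inline on a page that also
// loads a tag manager, the Meta Pixel script and a Meta image beacon.
const SAMPLE_HTML = `
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/static/site.js"></script>
</head><body>
<h1>Book a dermatology consultation</h1>
<div class="calendly-inline-widget">
<iframe src="https://calendly.com/clinic-example/dermatology-consult?embed_domain=clinic.example&embed_type=Inline&name=Jane%20Doe&email=jane%40example.org"></iframe>
</div>
<img src="https://www.facebook.com/tr?id=123&ev=PageView&noscript=1" height="1" width="1">
<script src="https://assets.calendly.com/assets/external/widget.js" async></script>
</body></html>`;

// Pull every src="..." out of script, iframe and img tags. Relative URLs
// resolve against the first-party origin. A regex is enough for a flat
// snippet; a real crawler would render the page and read the live DOM.
function extractResources(html, firstParty = FIRST_PARTY) {
  const re = /<(script|iframe|img)\b[^>]*\bsrc=["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const url = new URL(m[2], `https://${firstParty}/`);
    out.push({ tag: m[1].toLowerCase(), url, host: url.hostname });
  }
  return out;
}

// What a script on the host page can learn about the Calendly embed without
// crossing the frame boundary: the frame's URL. The last path segment is the
// event-type slug; `name`, `email` and `a1`.. are the prefill keys of
// Calendly's embed URL scheme (assumption based on its public docs), in the clear.
function inspectCalendlyEmbed(resources) {
  const frame = resources.find(r => r.tag === "iframe" && r.host === "calendly.com");
  if (!frame) return null;
  const slug = frame.url.pathname.split("/").filter(Boolean).pop() || "";
  const prefill = {};
  for (const [k, v] of frame.url.searchParams) {
    if (k === "name" || k === "email" || /^a\d+$/.test(k)) prefill[k] = v;
  }
  const healthContext = HEALTH_TERMS.some(t => slug.toLowerCase().includes(t));
  return {
    slug,
    prefill,
    healthContext,
    // Identifier plus health-bearing appointment type is the combination the
    // enforcement actions above treated as protected.
    likelyPHI: healthContext && Object.keys(prefill).length > 0,
  };
}

function auditPage(html, firstParty = FIRST_PARTY) {
  const resources = extractResources(html, firstParty);
  const thirdParty = resources.filter(
    r => r.host !== firstParty && !r.host.endsWith(`.${firstParty}`));
  const trackers = thirdParty
    .filter(r => KNOWN_TRACKERS.has(r.host))
    .map(r => ({ tag: r.tag, host: r.host, vendor: KNOWN_TRACKERS.get(r.host) }));
  return {
    thirdPartyHosts: [...new Set(thirdParty.map(r => r.host))].sort(),
    trackers,
    calendly: inspectCalendlyEmbed(resources),
    // The finding that matters: a health-bearing booking frame sharing a page
    // with scripts that report to ad platforms.
    coLocatedRisk: trackers.length > 0 && resources.some(r => r.host === "calendly.com"),
  };
}

const report = auditPage(SAMPLE_HTML);
console.log(JSON.stringify(report, null, 2));
```

On the sample page the report names three tracker resources next to a `dermatology-consult` frame whose URL already carries a name and an email address, so the page is flagged even though nothing inside the frame was read. Run it against your own booking page's HTML to see the same view an ad pixel has of it.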

Consider Server-Side Alternatives

A server-side data architecture routes scheduling and form data through your own infrastructure before it reaches any third-party destination. This eliminates the client-side data path that creates exposure. When combined with consent-gated dispatch, where data only flows to destinations after consent is verified server-side, you gain control over what data goes where and under what conditions.
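The consent-gated dispatch described above, as an added example that is not the page author's or any vendor's code. It is the policy step a server-side scheduling backend would apply once a first-party booking has reached your own infrastructure: destinations covered by a BAA get the full record, destinations without a BAA never receive identifiers together with health context, and they receive a stripped, non-identifying event only if the matching consent is found in a server-side consent store. The destination names, field names, consent store and sample booking are constructed for illustration.

```javascript
// Added example, not the page author's or any vendor's code: the dispatch
// policy a server-side scheduling backend applies once a booking has reached
// your own infrastructure. Destination names, field names and the consent
// store are constructed for illustration. The rule implemented here: a
// destination covered by a BAA gets the full record; a destination without a
// BAA never receives identifiers together with health context, and receives a
// stripped, non-identifying event only if the matching consent was recorded
// server-side. Cookie-banner consent is not a HIPAA authorization, which is
// why consent alone never unlocks PHI for a non-BAA destination.

// Booking fields that carry health context once paired with an identifier.
const HEALTH_FIELDS = new Set(["appointmentType", "reasonForVisit", "referringPhysician", "insuranceProvider"]);
// Booking fields that identify the patient.
const IDENTIFIER_FIELDS = new Set(["name", "email", "phone", "ip"]);

// Constructed destinations. `baa: true` means a signed BAA covers this feed.
const DESTINATIONS = [
  { name: "scheduling-backend", baa: true },
  { name: "appointment-reminders", baa: true },
  { name: "ads-conversion-api", baa: false, requiresConsent: "marketing" },
  { name: "product-analytics", baa: false, requiresConsent: "analytics" },
];

// Constructed booking, as received by the server from a first-party form.
const BOOKING = {
  name: "Jane Doe",
  email: "jane@example.org",
  phone: "555-0100",
  ip: "203.0.113.7",
  appointmentType: "Dermatology consultation",
  reasonForVisit: "new mole, changing shape",
  slot: "2025-03-04T15:00:00Z",
};

// Constructed server-side consent store, keyed by a first-party consent id
// that the browser sends with the booking. The browser's claim is never
// trusted on its own; the server looks the record up.
const CONSENT_STORE = new Map([
  ["c-1", { marketing: false, analytics: true }],
  ["c-2", { marketing: true, analytics: true }],
]);

// True when a payload pairs at least one identifier with at least one
// health-context field: the combination this article treats as PHI.
function containsPHI(payload) {
  if (!payload) return false;
  const keys = Object.keys(payload);
  return keys.some(k => IDENTIFIER_FIELDS.has(k)) && keys.some(k => HEALTH_FIELDS.has(k));
}

// Decide what a single destination may receive, or null for nothing.
function payloadFor(dest, booking, consent) {
  if (dest.baa) return { ...booking }; // full record, governed by the BAA
  if (!consent || !consent[dest.requiresConsent]) return null; // no consent, no data
  // Non-BAA destination with consent: keep only fields that are neither
  // identifiers nor health context, as a bare conversion event.
  const minimal = { event: "booking_completed" };
  for (const [k, v] of Object.entries(booking)) {
    if (!IDENTIFIER_FIELDS.has(k) && !HEALTH_FIELDS.has(k)) minimal[k] = v;
  }
  return minimal;
}

// Build the per-destination dispatch plan and enforce the invariant that no
// non-BAA destination ever receives PHI, whatever the policy above decided.
function dispatch(booking, consentId, destinations = DESTINATIONS, store = CONSENT_STORE) {
  const consent = store.get(consentId) || null;
  const plan = {};
  for (const dest of destinations) {
    const payload = payloadFor(dest, booking, consent);
    if (!dest.baa && containsPHI(payload)) {
      throw new Error(`policy violation: PHI routed to ${dest.name} without a BAA`);
    }
    plan[dest.name] = payload;
  }
  return plan;
}

console.log(JSON.stringify(dispatch(BOOKING, "c-2"), null, 2));
```

The invariant check in `dispatch` is deliberately separate from the policy in `payloadFor`: if someone later loosens the field lists or adds a destination, the final gate still refuses to send an identifier and an appointment type together to anything that is not under a BAA.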

Require SOC 2 Type II with All Five Trust Services Criteria

Any vendor in your healthcare data pipeline should provide a SOC 2 Type II report covering all five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Most vendors' reports cover only Security. That confirms basic access controls and encryption but says nothing about how data is processed, whether it remains confidential, or how the vendor handles privacy obligations. A report against all five criteria means independent auditors verified that those controls operated over a review period rather than at a point in time. Keep in mind what SOC 2 is and is not: it is an attestation about the vendor's controls, not a HIPAA certification (there is no such thing), and it does not substitute for a BAA.

Five Questions to Ask Before Using Calendly in Healthcare

1. Does Calendly sign a BAA that covers my scheduling data? Not on standard plans. Calendly's individual, professional, and team tiers do not include BAA provisions. The enterprise product may support healthcare use cases, but the terms require direct negotiation and careful review.

2. Do my Calendly appointment types contain health information? If your appointment types include specialty names (cardiology, psychiatry, oncology) or condition references (anxiety consultation, chronic pain management), the appointment type itself constitutes health information when combined with a patient's name and email. Regulators have treated similar data combinations as PHI in enforcement actions.

3. Can other scripts on my website see data entered into the Calendly widget? Partly. The inline embed is a cross-origin frame, so a script on your page cannot read the fields inside it, but it can read your page's URL, the frame's URL (the event-type slug plus any prefilled name and email), and the booking-progress messages the embed posts to the host page. If you run analytics tools, advertising pixels, or session replay software on pages where Calendly is embedded, that is enough for those tools to record who booked which type of appointment.

4. How would I know if Calendly changed its data collection behavior? You likely would not, unless you are actively monitoring your website's tracking surface. Calendly's widget code updates independently of your website, so new data collection parameters or third-party integrations can appear without any change on your end. A Content-Security-Policy that allowlists the origins permitted to load scripts and frames on booking pages limits what such a change can pull in; ongoing website scanning is how you detect what it does pull in.

5. What happens to scheduling data if I stop using Calendly? Without a BAA, there is no contractual obligation governing data retention or deletion when the relationship ends. Review Calendly's privacy policy and data processing terms to understand their standard retention practices, and evaluate whether those practices meet your organization's obligations under HIPAA.

Where Scheduling Fits in the Compliance Stack

Scheduling tools are easy to overlook in a compliance audit. They feel transactional: a patient picks a time, confirms their information, shows up. But the data generated in that transaction, the combination of personal identifiers with appointment types and intake responses, is exactly the kind of data that has driven the $193 million in enforcement actions described above.

The consent and privacy landscape is moving in one direction. State privacy laws are expanding. Patient expectations around data handling are rising. The FTC has signaled that it will continue using the Health Breach Notification Rule against companies that share health data through routine technology tools.

Healthcare organizations that want to stay ahead of this curve need to evaluate every tool in their stack, including scheduling platforms, against the same compliance bar: a real BAA covering the full data pipeline, a SOC 2 Type II report covering all five Trust Services Criteria, a server-side architecture that removes the third-party client-side data path, and ongoing monitoring that catches changes before they become breaches.

If your organization is evaluating its scheduling workflow alongside the rest of its marketing and analytics stack, Ours Privacy provides a healthcare-grade CDP with server-side data collection, a web scanner for ongoing compliance monitoring, and BAA coverage across the full data pipeline. You can also explore our guide to HIPAA-compliant tools for a broader view of how different categories of marketing technology stack up, or read our assessments of related tools like HubSpot, Typeform, and Intercom.