
Is Acuity HIPAA Compliant?

Acuity is HIPAA compliant for covered entities and business associates that subscribe to a HIPAA-enabled Powerhouse or Enterprise account, configure the account to support HIPAA compliance, and disable non-compliant integrations and services. Depending on whether and how payments are accepted via Acuity, it may also be necessary to change payment processors.

Acuity is a versatile online scheduling solution that was acquired by Squarespace in 2019. Acuity Scheduling can be used with – or independently of – Squarespace websites to schedule appointments, send automated text and email reminders, and process payments. It also integrates with many client engagement, video conferencing, and accounting solutions to increase productivity and efficiency.

When using Acuity to create, receive, store, or transmit personal information that is considered Protected Health Information (PHI) under HIPAA, it is necessary for Acuity to be HIPAA compliant. Acuity states it supports HIPAA compliance, but only under certain conditions. These conditions include subscribing to a Powerhouse or Enterprise account and making Acuity HIPAA compliant.

How to Make Acuity HIPAA Compliant

The way to make Acuity HIPAA compliant differs depending on whether an organization subscribes to a Powerhouse or an Enterprise account. Under a Powerhouse account, organizations must accept the terms of Acuity’s Business Associate Agreement, whereas under an Enterprise account, organizations can ask Acuity to agree to the terms of their own Business Associate Agreement.


To access the Acuity HIPAA compliant Business Associate Agreement, organizations must log into the software, navigate to “Customize Appearance” and select “Scheduling Page Options”. Clicking the link at the top of this page will open the Acuity Business Associate Agreement. Organizations subscribed to a Powerhouse plan must accept the Agreement before disclosing PHI to Acuity. Organizations subscribed to an Enterprise plan can either accept the Agreement or discuss alternatives with their Account Manager.

Thereafter, system administrators are required to configure the software’s settings to comply with the applicable standards of the HIPAA Security Rule (access controls, notification settings, etc.) and to disable any connected integrations and services that are not HIPAA compliant (for example, Squarespace Email Campaigns). Depending on the information it contains, it may also be necessary to disable the ICS invite file that is attached to confirmation and rescheduling messages.

The Issue Relating to Payment Processors

In addition to making Acuity HIPAA compliant, covered entities and business associates may have to change payment processors if they configure the software to accept online payments directly from clients. Acuity offers a choice of three payment processors – Square, PayPal, and Stripe. Square is HIPAA compliant subject to certain conditions. PayPal and Stripe are not HIPAA compliant.

Although payment processing activities are exempt from HIPAA compliance, covered entities and business associates cannot use secondary business services offered by non-compliant payment processors (for example, invoicing and reporting tools) if PHI is disclosed to those services. For this reason, Acuity’s invoices feature is disabled in HIPAA-enabled accounts.

Consequently, if using a payment processing service offered by Acuity for more than just payment processing, it will be necessary to subscribe to a Square account and agree to the terms of Square’s Business Associate Agreement. (Note: Agreement with Square’s Business Associate Agreement is automatic when customers subscribe to the Square service. No signature is required).

Integrations with Other Third Party Services

It will also be necessary to enter into HIPAA Business Associate Agreements with any other third party services to which PHI will be disclosed via Acuity. For example, if integrating Zoom to provide video conferencing services or Constant Contact to support marketing activities, it will be necessary to enter into Business Associate Agreements with these providers.

While this can create extra administration for smaller covered entities and business associates, in many cases some of these third party services will already be in use. It is not necessary to enter into additional Business Associate Agreements with (for example) Zoom to integrate Zoom into Acuity if a Business Associate Agreement with Zoom already exists. Organizations with further questions about Business Associate Agreements are advised to refer to this article or seek independent compliance advice.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
