Key Takeaways
- No scheduling tool is "HIPAA compliant" on its own. Software can only support your compliance, per the HIPAA Journal. The deciding factor is whether the vendor signs a Business Associate Agreement (BAA) and lets you configure it to protect patient data.
- The BAA is the line that matters, and it is usually gated behind a higher plan. SimplePractice and Cal.com sign one; Acuity signs one only on its top tier; Setmore, TimeTap, and Jotform sign one on specific plans.
- Calendly is not HIPAA compliant on Free, Standard, or Teams, and its terms prohibit storing patient data. A BAA may be available only to eligible Enterprise customers, so confirm with their sales team before using it for anything clinical.
- If your practice operates in or serves the EU, GDPR data residency is a separate path worth weighing. meetergo is a strong fit for data-protection-focused European scheduling, though it is a GDPR product and does not offer a US HIPAA BAA.
Most "best HIPAA scheduling software" lists skip the one fact that decides everything: a scheduling app, by itself, cannot be HIPAA compliant. HIPAA is a US federal framework that applies to covered entities and the business associates they contract with, and the HIPAA Journal is blunt that even the best patient scheduling software can only support your compliance, never guarantee it. What you are actually shopping for is a vendor that signs a BAA, encrypts protected health information (PHI), keeps audit logs, and gives you the controls to keep PHI out of plain-text reminders. This comparison covers seven tools through that lens, flags exactly which plan unlocks a BAA, and answers the question therapists and clinic admins ask most: is Calendly HIPAA compliant, and if not, what is.
HIPAA-Compliant Scheduling Software at a Glance
The table below maps each tool to the single most important question for a healthcare buyer: does the vendor sign a BAA, and on which plan? Pricing reflects the lowest plan where a BAA becomes available, since that is the real cost of entry for a regulated practice.
| Tool | Signs a BAA? | BAA available from | Best for |
|---|---|---|---|
| SimplePractice | Yes | Starter ($49/mo) | Solo therapists and mental-health practices wanting EHR plus scheduling |
| Acuity Scheduling | Yes | Premium ($49/mo yearly) | Service-based clinics already on Squarespace |
| Cal.com | Yes | Organizations (15+ users) or $300/mo add-on | Developer-led clinics needing an open-source, API-first scheduler |
| TimeTap | Yes | Business tier | Multi-location, multi-staff regulated organizations |
| Setmore | Yes | Pro tier | Small practices wanting a low-cost booking page |
| Jotform | Yes | Gold ($99/mo yearly) | Practices that need HIPAA intake forms with light scheduling |
| Calendly | Enterprise only (verify) | Enterprise (confirm with sales) | General B2B scheduling, not clinical PHI use |
| meetergo | No (GDPR, not HIPAA) | n/a | EU-facing, data-protection-focused practices |
A quick note on reading this table. The "best for" column is doing real work. A solo therapist and a 40-provider clinic are not shopping for the same product, and a tool that is perfect for one is overkill or underpowered for the other. The sections below go deeper on each, starting with what "HIPAA-ready" actually requires so you can judge any vendor, including ones not on this list.
What Makes a Scheduling Tool HIPAA Compliant?
Here is the part most buyers get wrong. You cannot buy your way to HIPAA compliance with a checkbox on a pricing page. Compliance is a property of your practice, including your staff training, your configuration choices, and the contracts you sign. The software is one input. The HIPAA Journal puts it plainly: no software of any type is HIPAA compliant, and the organization using it carries the responsibility.
That said, a scheduler either gives you the building blocks or it doesn't. Look for these five:
- A signed Business Associate Agreement (BAA). This is the contract that makes the vendor legally accountable for the PHI it handles on your behalf. Without it, using the tool for patient data is a violation regardless of how secure the product is.
- Encryption of PHI in transit and at rest. Patient names, appointment reasons, and contact details all count as PHI when tied to a healthcare context.
- Audit logging and access monitoring. You need a record of who viewed or changed an appointment, which is also what an auditor will ask for.
- Access controls. Role-based permissions so front-desk staff, clinicians, and admins see only what they should.
- Configurable notifications. The ability to strip PHI out of SMS and email reminders, because the default "Your 2pm with Dr. Lee for anxiety counseling" reminder leaks PHI to whoever sees the phone screen.
Google's AI Overview for this topic lands in the same place, listing encryption, audit logs, and a signed BAA as the essentials, and reminding readers that even with compliant software it is the provider's job to configure notifications and lock down third-party integrations like a synced Google Calendar.
The compliance gap that is easiest to create yourself is the reminder text. Out of the box, most schedulers send a reminder that names the provider and the reason for the visit, which becomes PHI the moment it lights up a patient's lock screen. Every tool here lets you strip that back to a time and a place, but none ship that way, so the compliant reminder is something you configure, not something you switch on.
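The reminder check described above, as an added example that is not part of the original article or any vendor's code: a small Python linter that flags reminder templates carrying anything beyond a date, a time, and a place. The `{field}` syntax, the placeholder names, and the sample record are assumptions; each scheduler has its own template variables, which you would map onto the allowlist.

```python
from string import Formatter

# Assumption: templates use Python-style {placeholder} fields. Only fields
# that describe when and where may appear in an SMS or email reminder.
ALLOWED_FIELDS = {"date", "time", "location"}

# Constructed sample data for illustration only.
SAMPLE_APPOINTMENT = {
    "date": "Tue 3 June",
    "time": "2:00 pm",
    "location": "Suite 4, 10 Main St",
    "patient_name": "Jane Roe",
    "provider_name": "Dr. Lee",
    "appointment_type": "anxiety counseling",
}
DEFAULT_TEMPLATE = "Your {time} with {provider_name} for {appointment_type}"
GENERIC_TEMPLATE = "Reminder: you have an appointment on {date} at {time}, {location}."


def lint_template(template, sensitive_terms=()):
    """Return a list of findings; an empty list means the template is generic."""
    try:
        parsed = list(Formatter().parse(template))
    except ValueError as exc:  # unbalanced braces: do not send what we cannot inspect
        return [f"unparseable template: {exc}"]

    findings = []
    literal_parts = []
    for literal, field, _spec, _conversion in parsed:
        literal_parts.append(literal)
        if field is not None and field not in ALLOWED_FIELDS:
            findings.append(f"placeholder {{{field}}} is not on the allowlist")

    # Hard-coded wording can leak as much as a placeholder, so also scan the
    # literal text for terms the practice supplies (service or provider names).
    lowered = "".join(literal_parts).lower()
    for term in sensitive_terms:
        if term.lower() in lowered:
            findings.append(f"literal text contains sensitive term {term!r}")
    return findings


def render_reminder(template, appointment):
    """Render a reminder only if the template passes the lint."""
    findings = lint_template(template)
    if findings:
        raise ValueError("; ".join(findings))
    # Pass only allowlisted values so clinical fields never reach the formatter.
    safe = {name: appointment[name] for name in ALLOWED_FIELDS}
    return template.format(**safe)


if __name__ == "__main__":
    for name, tpl in (("default", DEFAULT_TEMPLATE), ("generic", GENERIC_TEMPLATE)):
        print(name, lint_template(tpl))
    print(render_reminder(GENERIC_TEMPLATE, SAMPLE_APPOINTMENT))
```

Run the lint over every reminder, confirmation, and follow-up template whenever one is edited, since a single reworded message can put the visit reason back in.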
Pro tip: A BAA from your scheduler does not cover the tools it connects to. If your scheduler pushes appointments into a personal Google Calendar without a separate BAA from Google, you have reopened the gap you just closed. Check every integration in the chain.
SimplePractice: Best for Solo Therapists and Mental-Health Practices
SimplePractice is a practice-management and EHR platform built specifically for therapists, counselors, and other mental-health and wellness clinicians, with scheduling sitting inside a wider system that also handles notes, billing, and insurance claims. It signs a BAA and publishes one openly, which is why it tends to anchor these lists for solo and small-group practices. The scheduling side covers client self-booking against your set availability, unlimited automated text and email reminders, and two-way sync with iCal, Outlook, and Google. Where it stops being just a scheduler is the clinical layer: filtering the calendar by unpaid balances, incomplete documents, or insurance type is something a pure booking tool can't do, and it is the reason clinicians stay.
Key Features
SimplePractice leans on the workflows around the appointment rather than the booking widget itself.
- Client self-scheduling with online appointment requests you approve
- Unlimited automated text and email reminders to cut no-shows
- Two-way calendar sync with iCal, Outlook, and Google
- Calendar filtering by client status, document state, or insurance type
- Waitlist management for full caseloads
- HIPAA-compliant telehealth on higher tiers
Pricing
| Plan | Price |
|---|---|
| Starter | $49/mo |
| Essential | $79/mo |
| Plus | $99/mo |
A 30-day free trial is available, and a BAA is offered across plans. The catch is that several features clinicians treat as basic, including calendar sync and telehealth, sit on the pricier tiers.
Where SimplePractice Shines
- Purpose-built for mental-health and wellness practices, so the language and workflows fit
- Combines scheduling, notes, billing, and insurance in one HIPAA-ready system
- Unlimited free reminders, which directly attacks no-show rates
Where SimplePractice Falls Short
- Calendar sync is gated behind the higher tiers, with reviewers on G2 noting you need the top plan for even one-way integration
- Pricing changes draw repeated complaints, with G2 reviewers describing sudden increases tied to features they didn't ask for
- Overkill if you only need a booking page and nothing else clinical
Who SimplePractice Is Best For
Solo and small-group mental-health practices that want one HIPAA-ready system for scheduling, documentation, and billing rather than stitching a booking tool to a separate EHR.
Acuity Scheduling: Best for Service-Based Clinics on Squarespace
Acuity Scheduling, owned by Squarespace, is a service-business booking tool with strong verticalization across health, fitness, beauty, and coaching, and it is a common pick for clinics that already run their website on Squarespace. It signs a BAA, but only on its top plan, and the company is careful to frame this correctly: its help documentation says the product is designed to let you comply with the HIPAA Security Rule, not that the product is itself "HIPAA compliant." The scheduler handles client self-booking, payments and deposits through Stripe, Square, or PayPal, and intake forms, which makes it capable for a cash-pay clinic that wants bookings and a deposit in one flow.
Key Features
- Client self-scheduling across up to 36 calendars on the top plan
- Payments and deposits via Stripe, Square, and PayPal at booking
- Worldwide text-message reminders on Standard and above
- Appointment packages, memberships, and gift certificates
- BAA and HIPAA-enabled account on the Premium plan
Pricing
| Plan | Price |
|---|---|
| Starter | $16/mo (yearly) / $20/mo |
| Standard | $27/mo (yearly) / $34/mo |
| Premium | $49/mo (yearly) / $61/mo |
The BAA and HIPAA features sit only on Premium, so the effective price of entry for a healthcare practice is $49/mo billed yearly, not the $16 headline. A 7-day free trial is available with no card required.
Where Acuity Shines
- Flat per-plan pricing scales by calendar count, not per user, which is cheaper for multi-staff clinics
- Payments and deposits at booking come built in on every plan
- Tight Squarespace integration for practices already on that platform
Where Acuity Falls Short
- HIPAA and the BAA are locked to the top Premium plan, a real cost jump for healthcare buyers
- Capterra reviewers wanted better HIPAA-compliant intake forms and notetaking than what is offered
- US-hosted with a US parent, so it carries no EU data-residency story
Who Acuity Is Best For
Cash-pay service clinics, especially those already on Squarespace, that want booking, payments, and a BAA without adopting a full EHR.
Cal.com: Best for Developer-Led, API-First Clinics
Cal.com is the open-source scheduling platform, and it has moved aggressively into the regulated-industry conversation by offering a BAA and building its product around HIPAA's Privacy and Security Rules. It is the option for technical teams that want to self-host or deeply customize, with PHI encrypted in transit and at rest and SOC 2 Type II, ISO 27001, CCPA, and GDPR coverage layered on top. The trade-off is that the BAA is positioned for organizations rather than individuals: it ships in the Organizations plan at 15 or more users and in Enterprise, and below that it is a paid add-on, which makes Cal.com a poor fit for a solo practitioner but a strong one for a clinic with an engineering function.
Key Features
- Open-source core with self-hosting available for full data control
- BAA signed for covered entities, formalizing PHI responsibility
- PHI encrypted in transit and at rest
- SOC 2 Type II, ISO 27001, CCPA, and GDPR compliance
- Extensive API and app ecosystem for custom workflows
Pricing
| Plan | Price |
|---|---|
| Free | $0 |
| Teams | $15/user/mo + $300/mo BAA add-on |
| Organizations | $37/user/mo (BAA included at 15+ users) |
| Enterprise | Custom (BAA included) |
The cleanest BAA path is the Organizations plan at 15 or more seats. Smaller teams can buy the BAA as a $300/mo add-on on Teams, which is steep for a handful of providers.
Where Cal.com Shines
- Open-source and self-hostable, the strongest data-control story among general schedulers
- BAA plus SOC 2 Type II and ISO 27001 for buyers who want layered attestations
- Deep API for clinics that want to build around the scheduler
Where Cal.com Falls Short
- The BAA is gated to 15+ user Organizations or a $300/mo add-on, pricing out solo and small practices
- Self-hosting and customization assume technical staff most clinics don't have
- More configuration up front than a turnkey healthcare tool
Who Cal.com Is Best For
Larger or technically-staffed clinics and digital-health companies that want an open-source, API-first scheduler with a signed BAA and can meet the 15-user Organizations threshold.
Three More HIPAA-Ready Schedulers Worth Knowing
Beyond the three above, a handful of tools sign a BAA on specific plans and suit narrower needs.
TimeTap is built for complex, multi-location, multi-staff organizations across healthcare, government, and higher education, with a dedicated HIPAA compliance page. The BAA sits on the Business tier; the entry Pro tier is deliberately stripped of HIPAA, API access, and Salesforce integration, so a regulated buyer effectively starts at Business. It is sales-led and US-hosted, which fits enterprise procurement more than self-serve sign-up.
Setmore is the low-cost option, with a signed BAA available on its Pro plan. It covers the booking-page basics, online payments, and reminders, making it a reasonable pick for a small practice that wants HIPAA coverage without an EHR. The trade-off is a thinner feature set than the EHR-grade tools above.
Jotform comes at the problem from forms rather than scheduling. Its appointment feature lives inside a broader forms product, and HIPAA features, including the BAA, are available on the Gold plan ($99/mo yearly) and Enterprise. It is the right call when HIPAA-compliant intake forms are your primary need and booking is secondary.
Did you know? Pricing pages rarely say which tier unlocks the BAA. With Acuity, TimeTap, Setmore, and Jotform, the BAA lives on a higher plan than the one most buyers first land on. Always read the compliance row, not the headline price.
Is Calendly HIPAA Compliant?
Short answer: no, not on the plans most people use. Calendly is not HIPAA compliant on its Free, Standard, or Teams plans, and its terms of service explicitly state the platform should not be used to collect, store, or transmit PHI. The product has genuine security strength, including SOC 2 Type II certification and encryption, but security is not the same as HIPAA, and HIPAA hinges on a signed BAA that those plans don't include.
There is one narrow exception. A BAA may be available to eligible Enterprise customers, so if you are committed to Calendly and operate at that scale, the move is to confirm BAA availability directly with their sales team before putting any PHI near it, a point the HIPAA Journal makes as well. For a solo therapist or a small clinic, that path is usually impractical, and a tool that signs a BAA at a normal plan level will be the simpler choice. This is a common point of confusion because Calendly is the default scheduler for so many businesses, but defaulting to it for clinical use is exactly the mistake the HIPAA Journal warns against.
meetergo: A Data-Protection-First Scheduler for EU-Facing Practices
meetergo belongs in this conversation, but it is honest to place it in a different category than the tools above. meetergo is a Cologne-built scheduling platform with feature coverage across healthcare, sales, talent acquisition, and other verticals, and its compliance posture is built on GDPR and European data residency rather than US HIPAA. It does not offer a HIPAA BAA. For a US covered entity that needs HIPAA and a signed BAA, that is the deciding fact, and one of the tools above will fit better.
Where meetergo earns its place is the data-protection path that HIPAA-focused lists usually ignore. The company is a German GmbH with no US corporate parent, which means patient and client data stays under EU law without CLOUD Act or FISA exposure, and its healthcare positioning leans on the German BDSG and SGB V frameworks rather than HIPAA. For a European clinic, a cross-border telehealth practice, or a US digital-health company that handles EU patient data and needs a GDPR answer alongside its HIPAA stack, that distinction is the whole point. The 24/7 patient self-booking and built-in encrypted video let a practice run scheduling and consultations in one place, and SMS and email reminders cut no-shows without leaning on a US messaging vendor for the core flow.
Key Features
EU Data Residency and Encryption
All data is stored exclusively in Europe, hosted in Frankfurt with a French backup region, on ISO 27001 certified infrastructure. Data is encrypted at rest and in transit using AES-256 and RSA-2048, and meetergo signs a Data Processing Agreement with full GDPR liability on every plan.
Built-In Encrypted Video
meetergo includes its own encrypted video conferencing, so a clinic can run telehealth consultations directly from the booking without a separate Zoom or Teams subscription. Bookings that need a video room get one automatically.
Patient Self-Booking and Reminders
Patients book 24/7 against real availability, with automated email and SMS reminders and follow-ups that reduce no-shows. The healthcare solution reports up to 70% fewer no-shows for practices that turn reminders on.
Forms, Payments, and E-Signatures
Native forms collect intake details before the appointment, payments and deposits process at booking to protect against no-shows, and the e-signature feature handles consent documents, all within the same pipeline rather than across four tools.

Pricing
| Plan | Price |
|---|---|
| Basic | €0 (free forever) |
| Essentials | €7/mo (yearly) / €10/mo |
| Growth | €13/mo/user (yearly) / €16/mo/user |
| Teams | €25/mo/user (yearly) / €40/mo/user |
| Enterprise | On request (30+ users) |
The Basic plan is free forever with one calendar and one meeting type, and the paid tiers come with a 7-day free trial that needs no credit card. After the trial, accounts drop back to the free Basic plan rather than cutting off.
Where meetergo Shines
- European data residency with no US corporate parent, the strongest GDPR position among the tools here
- Built-in encrypted video, payments, forms, and e-signatures in one platform
- A genuinely free forever plan, separate from the paid trial
Where meetergo Falls Short
- No HIPAA BAA, so it is not the right tool for a US covered entity that needs HIPAA coverage
- Its healthcare framing targets German and EU regulations (BDSG, SGB V), not US ones
- English-language copy and support hours reflect a DACH origin
Who meetergo Is Best For
European clinics, EU-facing telehealth practices, and data-protection-focused teams that want GDPR-grade scheduling with video, payments, and forms in one place, rather than a US HIPAA BAA.
Curious whether the EU-residency path fits your practice? Start free with meetergo on the Basic plan, no credit card required.
How to Choose HIPAA-Compliant Scheduling Software
The shortlist narrows fast once you answer three questions in order.
Does the Vendor Sign a BAA, and on Which Plan?
This is the gate. If a tool won't sign a BAA, it is off the list for clinical PHI no matter how good it looks, which is what rules Calendly out for most practices. When a tool does sign one, find the cheapest plan that includes it, because that, not the headline price, is your real cost. With Acuity that means Premium, with Cal.com it means the Organizations tier or a pricey add-on, and with Jotform it means Gold.
What Else Does the Tool Need to Do?
A solo therapist who wants notes, billing, and scheduling in one HIPAA-ready system is a SimplePractice buyer. A clinic with an engineering team that wants to customize and self-host leans toward Cal.com. A multi-location organization with formal procurement looks at TimeTap. Match the tool to the workflow, not just the compliance checkbox.
Where Does Your Data Need to Live?
This is the question HIPAA lists skip. If your practice serves or operates in the EU, or you are a digital-health company juggling both US and EU patient data, data residency and GDPR liability matter alongside HIPAA. A US-hosted tool with a US parent cannot give you EU data sovereignty for structural reasons, while a GDPR-first scheduler keeps data under EU law. For a purely US practice this is moot; for anyone touching EU data it can be decisive.
The Bottom Line on HIPAA-Compliant Scheduling
The honest version of this guide is shorter than most: pick a tool that signs a BAA, confirm which plan includes it, and remember the software supports your compliance rather than delivering it. SimplePractice fits solo and small mental-health practices, Acuity suits cash-pay clinics already on Squarespace, and Cal.com serves larger or technically-staffed teams that can meet its Organizations threshold. Calendly is not the answer for clinical PHI unless you are an Enterprise customer who has confirmed a BAA. And if your practice lives partly or wholly in Europe, the GDPR-residency path is worth a serious look.
If data protection and EU residency are where your real exposure sits, see how a GDPR-compliant scheduling platform handles patient booking, video, and reminders, or book a demo to walk through your setup. No credit card required.
Frequently Asked Questions
Can any scheduling software be HIPAA compliant by itself?
No. Per the HIPAA Journal, no software of any type is HIPAA compliant on its own. It can only support your compliance. Your practice stays responsible for configuration, staff training, and signing a BAA with the vendor.
What is a BAA and why does it matter for scheduling?
A Business Associate Agreement is a contract that makes a vendor legally accountable for the PHI it handles for you. Without a signed BAA, using a scheduler for patient data violates HIPAA regardless of how secure the product is.
Which scheduling tools sign a HIPAA BAA?
SimplePractice, Cal.com, Acuity (Premium plan), TimeTap (Business tier), Setmore (Pro plan), and Jotform (Gold and Enterprise) sign a BAA. Calendly offers one only to eligible Enterprise customers.
Is there free HIPAA-compliant scheduling software?
Free tiers rarely include a BAA, so genuinely HIPAA-ready scheduling almost always requires a paid plan. Some tools offer free trials, but confirm the BAA is active before entering any PHI.
Does a calendar reminder count as PHI?
It can. An SMS or email reminder that names the patient, the provider, and the reason for the visit exposes PHI. HIPAA-ready schedulers let you strip clinical detail from reminders so they stay generic.
What if my practice serves patients in the EU?
Then GDPR applies alongside or instead of HIPAA, and data residency matters. A scheduler hosted in the EU with no US corporate parent, such as meetergo, keeps data under EU law, though it is a GDPR product and does not offer a US HIPAA BAA.
Is Google Calendar HIPAA compliant for scheduling?
Only if you have a BAA with Google through Google Workspace and configure it correctly. A personal Google Calendar synced to your scheduler with no BAA reopens the compliance gap, so check every integration in the chain.