What Acuity says officially
Squarespace’s Acuity Scheduling and HIPAA guide documents an eligible-account path that includes a Business Associate Agreement and healthcare settings. The current path uses Acuity’s Powerhouse plan, with separate instructions for eligible legacy and enterprise arrangements.
The guide identifies important limitations. Each Acuity account needs its own BAA. The agreement does not cover other Squarespace features or third-party integrations. Notification emails and calendar files can contain appointment details, so customers are told to adjust or disable content that could expose PHI.
Acuity also documents how staff can manage client information , including records associated with appointments. That capability is useful only inside the appropriately contracted and controlled account. The number of surrounding settings makes the verdict conditional.
What this means for a medical practice
Scheduling data becomes PHI when an identifiable patient is linked to care. Appointment type, intake answers, notes, forms, payment status, and the calendar itself may reveal treatment information. A reminder or calendar attachment can create a copy in a personal inbox even when the Acuity account is configured correctly.
A connected calendar, video platform, payment provider, or automation service is a separate system. The Acuity BAA should not be read as covering those companies. Staff access also needs management because a scheduler may show an entire day’s patient list.
Cancellation and rescheduling links should be tested as carefully as the original booking form. A link that exposes too much detail, remains usable indefinitely, or forwards information to an unmanaged calendar can undermine an otherwise careful setup. Front-desk procedures should also prevent staff from adding diagnoses to free-text appointment notes simply for convenience.
The handoff from a HIPAAconscious medical website should avoid exposing appointment reasons in public URLs or analytics. A well-designed patient selfscheduling workflow can still be convenient while limiting the information shown in reminders and calendars.
How to use it safely
- Put the scheduler in a practice-owned eligible Acuity account and confirm the current plan requirements.
- Complete the BAA and enable the documented healthcare settings before accepting PHI.
- Review appointment types and intake forms. Collect only what scheduling staff need at that stage.
- Remove PHI from notification subject lines and body text, or disable messages that cannot be made appropriate.
- Review calendar synchronization and ICS attachments; use only managed calendars whose vendor relationship is approved.
- Evaluate payment, video, email, analytics, and automation integrations separately.
- Assign named users with minimum access, require strong authentication, and document offboarding.
- Book fictional appointments and trace confirmations, reminders, calendar entries, exports, rescheduling, cancellation, and deletion.
Compliant alternatives
Jotform can combine scheduling requests with protected intake on eligible plans, although it is less calendar-focused. Wix offers protected website features on supported plans and can be useful when the practice wants scheduling inside a broader managed site environment.
Bottom line
Acuity provides a documented BAA path on eligible accounts, but safe use depends on detailed setup. Sign the agreement, configure healthcare settings, minimize notification and calendar details, and review every integration outside Acuity separately.