What Calendly says officially
Calendly’s Customer Terms draw a direct boundary around health information. They say Customer Data must not include protected health information under HIPAA. That restriction applies to the information a customer or invitee places in the service, not just to a particular plan or optional feature. The public terms do not describe a healthcare tier or a Business Associate Agreement that changes that boundary.
Calendly can connect a scheduled event to another provider. Its videoconferencing guide explains that a host can add Zoom, Microsoft Teams, Google Meet, or other conferencing details to an event. That connection does not make the Calendly part of the workflow suitable for PHI. The booking questions, event name, invitee details, routing data, calendar entry, and notifications can still pass through Calendly.
This produces a “no” verdict for PHI workflows. It is based on Calendly’s express data restriction, rather than an assumption about the security of the product.
What this means for a medical practice
A generic “request a call” calendar can appear harmless. The risk grows as soon as the event type says “diabetes consultation,” an intake question asks why the patient needs care, or a staff member writes a diagnosis into a reschedule note. An identifiable person’s appointment context may reveal health information even when the form never asks for a medical record number.
Keeping the questions short does not remove the contractual restriction. Names, email addresses, calendar titles, free-text answers, location fields, reminders, and integration payloads all need to be considered together. A connected calendar may also copy the event into a second system, while automation tools may send it somewhere else.
This is why a HIPAAconscious medical website needs a documented boundary between public marketing and patient-data collection. A practice can publish office hours and a phone number without turning its public scheduler into an intake system. Our guide to patient selfscheduling also explains why the shortest convenient route is not automatically the safest route.
If a practice keeps Calendly for a non-clinical purpose, its policy should prohibit PHI and staff should know what to do when an invitee types health details anyway. That limited use does not change the verdict for collecting or processing PHI.
Compliant alternatives
Jotform offers a documented BAA and a healthcare setup path on eligible plans, making it a better fit when a scheduling request must collect clinical details. Wix also offers PHI protection and a BAA on supported site plans, although the practice must use only compatible Wix apps and complete the activation process.
Neither alternative makes every connected calendar, email service, or automation suitable automatically. Map the whole route from the patient’s submission to the staff member who receives it.
Bottom line
Do not use Calendly to collect appointment reasons, symptoms, diagnoses, insurance details, or other PHI. Its current public terms prohibit PHI in Customer Data and provide no documented BAA path that overrides that restriction. Use a healthcare-ready intake or scheduling workflow when patient information must be attached to an appointment.