Vendor documentation review

Is Square Appointments HIPAA Compliant? (2026 Verdict)

Conditionally

Square Appointments can be used under Square's BAA when HIPAA-enabled, but the agreement has product boundaries and the booking workflow still needs configuration.

Last verified:

At a glance

BAA available
Yes
Plan required
Square account using HIPAA-enabled Appointments services
Configuration required
Confirm BAA scope, minimize booking details, restrict staff, and review notifications, Buyer Services, payments, and integrations.
Category
Scheduling

What Square says officially

Square publishes a current Business Associate Agreement that applies when a covered entity or business associate uses listed Square services with PHI. The agreement names Appointments among services that can be HIPAA-enabled. Square’s HIPAA help page says use of PHI with those services is governed by that BAA.

The agreement also defines exclusions. Buyer Services and other products where Square acts independently are not automatically part of the business-associate relationship. That means the presence of Square branding across a booking or payment journey does not prove one contract covers every screen and data use.

Square’s Appointments setup guide shows that customers control online booking, staff, services, notifications, and related settings. The documented BAA supports a conditional verdict because the exact product path and configuration still matter.

What this means for a medical practice

An appointment record may include the patient’s identity, service, staff member, time, location, notes, forms, payment status, and message history. That combination can reveal care even if no diagnosis field exists. Notifications and calendar entries can copy the context into email, SMS, or another provider.

Square also serves both the practice and buyers. The clinic should determine where its controlled seller workflow ends and a separate Buyer Service begins. Payment, loyalty, marketing, and third-party apps may have different data roles from Appointments.

Online-booking availability can expose patterns too. Avoid labels that disclose a clinician’s specialty when that label will follow a named patient into reminders or receipts. Document which team handles accidental clinical notes and how those notes are moved or removed.

A HIPAAconscious medical website should link into the reviewed booking path without putting health details in URLs or trackers. A good patient selfscheduling experience can use generic service labels and collect more detailed intake later in a protected clinical system.

How to use it safely

  1. Confirm that the practice’s Square account and intended Appointments features are within the current BAA and HIPAA-enabled service scope.
  2. Retain the BAA and document any Buyer Services or other exclusions that appear in the patient journey.
  3. Use practice-owned staff accounts, minimum permissions, strong authentication, and prompt offboarding.
  4. Keep service names, booking notes, confirmation pages, emails, texts, and calendar entries to the minimum necessary.
  5. Separate clinical intake from booking when Appointments does not need the information.
  6. Review Square payments, customer directory, loyalty, marketing, video, calendars, and third-party integrations independently.
  7. Make fictional appointments and inspect notifications, staff views, buyer views, exports, cancellations, payments, and deletion.

Compliant alternatives

Acuity offers a dedicated BAA path on eligible plans with detailed healthcare configuration guidance. Jotform offers protected forms and can handle a scheduling request when a practice needs more controlled intake than a calendar-first product.

Recheck booking fields, notices, buyer screens, and integrations whenever Square changes the product or the practice adds a service.

Bottom line

Square documents a BAA scope that includes HIPAA-enabled Appointments services. Treat the option as conditional: verify the exact features, keep booking information minimal, and review Buyer Services, notifications, payments, and integrations rather than assuming all Square products share one boundary.

Frequently asked questions

Does Square provide a BAA for Appointments?

Yes. Square's current BAA identifies Appointments among services that can be HIPAA-enabled when used within the agreement's scope.

Does Square's BAA cover every customer-facing Square service?

No. Square excludes Buyer Services and other independently controlled services from the BAA, so each part of the booking route needs scope review.

Can appointment reminders include clinical details?

Keep reminders and calendar text to the minimum necessary. Their delivery channel and content may create copies outside the controlled scheduling account.

HIPAA-friendly alternatives

A practical second look

Not sure what your website and tools are doing with patient data?

Request a done-for-you review.

Request a review