The ScheduleOnce BAA

The ScheduleOnce Business Associate Agreement (BAA) is a legal mechanism for ensuring patient data is adequately protected. To be HIPAA compliant, covered entities must sign a BAA with their business associates. The ScheduleOnce standard BAA is available to paid Enterprise account holders at no additional cost. To execute the agreement, submit a request by contacting our support team. View the terms of the ScheduleOnce BAA.

What are my responsibilities?

To comply with the terms of the ScheduleOnce BAA, account holders must use our service in a HIPAA compliant manner. For example, you should enable account security policies to satisfy the requirements of the HIPAA security rule. Users that are not familiar with the HIPAA security rule should follow best practices when securing their ScheduleOnce account. Learn more about securing your account.

What is covered?

The ScheduleOnce BAA covers patient data that is stored on our servers. Data that is passed to third parties via integrations is outside our control and not covered by the BAA. If you are using third-party integrations, you should ensure that the receiving party is compliant with HIPAA. For example, if you have a calendar integration with Google, you should make sure that your BAA with Google covers the data transferred from ScheduleOnce.

SMS notifications are not covered by the ScheduleOnce BAA. The ScheduleOnce SMS service is not HIPAA compliant and should only be used to send booking notifications that do not contain patient information.

The ScheduleOnce help desk software is not HIPAA compliant. Support inquiries containing health information should not be sent to the ScheduleOnce support team. If you are unsure about the scope of the ScheduleOnce BAA, contact us to get more information.

Why can’t I downgrade?

A HIPAA compliant account cannot be reverted to a regular ScheduleOnce account. Patient data is stored for the lifetime of your account, and your patient data is regulated by HIPAA until it is deleted. Patient data stored in ScheduleOnce is only deleted when you stop using our service.

HIPAA compliant accounts require additional security controls only available on the Enterprise plan. For example, short session timeouts should be enabled to satisfy the HIPAA security rule. HIPAA compliant accounts must use these security features and can’t be downgraded to a lower plan.
