Online patient scheduling is a wonderful convenience to patients and providers alike. However, this convenience does add complexity: you will have another HIPAA business associate and will need to obtain patient authorization. To understand why, let's discuss the three elements of online scheduling.
Note: If you are not using a dedicated scheduling service linked to an appointment calendar, and patients instead request appointments via your website's "Contact Us" form, then read this article instead.
Many providers wrongly believe that appointment data (e.g., a patient's name together with a date and time) does not fall under the HIPAA rules because it contains no "clinical" information. In fact, HIPAA's definition of protected health information (PHI) covers any individually identifiable information about the provision of health care to a person, and a named patient's appointment with your practice is exactly that: a record that this person received care from you. Appointment data is therefore PHI, and the HIPAA safeguards must be applied to it.
Don't believe me? Consider this scenario: you're a patient at The Acme Clinic and you discover that your last 20 appointments at their facility have been posted on Facebook. Are you upset, or are you indifferent because the world doesn't know your diagnosis or the treatment provided? You may not care if The Acme Clinic is a dentist or a chiropractor, but you would likely care deeply if Acme were a mental health, infertility, cancer, diabetes, or similar treatment facility.
The scheduling service itself
Business associate requirement
HIPAA requires that you have a business associate relationship with any person or business that performs a service on your behalf and has access to PHI in the course of doing so.
All scheduling services, online or off, perform a service for you (scheduling your patients), and they do so by creating, storing, and transmitting PHI on your behalf. They are therefore unquestionably business associates.
This leads to the...
Business associate agreement (the hard part)
Countless scheduling apps exist on the market; only a small fraction are HIPAA compliant. In this context, "HIPAA compliant" means, at a minimum, that the company is willing to sign a business associate agreement (BAA), which is what contractually obligates it to apply HIPAA's safeguards to your patients' data. The hard part (not really hard, it just takes time) is finding out whether the service you wish to use is comfortable signing a BAA.
Companies that specifically market themselves as a healthcare service should embrace their business associate responsibilities and have a pre-signed BA agreement as part of their Terms of Service agreement. Meaning, they don't physically sign a BA agreement with each individual customer; instead, they post a "pre-signed" agreement online for everyone.
With that said, it is still your responsibility either to obtain a signed BAA from the appointment scheduling service or to verify that their Terms of Service clearly state that they agree to act as your business associate. Never assume the latter; read the terms and keep a copy of the version you accepted.
The last piece of the compliance puzzle for online appointment scheduling is the patient. Scheduling services send appointment confirmations and reminders to your patients' email addresses and/or phone numbers. Those endpoints are typically unencrypted and outside your control, and the email providers and phone carriers behind them serve the patient rather than you, so obtaining a BAA from each of them is not possible. For that reason, you must obtain each patient's authorization before transmitting PHI to an email address or to a phone via text message. Read Make Appointment Reminders HIPAA Compliant to learn about patient authorization.
Even though it takes a little leg work getting online appointment scheduling HIPAA compliant, many providers conclude the benefit of convenience is worth the extra effort.