Best Scheduling Software for Therapists in 2026 — HIPAA-Compliant Options
Scheduling software for therapists must be HIPAA-compliant — the moment a client books a therapy appointment, that connection between their name and their mental health treatment is Protected Health Information (PHI) under HIPAA. This means the scheduling platform must sign a Business Associate Agreement (BAA) with your practice before you use it for therapy appointments.
Most therapists discover this problem after the fact — they have been using Calendly, Acuity's free plan, or Google Calendar for years before learning these tools are not HIPAA-compliant on standard plans. Switching is straightforward once you know your options. Here is an honest comparison of the best HIPAA-compliant scheduling tools for therapists in 2026.
Calendly warning: standard plans are NOT HIPAA-compliant
Many therapists use standard Calendly to schedule therapy appointments — this is a HIPAA violation. Calendly only offers a BAA on their Enterprise plan, which costs significantly more. Use Acuity or SimplePractice instead.
SimplePractice
Full EHR with scheduling · $29–$99/mo
BAA: ✓ Included
Best for: Therapists who want scheduling integrated with notes, billing, and telehealth
- ✓Online booking with custom intake forms
- ✓Automated reminders (email + SMS)
- ✓Client self-scheduling portal
- ✓Syncs with Google Calendar
- ✓HIPAA-compliant — BAA included
- ✗Requires full EHR subscription
- ✗More than you need if you only want scheduling
Acuity Scheduling
Standalone scheduling · From $16/mo
BAA: ✓ BAA available on paid plans
Best for: Therapists who already have an EHR and just need better scheduling
- ✓Clean, easy setup
- ✓BAA available
- ✓Custom intake forms
- ✓Payment collection at booking
- ✓Embeds in your website
- ✗Does not replace an EHR
- ✗Need separate system for notes and billing
- ✗BAA not automatic — must request
Calendly
Standalone scheduling · Free / Standard $10/mo / Teams $16/mo
BAA: ⚠️ BAA only on Enterprise plan ($$$)
Best for: Non-PHI scheduling only — consultation calls, not therapy sessions
- ✓Very easy to use
- ✓Free plan available
- ✓Widely recognized by clients
- ✗BAA requires expensive Enterprise plan
- ✗Standard Calendly = NOT HIPAA-compliant for therapy
- ✗Not designed for healthcare
TherapyNotes
Full EHR with scheduling · From $49/mo
BAA: ✓ Included
Best for: Therapists who also need Wiley Treatment Planners
- ✓Integrated scheduling + EHR
- ✓BAA included
- ✓Automated reminders
- ✓Insurance billing included
- ✗Higher starting price
- ✗Older interface
Trusted by 225,000+ Therapists
50% Off Your First 4 Months of SimplePractice
SimplePractice is the #1 HIPAA-compliant practice management platform for therapists. Includes a signed BAA, encrypted messaging, telehealth, and full insurance billing.
Limited-time summer offer · No credit card required for trial
Need HIPAA-compliant email only? See Hushmail for Healthcare →
What Makes Scheduling Software HIPAA-Compliant?
Not all scheduling software marketed to healthcare providers is actually HIPAA-compliant. The term is used loosely in marketing materials. The specific requirements for a scheduling tool to meet HIPAA standards are:
1. Signed Business Associate Agreement (BAA)
The vendor must sign a BAA with your practice before you use their platform for any PHI. The BAA must be in place before any client data enters the system — not after. Many platforms offer BAAs only on paid plans or only on request.
2. Encryption in transit and at rest
All data transmitted between the scheduling platform and your browser or app must be encrypted (TLS/SSL). Data stored on the platform's servers must also be encrypted. Most modern scheduling tools meet this standard, but it should be confirmed in their security documentation.
3. Access controls and audit logs
The platform should allow you to control who can access scheduling data and should maintain logs of who accessed or modified records. This is particularly important for group practices where multiple staff members use the scheduling system.
4. Secure appointment reminders
Automated appointment reminders (email, SMS, phone) that mention the client's name and the fact that they have a therapy appointment are PHI. The reminder system must also be HIPAA-compliant — which means the reminder vendor must also have a signed BAA.
Why Appointment Reminders Create HIPAA Liability
Appointment reminders are one of the most overlooked sources of HIPAA violations for therapists. A reminder that says "Your appointment with [your name] is scheduled for Tuesday at 2pm" contains PHI — it connects the client's phone number or email address to the fact that they have a mental health appointment with a specific provider.
This means the service sending the reminder must also have a signed BAA. When therapists use standard SMS services, personal phone texting, or a scheduling platform's reminder feature that lacks a BAA, every reminder sent is a potential HIPAA violation.
The solution: use a scheduling platform where the BAA covers both the scheduling system and the reminder system — SimplePractice, for example, covers both under one BAA. Or use a separate HIPAA-compliant reminder service (Spruce Health, TigerConnect) alongside your scheduling tool.
FAQ — Scheduling Software for Therapists
Is Calendly HIPAA-compliant for therapy scheduling?
No — not on standard plans. Calendly only offers a HIPAA BAA on their Enterprise plan, which is designed for large organizations and costs significantly more. Most solo therapists and small practices should use Acuity Scheduling's paid HIPAA plan or SimplePractice's built-in scheduling instead.
Can I use Google Calendar for therapy appointments?
Google Calendar on a standard personal account is not HIPAA-compliant. Google Workspace Business accounts include a BAA that covers Google Calendar. However, using Calendar alone does not replace an EHR — you still need a HIPAA-compliant system for notes and billing records.
What should HIPAA-compliant scheduling software include?
At minimum: a signed Business Associate Agreement, encryption in transit and at rest, access controls and audit logs, and the ability to send HIPAA-compliant appointment reminders. Automated SMS reminders that include a client's name and the fact that they have a therapy appointment are PHI and require a separate covered system.
Does online self-scheduling by clients create HIPAA liability?
Yes — when clients book their own appointments through an online portal, they submit their name, contact information, and the nature of their appointment (therapy). This is PHI. The booking portal must be covered under a BAA. SimplePractice's client portal is designed specifically for this — clients log in securely to book, complete intake forms, and communicate, all under the SimplePractice BAA.
Can I use Square or Stripe for payment when clients book?
Standard Square and Stripe are not HIPAA-compliant — they do not sign BAAs for standard accounts. If you collect payment at booking through a scheduling tool, the payment processor must also have a BAA. SimplePractice uses a HIPAA-compliant payment processing integration. Stripe does offer a HIPAA-eligible product for healthcare, but it requires a separate healthcare agreement.