Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: No.
Recommend for your HIPAA risk management needs?: No. We do not recommend AppointmentQuest for your HIPAA compliance needs as they do not exhibit an understanding of what HIPAA compliance means nor do they offer a BAA.

What Is This Product?

AppointmentQuest is an online scheduling tool that offers client self-scheduling, reminders, forms, and payments. At first glance, their page about using their product for healthcare seems to hit all of the right Person-Centered Tech buttons about HIPAA compliance requiring not just buying software with some imaginary “HIPAA Compliant” stamp on it but the HIPAA-compliant use of those products and overall clinician behavior, but then they take an abrupt turn towards reckless misunderstanding of HIPAA compliance when they state:

“HIPAA regulations do not apply to AppointmentQuest scheduling services since AppointmentQuest does not perform insurance, payment or related transactions (HIPAA transactions), and does not collect any medical history from patients.”

Huh? This indicates to us that AppointmentQuest doesn’t understand the relationship between a HIPAA covered entity and the Business Associates of that covered entity. AppointmentQuest is operating as a HIPAA Business Associate but does not offer a Business Associate Agreement (BAA), thus cannot be used in a HIPAA-compliant manner.

Even some of the clarification they provided makes it clear they don’t understand what Electronic Protected Health Information (ePHI) is. They write:

“We do not advice [sic] to store disclosed electronic protected health information (ePHI) in AppointmentQuest databases. Customer contact and appointment information is kept private and shared only with you (service provider).”

Wow. Roy would like to remind you that ePHI most certainly includes customer names, contact info, appointment times, and payment information. We do not recommend AppointmentQuest for any of your appointment-y needs. For a deep dive into what constitutes PHI, and how to protect PHI, please see our CE for OH course — access included in membership — “How to Identify HIPAA Protected Health Information: Finding Your Clients’ Sensitive Information Wherever It Goes.”