HIPAA for DaySmart Appointments is available specifically to Platinum or Enterprise users. Reach out to your account executive, who can help determine pricing for your unique needs.
Overview
Protect client privacy and streamline scheduling with one secure, HIPAA-compliant solution. The most comprehensive appointment scheduling software, built for professionals handling sensitive health data, with built-in support for audit readiness.
What is HIPAA?
DaySmart Appointments delivers a HIPAA-compliant scheduling platform designed to protect client data and meet the strictest healthcare privacy standards, with every safeguard built in from the start.
Click here to review an overview of what HIPAA is
HIPAA (Health Insurance Portability and Accountability Act) is a U.S. law that protects people’s private health information. It sets rules for how doctors, hospitals, and insurance companies can use and share your health data.
Key Points:
It keeps your medical records private.
It gives you the right to see your own health information.
It requires healthcare providers to safeguard your data from being shared without your permission.
Why does HIPAA matter?
Organizations collecting client health data require scheduling tools designed with HIPAA compliance as a foundational element. DaySmart Appointments' latest HIPAA update addresses this need by providing a secure, all-in-one platform that protects sensitive client data while streamlining the scheduling process. It eliminates risk and reduces the need for external tools or manual workarounds.
How will HIPAA affect your business?
Click here to see what your business will achieve using HIPAA
Clients are confident in your booking process
Your organization meets HIPAA requirements without extra tools or effort
Staff saves time by using a secure, streamlined scheduling platform
Peace of mind knowing your scheduling system is audit ready by adhering to the most up-to-date HIPAA controls
Allows a company to store more relevant healthcare related information pertinent to an appointment without the concerns of whether this type of information will be fully protected.
Click here to view key product and feature benefits of using HIPAA
Full compliance with HIPAA regulations
Secure infrastructure with encryption and access controls
Simple setup with no additional configuration required
Streamlined scheduling experience for both staff and clients
A set-it-and-forget-it, HIPAA-compliant scheduling platform
Controls met to meet standards for HIPAA audits
Click here to view why using HIPAA with DaySmart differs from other software
Unlike general-purpose scheduling software, DaySmart Appointments is purpose-built to meet HIPAA standards. It requires no plug-ins, no extra tools, and no complex setup. Just secure, seamless scheduling from day one. DaySmart Appointments helps support the HIPAA audit process companies face to ensure compliance.
From their first scheduled visit, your clients trust you with their most sensitive information. Give yourself peace of mind with a scheduling platform featuring fully HIPAA-compliant security measures that safeguard client privacy from the moment they book their first appointment.
Click here to view the list of HIPAA controls that DaySmart is complying with
Access Control & Role Permissions
Limit PHI access based on user roles. Only authorized staff see sensitive data.
SMS messages contain a link that takes users to the secure login page, where the appointment details are displayed.
Audit/Access Logging
Tracks when both authorized and unauthorized users access ePHI data, and what they access. Tracks all changes made to ePHI data, including creation, modification, and deletion. Essential for compliance audits and breach detection.
Data Encryption
All PHI is encrypted both in transit and at rest, protecting it from interception or unauthorized access. Ensures ePHI is never transmitted via unencrypted or unsecured means, such as email, SMS, or unauthenticated/non-TLS websites.
Business Associate Agreement (BAA)
We offer a signed BAA, affirming our responsibilities under HIPAA as a trusted service provider.
Session Timeouts & Auto-Logout
Automatic logouts prevent unauthorized access when devices are left unattended.
Secure Hosting & Backups
Data is stored in HIPAA-compliant environments with regular backups and disaster recovery protocols.
Minimum Necessary Standard
Our platform supports workflows that limit PHI exposure to only what's necessary for each user or interaction.
Data/Media Disposal & General Security Standards
Ability to remove ePHI from the system so that it aligns with the data retention policy. After termination, data can still be deleted as per the contract, since data retention is the responsibility of the customer.
Transmission Security
Avoiding inclusion of ePHI in SMS/email and using secure links reduces the risk of unauthorized access in transit.
Click here to view the updated areas in the software when upgrading to the HIPAA environment
Access to PHI data based on the user access role
PHI data protected when using SMS and Emails Templates
Audit log controls
Customer Login Management
Privacy Rules
Data breach
Set Up Process
Step 1: Setting Up Your HIPAA-Compliant Account
Click here to view what happens in the first step of setting up your HIPAA-compliant account
When your HIPAA account is created, the system automatically sets important configurations to ensure your account stays compliant and consistent. Here’s what happens:
✅ Your First Staff Member
Role: Headquarter (HQ) Admin
Type: Manager
This setup is done for you on the Staff page.
🔐 Protected Health Information (PHI) Fields
The system automatically treats the following fields as sensitive PHI data:
Service Name
Customer Notes
Appointment Notes
These are set up for protection on the Fields/Terms page.
👥 Default Staff Roles
Two staff types are created by default:
Manager
Staff
This helps organize roles and responsibilities from the start.
🔧 PHI Permissions
Permissions for PHI fields are automatically set for both Manager and Staff roles.
The HQ Admin (Manager) can view and update these permissions anytime through the Staff/Advisor Type page.
Step 2: Classify Data Fields as Protected Health Information (PHI)
Click here to view how to classify data fields as PHI
To help your business meet HIPAA requirements from day one, certain data fields are automatically marked as Protected Health Information (PHI) when your HIPAA account is created.
🔒 Default PHI Fields
The following fields are classified as PHI by default:
Service Name
Customer Notes
Appointment Notes
This ensures that sensitive information is properly protected right from the start.
🛠️ Customize PHI Classifications
As your organization grows or your needs change, you may want to mark additional fields as PHI.
Your HQ Admin can update these settings anytime. Follow this path to do so: Settings > Preferences > Patient Fields/Terms
Step 3: Staff Member Types – Setup and Management
Click here to review the setup and management of staff member types
When your HIPAA account is created, the system automatically sets up two default Staff Member Types to help manage roles and permissions:
Staff
Manager
These roles come with built-in settings that support consistent, secure access across your organization.
⚙️ Predefined Role Settings
Each role includes a set of default permissions and configurations.
This helps streamline role-based access control and ensures your team members have the right level of access.
🔍 How to View or Edit Staff Member Types
If you’d like to review or update these settings — or create new custom types — here’s how:
Go to: More > Lists > Advisor/Staff Member Types
From here, HQ Admins can:
View existing role permissions
Make updates as needed
Add new staff member types to fit your organization’s structure
Staff-Based Permissions: Controlled Access for Data Security
Users assigned to the ‘Staff’ role have limited access to sensitive data, helping to protect your organization’s information and support HIPAA compliance.
🔐 How Staff Access Works
Staff members can only view or edit fields that have been specifically set to ‘Show’ for their role.
If a field is not marked as ‘Show’, it will be either:
Hidden completely, or
Masked, based on your system’s settings.
This ensures that each team member only sees the data they need, promoting data minimization best practices.
📋 Default Access Settings
Your system comes with built-in default field permissions for the ‘Staff’ role to help you get started securely.
🛠️ How to Adjust Staff Permissions
Want to make changes? It’s easy:
Go to: More > Lists > Advisor/Staff Types
Then select the ‘Staff’ type to update which fields they can access or edit.
Manager role-based permissions: The following are the default field access settings for users with the ‘Manager’ Staff Member Type. By default, all fields are marked as ‘Show’.
For all business types except Chiropractor, the system automatically configures data field visibility for the ‘Staff’ and ‘Manager’ role as follows:
Below is the configuration for Chiropractor:
Note: The HQ Admin assigned the ‘Manager’ role has full control over access settings. They can customize permissions for all staff types, including both standard and custom fields.
This flexibility allows your organization to adjust role-based access to match your unique operational workflows and compliance requirements.
Step 4: Creating Custom Staff/Advisor Types
Click here to see how to create custom staff and advisor types
To support the unique roles within your organization, the HQ Admin (with the ‘Manager’ role) has the ability to create custom Staff/Advisor Types.
This feature lets you define field-level access and system permissions tailored to each role—ensuring that team members only access the data they need.
🆕 Example: Creating a Custom Role
Let’s say you want to add a new role called ‘Custom Type’.
The HQ Admin can create this type and then assign specific permissions for:
Data fields (what they can see/edit)
System features (what they can access/use)
🛠️ How to Create or Manage Staff/Advisor Types
Go to More > Lists > Advisor/Staff Types
Click Add New
Enter the new role’s name and configure the appropriate permissions
This gives you the flexibility to align access with your organization’s operational and compliance needs.
Step 5: Creating Staff Members
Click here to see how to create staff members
When adding a new staff member to your account, it's essential to assign the correct Staff Member Type—such as Staff, Manager, or a Custom Type—based on that person’s role and responsibilities.
🔐 Why Staff Type Matters
The Staff Member Type determines each user's level of access to Protected Health Information (PHI) within the system.
Staff will only be able to view or interact with PHI in appointment and customer records based on the permissions set for their assigned role.
This ensures each team member has access only to the information relevant to their job—helping maintain both privacy and HIPAA compliance.
✅ Best Practice
Always double-check that the correct Staff Member Type is assigned before saving the staff record. This helps:
Prevent unauthorized access
Support proper system behavior
Maintain data security and compliance
If a staff member is not assigned a Staff Member Type and tries to log in, they’ll see the following error message:
"Please reach out to your Admin, looks like your account is not set up properly."
To avoid this, be sure every new staff member has a valid type assigned during setup.
Step 6: Audit Reporting Access
Click here to review Audit Reporting Access
Access to audit log reports is tightly controlled to protect sensitive data and support compliance with HIPAA and other regulatory requirements.
🔐 Who Can Access Log Reports?
Only users who meet both of the following criteria can view audit reports:
Have the HQ Admin role
Are assigned the ‘Manager’ Staff Member Type
This ensures that only authorized personnel with elevated privileges can monitor system activity and access history.
Note: Audit log access cannot be granted to non-HQ Admin users.
📊 Understanding Audit Log Data
Audit reports track specific user actions (called Action Types) performed on different parts of the system (called Resource Types).
The audit table helps HQ Admins understand:
Which actions (e.g., View, Edit, Delete) are tracked
Which resources (e.g., Appointments, Customer Records) those actions apply to
🧾 Example
If an HQ Admin pulls an audit report for Appointments, the log may include actions like:
Viewed
Created
Edited
Deleted
Printed
However, selecting Download as an action type for Appointments will return no results, because that action is not tracked for that resource.
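As an added illustration (not DaySmart's own code), the following models the two Step 6 rules: report access requires both the HQ Admin role and the ‘Manager’ type, and an action that is not tracked for a resource returns no rows. The class names, the sample log, and the tracked actions for Documents are assumptions.

```python
# Added example, not DaySmart code: audit-report access gate and
# action/resource query behaviour modelled on Step 6. Names are assumed.
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class User:
    name: str
    role: str        # e.g. "HQ Admin"
    staff_type: str  # e.g. "Manager"


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    who: str
    resource: str    # Resource Type, e.g. "Appointments"
    action: str      # Action Type, e.g. "Viewed"
    record_id: str


# Actions the page lists as tracked for Appointments; the Documents row is
# an assumption based on Step 9.
TRACKED_ACTIONS = {
    "Appointments": {"Viewed", "Created", "Edited", "Deleted", "Printed"},
    "Documents": {"Uploaded", "Viewed", "Deleted"},
}


def can_view_audit_reports(user: User) -> bool:
    # Both criteria must hold: HQ Admin role AND the 'Manager' staff type
    return user.role == "HQ Admin" and user.staff_type == "Manager"


def pull_audit_report(user: User, entries, resource: str, action: str):
    if not can_view_audit_reports(user):
        raise PermissionError("Audit log access is limited to HQ Admins "
                              "with the Manager type")
    # An action that is not tracked for this resource yields no results
    if action not in TRACKED_ACTIONS.get(resource, set()):
        return []
    hits = (e for e in entries if e.resource == resource and e.action == action)
    return sorted(hits, key=lambda e: e.when)


# Constructed sample log for a stand-alone run
SAMPLE_LOG = [
    AuditEntry(datetime(2024, 5, 1, 9, 0), "srin", "Appointments", "Viewed", "A-1"),
    AuditEntry(datetime(2024, 5, 1, 9, 5), "srin", "Appointments", "Edited", "A-1"),
    AuditEntry(datetime(2024, 5, 1, 9, 7), "jo", "Appointments", "Viewed", "A-2"),
    AuditEntry(datetime(2024, 5, 1, 9, 9), "jo", "Documents", "Uploaded", "D-9"),
]
```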
Step 7: SMS Template Update - Protecting PHI
Click here to view SMS Template updates made to the software for HIPAA
To help protect Protected Health Information (PHI) and reduce the risk of accidental exposure, PHI data is intentionally excluded from all SMS message templates.
🔒 What This Means
SMS messages will not contain sensitive fields such as:
Service details
Appointment notes
Customer notes
This precaution ensures that no PHI is shared through unsecured channels like text messaging, helping your organization stay aligned with HIPAA compliance standards.
📧 Email Template Update – Customer Communications
To further protect Protected Health Information (PHI), all customizable sections of customer-facing email templates have been designed to exclude PHI data.
🔐 No PHI in Email Content
PHI fields such as appointment notes, service details, or other sensitive information are not included in the email body. This helps prevent the unintentional disclosure of private information.
🔗 Secure Access via Customer View
Instead of displaying PHI in the email:
A secure link is included in the template
This link takes recipients directly to the Customer View login page
From there, they can safely log in and view their appointment details in a protected environment
Below is an example of how the email appears to the customer:
📩 Staff Email Template – Secure Access for Team Members
The updated staff email template now includes a secure link to the staff login page, making it easier and safer for team members to access their information.
🔐 Key Enhancements
With this update, staff members can:
Securely authenticate through the designated login page
Access appointment details directly within the application, without exposing sensitive information via email
This ensures that internal communications stay protected, while still enabling staff to efficiently manage their schedules and appointments.
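As an added illustration (not DaySmart's own code), the renderer below enforces the Step 7 rule for SMS and email bodies: placeholders for the page's PHI fields are rejected, only non-PHI fields are substituted, and a secure login link stands in for the details. The placeholder syntax, the non-PHI field list and the sample templates are assumptions.

```python
# Added example, not DaySmart code: a template renderer that refuses PHI
# placeholders and substitutes a secure login link, as in Step 7.
import re

# Fields the page classifies as PHI by default (keys are assumed)
PHI_FIELDS = {"service_name", "appointment_notes", "customer_notes"}
# Constructed non-PHI fields that a message may carry
SAFE_FIELDS = {"first_name", "start_time", "location"}

PLACEHOLDER = re.compile(r"\{(\w+)\}")


class PHILeakError(ValueError):
    """Raised when a template would place PHI into an SMS or email body."""


def validate_template(text: str) -> None:
    # Reject any placeholder that would pull a PHI field into the message
    for name in PLACEHOLDER.findall(text):
        if name in PHI_FIELDS:
            raise PHILeakError(f"template references PHI field {name!r}")
        if name not in SAFE_FIELDS and name != "secure_link":
            raise PHILeakError(f"unknown placeholder {name!r}")


def render(text: str, appt: dict, login_url: str) -> str:
    validate_template(text)
    # Only non-PHI values are ever exposed to the substitution step
    values = {k: appt[k] for k in SAFE_FIELDS if k in appt}
    values["secure_link"] = login_url  # points at the login page, not at PHI
    return PLACEHOLDER.sub(lambda m: str(values.get(m.group(1), "")), text)


# Constructed templates: the first follows the rule, the second violates it
SMS_TEMPLATE = ("Hi {first_name}, your appointment is at {start_time}. "
                "Details: {secure_link}")
BAD_TEMPLATE = "Hi {first_name}, your {service_name} is at {start_time}"
```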
Step 8: HIPAA Account Filter in the Portal
Click here to view the HIPAA Account Filter in the Portal
To help internal users manage accounts more efficiently, a new HIPAA Account Filter has been added to the portal interface.
✅ What This Filter Does
A simple checkbox option now allows internal users to:
Quickly identify and view only HIPAA-designated accounts
Exclude non-HIPAA accounts when they’re not relevant to the task at hand
🚀 Why It Matters
This update helps streamline internal workflows and ensures that teams can focus on accounts requiring HIPAA compliance, without unnecessary clutter.
Step 9: Role-Based Access Control for Picture & Document Upload and Viewing
Click here to learn more about role-based access control for picture & document upload and viewing
To ensure the secure handling of sensitive files, Role-Based Access Control (RBAC) has been implemented for managing access to pictures and documents, while still allowing flexibility in upload permissions.
📤 Upload Permissions – Open for All Staff
All staff members are allowed to upload pictures and documents, regardless of role.
This supports common workflows such as:
Documenting appointments
Attaching files to customer interactions
Sharing internal communications
🔐 Viewing & Downloading – Controlled by Role
While uploads are open, access to view or download files is restricted based on staff roles:
Staff can only view files they personally uploaded
Managers and HQ Admins generally have access to all documents within the account
This ensures that sensitive content is only visible to those who are authorized to access it.
📝 Audit Logging for Compliance
All file interactions are fully tracked to support audit requirements, including:
Who uploaded or accessed a file
When the action occurred
What action was taken (e.g., viewed, deleted)
You can access these file audit records at: Settings > Document Viewer
🔧 Custom Advisor Type with Restricted Access
A new Advisor Type is created, called ‘Supervisor’
This type is assigned to a staff member named ‘Supervisor’
Permissions are configured to allow access to only:
👁️ What the Supervisor Sees
When this staff member accesses an appointment, only the fields they have permission to view are visible:
Visible Fields: First Name, Last Name, Middle Name
Masked Fields: All other fields, including Notes, are hidden to protect PHI
🧑‍💼 Example: Manager Access
A staff member named ‘Srin’ is assigned the ‘Manager’ Staff Member Type.
Managers have full access to all PHI fields across the application
They can view and edit appointments without restrictions
✏️ Editing Appointments – Role Enforcement
When a staff member edits an appointment:
If they lack permission to view a field (e.g., Service), a pop-up warning will appear, indicating they do not have access.
If they have the proper role (e.g., Manager), they can edit all fields without interruption.
This RBAC framework ensures that data security, operational control, and compliance are maintained throughout your system workflows.
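As an added illustration (not DaySmart's own code), the following models the field-level behaviour described in Step 3 and Step 9: fields marked ‘Show’ for a Staff/Advisor Type are visible, other fields are masked or hidden according to a system setting, and an edit touching a field the role cannot view produces the warning instead of saving. The class and function names, the mask marker and the Staff defaults are assumptions.

```python
# Added example, not DaySmart code: field visibility and edit enforcement
# modelled on Step 3 and Step 9. All class and function names are assumed.
from dataclasses import dataclass, field

MASK = "***"  # constructed marker for a masked value

# Fields the page lists as PHI by default
PHI_FIELDS = {"Service Name", "Customer Notes", "Appointment Notes"}
ALL_FIELDS = ["First Name", "Last Name", "Middle Name",
              "Service Name", "Customer Notes", "Appointment Notes"]


@dataclass
class StaffType:
    name: str
    show: set  # fields marked 'Show' for this Staff/Advisor Type


@dataclass
class Account:
    # system setting for fields not marked 'Show': "mask" or "hide"
    unshown_mode: str = "mask"
    types: dict = field(default_factory=dict)


def default_account() -> Account:
    acct = Account()
    acct.types["Manager"] = StaffType("Manager", set(ALL_FIELDS))  # all 'Show'
    # The page does not list the Staff defaults; hiding PHI is an assumption
    acct.types["Staff"] = StaffType("Staff", set(ALL_FIELDS) - PHI_FIELDS)
    # Custom type from Step 9: only the name fields are visible
    acct.types["Supervisor"] = StaffType(
        "Supervisor", {"First Name", "Last Name", "Middle Name"})
    return acct


def view_appointment(acct: Account, staff_type: str, appt: dict) -> dict:
    if staff_type not in acct.types:  # no type assigned: the Step 5 error
        raise PermissionError("Please reach out to your Admin, looks like "
                              "your account is not set up properly.")
    show = acct.types[staff_type].show
    out = {}
    for name, value in appt.items():
        if name in show:
            out[name] = value
        elif acct.unshown_mode == "mask":
            out[name] = MASK
        # "hide": the field is omitted entirely
    return out


def edit_appointment(acct: Account, staff_type: str, appt: dict, changes: dict):
    """Return (updated_record, warning). A field the role cannot view
    cannot be edited; the warning mirrors the Step 9 pop-up."""
    show = acct.types[staff_type].show
    denied = sorted(k for k in changes if k not in show)
    if denied:
        return None, "You do not have access to: " + ", ".join(denied)
    updated = dict(appt)
    updated.update(changes)
    return updated, None
```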