Last updated: June 2025
Schedulite is designed from the ground up to handle Protected Health Information (PHI) responsibly. While we are a technology platform and not a covered entity, we treat all patient data as if it were PHI and implement controls accordingly.
Patient name, phone, date of birth, email, and appointment notes are encrypted using AES-256 via Lockbox. Raw database access reveals only ciphertext. Encryption keys are stored separately from encrypted data.
All connections use TLS 1.2+. HSTS headers are enforced. Session cookies are set with the Secure and HttpOnly flags. No PHI is ever transmitted over unencrypted channels.
SMS messages sent to patients contain only:
We never include in SMS:
This is enforced by a boot-time template linter that prevents deployment of any SMS template containing prohibited fields. It cannot be overridden.
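The following is an added illustration of how such a boot-time check can work; it is not Schedulite's own linter. It uses an allow-list: only the placeholders the page says SMS may carry (first name, appointment time, status) are permitted, so any other field fails the boot. The `{{field}}` placeholder syntax, the module name and the sample templates are assumptions constructed for this example.

```ruby
# Added example (not Schedulite's code): an allow-list linter for SMS
# templates, intended to run at boot (e.g. from a Rails initializer).
# Placeholder syntax {{field}} and the sample templates are assumptions.
require "set"

module SmsTemplateLinter
  # The only placeholders an SMS may contain, per the policy above.
  ALLOWED_FIELDS = Set["first_name", "appointment_time", "status"].freeze
  PLACEHOLDER = /\{\{\s*([a-z_]+)\s*\}\}/

  LintError = Class.new(StandardError)

  # Returns the placeholders in +body+ that are outside the allow-list.
  def self.violations(body)
    body.scan(PLACEHOLDER).flatten.uniq.reject { |f| ALLOWED_FIELDS.include?(f) }
  end

  # Lints every template; raises on the first violation so the process
  # never finishes booting with a non-compliant template loaded.
  def self.lint!(templates)
    templates.each do |name, body|
      bad = violations(body)
      next if bad.empty?
      raise LintError, "SMS template #{name} references prohibited field(s): #{bad.join(', ')}"
    end
    true
  end
end

# Constructed sample templates (not from the product).
SAMPLE_TEMPLATES = {
  reminder: "Hi {{first_name}}, your appointment is at {{appointment_time}}.",
  update:   "Hi {{first_name}}, your appointment status is now {{status}}."
}.freeze

# A constructed template that the linter must reject at boot.
BAD_TEMPLATE = {
  followup: "Hi {{first_name}} {{last_name}}, re: {{notes}} ({{date_of_birth}})"
}.freeze

if __FILE__ == $PROGRAM_NAME
  SmsTemplateLinter.lint!(SAMPLE_TEMPLATES)
  begin
    SmsTemplateLinter.lint!(BAD_TEMPLATE)
  rescue SmsTemplateLinter::LintError => e
    warn "boot aborted: #{e.message}"
  end
end
```

Because the check is an allow-list rather than a deny-list, a newly added PHI field is rejected by default instead of slipping through until someone updates a prohibited-fields list.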
Every read and write to Patient and Appointment records is logged with the user who made the change, a timestamp, and the old/new values. Audit logs are immutable — they cannot be modified or deleted by any user, including account owners.
We offer a BAA on our Pro and Enterprise plans. The application displays a reminder banner until a signed BAA is uploaded by the practice. Contact hipaa@schedulite.com to initiate the BAA process.
SMS delivery. Twilio offers a BAA on paid plans. Our SMS content never contains clinical PHI — only first names, appointment times, and status updates.
Payment processing. Stripe does not sign BAAs — our payment flows send only tokens and dollar amounts, never PHI. Card data is handled entirely by Stripe (PCI-DSS Level 1).