Client Confidentiality in Online Scheduling: Best Practices for Therapists
TL;DR
- Hidden Risk: Default calendar settings expose session details to anyone viewing the calendar.
- Quick Fix: Use discreet event titles ("Appointment" not "Therapy Session").
- Tool Choice: Use privacy-focused schedulers like OnlyCaly that do this by default.
- Beyond Scheduling: Email confirmations, text reminders, and payment receipts all need privacy review.
We spend years learning about confidentiality in graduate school. Informed consent. Mandated reporting. Session notes. HIPAA regulations.
But then we set up a scheduling tool and accidentally broadcast "Therapy Session with Dr. Smith" to our client's shared family calendar.
Oops.
Where Confidentiality Leaks Happen
1. Calendar Invitations
When a client books a session, most scheduling tools automatically create a calendar event.
The problem: that event title shows up in the client's calendar. If they share that calendar with a spouse, employer, or family—everyone sees it.
Default behavior of most tools:
📅 Therapy Session - Individual (60 min) with Dr. Sarah Mitchell
What their spouse sees: "Honey, what's this therapy thing on Tuesday?"
2. Email Confirmations
Confirmation emails often include:
- Service name ("Anxiety Therapy Session")
- Full practitioner credentials
- Sometimes even the presenting concern
If clients share email accounts or have emails forwarded, this becomes a privacy leak.
3. Text Reminders
SMS reminders are effective for reducing no-shows. But they also appear on lock screens.
Problematic reminder:
Reminder: Therapy session with Dr. Mitchell tomorrow at 3pm
Anyone glancing at the phone sees it.
4. Payment Receipts
Credit card statements and payment receipts often show:
- Business name (sometimes includes "Therapy" or "Counseling")
- Invoice descriptions
A client's partner reviewing finances might see charges they weren't meant to know about.
5. Booking Page URLs
If your booking page URL is:
calendly.com/dr-sarah-therapy-practice
That URL appears in browser history and can auto-complete when someone types in the browser bar.
Best Practices for Each Touchpoint
Calendar Events
Best approach: Use neutral event titles that don't reveal the nature of the appointment.
| Instead of | Use |
|---|---|
| Therapy Session | Appointment |
| Counseling - Anxiety | Medical Appointment |
| Couples Therapy 90min | Meeting |
OnlyCaly defaults to neutral titles. Other tools require manual configuration.
How to configure in common tools:
Calendly: Settings → Event Types → Calendar Display → Custom Event Name
Acuity: Edit Appointment Type → Advanced → Calendar Event Title
OnlyCaly: Automatic. Events display as "Appointment with [Name]" by default.
Email Confirmations
- Use a neutral business name if possible
- Avoid service-specific details in subject lines
- Consider offering a "concise email" option for privacy-sensitive clients
OnlyCaly approach: Emails use your business name only from subject line. Service details are inside the email, not in preview text.
Text Reminders
- Keep reminder text generic
- Avoid specific service names
- Consider letting clients opt out of SMS
Good:
Reminder: Appointment tomorrow at 3pm. Reply HELP for assistance.
Bad:
Reminder: Your Individual Therapy Session with Dr. Mitchell is tomorrow.
Payments
- Use a neutral business name on payment processor
- Configure Stripe/Square statement descriptors carefully
- Consider a professional but non-specific name
Statement descriptor examples:
- ✅ "SM Wellness" or "Dr S Mitchell"
- ❌ "Sarah Mitchell Therapy" or "Anxiety Counseling LLC"
Booking Page URLs
- Choose neutral slugs
- Avoid words like "therapy," "counseling," or "mental health"
Better:
onlycaly.com/dr-sarah
mybooking.com/sarah-mitchell
Worse:
calendly.com/sarah-therapy
acuity.as/therapy-with-sarah
Having the Privacy Conversation
Some clients want discretion. Others don't care. The key is to ask.
During Intake
Add a simple question to your intake form:
"Do you have any privacy concerns about appointment reminders or calendar invitations? (e.g., shared calendar with family, work email use)"
If yes, you know to use extra caution.
In Your Policies
Include a brief statement in your informed consent:
"We use online scheduling for appointment management. Calendar invitations and reminders will be titled neutrally (e.g., 'Appointment') to protect your privacy. If you have specific concerns, please let us know."
Tool Comparison: Privacy Features
| Feature | Calendly | Acuity | OnlyCaly |
|---|---|---|---|
| Custom event titles | Manual setup | Manual setup | Default neutral |
| Generic email subjects | ❌ | Configurable | ✅ Default |
| SMS content control | Limited | Limited | ✅ Customizable |
| Statement descriptor | Stripe-level | Stripe-level | ✅ Guidance provided |
| EU data hosting | ❌ | ❌ | ✅ Available |
Special Situations
Couples Therapy
Multiple people on the same booking. If one partner books for both, calendar invites go to both emails. Consider:
- Using a single contact for bookings
- Manual calendar event creation
- Discussing logistics in first session
Minor Clients
Parents often have access to teen's email/calendar. Discuss privacy boundaries early:
- Who receives appointment reminders?
- Is there a private communication channel for the teen?
Workplace EAP Clients
Employees using employer-provided mental health services may be extra concerned about workplace visibility. Neutral everything.
When Clients Specifically Request Discretion
Some clients explicitly ask for maximum privacy. For these clients:
- Manual booking — No automated emails, you send a manual confirmation
- No text reminders — Email only or phone call
- Cash payments — No credit card trail
- Neutral follow-ups — "Re: Our meeting" not "Re: Therapy session"
This takes more effort but builds trust.
Frequently Asked Questions
Is any of this required by HIPAA?
HIPAA requires protection of Protected Health Information (PHI). What constitutes PHI in scheduling is debatable, but appointment existence and timing can be considered PHI. Best practice is to minimize exposure.
Do I need a BAA with my scheduling tool?
For strict HIPAA compliance, yes. Some tools offer BAAs only on expensive plans. Privacy-focused tools like OnlyCaly are designed with healthcare privacy in mind from the start.
What if a client doesn't care about privacy?
Some clients are completely open about therapy. Great. But default to privacy-protective settings for everyone, then relax them if requested.
Can I use Google Calendar for this?
Google Calendar works for calendar sync, but it doesn't control what your scheduling tool sends. Focus on configuring the scheduling tool, not the destination calendar.
The Bottom Line
Confidentiality doesn't stop at your office door. Every email, text, calendar invitation, and payment receipt is a potential privacy leak.
Most general scheduling tools weren't built with this in mind. They were built for sales calls and business meetings where no one cares if "Demo Call with Acme Inc" shows up on a calendar.
Therapy is different.
Choose tools that default to privacy. Configure what needs configuring. And have the conversation with clients about what level of discretion they need.
Your clients trust you with their mental health. Trust includes protecting their privacy—everywhere.
