Compliance Comparison
Last updated: May 28, 2026
Urgent care clinics handle PHI every day. Your scheduling software is a HIPAA business associate — it must sign a BAA. Here is how the four most common workforce schedulers stack up on legal and compliance features.
Deputy officially refuses to sign a BAA
Deputy's published policy states: "Deputy does not enter into a Business Associate Agreement." OnShift states it is "not a healthcare provider" and similarly does not offer a BAA. If your clinic is using either product and handling PHI, you may be operating without a required HIPAA safeguard.
| Feature | EquaSched | Deputy | OnShift | When I Work |
|---|---|---|---|---|
| HIPAA & PHI Protection | | | | |
| HIPAA Business Associate Agreement (BAA) | ✓ Available on all paid plans — sign at signup | ✗ "Deputy does not enter into a BAA" — official policy | ✗ "We are not a healthcare provider" — BAA not available | ★ Enterprise plan only — pricing not disclosed |
| PHI encryption at rest (AES-256) | ✓ | ✓ | ✓ | ✓ |
| PHI encryption in transit (TLS 1.2+) | ✓ | ✓ | ✓ | ✓ |
| Compliance Certifications | | | | |
| SOC 2 Type II certified | ◎ Audit in progress — report expected Q2 2027 | ✓ | ? Not publicly disclosed | ✓ |
| FLSA-aware scheduling engine | ✓ Overtime and break rules enforced at schedule-build time — violations blocked before they happen | ◎ Overtime alerts after the fact — not enforced at scheduling | ✓ | ◎ Overtime alerts only — no build-time enforcement |
| CCPA compliance (California) | ✓ | ✓ | ✓ | ✓ |
| GPC / Do Not Sell signal honored | ✓ GPC middleware live — auto-opts out tracking on browser signal | ? | ? | ? |
| Access & Security Controls | | | | |
| Role-based access controls (RBAC) | ✓ | ✓ | ✓ | ✓ |
| Audit log / activity trail | ✓ | ✓ | ✓ | ✓ |
| SSO / MFA support | ✓ Available on Professional and Enterprise plans | ★ Enterprise plan only | ✓ | ★ Enterprise plan only |
| Breach notification within 72 hours | ✓ Committed in DPA — notification within 72 h of discovery | ? | ? | ? |
| Data Rights & Agreements | | | | |
| Enterprise Data Processing Agreement (DPA) | ✓ | ✓ | ? | ✓ |
| Data residency in the USA | ✓ US regions only — Vercel + Neon Postgres | ◎ Multi-region (US / AU / EU) — US-only may require Enterprise | ? | ? |
| Right to deletion (CCPA / GDPR) | ✓ | ✓ | ✓ | ✓ |
| Staff data portability (CSV/JSON export) | ✓ | ✓ | ? | ✓ |
| Security questionnaire on request | ✓ Contact hello@equasched.com | ✓ | ? | ✓ |
Methodology: Competitor data is based on publicly available documentation, published policies, and official vendor statements as of May 2026. "Not documented" means the feature could not be confirmed in public-facing materials — contact the vendor directly to verify. EquaSched data reflects current product capabilities.
Ready to get your BAA?
EquaSched includes a Business Associate Agreement on every paid plan. Start your free trial — no call required.
Questions about HIPAA compliance? hello@equasched.com