Is doxy.me HIPAA Compliant?
On paper, doxy.me is HIPAA compliant and – subject to an organization subscribing to a business plan that supports HIPAA compliance – can be used to create, receive, store, and share Protected Health Information. However, concerns exist about the vendor’s understanding of HIPAA compliance and about the platform’s reliability for delivering quality patient care.
Doxy.me is a telemedicine platform that enables healthcare professionals to communicate remotely with patients via video, audio, and secure text messaging. The platform has been designed for ease of use, and – when subscribed to the premium service – healthcare professionals can take advantage of text and email notifications, secure payments, screen sharing, and group calling.
On the question of whether doxy.me is HIPAA compliant, the perception a user might get from reviewing the HIPAA compliant video conferencing page on the doxy.me website is that it is. The page provides an explanation of the HIPAA requirements (albeit incorrect) and a list of capabilities that appears to fulfil these requirements. Doxy.me will also enter into a Business Associate Agreement.
Concerns that doxy.me may not be HIPAA Compliant
However, there are multiple inaccuracies and omissions on the HIPAA compliant video conferencing page that raise concerns doxy.me might not know what it is talking about. For example: In the opening paragraph, doxy.me states HIPAA was enacted to preserve patient privacy (it wasn’t) and that HIPAA compliance requires that devices used to store or transmit confidential health details conform to strict protection and privacy requirements (HIPAA compliance involves a lot more).
Further inaccuracies include incorrect definitions of covered entities and Protected Health Information, while the technical safeguards of the Security Rule are misrepresented to suit the capabilities of the platform. While these inaccuracies and misrepresentations are not unique to doxy.me (plenty of vendors do this), it appears the site acquired its knowledge of HIPAA from inaccurate online sources rather than studying the Administrative Simplification Requirements.
Possibly of more concern regarding whether doxy.me is HIPAA compliant is that nowhere on the HIPAA compliance page – nor on any of the site’s support pages – is automatic logoff mentioned (§164.312). Although automatic logoff is an addressable implementation specification of the Security Rule’s technical safeguards, the omission of an automatic logoff function (or an equally effective alternative) makes one wonder – along with the previous inaccuracies – what else doxy.me may have omitted.
Concerns that doxy.me is a Reliable Platform
Doxy.me generally receives above-average scores from review websites, but has been known to solicit positive reviews from users in return for Amazon vouchers. The volume of positive reviews can obscure the negative reviews on some sites, but not on Trustpilot, where the many negative reviews about doxy.me tend to highlight the same issue – unstable connections causing disrupted and disconnected sessions with patients.
Doxy.me blames this issue on poor Internet connectivity between healthcare providers and patients. However, many of the negative comments on Trustpilot describe how healthcare professionals have had to abandon telemedicine sessions on doxy.me and conclude them using Zoom, Skype, or FaceTime – implying that connectivity is not the issue because healthcare professionals are able to connect to patients using alternate platforms.
While the reliability of the platform may not appear to be an issue that affects whether or not doxy.me is HIPAA compliant, it can become an issue if healthcare professionals have to abandon sessions with patients to conclude consultations via platforms that are not HIPAA compliant or with which Business Associate Agreements are not in place. Using any platform without a Business Associate Agreement in place is a HIPAA violation.
Is doxy.me HIPAA Compliant? Conclusion
Concerns about whether doxy.me knows what Protected Health Information is may not be relevant to some when considering whether doxy.me is HIPAA compliant, and the omission of automatic logoff can be overcome by ensuring the function is enabled on any devices used to access the platform. However, the issue of connectivity is one that is possibly more concerning for covered entities due to the risk healthcare professionals may switch to unsecure or non-compliant channels of communication.
One way to determine whether this issue may affect your organization’s HIPAA compliance is to register for a free doxy.me account and use the free account to run test consultations on the platform that do not disclose Protected Health Information. This will give your organization an opportunity to use the platform and conduct due diligence on the vendor by asking as many questions as necessary to determine whether doxy.me is HIPAA compliant.
Finally, using doxy.me in your own environment not only helps answer the question of whether doxy.me is HIPAA compliant, but also whether the platform can be used in compliance with HIPAA. Whereas doxy.me claims it provides HIPAA compliant communications, in reality it only facilitates HIPAA compliant communications. As with any software implemented by a Covered Entity, it is how the software is configured and used that determines HIPAA compliance.


