Is Doxy.me a HIPAA compliant telehealth service?

We’ve been getting asked by customers and prospects about various telehealth solutions and whether they can use them in a HIPAA compliant manner.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

Today we will determine if Doxy.me is a HIPAA compliant service or not.

About Doxy.me

Doxy.me is a telemedicine platform that enables healthcare providers to conduct virtual visits with their patients. It is designed to be easy to use and allows healthcare providers to connect with patients through video, audio, or text-based messaging.

Doxy.me can be accessed from any device with a web browser and an internet connection, making it convenient for both healthcare providers and patients. It also includes features such as appointment scheduling, secure messaging, and the ability to share documents and images.

Doxy.me is often used in situations where it is not possible or practical for a patient to visit a healthcare provider in person, such as during the COVID-19 pandemic or when a patient is located in a remote area.

Doxy.me and the business associate agreement

We’ve previously talked about how a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.

We checked the Doxy.me site and found a help center article called “Is Doxy.me HIPAA-Compliant?”

It states:

Doxy.me complies with all relevant HIPAA rules and regulations.

Covered Entities using our platform are compliant with HIPAA, because doxy.me: 

  • does not permanently store Protected Health Information.
  • operates according to the Privacy and Security Rules.
  • conducts risk analysis and management. 
  • has disaster mitigation plans in place.
  • conducts ongoing HIPAA training for all staff and contractors.
  • has a Privacy and Security officer.
  • utilizes an IDS (Intrusion Detection System) to monitor our infrastructure; intrusion attempts are immediately blocked.
  • actively employs file integrity monitoring, log monitoring, rootchecks and process monitoring across our infrastructure.
  • performs a nightly scan of our infrastructure to check for malware against signatures that are updated daily.
  • uses, for all servers and images, the baseline configurations recommended by industry standard CIS Benchmarks and Security Content Automation Protocol (SCAP).
  • automatically encrypts stored data using full volume encryption and 256-bit AES encryption keys, and uses Amazon Web Services EBS encryption backed by a FIPS 140-2 key management infrastructure.
  • conducts regular penetration testing using both internal and third-party testers.
  • will sign a Business Associate Agreement acknowledging us as a Business Associate.

This is a well-done page.

Notification of Enforcement Discretion

When the pandemic first hit in March 2020, the U.S. Department of Health and Human Services (HHS) quickly announced the Notification of Enforcement Discretion, which allowed health care providers to use widely available communication apps without the risk of incurring HIPAA fines.

This notice allows health care providers to use popular applications to provide telehealth services, so long as they are “non-public facing.”

Examples of non-public facing applications include:

  • Amazon Chime
  • Apple FaceTime
  • Doxy.me
  • Facebook Messenger
  • Google Hangouts video
  • Google Hangouts
  • iMessage
  • Jabber
  • Signal
  • Skype
  • Spruce Health Care Messenger
  • Updox
  • VSee
  • WhatsApp
  • Zoom

See also: HIPAA privacy and security guidelines as they relate to telehealth

Is Doxy.me HIPAA compliant?

The business associate agreement is a key component to HIPAA compliance between a covered entity and a business associate.

As we noted earlier, Doxy.me is willing to sign a BAA with its customers.

In addition, HHS lists Doxy.me as a telehealth solution that can be used in a non-public facing manner. While the HHS Notification of Enforcement Discretion is not indefinite, for as long as it is in effect it allows healthcare entities to use Doxy.me without being liable for HIPAA fines, even if the vendor did not offer them a BAA.

Conclusion: Doxy.me is HIPAA compliant.

About the author

Hoala Greevy

Founder CEO Paubox. Kayak fishing when I can.

Read more by Hoala Greevy
