If any positives resulted from the Covid-19 pandemic and the associated chaos surrounding it, count the accelerated acceptance of telehealth services as one of them. Patients today in underserved areas or with busy schedules can now schedule an appointment with a healthcare provider from the privacy of their home at a time that best fits their needs.
While some providers use general-purpose video tools like Zoom, FaceTime, and Microsoft Teams, Doxy.me offers a browser-based option with no download required that is marketed specifically as a telemedicine solution. But is Doxy.me truly HIPAA compliant?
What Makes a Software Tool HIPAA Compliant?
For software, HIPAA compliance boils down to two questions. Does the tool implement safeguards that keep patient data private and secure? Will the software provider sign a business associate agreement?
When the answer to both questions is “yes,” the tool can be used in a HIPAA-compliant way. If the answer to either is “no,” the tool is not HIPAA compliant. Note that no tool is compliant on its own: a covered entity must still configure it and use it in line with its own policies, which is why the provider’s safeguards and the BAA are necessary conditions rather than a guarantee.
What Are HIPAA Safeguards?
HIPAA safeguards are measures that a healthcare organization puts into place to protect the confidentiality, integrity, and availability of protected health information (PHI). HIPAA categorizes safeguards into three groups – administrative, physical, and technical.
Administrative safeguards are written policies and procedures (risk analysis, workforce training, sanction policies) that dictate the proper uses and disclosures of PHI.
Physical safeguards, such as locks, alarm systems, and workstation and device controls, protect an organization’s facilities and the equipment that stores or accesses PHI.
Technical safeguards are measures that protect electronic PHI (ePHI).
While administrative and physical safeguards are essential, technical safeguards are generally the determining factor in a software provider’s HIPAA compliance. You should check for the technical safeguards the Security Rule names: access controls (unique user IDs, role-based permissions, automatic logoff), audit controls (logs of who accessed what PHI and when), integrity controls, person or entity authentication, and transmission security (encryption of ePHI in transit, and ideally at rest as well).
Why is a Business Associate Agreement Important?
Business associate agreements are a crucial determinant of HIPAA compliance. Even the most secure software platform is NOT HIPAA compliant if its vendor will not sign a business associate agreement (BAA).
Why?
A BAA is a legal contract that obligates the business associate to safeguard the PHI it handles, to use and disclose it only as the agreement permits, to report breaches and security incidents to the covered entity, and to flow the same obligations down to its own subcontractors. Because it spells out each party’s responsibilities, a BAA also clarifies where liability sits in the event of a breach or an OCR audit: the party that failed to meet its obligations is the one held accountable, rather than both parties by default.
Is Doxy.me HIPAA Compliant?
Doxy.me has an entire page detailing its security and privacy standards, with specific examples of how the service meets HIPAA requirements and citations to the relevant HIPAA regulations. They are also willing to sign BAAs with clients and state that they only work with third parties who are themselves HIPAA compliant.
Based on this information, Doxy.me appears to be HIPAA compliant. Whether a particular practice’s use of it is compliant still depends on the practice signing the BAA and configuring and using the service in accordance with its own policies.