Doximity BAA: Does Doximity Sign a Business Associate Agreement for HIPAA Compliance?
Short answer: Doximity generally makes a Business Associate Agreement (BAA) available to eligible enterprise healthcare organizations as part of its contracting process. Individual or ad‑hoc use typically does not include a standalone BAA. Always confirm the current policy and terms during procurement to ensure your HIPAA obligations are met.
Business Associate Agreements Overview
A Business Associate Agreement is a HIPAA-required contract between a covered entity and a vendor that creates, receives, maintains, or transmits Protected Health Information (PHI). The BAA allocates responsibilities for safeguarding PHI, defines permitted uses and disclosures, and sets breach-notification rules.
When your organization uses Doximity for clinical outreach or telehealth workflows involving PHI, a BAA is usually necessary. If your use is strictly non-PHI (for example, networking without patient identifiers), a BAA may not apply, but validate that conclusion through a documented risk assessment and legal review rather than assuming it.
What a BAA typically covers
- Permitted and required uses/disclosures of PHI by the business associate.
- Compliance safeguards aligned to the HIPAA Security Rule, including administrative, physical, and technical controls.
- Incident and breach reporting obligations, cooperation in investigations, and timelines.
- Subcontractor oversight and flow-down of BAA terms.
- Return or destruction of PHI at contract termination and data retention limits.
Do not confuse a BAA with a Data Use Agreement (DUA). A DUA governs limited data sets for research, public health, or operations. You may need a DUA in addition to a BAA when sharing a limited data set for secondary purposes.
HIPAA Compliance Requirements
HIPAA compliance rests on demonstrable Risk Management. Conduct a documented risk analysis, prioritize threats to confidentiality, integrity, and availability of PHI, and implement reasonable and appropriate controls. Reassess whenever your environment, vendors, or data flows change.
Core obligations under the HIPAA Security Rule
- Administrative safeguards: risk analysis, workforce training, sanction policies, vendor oversight, and contingency planning.
- Physical safeguards: facility access controls, device/media protections, and secure disposal of PHI.
- Technical safeguards: access controls, authentication, audit logs, integrity protections, and encryption for data in transit and at rest.
Under the Breach Notification Rule, business associates must notify covered entities of any breach of unsecured PHI without unreasonable delay (no later than 60 days). Your BAA should specify notification channels, required details, and responsibilities for patient notices and regulatory filings.
Apply “minimum necessary” across all PHI Handling Procedures: limit identifiers shared through Doximity to what’s essential for the task, and keep the system of record in your EHR.
Doximity’s Data Protection Measures
Organizations evaluating a Doximity BAA should confirm the platform’s compliance safeguards and how they map to the HIPAA Security Rule. Request current documentation and assess whether controls meet your security and privacy standards.
Controls to confirm during due diligence
- Encryption: strong TLS for data in transit and encryption at rest for stored data and backups.
- Identity and access: role-based access controls, optional SSO/SAML, multi-factor authentication, session management, and least-privilege provisioning.
- Auditability: event logging, administrator access logs, and retention appropriate for investigations.
- Secure development and operations: vulnerability management, patching cadence, change management, and segregation of environments.
- Data lifecycle: data minimization, retention schedules, deletion processes, and procedures for return or destruction of PHI at contract end.
- Third-party oversight: subprocessor inventory, contractual flow-down, and ongoing monitoring.
Document these items in your vendor file and map each control to your internal policies. Where gaps exist, add compensating controls or restrict use cases until risks are reduced.
Responsibilities Under Doximity BAA
Typical business associate commitments
- Use/disclose PHI only as permitted by the BAA and applicable law.
- Implement safeguards commensurate with risk and maintain written policies.
- Promptly report security incidents and potential breaches, cooperate on investigations, and support mitigation.
- Flow down BAA obligations to subcontractors that access PHI.
- Provide information needed for audits or regulatory inquiries and support termination, return, or destruction of PHI.
Typical covered entity responsibilities
- Define permissible purposes and minimum necessary PHI for Doximity-enabled workflows.
- Provide workforce training on PHI Handling Procedures specific to Doximity features.
- Maintain an accurate user roster, promptly remove access, and enforce device security requirements.
- Monitor vendor performance and address nonconformities identified through audits or incidents.
Secure Communication Features
Doximity is often used for masked calling and video outreach to patients. These capabilities can support HIPAA-compliant operations when paired with a signed BAA and disciplined user practices.
Practical safeguards for clinical outreach
- Identity verification: at the start of calls or video sessions, confirm patient identity using two identifiers.
- Minimum necessary: avoid transmitting full medical histories via voice mail or SMS; move detailed PHI into the EHR.
- Messaging hygiene: treat standard SMS as an unencrypted channel that may be read or forwarded outside your control; do not include diagnoses, lab values, or images containing PHI.
- Environment checks: conduct calls in private spaces, use headsets when appropriate, and prevent on-screen PHI exposure.
- Documentation: capture clinical details in the EHR immediately after the interaction; do not store PHI in personal notes on mobile devices.
Implementation Process for Healthcare Providers
Step-by-step rollout
- Scope and risk analysis: define use cases that involve PHI and assess threats, likelihood, and impact.
- Due diligence: request Doximity’s BAA template, security whitepaper, and data-flow details; evaluate against your Risk Management criteria.
- Contracting: finalize the Business Associate Agreement and, where applicable, a Data Use Agreement for limited data sets.
- Configuration: enable SSO, enforce MFA, restrict features as needed, set retention, and disable device-level backups for app data where feasible.
- Provisioning: implement least-privilege access, MDM/EMM controls, and automatic deprovisioning tied to HR events.
- Training: deliver role-based instruction on permitted uses, privacy etiquette, and incident reporting.
- Pilot and validate: run a limited rollout, review audit logs, and correct issues before wider deployment.
- Operate and monitor: review metrics, perform periodic access recertification, and retest controls after major updates.
Managing PHI with Doximity
Embed clear PHI Handling Procedures into daily workflows so the technology and your policies work together. Define what identifiers may be shared via Doximity, where detailed content must be recorded (the EHR), and how users escalate privacy concerns.
Operational guardrails
- Data classification: label Doximity interactions as “transient PHI” and route all substantive content to the EHR.
- Device posture: require OS encryption, biometric/PIN, auto-lock, and remote wipe; prohibit local screenshots of PHI.
- Recordkeeping: store call reasons and outcomes in the EHR; avoid storing PHI in the app beyond operational necessity.
- Incident response: publish a one-page playbook for misdirected communications, lost devices, or suspected exposure.
- Periodic review: quarterly checks of audit trails, user lists, and adherence to minimum-necessary standards.
Conclusion
A Doximity BAA helps formalize roles, safeguards, and breach-handling so your organization can use the platform for patient outreach with confidence. Pair the agreement with rigorous Risk Management, clear PHI Handling Procedures, and technical controls to maintain HIPAA compliance throughout the lifecycle of your communications.
FAQs
Does Doximity provide a BAA to all healthcare organizations?
Not universally. In practice, Doximity offers a Business Associate Agreement to eligible enterprise customers as part of contracting. Individual users or informal use cases typically do not include a standalone BAA. Confirm availability and scope with Doximity during vendor onboarding.
Is Doximity compliant with HIPAA regulations?
HIPAA compliance is shared. With a signed BAA and proper configuration, Doximity can be used within a HIPAA-compliant program. Your organization must still implement complementary administrative, physical, and technical safeguards and enforce minimum-necessary use.
How does Doximity ensure the security of Protected Health Information?
Doximity’s security posture should be evidenced by documented platform safeguards such as encryption, access controls, audit logging, vendor oversight, and data lifecycle management. During due diligence, request current security documentation and check it against your Risk Management standards and PHI Handling Procedures before enabling PHI-related workflows.