Is Doxy.me’s Free Plan HIPAA‑Compliant? What You Need to Know

Kevin Henry

HIPAA

May 13, 2025

Overview of HIPAA Compliance

HIPAA compliance is not a product you buy; it is a program you run. For telehealth, that program must implement administrative, physical, and technical safeguards that protect Protected Health Information (PHI) under the HIPAA Privacy Rule and Security Rule.

A platform can support compliance, but only your policies, risk analysis, Business Associate Agreements (BAAs), workforce training, and ongoing monitoring make your use of the platform compliant. In short, “HIPAA‑ready” technology is necessary, but never sufficient on its own.

Telehealth Security Standards emphasize secure transmission, identity management, access controls, and incident response. Your evaluation should confirm that the tool’s features align with those controls and that you can configure them to meet your risk tolerance.

Features of Doxy.me Free Plan

Core capabilities relevant to compliance

  • Browser‑based, link‑driven video visits intended for 1:1 clinical encounters without requiring patient downloads.
  • Virtual waiting room to control session admission and reduce accidental disclosures.
  • Encrypted audio/video transport, with no routine storage of call content by default.
  • Basic tools for patient engagement during the session (for example, chat), subject to your configuration and policies.

Typical constraints to consider

  • Limited administrative controls compared with enterprise tiers (for example, granular audit trails, role‑based access, or single sign‑on may be unavailable).
  • Restricted customization and reporting, which can affect documentation and auditing obligations.
  • No guarantee that features required by your internal policies—such as formal uptime SLAs or advanced user management—are included.

The practical takeaway: the free plan can facilitate secure sessions, but you must verify whether it provides the governance features your compliance program requires.

Security Measures and Encryption

Encryption and session security

Doxy.me uses standards‑based encryption for data in transit. Video and audio typically traverse WebRTC using protocols that provide End‑to‑End Encryption of media between participants, while signaling travels over TLS. This design helps prevent interception and supports confidentiality during sessions.

Because workflows vary, confirm how content (chat messages, files, screenshots, or metadata) is protected, retained, or deleted. Ensure that no recordings are made without explicit policy controls and patient consent.

Independent assurance and good‑practice controls

Request current security attestations to evaluate the vendor’s control environment. SOC 2 Compliance (ideally Type II) provides detailed auditor testing of security, availability, and confidentiality controls; a SOC 3 Compliance report, when available, offers a public summary suitable for stakeholders who do not need full SOC 2 details.

Combine these artifacts with your own risk assessment to confirm that technical safeguards align with your threat model and regulatory obligations.

Importance of a Business Associate Agreement

Under the HIPAA Privacy Rule, a Business Associate Agreement is mandatory before a vendor can create, receive, maintain, or transmit PHI on your behalf. The BAA sets the legal terms for safeguarding PHI, breach notification, subcontractor management, and permitted uses and disclosures.

Whether a plan is free or paid is irrelevant; without an executed BAA naming your organization, you should not use the platform with PHI. With a properly executed BAA and appropriate safeguards, the platform can be used as part of a compliant program.

Verifying Compliance with Doxy.me

Step‑by‑step validation

  • Confirm BAA status: locate the Business Associate Agreement in your account or obtain it from the vendor. Ensure it is fully executed for your legal entity and retain the signed copy.
  • Map PHI data flows: document what PHI may be displayed, transmitted, or logged during sessions, including metadata and support interactions.
  • Validate encryption: verify TLS versions, WebRTC security (e.g., DTLS‑SRTP), and whether any relays or services can access unencrypted content.
  • Review independent assurance: request current SOC 2 Compliance reporting and any available SOC 3 Compliance summary; address any gaps in your risk register.
  • Harden configurations: use waiting rooms, strong meeting links, admission controls, and policies that prohibit sharing unnecessary identifiers in chat.
  • Fortify endpoints: ensure clinician and staff devices use disk encryption, updated operating systems, and secured networks; apply least‑privilege access.
  • Train the workforce: teach staff to verify patient identity, manage screen sharing safely, and avoid storing screenshots or chat content containing PHI.
  • Document everything: keep your risk analysis, vendor due diligence, configuration records, and incident response procedures up to date.
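
One way to carry out the "Validate encryption" step for the web and signaling endpoint, as an added example that is not Doxy.me's code or the article's own: it completes a TLS handshake with a placeholder host (`telehealth.example`, an assumption; substitute the endpoint recorded in your data-flow map) and flags legacy protocol versions, TLS 1.2 suites without forward secrecy or AEAD, and certificates close to expiry.

```python
# Added example (not Doxy.me's code): probe a web/signaling endpoint's TLS
# settings and check them against a minimal policy. The host name is a
# placeholder assumption; substitute the endpoint from your data-flow map.
import socket
import ssl
import time

ENDPOINT = "telehealth.example"  # assumed placeholder, not a real vendor host
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def probe_tls(host, port=443, timeout=5.0):
    """Complete a TLS handshake (with chain and hostname validation) and
    report the negotiated version, cipher suite and certificate expiry."""
    ctx = ssl.create_default_context()  # verifies the chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "not_after": ssl.cert_time_to_seconds(cert["notAfter"]),
            }


def evaluate_tls(result, now=None, min_days_left=30):
    """Return a list of findings; an empty list means the endpoint passes."""
    now = time.time() if now is None else now
    findings = []
    version, cipher = result["version"], result["cipher"]
    if version not in ACCEPTED_VERSIONS:
        findings.append(f"legacy protocol negotiated: {version}")
    # TLS 1.3 suites are always forward-secret and AEAD; for TLS 1.2 require
    # an ECDHE key exchange and an AEAD cipher (GCM or ChaCha20-Poly1305).
    if version == "TLSv1.2":
        if "ECDHE" not in cipher:
            findings.append(f"no forward secrecy: {cipher}")
        if "GCM" not in cipher and "CHACHA20" not in cipher:
            findings.append(f"non-AEAD cipher: {cipher}")
    days_left = (result["not_after"] - now) / 86400
    if days_left < min_days_left:
        findings.append(f"certificate expires in {days_left:.0f} days")
    return findings


if __name__ == "__main__":
    # Media (audio/video) protection via DTLS-SRTP is negotiated inside the
    # browser and is inspected in its WebRTC diagnostics, not by this probe.
    findings = evaluate_tls(probe_tls(ENDPOINT))
    print("PASS" if not findings else "\n".join(findings))
```

Record the output alongside the date and endpoint in your configuration records, since the negotiated suite can change when the vendor updates its servers.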

Limitations of the Free Plan

Free tiers often lack enterprise governance features that larger compliance programs expect. You may find limited audit logging, restricted role‑based access control, no single sign‑on, and fewer administrative settings for policy enforcement.

Support and service commitments may also be modest compared with paid plans. If your risk assessment requires deeper auditing, formal SLAs, or advanced user lifecycle management, the free plan may not satisfy those controls without compensating safeguards.

Best Practices for Telehealth Compliance

  • Obtain and archive a fully executed Business Associate Agreement before handling PHI on the platform.
  • Limit PHI to the minimum necessary; avoid placing sensitive identifiers in chat or file transfers.
  • Use strong, unique meeting links; admit only verified participants from the waiting room.
  • Enable device‑level protections: full‑disk encryption, strong authentication, and automatic screen locking.
  • Conduct and document a risk analysis; reassess after any feature changes or workflow updates.
  • Train clinicians and staff on telehealth etiquette, identity verification, and PHI minimization.
  • Prepare an incident response plan for misdirected invitations, disrupted sessions, or suspected breaches.
  • Review and update your Notice of Privacy Practices to reflect telehealth workflows under the HIPAA Privacy Rule.
  • Request current security attestations (e.g., SOC 2 Compliance) and, if available, a SOC 3 Compliance overview for stakeholders.
  • Periodically test configurations against your Telehealth Security Standards and remediate gaps promptly.

Conclusion

Is Doxy.me’s free plan HIPAA‑compliant? It can be used within a compliant program if—and only if—you secure a signed BAA and implement the required safeguards. The platform’s encryption and controls may support compliance, but your policies, configurations, and verification steps ultimately determine whether your telehealth use meets HIPAA expectations.

FAQs

Does Doxy.me’s free plan include a Business Associate Agreement?

Availability can depend on your account and organization type. Some users can obtain a BAA at no additional cost, but you must confirm this in your account or with the vendor and retain a fully executed copy that names your legal entity before using the platform with PHI.

How does Doxy.me protect patient data?

Sessions use standards‑based encryption for data in transit, with WebRTC providing End‑to‑End Encryption of media and TLS securing signaling. You should verify retention settings, confirm that recordings are disabled unless authorized, and review available security attestations to ensure controls align with your program.

Can the free version be used legally for telehealth under HIPAA?

Yes—if you have an executed Business Associate Agreement and you operate the platform within a documented HIPAA compliance program (policies, training, risk analysis, and technical safeguards). Without a BAA and proper controls, you should not use it for PHI.

What are the risks of using the free plan without a BAA?

Without a BAA, you lack the required legal assurances for a business associate handling PHI. That exposes you to HIPAA violations, breach notification obligations, potential fines, contractual non‑compliance with payers or partners, and reputational harm.
