Doxy.me Terms of Service What Users Need to Know (Employees and/or Owners)

Doxy.me updated terms of service

With the changes in legislation and the FCC's ruling, Doxy.me, an online telehealth portal, (among others) is updating its terms of service.

When we did the free panel discussion with an attorney and Person-Centered Tech regarding updated terms of service across tools, we were purposefully broad because we knew this was going to continue to happen.

As we shared in the panel discussion, we don’t need to panic, but we do need to be aware, and we need to step up as the stewards of our client’s protected health information. So, let’s dive into what is happening with Doxy.me and their updated terms of service and privacy policies.

As a quick aside, we believe this is important to understand whether you are an employee using Doxy.me or the business owner. As the steward of the health information you are meant to be an advocate, and unfortunately, that may mean informing your employer of needed changes.

What Doxy.me is sending out to providers

Here is a shortened version of the email received from Doxy.me from a reader:

On November 17, 2023, we will be updating our Terms of Service and Privacy Policies and also creating an Acceptable Use Policy. To keep things simple, we’ll refer to these terms and policies as “Terms” in this email.

You may preview the new terms here.

The key changes are below. By continuing to use doxy.me after the new Terms become effective, you accept these new Terms.

When you click the link, you will see links to eight different terms of service, some of which relate to the state or country from which you access the service. Doxy.me says “The main reason we’re changing our Terms is to comply with changing state and country laws as well as post-pandemic rules.”

So, what does that actually mean? And, more importantly…

Is there anything you need to do if you are using Doxy.me as your telehealth platform?

First, the biggest regulations that have been coming down the way, with GDPR in Europe, CCPA in California, PIPEDA in Canada, and other legislation, have been related to transparency in how people are using data. Data includes your location, your viewing habits, your interests, and so much more. These regulations are applicable to everyone accessing the internet under these jurisdictions.

However, as telehealth providers and online therapists, your patients are accessing this service for mental health and medical services. So, in most, if not all, cases the data that is being transmitted is held to an even higher standard. In the United States, the way that information is protected is largely laid out via the Health Insurance Portability and Accountability Act (HIPAA).

While HIPAA was originally focused on regulations regarding insurance, over the last decade many of the regulations laid out have become so commonplace that they are becoming the standard even for non-HIPAA covered entities. And, in many cases, therapists who were not previously HIPAA-covered entities have become so. Private pay therapists could move into becoming a HIPAA-covered entity by something as simple as emailing a superbill.

Under HIPAA, your patient’s basic data including where they are accessing the website from (IP address) and/or why they are accessing this website (health treatment) would be considered Protected Health Information (PHI) and is protected under HIPAA and other international regulations.

So, since Doxy.me is changing its terms of service, we have a responsibility to read, understand, and make decisions related to those changes. Yuck! We know, we know, we don’t want to read more terms of services or privacy policies either! But, here we are.

Can’t we just assume that any platform that is HIPAA-compliant is ok to use without worry?

Unfortunately, given what we saw with some other platforms, like the changes with SimplePractice Terms and Conditions and the FCC’s $7.9 million fine of BetterHelp for sharing PHI, we can’t assume anything. It is important for us as providers to start to more deeply understand the terms and what kinds of agreements we are entering into and exposing our clients’ PHI to, whether we own a private practice or are employees.

We know, it is exhausting. We felt tired just clicking over to the eight options for applicable changes to the Doxy.me terms of service. Here is what we did, and hopefully it can help you create a plan of action if you use, or plan to use, Doxy.me for your online therapy appointments.

What you need to understand as a therapist before reading the updated Doxy.me terms

In December of 2022, the U.S. Department of Health and Human Services released some updated guidance regarding the “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” We do recommend you give it a read, even if your eyes glaze over a bit. Or, at the very least, put it on your to-do list to take a training with Person Centered Tech to help you understand it.

Here are the areas of this bulletin that we think are most applicable to the updated Doxy.me terms of service and privacy policy:

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. For example, disclosures of PHI [like their IP address] to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.” 1

In other words, if you are a HIPAA-covered entity, your patient’s PHI being shared with tracking technology vendors (Google Analytics, Squarespace Analytics, Facebook Analytics, basically any third party), for marketing purposes, without your client’s HIPAA-compliant authorization would be a no-no.

In addition, any third-party entity where that PHI would be shared would need to sign a Business Associate Agreement (BAA). Google, Facebook, Squarespace, etc. do NOT provide a BAA for their analytics services.

Take a breath, I know that may seem like a lot. But, there is more. This is NOT just for people who are logged into a patient portal or actively in telehealth sessions. Check this out:

“Tracking technologies on a regulated entity’s unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a healthcare provider. In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply.” 1

Read that again. Honestly, I was shocked when I read this and how far it reached. So, when a patient is searching for your Doxy.me, their PHI (like their IP address) being accessible even without them logged in, and being shared with third-party analytics without a HIPAA-compliant authorization, is enough for the HIPAA rules to apply.

So, what does that mean for you? For Doxy.me? This is where we think there are some things that are still getting sorted out. As the provider, we think it may be up to YOU to understand that your patient’s PHI is being shared as part of being a guest of the website and shared with third-party analytics tracking and that YOU need to include that in your informed consent and/or privacy policy and ensure your clients understand how to contact Doxy.me to have such information wiped from their servers.

It may also mean that, as a telehealth provider, you may want to provide tutorials about how to access services using a VPN to fully protect all PHI when accessing mental health services. Person Centered Tech recommends Nord VPN to telehealth providers. I wonder if there is space for some service providers to come in who set themselves apart by NOT using third-party analytics and making life a LOT easier for you as the provider.

Below, Miranda, one of the private practice business coaches at zynnyme, gives her take on the privacy policy specific to California and the broad one that impacts the rest of the United States. Feel free to skip the California video if you don’t live or are not licensed in California.

Reviewing Doxy.me updated California Residents' Privacy Rights

Reviewing Doxy.me New Privacy Policy as of November 17, 2023

Miranda here: With my therapist, non-attorney hat on, the questions I’d be asking of Doxy.me are about guests and the fact that your patients would be considered guests. Remember the material we reviewed above? “For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply.” 1

So, what did you notice? What were your takeaways and questions?

It is ok if you need some time to process and have questions. Write down your initial questions on paper or type them out. And then go for a walk (trust us) and then come back and look at it again. It can get a bit easier if you give yourself some time to process. This may seem like a big headache, but it doesn’t have to be. It might be as simple as using a different service, updating your terms and conditions, or just asking some questions to clarify.

We don’t believe anyone is out to get you in private practice. But we do believe that, as providers, with what is coming to light regarding data and privacy, we are being asked to step up and be protective of our clients’ data.

Steps to take if you are using Doxy.me before November 17th, 2023

  1. Read over the terms of service to make sure you understand it and agree with it.

  2. Ask any questions or verbalize any concerns before November 17th, 2023.

  3. If you do not agree with the updated terms do NOT use it past November 17th, 2023.

  4. If you DO agree with the terms, make sure you understand the impact on your privacy policy and informed consent, update those accordingly, and get consent from clients.

  5. Did you learn something new about third-party analytics? Consider doing a review of how you are using Analytics in your private practice.

Resources for further support regarding HIPAA and/or private practice

  • Check out the solo and group practice resources at Person Centered Tech that dive deeply into HIPAA and have weekly office hours to dive into specific topics like this one.

  • Check out our Business School for Therapists where we walk you step-by-step through all aspects of growing, revamping, or launching your solo or group practice as a therapist. We dive into aspects of HIPAA like the article above, but Person Centered Tech are the in-depth experts! We are experts on all things business vision, finances, profitability, marketing, processes, expansion, and getting great clinical outcomes while living a balanced life!

  • If you haven’t watched the free panel discussion about terms of services here, you might find it helpful.

  • Have additional questions? Comment below. While we don’t think we’ll be able to pull together another panel discussion like the one above, we’ll do our best to provide direction as we can.

Miranda Palmer
I have successfully built a cash pay psychotherapy practice from scratch on a shoestring budget. I have also failed a licensing exam by 1 point (only to have the licensing board send me a letter months later saying I passed), started an online study group to ease my own isolation and have now reached thousands of therapists across the country, helped other therapists market their psychotherapy practices, and helped awesome business owners move from close to closing their doors to being profitable in less than 6 weeks. I've failed at launching online programs. I've had wild success at launching online programs. I've made mistakes in private practice. I've taught others how to avoid my mistakes. You can do this. You were called to this work. Now, go do it! Find some help or inspiration as you need it, but do the work!
http://www.zynnyme.com