Does Doxy.me Sign a HIPAA Business Associate Agreement?
By BAA Generator Editorial · Published Apr 20, 2026 · Last reviewed Apr 20, 2026 · 5 min read
Key Takeaways
- ✓ Yes, on paid plans only: Professional (~$35/mo per provider) and Clinic (~$50/seat/mo) include a HIPAA BAA
- ✓ No on the free plan: the free tier does NOT include a BAA and must not be used for PHI
- ✓ The free plan also lacks the audit logging needed to meet the HIPAA Security Rule's audit-control safeguard
- ✓ The BAA is available from your account dashboard after upgrading to a paid plan
Doxy.me is a popular telehealth video platform valued for its simplicity: patients join from a link with no app download. Its free tier, however, creates a significant HIPAA compliance gap that many providers overlook. Before conducting any telehealth session that involves PHI, you need to know exactly which plan level includes the required BAA.
Doxy.me Plan BAA Coverage
BAA availability differs sharply by plan. This is the most important table to understand before using Doxy.me in a clinical setting (plan names and prices are as listed at the time of review; confirm current terms on Doxy.me's site before relying on them).
| Plan | Price | HIPAA BAA | Notes |
|---|---|---|---|
| Free | $0 | NO | No BAA and no audit logging; do not use for PHI |
| Professional | ~$35/mo per provider | YES | BAA available via account dashboard settings |
| Clinic | ~$50/seat/mo | YES | Multi-provider organizations; full HIPAA compliance package |
Why the Free Plan Is a Critical Compliance Gap
The Doxy.me free plan is widely used because it requires no credit card and no installation, and lets patients join from a simple link. These features make it attractive to small practices and solo providers who want to minimize overhead. The free plan, however, is missing two things HIPAA requires:
- No Business Associate Agreement: HIPAA requires a signed BAA before a covered entity (or another business associate) discloses PHI to a vendor that will create, receive, maintain, or transmit PHI on its behalf. The free plan offers no BAA.
- No audit logs: the HIPAA Security Rule's audit-control standard (45 CFR 164.312(b)) requires mechanisms that record and examine activity in systems that contain or use ePHI, in practice a record of who accessed PHI and when. The free plan does not include the audit logging needed to satisfy this technical safeguard.
Providers who run telehealth sessions on the free Doxy.me plan are operating without the required HIPAA safeguards even if the sessions are encrypted: encryption in transit is not a substitute for a BAA or for audit controls. The absence of a BAA is itself a compliance failure, whether or not a breach ever occurs.
How to Get a HIPAA BAA from Doxy.me
Once you are on a paid plan, getting a BAA from Doxy.me is straightforward:
- Upgrade your Doxy.me account to the Professional or Clinic plan
- Log in to your Doxy.me account dashboard
- Navigate to Settings
- Locate the HIPAA / Business Associate Agreement section
- Review and execute the BAA electronically
Keep a copy of the executed BAA in your compliance documentation. Re-review it whenever Doxy.me updates its terms and at each subscription renewal, and confirm that the plan you actually pay for is still one that carries the BAA.
What Happens If You Use Doxy.me Free for HIPAA Sessions?
Using the free Doxy.me plan for telehealth sessions involving PHI creates two distinct HIPAA problems. First, there is no BAA in place, so the arrangement violates the business associate contract requirements of the HIPAA Privacy Rule. Second, without the audit controls included in the paid plans, you cannot demonstrate compliance with the HIPAA Security Rule's technical safeguard requirements.
If OCR investigated your practice and found that you were conducting telehealth sessions without a BAA from your video platform, the result could be a corrective action plan or a financial penalty, even if no patient data was actually compromised. See our guide on which vendors sign a HIPAA BAA and our resource on BAA requirements for telehealth platforms for more context.
Frequently Asked Questions
Does Doxy.me free plan include a HIPAA BAA?
No. The free Doxy.me plan does not include a HIPAA BAA. The free tier also lacks the audit logs and administrative controls required for HIPAA compliance. Providers using the free plan for telehealth sessions involving PHI are operating without the required HIPAA safeguards and without the necessary Business Associate Agreement.
Does Doxy.me sign a BAA for telehealth?
Yes, but only on the Professional (~$35/mo per provider) or Clinic (~$50/seat/mo) paid plans. On these plans, Doxy.me provides a HIPAA BAA and includes the technical safeguards required for HIPAA-compliant telehealth. The BAA is available through your account dashboard after upgrading.
What plan do I need for Doxy.me HIPAA compliance?
You need at minimum the Professional plan (~$35/mo per provider) to get a HIPAA BAA from Doxy.me. The Clinic plan (~$50/seat/mo) is designed for multi-provider organizations. Both plans include audit logs, advanced security features, and BAA availability. The free plan is not HIPAA compliant.
Can I use Doxy.me free for HIPAA-covered sessions?
No. You should not use the free Doxy.me plan for telehealth sessions involving PHI. The free plan does not include a BAA, which HIPAA requires before PHI is disclosed to a business associate. Using the free plan for covered sessions creates HIPAA violation exposure. Upgrade to the Professional or Clinic plan before conducting telehealth sessions that involve PHI.
Need a BAA for your Doxy.me integration?
Generate a HIPAA-compliant Business Associate Agreement in minutes — covers all vendor types, free to start.
Generate Your BAA Free →