About this page: This page describes DocsMD™'s HIPAA Business Associate practices and provides access to our standard Business Associate Agreement template. A signed BAA is required before DocsMD accesses, processes, or stores any Protected Health Information ("PHI") on behalf of a healthcare practice.
What is a Business Associate Agreement?
Under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and implementing regulations at 45 C.F.R. Parts 160 and 164, a healthcare practice ("Covered Entity") that engages a third-party service provider to perform functions involving Protected Health Information must enter into a written Business Associate Agreement with that service provider ("Business Associate"). The BAA is a legally required contract that ensures the Business Associate will safeguard PHI in accordance with HIPAA.
DocsMD operates as a HIPAA Business Associate to every contracted healthcare practice. We execute a BAA with each Practice before any PHI is transmitted, accessed, or stored.
DocsMD's HIPAA Commitments
As a Business Associate, DocsMD agrees to:
- Use and disclose PHI only as permitted by the BAA and by HIPAA
- Implement administrative, physical, and technical safeguards to protect PHI
- Comply with the HIPAA Security Rule (45 C.F.R. §§ 164.302–164.318)
- Comply with the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400–164.414)
- Report any security incident or breach affecting PHI to the Practice without unreasonable delay
- Ensure that all subcontractors handling PHI execute equivalent agreements
- Make PHI available to the Practice for access, amendment, and accounting of disclosures as required by HIPAA
- Return or destroy PHI upon termination of the agreement
Subprocessor Business Associate Agreements
DocsMD has executed Business Associate Agreements with all subprocessors that handle PHI:
| Subprocessor | Function | BAA Status |
|---|---|---|
| Airtable, Inc. | Database / data store | BAA executed (Business plan) |
| Make.com (Celonis) | Workflow automation | BAA executed (Team plan) |
| Twilio Inc. | SMS / telephony | HIPAA-eligible configuration; BAA via Twilio HIPAA program |
| Anthropic, PBC | AI / LLM processing | Per Anthropic enterprise terms; PHI minimized in prompts |
Standard BAA Template
DocsMD's standard Business Associate Agreement covers the following provisions in alignment with 45 C.F.R. § 164.504(e):
- Permitted Uses and Disclosures of PHI
- Obligations and Activities of Business Associate
- Safeguards (Administrative, Physical, Technical)
- Reporting of Breaches and Security Incidents
- Subcontractor Obligations
- Access, Amendment, and Accounting of PHI
- HHS Audit Cooperation
- Term and Termination
- Return or Destruction of PHI Upon Termination
- Indemnification and Liability
- Governing Law (Arizona)
- Survival of Obligations
Request the BAA: Practices ready to engage DocsMD will receive the standard BAA via DocuSign as part of onboarding. To request a copy in advance for legal review, contact hello@docsmd.com.
Patient Rights Under HIPAA
Patients have the following rights with respect to their PHI:
- Right of Access: Request a copy of your medical record from your healthcare practice
- Right to Amend: Request corrections to your medical record
- Right to an Accounting of Disclosures: Request a list of disclosures of your PHI
- Right to Request Restrictions: Request limits on uses and disclosures
- Right to Confidential Communications: Request communications by alternative means or to alternative addresses
- Right to Notice of Privacy Practices: Receive your practice's notice of privacy practices
- Right to Notification of Breach: Be notified if your PHI is breached
To exercise these rights, contact your healthcare practice directly. DocsMD processes PHI only at the direction of and on behalf of the practice.
Reporting a Privacy Concern
If you believe your privacy rights have been violated, you may file a complaint with:
- Your healthcare practice's Privacy Officer (preferred first step)
- DocsMD at hello@docsmd.com
- The U.S. Department of Health and Human Services, Office for Civil Rights, at www.hhs.gov/ocr
You will not be retaliated against for filing a complaint.
Contact
DocsMD™ HIPAA Compliance
DocsMD LLC
HIPAA Privacy Officer
24871 S Ellsworth Rd, Suite 100-170
Queen Creek, Arizona 85142, USA
Email: hello@docsmd.com