Doxy.me
Doxy.me | Free for individual patient use, $35 per month and up for providers

Review Date 04/23/2020

Doxy.me is a popular telemedicine platform used by doctors and therapists that bills itself as "simple, free, and secure." This program works through your web browser – like Firefox, Chrome, or Safari – rather than as an app you download to your smartphone or computer. This means keeping your browser updated is crucial to protecting your privacy while online with your doctor. The telemedicine app is free for patients. Health providers and clinics must pay for the service. One thing we found in our research that raised an eyebrow is the fact that providers are able to use the very weak password of '123' for their accounts. Weak passwords are never good, especially on sensitive video calls with your therapist.

Minimum Security Standards

Five basic steps every company should take to protect consumer privacy.

Overall Security Rating
4.5/5 stars
Encryption
Yes
All calls on Doxy.me use end-to-end encryption.
Security updates
N/A
Doxy.me is accessed only through web browsers like Firefox, Chrome, and Safari. This puts the onus of security on the web browser. That means keeping your web browser updated so its security is always up-to-date is extremely important when using Doxy.me.
Strong password
Yes
Doxy.me recently updated their password requirement so that new users are required to sign up with a strong password. Only health providers are required to log in to accounts using a password. Patients are not required to make accounts. Existing users were able to sign up with a weak password such as "123".
Manages vulnerabilities
Yes
UPDATE 6/29/2020: Doxy.me has now added a bug bounty program.
Privacy policy
Yes
https://doxy.me/privacy-policy

What is required to sign up?

Medical practitioners are required to sign in to Doxy.me using an email or with third-party Facebook or Google accounts. Patients and clients are not required to sign in at all and are unable to create an account.

How does it handle privacy?

How does it share data?
Doxy.me is very clear that they do not store patient data. While Doxy.me does collect user data (users in this case are providers, not patients) like email address, full name, phone number, address, company name, location, and academic background, it does not appear to explicitly share this data with third parties. It does, however, give California consumers the option of opting out of the sale of their data, which implies that Doxy.me retains that right generally. It also notes that it retains the right to advertise on its site and that clicks on the icon or banner posted on Doxy.me are tracked.
How are your recordings handled?
Doxy.me does not allow video recording. For paid accounts, practitioners can use photo capture, which they must save to their computer hard drive.
Alerts when calls are being recorded?
N/A
Doxy.me does not allow video recording. However, third-party apps do exist that allow for recording, potentially without notifying other users.
Does the platform say it is compliant with US medical privacy laws?
Yes
Doxy.me can be HIPAA compliant. Please check with your healthcare provider to make sure the version of Doxy.me they use meets all the requirements.

Can I control it?

Host controls
Host can put patients on hold, send patients back to a waiting room, mute audio and video, use the "photo capture" tool, screenshare, and do group calls.
Is it easy to learn and use the features?
Yes
Clients or patients don't have any controls other than "pin to main screen," "mute myself," "turn off camera" and "hide my preview." Practitioner controls are easy to find and explained at https://help.doxy.me

What could happen if something went wrong

We’re afraid a number of things could go wrong. Doxy.me doesn't require a strong password when health care professionals set up an account. And two-factor authentication is not an option, so accounts could easily be hacked. That means a bad person could pretend to be your doctor. Also, there is no requirement to prove you are the actual patient who is supposed to join the call, meaning doctors or therapists who don't have a previously established relationship with a patient might not know if the person who joins their virtual appointment is really who they say they are. Similarly, because the meeting starts when the provider admits the client from the waiting room (after typing their name), anyone who guesses potential patient names could be admitted, but it would only be one person at a time and the provider could end the call. This is all a bit frightening for a video call app targeted at doctors, therapists, and their potentially vulnerable patients.

Updates

Medical Privacy Gets Complicated as Doctors Turn to Video Chats
Consumer Reports
Health comes first, privacy experts say, but when you have a choice, it's best to use a service that complies with HIPAA
