Last Updated: May 14, 2026 · Effective Date: May 14, 2026
1. Overview & Who We Are
This Privacy Policy explains how SpecialtyDox LLC ("SpecialtyDox," "we," "us," or "our"), the operator of the SpecialtyDox brand at dox.care, collects, uses, shares, and protects information when you visit our website, become a SpecialtyDox practice customer, contact us, enroll as a patient at a SpecialtyDox-powered practice, or receive SMS / text messages from us.
SpecialtyDox is a healthcare technology platform serving licensed providers and practices across 22+ medical specialties. The platform includes EHR/EMR, scheduling, billing, AI-assisted clinical documentation (DoxScribe), remote therapeutic monitoring (DoxRTM), DME compliance tools, finance and HR modules, and patient-communication services delivered via SMS and voice.
Plain-English summary: We collect the minimum information needed to provide our platform and (for patients of SpecialtyDox-powered practices) the minimum needed to coordinate your care. We do not sell your data. We do not share your phone number or SMS opt-in with anyone for marketing. Reply STOP to any text to opt out.
2. Information We Collect
2.1 Practice / Provider Information
- Practice name, NPI, Tax ID, specialty, mailing address.
- Provider name, credentials, license numbers, contact information.
- Account credentials (email and encrypted password).
- Subscription, billing, and payment information.
2.2 Patient Information (collected by your practice through SpecialtyDox)
- Demographics (name, DOB, address, mobile phone, email).
- Insurance and billing information.
- Clinical information you provide via intake forms, the patient portal, telehealth visits, or messaging — including symptoms, diagnoses, medications, allergies, assessment scores, and uploaded documents/images.
- Device and remote-monitoring data (CPAP usage, glucose readings, BP readings, sleep diary entries) when your practice has enrolled you in remote monitoring.
- Consent records (HIPAA acknowledgment, SMS consent, telehealth consent).
2.3 Automatically Collected Information
- Device and browser information (user agent, IP address, referrer).
- Usage data (pages viewed, links clicked, session timestamps).
- First-party cookies for session management (see Cookies & Tracking).
2.4 SMS / Text Message Data
- Your mobile phone number (collected at intake, online booking, web contact form, or by your practice).
- Your SMS opt-in record (timestamp, source of consent, IP if web-collected).
- The text content of messages exchanged between you and the SpecialtyDox-powered practice.
3. How We Use Your Information
- Treatment — enable your practice to deliver and document clinical care, including AI-assisted documentation (DoxScribe).
- Payment — verify insurance, generate claims, process patient payments.
- Healthcare operations — appointment scheduling, reminders, quality measurement, care coordination.
- SMS communications — appointment reminders, clinical check-ins, remote-monitoring prompts, results notifications, billing reminders, and other clinical messages you've opted in to receive.
- Customer support — respond to questions, troubleshoot issues, fulfill requests from practices and patients.
- Legal & safety — comply with HIPAA, state law, and regulatory obligations; investigate suspected fraud or abuse; protect patient safety in emergencies.
- Service improvement — analyze de-identified usage trends to improve the SpecialtyDox platform.
We do NOT use your information, your mobile number, or your SMS content for advertising or marketing by third parties. We do NOT sell, rent, or trade any of your personal information or PHI.
4. SMS / Text Message Privacy (A2P 10DLC)
SpecialtyDox sends SMS / text messages via Twilio Inc. from registered A2P 10DLC sender +1 (512) 675-6718. Our SMS program is registered with The Campaign Registry (TCR) under SpecialtyDox LLC. Some SpecialtyDox-powered practices use their own A2P 10DLC sender numbers, which will be identified in the message body or sender name.
Full SMS program details, sample messages, and the exact patient consent flow are documented at dox.care/sms.
4.1 No Sharing of Mobile Information for Marketing
No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All categories of mobile-originated data — including your phone number, SMS opt-in/consent status, and the content of text messages you exchange with SpecialtyDox or a SpecialtyDox-powered practice — are excluded from any information-sharing for marketing, advertising, lead-generation, or affiliate promotion.
Information sharing with subprocessors that operate the SMS service on our behalf (Twilio Inc., for message delivery; AWS for hosting; Anthropic, PBC for AI-assisted responses) is permitted strictly to deliver the service. These subprocessors are bound by written agreements (and, where applicable, Business Associate Agreements) that prohibit them from using your information for their own marketing purposes.
4.2 How You Opt In
You can opt in to receive SMS messages from SpecialtyDox or a SpecialtyDox-powered practice in any of the following ways:
- Patient intake form — by checking the SMS-consent box on the practice's paper or digital intake form when you become a patient.
- Online appointment booking — by providing your mobile number and checking the SMS-consent box when you schedule a visit through a SpecialtyDox-powered practice's booking page.
- Web contact form — by submitting a contact request at dox.care or at a SpecialtyDox-powered practice site with the SMS-consent checkbox selected.
- Verbal consent — by giving documented verbal consent to a practice staff member during a phone call (the consent is recorded in your chart with timestamp and the staff member's identity).
Each opt-in source presents this exact disclosure: "By providing my mobile number and checking this box, I consent to receive SMS / text messages from [practice name] (powered by SpecialtyDox LLC) including appointment reminders, clinical check-ins, remote-monitoring prompts, results notifications, and other care-related messages. Message frequency varies. Message and data rates may apply. Reply STOP to opt out. Reply HELP for help. See our Privacy Policy and SMS Terms."
4.3 Categories of SMS Messages You May Receive
| Category | Examples | Frequency |
| --- | --- | --- |
| Appointment | Reminders, confirmations, rescheduling, no-show follow-up. | Up to 4 per appointment. |
| Remote Monitoring (RTM/RPM/CCM) | Daily symptom check-ins, device-data alerts, supply reminders, coaching messages. | Up to 2 per day during active monitoring. |
| Clinical Follow-up | Lab results, post-visit questions, prior-authorization status. | As clinically needed. |
| Account & Billing | Statements, payment confirmations, balance reminders. | As needed. |
| Onboarding & Referral | Intake links after a referral is received, scheduling follow-up. | Up to 3 per referral. |
Overall message frequency varies by your clinical program and the practice. Most patients receive between 1 and 14 messages per week.
4.4 STOP, HELP, and Opt-Out
Reply STOP, END, QUIT, CANCEL, UNSUBSCRIBE, STOPALL, or REVOKE to any SpecialtyDox-originated text message to opt out of all non-emergency SMS communications. You will receive one confirmation message and then no further messages. Re-enroll at any time by replying START or by contacting your practice or SpecialtyDox.
Reply HELP to receive support contact information.
4.5 Costs & Carriers
SpecialtyDox does not charge for SMS messages. Message and data rates may apply based on your mobile plan. Supported carriers include AT&T, T-Mobile, Verizon Wireless, US Cellular, Boost, Cricket, MetroPCS, and most US-based MVNOs. Carriers are not liable for delayed or undelivered messages.
4.6 Privacy of Your Number
- Your mobile number is stored in our HIPAA-compliant infrastructure on AWS RDS (encrypted at rest with AES-256).
- Your number is used only to deliver the SMS communications you opted into and to authenticate you when you contact us.
- Your number is shared only with Twilio Inc. (our SMS carrier) and, where applicable under your care, with your treating clinicians and authorized practice staff.
- Your number is not shared, sold, or rented to data brokers, advertisers, affiliates, or any third party for marketing.
5. Information Sharing & Disclosure
We share information only in these limited circumstances:
- With your treating practice and its authorized staff — for treatment, payment, and healthcare operations consistent with HIPAA.
- With our service providers (subprocessors) — under written contracts and, where PHI is involved, Business Associate Agreements (BAAs). Current subprocessors include: Amazon Web Services, Inc. (hosting, database, storage, messaging); Twilio Inc. (SMS, voice, MMS delivery); Anthropic, PBC (AI text and voice agent responses, AI-assisted clinical documentation); Deepgram, Inc. (speech-to-text and text-to-speech for voice calling); AWS Transcribe Medical (medical speech-to-text for DoxScribe); Stripe, Inc. (payment processing, where used).
- With other healthcare providers — for care coordination at your direction or as permitted by HIPAA.
- With payers and clearinghouses — to verify eligibility, process claims, and obtain prior authorizations.
- With legal and regulatory authorities — when required by law (subpoenas, court orders, public health reporting, law enforcement requests that meet HIPAA's requirements).
- In an emergency — to prevent serious harm to you or others.
- In a business transition — if SpecialtyDox LLC is acquired, merged, or reorganized, your information may transfer to the successor entity under the same privacy protections.
We never share information with data brokers, marketing networks, advertisers, social-media platforms for advertising targeting, or anyone for SMS lead-generation. We never sell your information.
6. HIPAA & Protected Health Information
SpecialtyDox LLC operates as a Business Associate (and, in certain configurations, a Covered Entity) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act. Our use and disclosure of Protected Health Information (PHI) is governed by HIPAA, by our Business Associate Agreements with each practice, and by your treating practice's Notice of Privacy Practices.
You may exercise your HIPAA rights — including the right to access, amend, restrict, and request an accounting of disclosures of your PHI — through your treating practice. SpecialtyDox will support your practice in fulfilling these requests promptly.
In the event of a breach of unsecured PHI, we will notify affected practices and individuals — and, where required, the U.S. Department of Health and Human Services — within the timeframes mandated by HIPAA.
7. Data Security
- TLS 1.2+ encryption for all data in transit (HTTPS).
- AES-256 encryption for data at rest on AWS RDS (PostgreSQL), AWS S3 (documents), and AWS DynamoDB.
- Hosting in AWS US-East-2 (Ohio) inside a HIPAA-eligible account with an executed BAA.
- Role-based access controls; principle of least privilege.
- Mandatory MFA for staff accounts with PHI access.
- Full audit logging of PHI access.
- Automatic session timeout on the patient portal and provider dashboards.
- Incident response plan with defined breach-notification procedures.
No system can be made 100% secure. You can help protect your information by using a strong unique password, enabling MFA, signing out of shared devices, and notifying us immediately of any suspected unauthorized access.
8. Data Retention
We retain medical records on behalf of practices for the longer of (a) the period required by applicable state law, (b) HIPAA's six-year minimum, or (c) the period required by Medicare, Medicaid, or other payer contracts. We retain SMS opt-in records and message logs for at least the duration of the practice's relationship with SpecialtyDox plus 5 years thereafter for compliance and audit purposes.
Non-clinical web analytics data is typically retained for 14 months or less. You may request earlier deletion of non-PHI information you have provided through dox.care by contacting us; PHI deletion is subject to legal retention requirements and the policies of your treating practice.
9. Cookies & Tracking
dox.care uses a small number of cookies and similar technologies:
- Strictly necessary cookies — to keep you signed in and to preserve session state. Cannot be disabled.
- Functional cookies — to remember your preferences (e.g., language, accessibility settings).
- Aggregate analytics — first-party, de-identified usage analytics. We do not use third-party advertising trackers and do not run pixels from Meta, TikTok, Google Ads, or similar advertising networks.
You can control cookies through your browser settings. Disabling cookies may prevent you from signing in or using portal features.
10. Children's Privacy
dox.care is intended for adults (18+). SpecialtyDox-powered practices may treat minor patients when a parent or legal guardian establishes care on the child's behalf. We do not direct marketing to children under 13 and do not knowingly collect personal information from children under 13 in violation of the Children's Online Privacy Protection Act (COPPA). If you believe a child under 13 has provided us information without parental consent, contact us at support@dox.care and we will delete it.
11. Your Rights & Choices
- Access — request a copy of the personal information we hold about you (PHI requests go through your treating practice).
- Correction — ask us to fix inaccurate or incomplete information.
- Deletion — ask us to delete information that is not subject to legal retention.
- SMS opt-out — reply STOP to any text message, or contact us. Opting out of SMS does not affect your eligibility for treatment.
- Email opt-out — use the unsubscribe link in any non-transactional email.
- Complaints — file a complaint with us, with your practice, or with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr or 1-800-368-1019.
12. California Residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the CPRA), including the right to know, delete, correct, and opt out of the "sale" or "sharing" of personal information. SpecialtyDox does not sell or share personal information as those terms are defined under the CCPA. Most health information collected through SpecialtyDox is exempt from the CCPA because it is regulated by HIPAA, but you may still exercise your rights with respect to non-PHI by contacting us at support@dox.care.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last Updated" date at the top will reflect the most recent revision. Material changes will be communicated via the website, the practice portal, and (for active patients) via SMS or email. Your continued use of dox.care after the effective date constitutes acceptance of the revised policy.