Trust & HIPAA
Who operates Doctalink
Doctalink is an end-to-end encrypted messaging service for verified U.S. healthcare providers, operated as a sole proprietorship by Nithin Jay Dodla (Texas, USA). Security and privacy questions: doctalinksupport@gmail.com.
HIPAA business-associate status
When a healthcare provider or practice (a HIPAA covered entity) uses Doctalink to transmit Protected Health Information (PHI), Doctalink acts as their Business Associate. We sign a Business Associate Agreement (BAA) with each such customer before any real PHI is exchanged. To request a BAA, email us.
How we protect your data
- End-to-end encryption. Messages are encrypted on your device with the Signal Protocol. We store only ciphertext we cannot read; lock-screen notifications never contain message content.
- Encryption in transit and at rest. Modern TLS with HSTS in transit; encrypted at rest on U.S.-based HIPAA-compliant cloud infrastructure.
- Access controls. Provider verification (NPI + institutional email + phone), optional biometric unlock, session auto-lock, and device/app attestation.
- Audit logging. Security-significant events are logged (without message content) and retained for six years per the HIPAA Security Rule.
- Administrative safeguards. Documented risk analysis, incident-response and breach-notification plans, contingency/backup plan, sanction policy, and workforce access controls.
Subprocessors
We use the following categories of service providers. Those that may process PHI on our behalf are covered by a signed Business Associate Agreement.
| Category | Purpose | BAA |
|---|---|---|
| Cloud infrastructure (U.S.) | Hosting, database, authentication, notification routing, storage, logging | Yes, executed |
| Push-notification services | Mobile push delivery (no PHI in payload) | Carrier (no PHI) |
| National Provider Identifier (NPI) registry | Verifies the NPI you provide against public records | Public data (no PHI) |
We do not sell or share your information for advertising, and we use no third-party advertising or analytics SDKs.
Named-provider details, ciphersuite specifics, and copies of our executed BAAs are available to enterprise and health-system reviewers under NDA. Contact us at doctalinksupport@gmail.com.
Reporting a security concern
To report a suspected vulnerability or security incident, email doctalinksupport@gmail.com. We investigate all good-faith reports.
Policies
Privacy Policy · Terms of Service · Business Associate Agreement