Trust & compliance
Last updated: March 29, 2026
Doctor's Clinic is built for clinics that must protect sensitive health and personal data. This page summarizes how we approach HIPAA-aligned and GDPR-ready practices. It does not replace legal advice, a formal risk analysis, or signed agreements.
HIPAA (United States)
Under HIPAA, covered entities and business associates must safeguard electronic PHI (ePHI). When you use Doctor's Clinic to create, receive, maintain, or transmit ePHI on behalf of your organization, you remain responsible for the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule as they apply to you.
- Separate clinic data: Information for each organization is kept apart so one clinic cannot see another’s records.
- Access control: Staff use individual accounts; sign-in is protected in production. Roles limit sensitive actions to the right people.
- Encryption in transit: Production use should rely on encrypted connections for all access to the service.
- Minimum necessary: Features such as internal notes and staff-only fields help separate patient-facing content from operational commentary.
- Business Associate Agreement: Where Doctor's Clinic acts as a business associate for your ePHI, we can provide a BAA. Request one at contact@doctorsclinic.services.
GDPR & UK GDPR (EEA / UK)
For clinics with patients or staff in the European Economic Area, UK, or Switzerland, the General Data Protection Regulation (and UK GDPR) may apply. We support a GDPR-oriented posture:
- Transparency: Our Privacy Policy describes processing, purposes, and rights.
- Data subject rights: We respond to access, rectification, erasure, and other requests as described in the Privacy Policy and applicable law.
- Processor terms: Where we process personal data on your instructions, a Data Processing Agreement (DPA) can be provided to meet Article 28 requirements—contact us to execute one.
- International transfers: We use appropriate safeguards (e.g. Standard Contractual Clauses) when personal data leaves the EEA/UK, as required.
- Registration consent: New organizations must accept our Terms and Privacy Policy before creating an account, documenting acknowledgment of how data is handled.
Security operations
We follow secure development practices, keep dependencies current, and limit who can access production systems. Additional protections against common web risks are applied where appropriate.
What you should still do
- Execute a BAA or DPA where legally required before processing regulated data.
- Train staff on policies, passwords, and device security.
- Define retention and deletion policies for records you store.
- Review vendors who host services or send email on your behalf against your risk tolerance.
Related documents
Privacy Policy · Terms of Service
Contact
Compliance questions: contact@doctorsclinic.services.