Educause Security Discussion mailing list archives

Re: Doximity contract questions


From: "Menne, Michael S" <michael.menne () MNSU EDU>
Date: Mon, 4 Jan 2021 20:37:42 +0000

I don’t have any experience with this vendor specifically, but I recently worked with a vendor that was similarly 
difficult in a different way. They refused to update their HECVAT (they were using an incredibly old version). When we 
asked them specific questions, they answered with documents that were not relevant to the questions asked.  Eventually, 
they walked away.  The questions / suggestions below are generic and may or may not be viable in your situation.  You 
may have already thought of many of them as well.

With other vendors that we’ve tried to negotiate with, we’ve either enforced an addendum or stricken the clauses 
entirely so that they have to be litigated should it come to that.  This one is a little different in that your 
physicians are already using it and some of the clauses aren’t something I would be comfortable striking from a 
contract.  How bad does this vendor want your business?  Is there some leverage you could use on your end to push them 
into negotiation?

Is there a provision within HIPAA / HITECH / Omnibus update that talks about data ownership and addresses the BAA 
concerns?  Is there an outside resource that could force the vendor's hand in negotiation?  We have had lawyers talk to 
lawyers in the past as well. Sometimes it goes well, sometimes it doesn’t. Our software contracts attorney is very 
strict on contract language.

We have a standard contract template that we use that has our required language. Do you have something similar from the 
University that can be used?

Until you are able to get a decent contract with them, I would open a dialogue with the physicians and CMO (or 
equivalent) and explain the data and HIPAA risks of continuing to use these services.  If there is patient data, the 
University and the physicians are in violation of HIPAA by not having a BAA.  Some (or many) of the physicians are 
probably not aware of the risks they have opened the University up to by accepting the terms that are in place in the 
standard EULA and not having a BAA.

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone:  (507) 389-5705
Cell: (507) 405-0717
https://mankato.mnsu.edu/cyberaware


Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended 
recipient(s) and may contain confidential and privileged information.  Any unauthorized review, use, disclosure or 
distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and 
destroy all copies of the original message.



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Burns, Denis" 
<denis.burns () MED FSU EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, January 4, 2021 at 1:32 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Doximity contract questions

If you are on the AAMC CoF, I apologize that you are seeing this again.

Hi all,

So, many organizations who were tempted by the relaxed enforcement and free offerings of Doximity are likely coming 
into the new year to find out that they are taking their “free hit of crack” away and want to be paid now.  Our 
physicians have been using them w/o authorization and so we are working to secure an appropriate license for continued 
(acceptable) use.  Their contract is short and lacking many details (zero data ownership language) and their BAA is 
incredibly one-sided.  They make it clear that they will never return or destroy any data you give them and they claim 
rights to do with it as they please until specifically told otherwise.

Can anyone who is licensed and went through a regular contract/legal review shed some light on how you addressed these 
issues?  Generally I would redline and/or attach an addendum, but the conversation that I have had with them was not 
pleasant and didn’t leave any warm fuzzies.  I can’t help but feel that they are on the border of being hostile to work 
with.

I look forward to any input that others may have.

Thank you and happy New Year!
-d

Denis Burns
Information Security and Privacy Officer - College of Medicine - Florida State University
(850) 644-3648 – denis.burns () med fsu edu<mailto:denis.burns () med fsu edu>

DO NOT provide your username, password, or any personal information requested by any email.
FSU/MED WILL NEVER ask you for your username or password via email.
DO NOT CLICK links or attachments unless you are positive the content is safe.


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
