HIPAA Compliance Built In

A signed BAA is executed with every dental practice before any PHI is accessed or stored.

• BAA is available on request and is executed before your practice enters any patient data
• Covers all permitted uses and disclosures of PHI under 45 CFR Part 164
• Subcontractors who handle PHI are required to sign their own BAAs
• BAA aligns with OCR model language and is reviewed by HIPAA counsel annually
• Executed electronically — no paper, no delays before go-live

AES-256-GCM encryption at rest, TLS 1.3 in transit, MFA, and complete audit logs on every PHI access.

• AES-256-GCM encryption at rest for all PHI and sensitive data
• TLS 1.3 enforced for all data in transit — no insecure protocols accepted
• Multi-factor authentication (MFA) supported and enforced by default
• Automatic session timeout after configurable inactivity period
• Tamper-evident audit logs: every PHI access logged with user, timestamp, and action
• Unique user IDs — shared credentials are not permitted
• Audit log retention for 6 years per 45 CFR § 164.312(b)

Designated Privacy Officer, annual workforce training, documented policies, and a full risk management program.

• Designated HIPAA Privacy Officer and Security Officer on staff
• All workforce members complete HIPAA training at hire and annually thereafter
• Documented access authorization and management procedures
• Background checks required for all personnel with PHI access
• Annual HIPAA risk analysis and risk management plan per 45 CFR § 164.308
• Incident response and breach notification procedures fully documented and rehearsed
• Security awareness training updated as threats evolve

SOC 2 Type II certified data centers with biometric access controls, surveillance, and redundant power.

• Hosted in SOC 2 Type II certified data center infrastructure
• Physical access restricted to authorized personnel via biometric and badge controls
• 24/7 security surveillance at all facilities
• Redundant power, cooling, and network connectivity for high availability
• Workstation security policies governing all staff who access PHI
• Device and media controls: secure disposal of all hardware before decommissioning
• No PHI is processed or stored on unmanaged personal devices

Automated breach detection, 60-day notification SLA, and a documented incident response team on call 24/7.

• Automated anomaly detection flags potential breaches in real time
• Security incidents triaged within 4 hours by on-call response team
• Breach notification to Covered Entity within 60 days of discovery, per 45 CFR § 164.410
• Notification includes: nature of breach, PHI involved, steps taken, and remediation plan
• Post-incident root cause analysis and corrective action plan delivered within 30 days
• Annual tabletop breach response exercises to keep team readiness current
• Full incident log maintained for regulatory review

Role-based access ensures clinicians see clinical data, billing staff see financial data — and nothing more.

• Role-based access control (RBAC) with predefined roles: dentist, hygienist, front desk, biller, admin
• Custom roles configurable to match your practice's internal access policies
• Clinical PHI (charts, X-rays, notes) restricted to clinical roles by default
• Financial and insurance data restricted to billing and admin roles by default
• Multi-location DSO groups: location staff see only their location's patients by default
• PHI access requests outside role scope require explicit practice-level override and are logged
• Access review reports available quarterly for compliance documentation