HIPAA Overview

1. HIPAA ROLES

Dental Boost provides software and related services to dental practices and other healthcare-related organizations. Depending on the customer relationship and the Services involved, our customers may act as Covered Entities or Business Associates, and Dental Boost may act as a Business Associate when we create, receive, maintain, or transmit PHI on behalf of a customer in a manner that gives rise to Business Associate obligations under HIPAA.

Where required by applicable law and our service configuration, a signed BAA must be in place before PHI-processing workflows are enabled.

2. PHI-ENABLED WORKFLOWS

Not all Services, features, integrations, or workflows are enabled for PHI by default.

Where required, PHI-related workflows may be activated only after:

• a BAA is in place; and
• any required contractual, technical, operational, or configuration prerequisites have been satisfied.

Dental Boost may suspend, limit, or decline PHI-related workflows until those requirements are met.

3. HOW DENTAL BOOST HANDLES PHI

Where Dental Boost processes PHI on behalf of a customer, Dental Boost uses and discloses PHI only as permitted by applicable law, the applicable BAA, the applicable customer agreement, and the customer's documented instructions.

Depending on the Services purchased and configured, Dental Boost may process PHI in connection with call handling, scheduling, reminders, patient communications, workflow automation, support, and related service delivery.

Dental Boost does not sell PHI. Dental Boost does not use PHI for cross-context advertising or marketing. Dental Boost does not use PHI to train public, shared, or generalized AI models.

4. SAFEGUARDS

Dental Boost maintains reasonable and appropriate administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of information processed through the Services, consistent with the nature of the Services and Dental Boost's role under applicable law and contract.

These safeguards may include, as appropriate to the Services and systems in scope:

• access controls and authentication measures;
• logging and monitoring;
• backup and recovery measures;
• workforce confidentiality and security training;
• vendor and subprocessor controls; and
• incident response and escalation processes.

5. DE-IDENTIFICATION

Where Dental Boost de-identifies PHI, Dental Boost does so only where permitted by applicable law and, where required, authorized by the applicable BAA and customer agreement.

Dental Boost will treat properly de-identified information as de-identified and will not attempt to re-identify it except as expressly permitted by law or contract.

6. SUBPROCESSORS AND VENDORS

Dental Boost may use subprocessors, vendors, and service providers in connection with infrastructure, communications, telephony, scheduling, support, security, and other service delivery functions.

Where such providers handle PHI on Dental Boost's behalf, Dental Boost requires written obligations appropriate to the provider's role, including confidentiality, security, and, where applicable, downstream business associate obligations consistent with Dental Boost's responsibilities under the applicable BAA and law.

Additional information regarding material subprocessors may be made available upon reasonable request, subject to security and confidentiality considerations.

7. INCIDENT RESPONSE AND BREACH NOTIFICATION

Dental Boost maintains incident response processes for suspected or actual security events involving systems in scope for the Services.

If a breach of unsecured PHI occurs at or by Dental Boost in its role as a Business Associate, Dental Boost's PHI-related incident and breach reporting obligations will be governed by the applicable BAA and applicable law.

Where required, Dental Boost will provide information reasonably necessary to support the customer's assessment, mitigation, documentation, and compliance obligations. Unless otherwise expressly allocated in a signed BAA, the customer remains responsible for any required notifications to individuals, regulators, or other third parties.

8. CUSTOMER RESPONSIBILITIES

Customers remain responsible for their own HIPAA compliance obligations, including as applicable:

• determining whether a BAA is required for the intended workflow;
• executing a BAA before submitting PHI where required;
• using the Services in a lawful and HIPAA-compliant manner;
• obtaining any required notices, consents, or authorizations;
• configuring user access, integrated systems, and internal workflows appropriately; and
• promptly notifying Dental Boost of suspected misuse, incidents, or unauthorized disclosures involving PHI.

9. PATIENT RIGHTS REQUESTS

Individuals seeking access to medical or dental records, amendments, accountings, restrictions, or other patient-rights responses should generally contact their healthcare provider directly, except to the extent a signed agreement expressly provides otherwise.

Dental Boost does not independently act as the healthcare provider, records custodian, or designated contact for patient-rights requests except as expressly stated in a signed agreement.

10. RELATIONSHIP TO OTHER AGREEMENTS

This page is a general overview only.

For PHI-related matters, the applicable BAA controls to the extent of any conflict. The broader customer relationship is also governed, as applicable, by the MSA, Order Form, Terms of Service, Privacy Policy, and any other signed agreements.

Nothing on this page expands Dental Boost's obligations beyond those set forth in the applicable BAA or other written agreements.

11. CONTACT

For HIPAA-related questions or BAA requests, contact:

Dental Boost

Email: [email protected]

Website: https://www.dentalboost.ai