Last Updated: November 8, 2025
DentalBoost.AI ("Dental Boost," "we," "our," or "us") is committed to protecting Protected Health Information (PHI) entrusted to us by our customers.
This page summarizes how we support HIPAA compliance. It is not legal advice and does not replace the obligations in our Business Associate Agreement (BAA).
1. HIPAA Roles
Our customers (dental practices) are typically Covered Entities (CEs) under HIPAA.
DentalBoost.AI is a Business Associate (BA).
We process PHI only:
- under CE instructions,
- to deliver Services, and
- in accordance with HIPAA and our BAA.
A signed BAA is required before PHI is processed.
2. Compliance Commitments
We comply with applicable HIPAA rules, including:
- Privacy Rule – protect PHI and limit its use to the minimum necessary
- Security Rule – maintain safeguards to ensure confidentiality, integrity, and availability
- Breach Notification Rule – notify customers of confirmed breaches within required timelines
3. Security Safeguards
We apply administrative, technical, and physical safeguards including:
Technical Protections
- Encryption in transit (TLS 1.2+) & at rest (AES-256)
- Role-based access control and least-privilege access
- Logging and monitoring
- Multi-factor authentication
- Segmentation and network protections
- Testing and vulnerability scanning
- Encrypted backups and availability processes
Administrative Protections
- HIPAA-aware policies and procedures
- workforce training on privacy/security
- risk assessments and periodic control reviews
- subcontractor vetting and contractual controls
- incident response and escalation processes
Physical Protections
- secure U.S.-based cloud hosting facilities
- restricted facility access
- secured device management practices
4. PHI Handling and Usage
We:
- process PHI only to provide Services such as call handling, scheduling, messaging, reminders, and automation;
- do not sell PHI;
- do not use PHI for marketing or cross-context advertising;
- do not use PHI to train public/shared AI models;
- maintain auditable access trails;
- retain PHI only as long as needed and securely delete or de-identify it thereafter.
We may use de-identified data—consistent with HIPAA de-identification standards—to improve accuracy and functionality.
5. Subprocessors and Vendors
We may engage subprocessors for infrastructure, telephony, AI processing, support, or scheduling.
Subprocessors are required to:
- implement HIPAA-appropriate safeguards;
- limit access/use to service delivery;
- maintain confidentiality; and
- execute BAAs or equivalent agreements where PHI may be involved.
A list of core subprocessors can be provided upon request.
6. Business Associate Agreements (BAAs)
A BAA is executed with each CE before PHI is processed.
The BAA governs:
- permitted uses/disclosures of PHI;
- safeguards;
- breach reporting processes;
- retention/deletion requirements;
- termination procedures.
In any conflict between this page or other policies and the BAA regarding PHI, the BAA controls.
7. Workforce Access and Policies
Only personnel with a legitimate business need receive access to PHI.
Workforce members undergo confidentiality and HIPAA/security training.
Access is logged, monitored, and revoked immediately as appropriate.
8. Incident Response and Breach Notification
We maintain an incident response program for suspected or actual security events.
In the event of a confirmed breach of unsecured PHI, we will notify affected Covered Entities without unreasonable delay and no later than required by HIPAA.
We assist Covered Entities in mitigation and documentation.
CEs are responsible for required patient notifications, unless allocated differently in a signed BAA.
9. Customer Responsibilities
Covered Entities must:
- obtain all required patient authorization/consent;
- ensure data submitted to the Services complies with HIPAA and applicable law;
- secure integrated systems (e.g., EHR, PMS, staff systems);
- report suspected PHI misuse to Dental Boost promptly;
- maintain their internal HIPAA compliance programs.
10. Relationship to Terms, Privacy Policy, and BAA
This page provides a high-level overview. It works together with:
- our Terms of Service,
- our Privacy Policy, and
- our Business Associate Agreement (BAA).
Where there is conflict regarding PHI:
- the BAA governs, then
- this page and the Privacy Policy are interpreted consistently with the ToS.
11. Contact
For HIPAA compliance requests or BAA inquiries:
- Email: [email protected]
- Website: https://www.dentalboost.ai