HIPAA Compliance

Health Insurance Portability and Accountability Act

HIPAA Compliance Summary

  • Technical Safeguards: AES-256 encryption, TLS 1.3, MFA, and comprehensive access controls.
  • Administrative Safeguards: Documented policies, regular training, and designated compliance officers.
  • Physical Safeguards: Secure data centers with 24/7 monitoring and access restrictions.
  • Audit Controls: Complete audit trails of all PHI access and modifications.
  • Business Associate Agreements: BAAs available for all covered entities.
  • Breach Response: 72-hour notification commitment for security incidents.

1. What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law that establishes national standards for the protection of sensitive patient health information. While MyDentalPractice primarily serves West African markets, we implement HIPAA-aligned security measures to ensure our platform meets the highest international standards for healthcare data protection.

HIPAA compliance demonstrates our commitment to protecting Protected Health Information (PHI) through comprehensive technical, administrative, and physical safeguards.

2. Our HIPAA Compliance Measures

MyDentalPractice has implemented comprehensive security measures aligned with HIPAA requirements:

  • Risk assessments and security evaluations performed annually
  • Documented policies and procedures for handling PHI
  • Employee training on privacy and security requirements
  • Incident response procedures for potential breaches
  • Business Associate Agreements (BAAs) with all service providers
  • Regular audits of access logs and security controls

3. Technical Safeguards

3.1 Encryption

  • Data at Rest: AES-256 encryption for all stored PHI
  • Data in Transit: TLS 1.3 for all network communications

3.2 Access Controls

  • Unique User Identification: Each user has a unique account with individual credentials
  • Role-Based Access: Permissions tailored to job functions (dentist, receptionist, billing, etc.)
  • Multi-Factor Authentication: Optional MFA for enhanced security
  • Automatic Session Timeout: Inactive sessions terminate after 15 minutes
  • Password Requirements: Minimum 8 characters with complexity requirements
  • Failed Login Lockout: Accounts locked after 5 failed attempts

3.3 Audit Controls

  • Complete audit trail of all PHI access, including who, when, and what was accessed
  • Logging of all login attempts, successful and failed
  • Record of data modifications with before/after values
  • Export and report history tracking
  • Audit logs retained for 7 years

3.4 Transmission Security

  • All data transmitted over HTTPS with TLS 1.3
  • Secure API endpoints with token-based authentication
  • Email communications encrypted where supported
  • SMS notifications sent through secure gateways

3.5 Integrity Controls

  • Data validation on all inputs
  • Checksums for file integrity verification
  • Database transaction logging
  • Automatic backup verification

4. Administrative Safeguards

4.1 Security Management

  • Designated Security Officer responsible for HIPAA compliance
  • Annual risk assessments to identify vulnerabilities
  • Documented security policies reviewed annually
  • Incident response procedures and escalation paths

4.2 Workforce Training

  • Security awareness training for all employees
  • Annual HIPAA compliance refresher training
  • Background checks for employees with PHI access
  • Documented acknowledgment of privacy policies

4.3 Access Management

  • Principle of minimum necessary access
  • Regular access reviews and deprovisioning
  • Immediate termination of access upon employee departure
  • Documented access authorization procedures

4.4 Contingency Planning

  • Data backup procedures with encrypted off-site storage
  • Disaster recovery plan with defined RTO/RPO
  • Business continuity procedures for critical operations
  • Regular testing of backup and recovery procedures

5. Physical Safeguards

5.1 Data Center Security

  • SOC 2 Type II certified data center facilities
  • 24/7 physical security with surveillance
  • Biometric access controls for server rooms
  • Environmental controls (fire suppression, climate control)
  • Redundant power and network connectivity

5.2 Workstation Security

  • Documented workstation use policies
  • Screen lock requirements after inactivity
  • Encryption requirements for devices accessing PHI
  • Remote wipe capability for mobile devices

5.3 Device and Media Controls

  • Procedures for secure disposal of storage media
  • Hardware inventory and tracking
  • Secure data destruction certificates

6. Patient Rights Under HIPAA

Our platform provides tools to help you support patient rights under HIPAA:

6.1 Right to Access

Patients can request copies of their health records. Our platform provides export functionality to generate patient records in standard formats within the required 30-day timeframe.

6.2 Right to Amendment

Patients can request amendments to their records. The platform maintains complete audit trails of all modifications, preserving the original data while documenting any changes.

6.3 Right to Accounting of Disclosures

Our audit logs track all PHI disclosures, enabling you to provide patients with a complete accounting of who has accessed their information.

6.4 Right to Request Restrictions

The platform supports marking records with disclosure restrictions and alerts staff to patient-requested limitations on information sharing.

7. Breach Notification Procedures

Our Breach Response Commitment

In the event of a breach affecting Protected Health Information:

  • Immediate investigation and containment within 24 hours
  • Notification to affected practices within 72 hours
  • Full incident report with root cause analysis
  • Remediation steps and preventive measures

7.1 Detection and Response

  • 24/7 security monitoring for breach detection
  • Automated alerts for suspicious activity
  • Documented incident response procedures
  • Designated incident response team

7.2 Your Notification Responsibilities

As the covered entity, you are responsible for notifying:

  • Affected individuals within 60 days of discovery
  • HHS (if applicable) for breaches affecting 500+ individuals
  • Media outlets for breaches affecting 500+ individuals in a state

We will provide you with all necessary information and support to fulfill these obligations.

8. Business Associate Agreements

8.1 Our Role as Business Associate

When you use MyDentalPractice to store or process PHI, we act as your Business Associate under HIPAA. We are prepared to execute Business Associate Agreements (BAAs) with covered entities.

8.2 BAA Provisions

Our standard BAA includes:

  • Permitted uses and disclosures of PHI
  • Required safeguards we implement
  • Breach notification procedures
  • Termination and data return provisions
  • Audit and compliance verification rights

8.3 Requesting a BAA

To request a Business Associate Agreement, contact us at compliance@mydentalpractice.ng. BAAs are included at no additional cost for Professional and Enterprise plan subscribers.

9. Your Compliance Responsibilities

As a dental practice using our platform, you are the Covered Entity and remain responsible for:

  • Implementing appropriate physical safeguards at your practice
  • Training your staff on HIPAA requirements
  • Managing user access and promptly deactivating departed employees
  • Responding to patient requests for their health information
  • Reporting suspected breaches to us immediately
  • Maintaining your own HIPAA policies and procedures

10. Contact Information

For HIPAA compliance questions or to request a BAA:

Compliance Team

  • Compliance Officer: compliance@mydentalpractice.ng
  • Security Officer: security@mydentalpractice.ng
  • BAA Requests: legal@mydentalpractice.ng

Phone: +234 812 513 9446 | Web: mydentalpractice.ng

Important Note

While MyDentalPractice implements security measures aligned with HIPAA requirements, practices operating in the United States must ensure their complete compliance with all HIPAA regulations, including areas outside of our platform. This document describes our platform's security measures and should not be considered legal advice.