HIPAA posture
This page documents Dental Refer's engineering and operational controls for HIPAA. It is informational; the binding document for any covered-entity subscriber is the executed Business Associate Agreement.
Administrative safeguards
Designated Security Officer + Privacy Officer (combined role today; separable when org size requires). Workforce sanction policy. Information access management with role-based authorization. Security awareness training for engineering hires. Documented incident response runbook with on-call rotation.
Technical safeguards
Unique user identifier per workforce member. Automatic session logoff (30-minute idle, 12-hour absolute). Encryption + decryption of PHI at rest (AES-256-GCM envelope encryption, Phase C runtime-proven) and in transit (TLS 1.2+ minimum). Audit controls: immutable, hash-chained audit_log on every PHI read, write, and attachment download.
Physical safeguards
Production infrastructure hosted on Vercel (SOC 2 Type 2) + Neon Postgres (HIPAA-ready, BAA available) + Cloudflare R2 (SOC 2 Type 2 + HIPAA-eligible) + AWS SES (HIPAA-eligible, BAA available). No PHI on developer laptops; remote work uses encrypted endpoints with corporate-grade access policies.
Minimum necessary
API responses scope PHI fields to the operation. Roles see only what their role needs. Audit metadata uses hashed identifiers (hashRecipient, hashEmail, hashId) — never raw PHI. PHI is never included in logs, error messages, or external API payloads (including AI services until BAA execution).
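The two controls above (a hash-chained audit log, and audit metadata that carries only hashed identifiers) can be checked mechanically. The following is an added illustration in Python, not Dental Refer's own code: it assumes identifiers are hashed with a keyed hash (HMAC-SHA256 under a deployment secret, so a reader of the audit table cannot confirm a guessed email by hashing it), uses the field names hashId and hashEmail from the page, and constructs its own sample events. The verifier recomputes every entry's hash and checks each entry's prev pointer, so an edited or deleted row breaks the chain at a known position.

```python
import hashlib
import hmac
import json

# Assumption (not stated on the page): identifiers are hashed with HMAC-SHA256
# under a deployment secret. Constructed key for this example only; a real
# deployment would load it from a secrets manager, never from source.
IDENT_KEY = b"constructed-example-identifier-key"

GENESIS = "0" * 64  # prev-hash value used by the first entry in the chain


def hash_identifier(value: str) -> str:
    """Keyed hash of a PHI identifier (email, record id) so audit rows carry no raw PHI."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(IDENT_KEY, normalized, hashlib.sha256).hexdigest()


def canonical(obj: dict) -> bytes:
    """Deterministic JSON encoding; writer and verifier must agree on it byte for byte."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(entry: dict) -> str:
    """SHA-256 over every field except 'hash' itself; 'prev' is included, which links the chain."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


def append_entry(log: list, actor: str, action: str, record_id: str,
                 recipient_email: str = None) -> dict:
    """Append one hash-chained audit entry. 'actor' is a workforce user id, not PHI."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {
        "seq": len(log),
        "actor": actor,
        "action": action,  # read / write / attachment_download
        "hashId": hash_identifier(record_id),
        "hashEmail": hash_identifier(recipient_email) if recipient_email else None,
        "prev": prev,
    }
    entry["hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Return (True, None) if the chain is intact, else (False, seq of the first bad entry)."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev") != expected_prev:
            return False, i  # a row was removed, inserted or reordered
        if entry_hash(entry) != entry.get("hash"):
            return False, i  # a row's contents were edited after the fact
        expected_prev = entry["hash"]
    return True, None


def leaks_value(log: list, raw_value: str) -> bool:
    """True if a raw identifier appears anywhere in the serialized log (it should not)."""
    return raw_value in json.dumps(log)


def build_sample_log() -> list:
    """Constructed sample: three PHI events from one referral's lifecycle."""
    log = []
    append_entry(log, "user-17", "write", "referral-0042", "jane.doe@example.com")
    append_entry(log, "user-23", "read", "referral-0042")
    append_entry(log, "user-23", "attachment_download", "referral-0042", "jane.doe@example.com")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_chain(sample))
    sample[1]["action"] = "write"  # simulate an after-the-fact edit
    print("after tamper:", verify_chain(sample))
```

The chain only proves integrity from the point a verifier last recorded a trusted head hash; in practice the latest hash is also anchored somewhere the database writer cannot modify (a separate store or periodic signed checkpoint), otherwise an attacker with write access to the table could rewrite the whole chain consistently.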
Business associate agreements (BAAs)
BAAs in place with downstream PHI processors: Neon (DB), Cloudflare (storage + CDN), AWS SES (email), Twilio (SMS), SRFax (eFax). Anthropic (Claude API) BAA pending — all AI features ship inert until executed. We will provide a BAA to subscribers on request; contact [email protected].
Patient rights
Patients have the right to access and amend their records, to request an accounting of disclosures, and to request restrictions on use. Implementation supports patient view of their referral status (patient portal) and structured audit log queries by the patient's referring office. Requests to access or delete patient records are routed through the referring office under the Privacy Rule's designated record set rules.
Breach response
Defined incident response runbook with 24/72-hour triage SLAs. Notification within 60 days of discovery for breaches affecting > 500 individuals (HHS + media); within 60 days for smaller breaches (HHS annual report). Subscribers notified per BAA terms. Mandatory documentation retained for 6 years.
Requesting a BAA or breach disclosure
Email [email protected] with your organization details. We countersign BAAs within 5 business days under standard terms; custom terms reviewed case-by-case.