A note on “HIPAA certified”
Our role
When you back up dental-practice systems with DDSArk, those backups may contain protected health information (PHI). In that work we act as your business associate under HIPAA: we handle PHI only to provide backup and recovery, only as your agreement permits, and never for our own purposes.
The Business Associate Agreement
We sign a Business Associate Agreement (BAA) with every customer that handles PHI, at no additional cost. The BAA is a binding contract that sets out how we protect PHI, what we may and may not do with it, how we report incidents, and what happens to PHI when our relationship ends. It satisfies the business-associate requirements of the HIPAA Privacy and Security Rules.
Administrative, physical & technical safeguards
HIPAA requires layered safeguards. Here is how we meet them:
- AES-256 encryption of PHI at rest and TLS in transit
- Immutable, object-locked backups that ransomware cannot destroy
- Role-based access with mandatory multi-factor authentication
- Append-only audit logging of access to PHI
- HIPAA-aligned safeguards and a signed BAA
- Documented breach-notification and incident-response procedures
Breach notification
If a breach of unsecured PHI occurs, we notify you without unreasonable delay and within the timeframes required by HIPAA and our BAA, with the information you need to meet your own notification obligations. Because PHI in DDSArk is encrypted, much of it qualifies for HIPAA’s safe-harbor treatment.
Request a BAA
Need a signed BAA, our security documentation, or a completed security questionnaire for your compliance file? Email [email protected] and we’ll turn it around within two business days.