HIPAA BAA · v1.0.1

Business Associate Agreement

About this document. This Business Associate Agreement governs how DDSALLY LLC creates, receives, maintains, or transmits Protected Health Information on behalf of your dental practice. By creating a DDSALLY account and checking the BAA acceptance box at signup, you electronically accept this BAA on behalf of your Practice; no separate signature is required. The Date of Acceptance and Version Accepted are recorded automatically in DDSALLY's audit log.

DDSALLY LLC Business Associate Agreement

For Dental Practices, Dental Providers, Specialists, and Authorized Dental Office Users

Attorney Review Required. This document is provided for business planning and attorney review. It is not legal advice and should not be used as a final Business Associate Agreement without review by qualified healthcare/HIPAA counsel. Align this document with DDSALLY LLC's Terms of Service, Privacy Policy, security program, and onboarding workflow before use.

Effective Date. The date the Practice or authorized representative clicks "I Agree," checks the acceptance box, creates an account, activates DDSALLY services, or otherwise electronically accepts this BAA.

Business Associate. DDSALLY LLC ("DDSALLY," "we," "us," or "Business Associate").

Covered Entity / Practice. The dental practice, dental provider, specialist, dental office, or HIPAA-covered dental entity that creates an account, subscribes to, accesses, or uses the DDSALLY platform.

Primary Agreement. This BAA is incorporated into DDSALLY's Terms of Service, subscription agreement, order form, online account registration, or other agreement governing the use of DDSALLY services.

1. Electronic Acceptance

By checking the box stating that you agree to this BAA, clicking "I Agree," creating a DDSALLY account, activating DDSALLY services, or using DDSALLY to send, receive, store, or manage Protected Health Information ("PHI"), you represent and agree that:

  • You are authorized to bind the Practice to this BAA;
  • The Practice is a Covered Entity or otherwise has HIPAA obligations with respect to PHI submitted through DDSALLY;
  • The Practice agrees to this BAA electronically;
  • The electronic acceptance of this BAA has the same legal effect as a handwritten signature;
  • The Practice will use DDSALLY only in accordance with HIPAA, this BAA, and DDSALLY's Terms of Service.

If you do not agree to this BAA, you must not use DDSALLY to create, receive, maintain, transmit, upload, send, or store PHI.

DDSALLY may maintain electronic records showing the date, time, user, account, IP address, email address, version number, or other acceptance details associated with the Practice's acceptance of this BAA.

2. Purpose of this BAA

DDSALLY provides a dental referral and communication platform that allows general dentists, dental specialists, dental offices, and authorized dental staff to securely communicate, coordinate referrals, exchange records, upload files, transmit images, send messages, and manage referral-related workflows.

In providing these services, DDSALLY may create, receive, maintain, or transmit PHI on behalf of the Practice. This BAA governs how DDSALLY may use and disclose that PHI and how DDSALLY will protect it.

This BAA is intended to satisfy the requirements of HIPAA, including the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and applicable HITECH requirements.

3. Definitions

Capitalized terms not defined in this BAA have the same meaning as under HIPAA.

  • "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations.
  • "PHI" means Protected Health Information, including electronic Protected Health Information, that DDSALLY creates, receives, maintains, or transmits on behalf of the Practice.
  • "Platform" or "Service" means the DDSALLY website, application, portal, software, referral system, secure messaging tools, file-storage functions, workflow tools, audit logs, support services, and related technology.
  • "Authorized Users" means dentists, specialists, employees, contractors, office managers, treatment coordinators, referral coordinators, dental assistants, hygienists, billing personnel, or other individuals authorized by the Practice to use DDSALLY.
  • "Patient-Submitted Data" means medical, dental, clinical, imaging, diagnostic, treatment, or other PHI submitted directly by a patient into DDSALLY.
  • "Subcontractor" means a third-party vendor or service provider that creates, receives, maintains, or transmits PHI on behalf of DDSALLY.

4. DDSALLY's Role

DDSALLY acts as a Business Associate when it creates, receives, maintains, or transmits PHI on behalf of the Practice.

DDSALLY is not a dental provider, treating provider, referral decision-maker, diagnostic service, payer, health plan, or healthcare clearinghouse.

DDSALLY does not independently determine whether a patient should be referred, diagnosed, treated, contacted, accepted, scheduled, or managed. Those decisions remain the responsibility of the Practice and the participating dental providers.

5. Scope of DDSALLY Services

DDSALLY's services include, but are not limited to:

  • Sending and receiving dental referrals;
  • Communication between general dentists and specialists;
  • Communication between dental offices and authorized staff;
  • Uploading, storing, viewing, and transmitting referral-related files;
  • Sending clinical records, radiographs, photographs, CBCT images, treatment notes, medical histories, dental histories, referral forms, consultation requests, reports, and other dental information;
  • Referral tracking and workflow management;
  • Secure messaging and care coordination;
  • Audit logging and activity tracking;
  • Technical support and account administration;
  • Security monitoring, backup, maintenance, and platform improvement;
  • Sending PHI to patients when directed by the Practice or an authorized dental provider.

6. Important Platform Limitation: Patients Cannot Directly Submit Medical Data

DDSALLY is designed primarily for dentist-to-dentist communication, general dentist-to-specialist communication, specialist-to-general dentist communication, dental office-to-dental office communication, and dental provider-to-patient communication when initiated by the Practice or authorized provider.

DDSALLY is not designed to receive medical, dental, diagnostic, clinical, imaging, or other PHI directly from patients.

The Practice must not instruct patients to upload, submit, message, or send PHI directly into DDSALLY unless DDSALLY has expressly enabled that feature in writing and provided the appropriate privacy, security, and workflow controls.

DDSALLY may allow a Practice or authorized provider to send PHI to a patient. However, unless separately enabled in writing, patients may not send medical or dental data back into DDSALLY.

If DDSALLY inadvertently receives Patient-Submitted Data, DDSALLY may notify the Practice and handle the information in accordance with this BAA, HIPAA, and DDSALLY's applicable privacy and security procedures.

7. Permitted Uses and Disclosures by DDSALLY

DDSALLY may use and disclose PHI only as permitted by this BAA, DDSALLY's Terms of Service, the Practice's instructions, and HIPAA. Permitted purposes include:

  • To provide, operate, maintain, secure, support, troubleshoot, and improve the Platform;
  • To transmit referrals, messages, files, images, forms, clinical records, and related PHI between authorized dental providers and dental offices;
  • To send PHI to a patient at the direction of the Practice or authorized provider;
  • To maintain referral records, communication logs, audit logs, activity logs, and administrative records;
  • To provide customer support and technical support;
  • To perform backup, disaster recovery, security monitoring, vulnerability management, and system maintenance;
  • To carry out DDSALLY's legal responsibilities;
  • For DDSALLY's proper management and administration, as permitted by HIPAA;
  • To provide data aggregation services related to the Practice's healthcare operations, if permitted by HIPAA;
  • To de-identify PHI in accordance with HIPAA;
  • As Required by Law.

DDSALLY will not use or disclose PHI in a way that would violate HIPAA if done by the Practice, except as permitted for DDSALLY's proper management, administration, legal responsibilities, or data aggregation.

8. Prohibited Uses and Disclosures

DDSALLY will not:

  • Use or disclose PHI except as permitted by this BAA, the Terms of Service, the Practice's instructions, or applicable law;
  • Sell PHI;
  • Use PHI for marketing without required authorization;
  • Use PHI for advertising, retargeting, or unrelated commercial profiling;
  • Use PHI to identify, target, or contact patients outside the scope of DDSALLY services;
  • Use PHI to train generalized artificial intelligence or machine learning models unless separately authorized in writing and permitted by HIPAA;
  • Disclose PHI to unauthorized third parties;
  • Permit patients to directly submit PHI into DDSALLY unless DDSALLY has expressly enabled that function in writing;
  • Send PHI to payment processors, analytics tools, advertising tools, or support tools unless those vendors are authorized for PHI and covered by appropriate HIPAA-compliant agreements;
  • Use PHI in a manner inconsistent with HIPAA.

9. Practice Responsibilities

The Practice is responsible for its own HIPAA compliance and for the actions of its Authorized Users. The Practice will:

  • Use DDSALLY only for lawful and HIPAA-permitted purposes;
  • Authorize only appropriate workforce members and dental personnel to access DDSALLY;
  • Maintain accurate user access and promptly deactivate users who no longer need access;
  • Submit only PHI reasonably necessary for referral, treatment, communication, payment, operations, or other permitted purposes;
  • Confirm that each recipient is authorized to receive the PHI being sent;
  • Obtain any required patient consents, authorizations, acknowledgments, or permissions;
  • Maintain its own Notice of Privacy Practices and HIPAA policies;
  • Determine what information belongs in the Practice's Designated Record Set;
  • Maintain clinical records as required by federal and state law;
  • Notify DDSALLY of any restrictions, revocations, confidential communication requests, or limitations that may affect DDSALLY's use or disclosure of PHI;
  • Not instruct patients to send PHI directly to DDSALLY unless DDSALLY has expressly enabled that function in writing;
  • Not upload unnecessary PHI, payment card information, passwords, or unrelated sensitive information into DDSALLY.

10. Provider-to-Provider Referral Communications

DDSALLY may be used to transmit PHI from one dental provider or dental office to another dental provider or dental office for treatment, referral, consultation, care coordination, or related healthcare operations.

The sending Practice is responsible for determining that the disclosure is permitted.

The receiving Practice or provider is responsible for determining how received referral information is incorporated into its own clinical records, treatment records, referral records, or Designated Record Set.

DDSALLY serves as the technology platform that facilitates the communication. DDSALLY does not independently verify the clinical accuracy, completeness, appropriateness, or legal sufficiency of the referral information.

11. Provider-to-Patient Communications

DDSALLY may allow a Practice or authorized provider to send PHI to a patient.

When the Practice uses DDSALLY to send PHI to a patient, the Practice is responsible for:

  • Confirming the patient's identity;
  • Confirming the patient's correct email address, phone number, portal access, or other contact information;
  • Determining whether the communication is permitted;
  • Obtaining any required consent or authorization;
  • Determining whether the communication method is appropriate;
  • Ensuring that the content is accurate and appropriate;
  • Maintaining any required record of the communication.

DDSALLY is not responsible for errors caused by incorrect patient contact information, wrong recipient selection, inaccurate PHI uploaded by the Practice, or misuse of the Platform by the Practice or its Authorized Users.

12. Minimum Necessary

DDSALLY will make reasonable efforts to use, disclose, or request only the minimum PHI necessary to accomplish the intended purpose, except where HIPAA does not require the minimum necessary standard, such as certain treatment-related disclosures.

The Practice is responsible for limiting the PHI it submits to DDSALLY to what is reasonably necessary for the intended purpose.

13. Safeguards and Security Controls

DDSALLY will implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI and electronic PHI.

DDSALLY's safeguards may include:

  • Written HIPAA privacy and security policies;
  • Workforce privacy and security training;
  • Role-based access controls;
  • Unique user identification;
  • Authentication controls;
  • Administrative access controls;
  • Encryption of PHI in transit;
  • Encryption of PHI at rest where supported and appropriate;
  • Audit logs and activity logs;
  • Security monitoring;
  • Vulnerability management and patch management;
  • Backup and disaster recovery procedures;
  • Access review and user deactivation procedures;
  • Subcontractor review and vendor management;
  • Incident response procedures;
  • Periodic risk analysis and risk management activities.

DDSALLY will use commercially reasonable efforts to mitigate, to the extent practicable, any harmful effect known to DDSALLY from a use or disclosure of PHI not permitted by this BAA.

14. Reporting Unauthorized Uses, Disclosures, Security Incidents, and Breaches

DDSALLY will report to the Practice any unauthorized use or disclosure of PHI of which DDSALLY becomes aware.

DDSALLY will notify the Practice of a Breach of Unsecured PHI without unreasonable delay and no later than seventy-two hours after discovery, unless a different timeframe is required by law or agreed in writing.

DDSALLY's notice may include, to the extent known:

  • A brief description of what happened;
  • The date of the incident and date of discovery, if known;
  • The types of PHI involved;
  • The Individuals affected or reasonably believed to be affected, if known;
  • Steps DDSALLY has taken or plans to take to investigate and mitigate harm;
  • Steps DDSALLY has taken or plans to take to reduce the risk of recurrence;
  • Information reasonably needed by the Practice to meet its breach notification obligations.

DDSALLY will also report successful Security Incidents involving electronic PHI without unreasonable delay.

The Parties acknowledge that unsuccessful security events, such as routine scans, pings, unsuccessful login attempts, malware probes, firewall blocks, or similar events, may occur regularly. These unsuccessful events may be reported in a periodic or general manner unless required otherwise by law.

15. Subcontractors and Cloud Service Providers

DDSALLY may use third-party vendors, cloud service providers, hosting providers, infrastructure providers, support vendors, software vendors, security vendors, or other subcontractors to provide the Platform.

DDSALLY will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of DDSALLY agrees in writing to substantially the same restrictions, conditions, and safeguards that apply to DDSALLY with respect to PHI.

DDSALLY may use services such as Amazon Web Services, Google Cloud, Google Workspace, or similar providers only to the extent that DDSALLY has appropriate agreements in place when PHI is involved and only to the extent that the applicable services are configured for HIPAA-appropriate use.

DDSALLY may maintain a list of PHI-touching Subcontractors and may provide that list through its website, account portal, onboarding materials, or upon reasonable request.

16. Patient Rights Support

To the extent DDSALLY maintains PHI in a Designated Record Set on behalf of the Practice, DDSALLY will reasonably assist the Practice with HIPAA-required patient rights requests.

This may include support for access to PHI, amendment of PHI, accounting of disclosures, restrictions on certain uses or disclosures where supported by the Platform, and confidential communication requests where supported by the Platform.

If a patient contacts DDSALLY directly to request access, amendment, deletion, restriction, accounting, or other rights relating to PHI, DDSALLY may direct the patient to the Practice unless DDSALLY is required by law to respond directly.

The Practice remains responsible for verifying the patient's identity, determining whether the request should be granted or denied, and responding to the patient as required by law.

17. Access, Amendment, and Accounting

DDSALLY will make PHI available to the Practice as reasonably necessary for the Practice to meet its HIPAA access obligations.

DDSALLY will make PHI available for amendment and will incorporate amendments as directed by the Practice, to the extent the amendment is technically feasible within the Platform and required by HIPAA.

DDSALLY will document disclosures of PHI made by DDSALLY as necessary for the Practice to respond to a patient's request for an accounting of disclosures and will provide such information upon reasonable written request.

The Parties acknowledge that certain disclosures, including many disclosures for treatment, payment, and healthcare operations, may be excluded from accounting requirements to the extent permitted by HIPAA.

18. Access by the U.S. Department of Health and Human Services

DDSALLY will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by DDSALLY on behalf of, the Practice available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining HIPAA compliance.

19. Referral Records and Retention

DDSALLY may retain referral-related PHI as necessary to support treatment, referral history, audit logs, legal compliance, security, backup, dispute resolution, and record-retention obligations.

Referral communications may involve more than one dental provider or Practice. Information sent by one Practice may become part of another provider's clinical, referral, or Designated Record Set.

If PHI is transmitted to a receiving dental provider or dental office through DDSALLY, DDSALLY may retain that PHI on behalf of the receiving provider or Practice even if the sending Practice later terminates its account or requests deletion.

DDSALLY is not required to delete PHI if deletion would impair another provider's clinical record, referral record, legal retention obligation, audit record, or professional responsibility.

If return or destruction of PHI is not feasible, DDSALLY will continue to protect the PHI under this BAA and will limit further uses and disclosures to the purposes that make return or destruction infeasible.

Because dental record-retention periods vary by state and by type of record, the Practice should consult qualified legal counsel regarding its record-retention obligations.

20. De-Identified Information

DDSALLY may de-identify PHI in accordance with HIPAA.

Once information has been properly de-identified under HIPAA, it is no longer PHI and may be used by DDSALLY for lawful purposes, including analytics, product improvement, security, reliability, research, benchmarking, and business operations.

DDSALLY will not attempt to re-identify de-identified information except as permitted by HIPAA.

21. Artificial Intelligence and Analytics

DDSALLY will not use identifiable PHI to train generalized artificial intelligence models, machine learning systems, diagnostic models, advertising systems, or unrelated analytics tools unless the Practice separately authorizes such use in writing and the use is permitted by HIPAA.

DDSALLY may use de-identified data, technical metadata, operational data, and usage analytics to improve security, reliability, usability, and Platform performance, provided such use complies with HIPAA and this BAA.

If DDSALLY offers AI-assisted features in the future, DDSALLY will implement appropriate privacy, security, contractual, and user-facing disclosures before using such features with PHI.

22. Term and Termination

This BAA begins when the Practice electronically accepts it and remains in effect for as long as DDSALLY creates, receives, maintains, or transmits PHI on behalf of the Practice.

This BAA will terminate when the Practice's DDSALLY account or Services Agreement terminates, except for provisions that must survive termination, including confidentiality, breach cooperation, retention, return or destruction, access to records, indemnification, limitation of liability, and continued protection of retained PHI.

If either Party materially breaches this BAA, the non-breaching Party may provide written notice and a reasonable opportunity to cure.

If the breach is not cured within thirty days, or if cure is not reasonably possible, the non-breaching Party may terminate the affected services or this BAA, as permitted by law and the Terms of Service.

23. Return or Destruction of PHI

Upon termination, DDSALLY will return or destroy PHI received from, or created, received, maintained, or transmitted on behalf of, the Practice, if feasible.

Return or destruction may not be feasible where PHI:

  • Is part of another provider's referral or clinical record;
  • Must be retained for legal, regulatory, audit, backup, security, litigation, or compliance purposes;
  • Exists in routine backup or disaster recovery systems;
  • Must be retained to protect DDSALLY's legal rights or comply with law;
  • Is required by a receiving Practice or provider for record-retention purposes.

If return or destruction is not feasible, DDSALLY will continue to protect the PHI under this BAA and will limit further uses and disclosures to the purposes that make return or destruction infeasible.

24. Indemnification

Subject to DDSALLY's Terms of Service and applicable law, DDSALLY will be responsible for third-party claims, damages, penalties, liabilities, costs, or reasonable attorneys' fees to the extent caused by DDSALLY's material breach of this BAA, violation of HIPAA, or unauthorized use or disclosure of PHI caused by DDSALLY.

Subject to DDSALLY's Terms of Service and applicable law, the Practice will be responsible for third-party claims, damages, penalties, liabilities, costs, or reasonable attorneys' fees to the extent caused by the Practice's misuse of DDSALLY, unauthorized disclosure of PHI, failure to obtain required patient permissions, incorrect recipient selection, inaccurate contact information, unlawful instructions, or HIPAA violation caused by the Practice or its Authorized Users.

25. Limitation of Liability

Any limitation of liability, exclusion of damages, or allocation of risk in DDSALLY's Terms of Service applies to this BAA to the extent permitted by law.

Nothing in this BAA is intended to limit either Party's obligation to comply with HIPAA.

26. Notices

DDSALLY may provide notices under this BAA by email, through the Platform, through the Practice's account, by mail, or through another method permitted by the Terms of Service.

DDSALLY Notice Contact. DDSALLY LLC, Attn: Privacy Officer, privacy@ddsally.com. Address: 5757 Wilshire Blvd, PR5, Los Angeles, CA 90036, USA.

Practice Notice Contact. The email address, account owner, administrator, mailing address, or other notice contact provided by the Practice during account registration or updated in the Practice's DDSALLY account. The Practice is responsible for keeping its notice information current.

27. Updates to this BAA

DDSALLY may update this BAA from time to time to reflect changes in law, regulation, technology, services, security practices, or business operations.

If DDSALLY makes material changes, DDSALLY may provide notice through the Platform, by email, or through another reasonable method.

Continued use of DDSALLY after the effective date of an updated BAA may constitute acceptance of the updated BAA, unless a separate written agreement states otherwise.

If the Practice does not agree to an updated BAA, the Practice must stop using DDSALLY for PHI and may terminate its account according to the Terms of Service.

28. Relationship to Terms of Service

This BAA is incorporated into and forms part of DDSALLY's Terms of Service or other applicable Services Agreement.

If this BAA conflicts with DDSALLY's Terms of Service regarding PHI, HIPAA, privacy, or security obligations, this BAA controls only with respect to PHI and HIPAA-related obligations.

All other terms of the Terms of Service remain in effect.

29. Miscellaneous

No Third-Party Beneficiaries. This BAA does not create rights for any third party, including any patient, except as required by law.

Assignment. DDSALLY may assign this BAA in connection with a merger, acquisition, reorganization, sale of assets, transfer of the Platform, or other business transaction, provided that the successor assumes DDSALLY's obligations regarding PHI. The Practice may not assign this BAA except as permitted by the Terms of Service or with DDSALLY's written consent.

Severability. If any provision of this BAA is found invalid or unenforceable, the remaining provisions will remain in effect to the fullest extent permitted by law.

Governing Law. This BAA is governed by HIPAA and other applicable federal law. To the extent state law applies and is not preempted by HIPAA, this BAA is governed by the law stated in DDSALLY's Terms of Service. If the Terms of Service do not identify governing law, the governing law shall be the law of the state where DDSALLY LLC is organized, unless otherwise required by law.

Entire Agreement Regarding PHI. This BAA, together with DDSALLY's Terms of Service and any applicable subscription agreement or order form, is the complete agreement between DDSALLY and the Practice regarding the use, disclosure, protection, and handling of PHI.

Electronic Acceptance Statement

By checking the box below, clicking "I Agree," creating an account, activating DDSALLY services, or using DDSALLY to send, receive, maintain, transmit, upload, store, or manage PHI, I acknowledge and agree that:

  • I am authorized to accept this Business Associate Agreement on behalf of the Practice;
  • I have read and understand this Business Associate Agreement;
  • The Practice agrees to be legally bound by this Business Associate Agreement;
  • The Practice agrees that electronic acceptance has the same legal effect as a handwritten signature;
  • The Practice will use DDSALLY in compliance with HIPAA, this BAA, and DDSALLY's Terms of Service.

The Date of Electronic Acceptance and the Version Accepted are automatically recorded by DDSALLY at the moment of acceptance, along with the accepting user's account, email address, and IP address.