Denticode Inc. — HIPAA Business Associate Agreement
This Business Associate Agreement (this "Agreement" or "BAA") is entered into by and between Denticode Inc. ("Business Associate" or "Denticode") and the customer identified in the applicable order form, subscription agreement, master services agreement, statement of work, or similar written agreement ("Covered Entity" or "Customer"). Denticode and Customer may each be referred to as a "Party" and collectively as the "Parties."
This Agreement is effective as of the date Customer first subscribes to, accesses, or uses Denticode's services, unless a separate effective date is stated in an executed agreement between the Parties.
Customer is a dental practice, dental service organization, provider group, or other healthcare entity that may be a "Covered Entity" under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended from time to time, including the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and applicable provisions of the HITECH Act.
Denticode provides AI-assisted dental software and related services, including clinical dictation, audio capture, transcription, clinical note generation, dental documentation support, CDT code guidance, insurance attachment logic, claim-readiness workflows, patient record organization, PMS integration, scheduling support, patient intelligence features, analytics, implementation, support, and related administrative and technical services.
In connection with providing these services, Denticode may create, receive, maintain, transmit, access, process, or store Protected Health Information on behalf of Customer. The Parties therefore enter into this Agreement to comply with HIPAA requirements applicable to business associate relationships.
Capitalized terms used but not otherwise defined in this Agreement have the same meaning as those terms have under HIPAA.
For purposes of this Agreement:
"Breach" has the meaning given to the term "breach" under 45 CFR § 164.402.
"Designated Record Set" has the meaning given to such term under 45 CFR § 164.501.
"Electronic Protected Health Information" or "ePHI" means Protected Health Information that is created, received, maintained, or transmitted electronically.
"HIPAA" means the Health Insurance Portability and Accountability Act of 1996, the HITECH Act, and their implementing regulations, including the Privacy Rule, Security Rule, and Breach Notification Rule, as amended from time to time.
"Protected Health Information" or "PHI" has the meaning given to such term under 45 CFR § 160.103, limited to PHI that Denticode creates, receives, maintains, or transmits on behalf of Customer.
"Security Incident" has the meaning given to such term under 45 CFR § 164.304.
"Services" means the Denticode software, platform, applications, integrations, workflows, support, implementation, analytics, and related services provided to Customer.
"Subcontractor" means any person or entity to whom Denticode delegates a function, activity, or service involving PHI, other than members of Denticode's workforce.
"Unsecured PHI" has the meaning given to such term under 45 CFR § 164.402.
Denticode may use and disclose PHI only as permitted or required by this Agreement, the underlying agreement between the Parties, or as Required by Law.
Denticode may use and disclose PHI as reasonably necessary to provide the Services to Customer, including to:
Denticode may use PHI for Denticode's proper management and administration and to carry out Denticode's legal responsibilities, provided that such use is permitted by HIPAA and this Agreement.
Denticode may disclose PHI for Denticode's proper management and administration or to carry out Denticode's legal responsibilities only if the disclosure is Required by Law or Denticode obtains reasonable assurances from the recipient that the PHI will be kept confidential, used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and that the recipient will notify Denticode of any known breach of confidentiality.
Denticode shall not use or disclose PHI in a manner that would violate HIPAA if done by Customer, except to the extent expressly permitted for a Business Associate under HIPAA.
Denticode shall not:
Denticode shall use, disclose, and request only the minimum necessary PHI to accomplish the intended purpose, except where the minimum necessary standard does not apply under HIPAA.
Customer acknowledges that Denticode provides software tools that assist with clinical documentation, dictation, transcription, CDT code guidance, attachment guidance, narratives, claim-readiness workflows, and related administrative processes.
Denticode does not independently diagnose patients, prescribe treatment, make final clinical determinations, make final billing determinations, submit claims unless separately authorized, or replace the professional judgment of licensed dental professionals or Customer's billing team.
Customer remains solely responsible for reviewing, validating, approving, correcting, finalizing, and submitting all clinical documentation, treatment records, CDT codes, claim information, narratives, attachments, and insurance submissions generated, suggested, organized, or supported by the Services.
Denticode may use automation, machine learning, artificial intelligence, rule-based logic, natural language processing, and other computational methods to provide the Services, provided that Denticode's use of PHI complies with this Agreement.
Denticode may de-identify PHI in accordance with HIPAA. Once information has been de-identified in accordance with HIPAA, it is no longer PHI and may be used and disclosed by Denticode for lawful purposes, including product improvement, analytics, benchmarking, model improvement, documentation logic, CDT code library improvement, insurance attachment logic, workflow optimization, fraud/waste/abuse detection support, research and development, operational analysis, and development of claim-readiness systems.
Denticode may also create and use aggregated statistical or analytical data derived from Customer's use of the Services, provided such data does not identify Customer's patients and does not constitute PHI.
Nothing in this Section permits Denticode to disclose identifiable PHI except as otherwise permitted by this Agreement.
Denticode shall implement and maintain appropriate administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of ePHI that Denticode creates, receives, maintains, or transmits on behalf of Customer.
Such safeguards may include, as applicable:
Denticode shall comply with the HIPAA Security Rule with respect to ePHI.
Denticode shall report to Customer any Breach of Unsecured PHI involving Customer's PHI without unreasonable delay and in no event later than ten business days after Denticode discovers the Breach.
Denticode's notice shall include, to the extent known at the time:
Denticode shall supplement the notice as additional relevant information becomes available.
Denticode shall report Security Incidents involving Customer's ePHI as required by HIPAA. The Parties acknowledge and agree that unsuccessful Security Incidents, including pings, scans, unsuccessful login attempts, denial-of-service attempts, malware probes, and other routine unsuccessful attempts to access systems, are deemed reported through this Agreement and do not require separate notice unless they result in unauthorized access, use, disclosure, modification, destruction, or loss of PHI.
Denticode may use Subcontractors to provide, support, host, secure, maintain, analyze, or improve the Services.
Denticode shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on Denticode's behalf agrees in writing to restrictions, conditions, and safeguards that are at least as protective of PHI as those applicable to Denticode under this Agreement.
Denticode remains responsible for the acts and omissions of its Subcontractors to the extent required by HIPAA and applicable law.
Upon Customer's written request, Denticode shall provide Customer with a list or description of material Subcontractors that may process PHI in connection with the Services, subject to Denticode's reasonable confidentiality and security requirements.
To the extent Denticode maintains PHI in a Designated Record Set on behalf of Customer, Denticode shall make such PHI available to Customer as reasonably necessary for Customer to satisfy its obligations under 45 CFR § 164.524.
Denticode shall not be required to provide direct access to individuals unless required by the underlying agreement between the Parties or otherwise agreed in writing.
Customer is responsible for receiving, evaluating, approving, denying, and responding to requests from individuals for access to PHI.
To the extent Denticode maintains PHI in a Designated Record Set on behalf of Customer, Denticode shall make such PHI available to Customer for amendment as reasonably necessary for Customer to satisfy its obligations under 45 CFR § 164.526.
Customer is responsible for receiving, evaluating, approving, denying, and responding to individual requests to amend PHI.
Denticode shall document disclosures of PHI and make information regarding such disclosures available to Customer as reasonably necessary for Customer to satisfy its obligations under 45 CFR § 164.528.
Denticode is not required to account for disclosures that are exempt from accounting under HIPAA, including disclosures for treatment, payment, or healthcare operations, except to the extent otherwise required by law.
Denticode shall make its internal practices, books, and records relating to the use and disclosure of Customer's PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Customer's or Denticode's compliance with HIPAA.
Nothing in this Section requires Denticode to disclose privileged information, confidential information of other customers, trade secrets, or information unrelated to HIPAA compliance.
Customer shall:
Upon termination or expiration of the underlying agreement, Denticode shall make Customer's PHI reasonably available for export for a commercially reasonable period, unless otherwise agreed in writing.
Following the export period, Denticode shall return or destroy Customer's PHI where feasible, except to the extent Denticode is required or permitted to retain PHI by law, regulation, backup retention, archival systems, legal hold, dispute resolution, audit, compliance, security, or legitimate business continuity requirements.
If return or destruction is not feasible, Denticode shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
Backup copies may be retained in accordance with Denticode's standard backup and disaster recovery procedures, provided such copies remain protected and are not used for any purpose other than backup, recovery, security, compliance, or legal purposes.
Denticode shall not improperly block Customer's access to PHI maintained by Denticode on behalf of Customer where such access is necessary for Customer to meet its obligations under HIPAA, including obligations related to individual access requests.
This Section does not limit Denticode's right to suspend access to the Services to address security threats, unauthorized access, misuse, legal requirements, nonpayment, or violations of the underlying agreement, provided that Denticode makes PHI reasonably available to Customer as required by HIPAA and applicable law.
This Agreement shall remain in effect for as long as Denticode creates, receives, maintains, or transmits PHI on behalf of Customer, unless terminated earlier in accordance with this Agreement.
Customer may terminate the underlying agreement and this Agreement if Customer determines that Denticode has materially breached this Agreement and Denticode fails to cure the breach within a reasonable cure period after written notice, if cure is possible.
Denticode may terminate the underlying agreement and this Agreement if Customer requests or requires Denticode to use or disclose PHI in a manner that would violate HIPAA or applicable law.
Termination of this Agreement shall not relieve either Party of obligations that expressly or by their nature survive termination, including confidentiality, data protection, return/destruction, limitation of use, and compliance obligations.
Denticode shall mitigate, to the extent practicable, any harmful effect known to Denticode resulting from a use or disclosure of PHI by Denticode in violation of this Agreement.
Customer shall mitigate, to the extent practicable, any harmful effect known to Customer resulting from Customer's misuse of the Services, improper configuration, unauthorized user access, or impermissible instruction to Denticode.
Any indemnification, limitation of liability, exclusion of damages, insurance, dispute resolution, and related commercial terms shall be governed by the underlying agreement between the Parties, unless the Parties expressly agree otherwise in writing.
If no such terms exist, each Party shall be responsible for its own acts and omissions and those of its workforce, agents, contractors, and representatives to the extent required by applicable law.
If there is a conflict between this Agreement and the underlying agreement between the Parties with respect to the use, disclosure, protection, return, destruction, or handling of PHI, this Agreement shall control to the extent necessary to comply with HIPAA.
All other terms of the underlying agreement remain in effect.
A reference in this Agreement to a section of HIPAA means the section as currently in effect or as amended in the future.
The Parties agree to take such action as is reasonably necessary to amend this Agreement from time to time as necessary for compliance with HIPAA and applicable law.
This Agreement shall be interpreted as broadly as necessary to permit the Parties to comply with HIPAA.
Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits compliance with HIPAA.
Notices under this Agreement shall be delivered in accordance with the notice provisions of the underlying agreement between the Parties.
If the underlying agreement does not include notice provisions, notices shall be delivered by email and/or nationally recognized courier to the contact information provided by the receiving Party.
This Agreement, together with the applicable underlying agreement, constitutes the entire agreement between the Parties regarding Denticode's use, disclosure, protection, and handling of PHI on behalf of Customer.
The Parties may execute this Agreement electronically, including through an order form, click-through acceptance, online subscription process, or separate written signature page, to the extent permitted by applicable law.