HIPAA Compliance & Data Security
Last updated: December 10, 2025
At a glance
- HIPAA-aligned US infrastructure and security controls
- Business Associate Agreement (BAA) executed electronically for US Covered Entities
- US-only hosting on AWS (us-east-1, N. Virginia)
- Complete data isolation from UK/EU systems
- AES-256 encryption at rest, TLS 1.2+ in transit
- 6+ year audit log retention via AWS CloudTrail Lake
- No raw audio stored: real-time transcription only
- US-based AI processing: Azure & Google resources in US data centers
- Threat detection via AWS GuardDuty & Macie
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that establishes national standards for protecting sensitive patient health information, known as Protected Health Information (PHI).
Any software that processes, stores, or transmits PHI must implement specific administrative, physical, and technical safeguards. This includes dental practice software that handles patient records, clinical notes, and appointment data.
HIPAA violations can result in significant civil penalties that depend on the nature of the violation, the level of culpability, and inflation-adjusted penalty schedules. Criminal penalties can apply for willful neglect.
Our Approach: Isolated US Infrastructure
We didn't simply add HIPAA features to our existing system. Instead, we built a completely separate US environment using a "shared-nothing" architecture. Your data is physically and logically isolated from our UK/EU infrastructure.
What "Shared-Nothing" Means:
- Separate database: US data is stored in a dedicated MySQL instance, not the same database as UK/EU users
- Separate storage: Files are stored in a US-only S3 bucket with no connection to EU storage
- Separate AI services: Dedicated Azure Speech and Google AI resources in US data centers
- Separate credentials: No shared API keys or access between regions
Where Your Data Lives
Database
AWS RDS (MySQL) in us-east-1 (N. Virginia). AES-256 encryption at rest. Private subnet with no public internet access.
File Storage
AWS S3 in us-east-1. Server-side encryption. All public access blocked.
Speech-to-Text
Azure AI Speech in East US. Real-time transcription. No audio retention.
AI Processing
Google Vertex AI (Gemini) in US Central. Note formatting and structuring.
Security Measures
Encryption at Rest
AES-256 encryption for all stored data using AWS-managed keys.
Encryption in Transit
TLS 1.2+ for all data transmission between your browser and our servers.
Access Controls
Role-based permissions with least-privilege access principles.
Audit Logging
AWS CloudTrail Lake with 6+ year retention for complete audit trails.
Threat Detection
AWS GuardDuty for continuous threat monitoring and alerting.
PHI Scanning
AWS Macie for automated detection of sensitive health information.
Private Network
Database resides in a private subnet with no direct public internet access. All connections go through secure internal networking.
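A verification script for the controls listed above (an added example, not Dentistry Dashboard's code): it evaluates responses shaped like those returned by the AWS RDS, S3 public-access-block and CloudTrail Lake APIs and reports any drift from the stated configuration. The sample responses and resource names are constructed placeholders.

```python
# Added example (not Dentistry Dashboard's code): audit checks for the controls listed
# under "Where Your Data Lives" and "Security Measures". Inputs mirror the response shapes
# of rds:DescribeDBInstances, s3:GetPublicAccessBlock and cloudtrail:GetEventDataStore.
REQUIRED_REGION = "us-east-1"
SIX_YEARS_DAYS = 6 * 365 + 2  # Lake retention is set in days; +2 covers leap days

def check_rds(instance: dict) -> list[str]:
    """Encrypted at rest, not publicly reachable, and placed in us-east-1."""
    findings = []
    if not instance.get("StorageEncrypted"):
        findings.append("rds: storage is not encrypted at rest")
    if instance.get("PubliclyAccessible"):
        findings.append("rds: instance is publicly accessible")
    zone = instance.get("AvailabilityZone", "")
    if not zone.startswith(REQUIRED_REGION):
        findings.append(f"rds: availability zone {zone!r} is outside {REQUIRED_REGION}")
    return findings

def check_s3_public_access_block(config: dict) -> list[str]:
    """All four settings must be on for "all public access blocked" to hold."""
    flags = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return [f"s3: {flag} is not enabled" for flag in flags if not config.get(flag)]

def check_cloudtrail_lake(store: dict) -> list[str]:
    """Retention must cover the 6-year requirement and the store must resist deletion."""
    findings = []
    retention = store.get("RetentionPeriod", 0)
    if retention < SIX_YEARS_DAYS:
        findings.append(f"cloudtrail lake: retention {retention} days is below {SIX_YEARS_DAYS}")
    if not store.get("TerminationProtectionEnabled"):
        findings.append("cloudtrail lake: termination protection is disabled")
    return findings

def audit(instance: dict, s3_block: dict, store: dict) -> list[str]:
    """An empty list means every listed control is in place."""
    return check_rds(instance) + check_s3_public_access_block(s3_block) + check_cloudtrail_lake(store)

# Constructed sample responses; identifiers are placeholders, not real resources.
COMPLIANT_RDS = {"DBInstanceIdentifier": "example-db", "StorageEncrypted": True,
                 "PubliclyAccessible": False, "AvailabilityZone": "us-east-1a"}
DRIFTED_RDS = {"DBInstanceIdentifier": "example-db", "StorageEncrypted": True,
               "PubliclyAccessible": True, "AvailabilityZone": "eu-west-2a"}
COMPLIANT_S3_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                      "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
COMPLIANT_LAKE = {"Name": "example-store", "RetentionPeriod": 2557, "TerminationProtectionEnabled": True}
SHORT_LAKE = {"Name": "example-store", "RetentionPeriod": 365, "TerminationProtectionEnabled": False}

if __name__ == "__main__":
    print("\n".join(audit(DRIFTED_RDS, COMPLIANT_S3_BLOCK, SHORT_LAKE)))
```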
Business Associate Agreement (BAA)
Under HIPAA, any vendor that handles PHI on behalf of a covered entity must sign a Business Associate Agreement (BAA). This legally binds us to HIPAA compliance standards.
Our BAA Coverage:
- AWS: We have an active BAA with Amazon Web Services covering all US infrastructure
- Azure: BAA in place for Azure AI Speech services
- Google Cloud: BAA in place for Vertex AI services
- Your Practice: Our BAA is provided electronically and must be accepted before PHI is entered into the system
View our full Business Associate Agreement. Contact info@dentistrydashboard.com for a copy or questions.
Your Rights Under HIPAA
- Access: Request access to your practice's stored data at any time.
- Amendment: Request corrections to any inaccurate information.
- Accounting: Request an accounting of disclosures of PHI.
- Restriction: Request restrictions on certain uses of PHI.
- Deletion: Delete saved notes, chats, and patient data from our system.
- Breach Notification: We will notify you promptly of any security incident affecting your data.
What Dentistry Dashboard Does NOT Do
- We don't store raw audio recordings from transcription sessions.
- We don't share, sell, or use patient data for marketing or training AI models.
- We don't make clinical decisions. AI Notes is for documentation support only.
- We don't transfer US patient data to UK/EU systems by design.
- We are designed to avoid logging PHI in application logs and error reports, and configure logging to minimise sensitive data capture.
Frequently Asked Questions
Is my data really separate from UK/EU users?
Yes. We use a "shared-nothing" architecture. Your database, file storage, and AI processing are all on dedicated US infrastructure with no connection to our EU systems.
Do I need a BAA?
Yes. A BAA is required for US Covered Entities that use the Services with PHI. Our BAA is provided electronically and must be accepted before PHI is entered into the system.
Where exactly is my data stored?
All data is stored in AWS us-east-1 (N. Virginia) data centers, which are HIPAA-eligible and covered by our BAA with Amazon.
What about the AI processing?
Our AI services (speech-to-text and language processing) run on dedicated Azure and Google resources in US data centers. The US environment is designed to keep PHI within US-based infrastructure.
How long do you retain audit logs?
Audit logging is retained for at least 6 years via AWS CloudTrail Lake. HIPAA-required security documentation is also retained for at least 6 years.
What happens if there's a data breach?
We have incident response procedures in place. In the unlikely event of a breach, we will notify affected customers promptly as required by HIPAA's Breach Notification Rule.
Ready to Get Started?
Join US dentists who trust Dentistry Dashboard for HIPAA-compliant AI clinical notes.
Email: info@dentistrydashboard.com