01 Overview

CHAIRSIDE is built for dental practices, and dental practices handle some of the most sensitive information in healthcare. We treat HIPAA compliance as a foundational requirement, not a feature. This page explains how CHAIRSIDE handles Protected Health Information (PHI), the safeguards we maintain, and the contractual framework that governs every practice using the platform.

In Plain Terms

Your practice owns its patient data. CHAIRSIDE acts as your Business Associate under HIPAA. We handle PHI only as needed to deliver the Service, with technical, administrative, and physical safeguards required by the HIPAA Security Rule — and we sign a Business Associate Agreement with every practice before going live.

02 Our Role as a Business Associate

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the HITECH Act:

  • Your dental practice is a Covered Entity under 45 C.F.R. § 160.103.
  • CHAIRSIDE is a Business Associate that creates, receives, maintains, or transmits PHI on behalf of the practice.
  • The relationship is governed by a written HIPAA Business Associate Agreement (BAA) executed between the practice and CHAIRSIDE before any PHI is exchanged.

This means CHAIRSIDE is contractually and legally bound to handle PHI only as the practice authorizes, to maintain HIPAA-required safeguards, and to report breaches according to HIPAA rules.

03 What is PHI?

Protected Health Information includes any individually identifiable health information transmitted or maintained in any form. In a dental context, that typically means:

  • Patient names, addresses, phone numbers, dates of birth
  • Clinical notes, charts, and treatment history
  • Dental imaging (X-rays, intraoral photos, panoramic images)
  • Insurance information and benefits eligibility data
  • Appointment and scheduling records
  • Billing and account history tied to identifiable individuals

De-identified information — data from which all identifiers have been removed in accordance with 45 C.F.R. § 164.514 — is not PHI and is not subject to HIPAA.

04 Our Safeguards

CHAIRSIDE maintains administrative, physical, and technical safeguards required by the HIPAA Security Rule, including:

Technical Safeguards

  • Encryption of PHI at rest using managed key infrastructure
  • Encryption of PHI in transit using industry-standard transport encryption
  • Multi-factor authentication for all administrative access
  • Role-based access controls and least-privilege provisioning
  • Audit logging of access to and modification of PHI
  • Automatic session timeouts and credential rotation

Administrative Safeguards

  • Workforce training on HIPAA, PHI handling, and security awareness
  • Designated privacy and security officials
  • Documented policies and procedures covering PHI
  • Periodic risk assessments and remediation
  • Subcontractor due diligence and BAA execution
  • Incident response and breach notification procedures

Physical Safeguards

  • Hosting in SOC 2 Type II- and HIPAA-aligned cloud data centers
  • No PHI stored on portable or removable media
  • Workstation security policies for all team members handling PHI

05 BAA Process for Practices

Every practice that subscribes to CHAIRSIDE signs a HIPAA Business Associate Agreement before any PHI is exchanged. The BAA is provided alongside the SaaS Subscription Agreement and covers:

  • Permitted and required uses and disclosures of PHI
  • Required safeguards and the Security Rule
  • Reporting of unauthorized uses, disclosures, and breaches
  • Subcontractor requirements and flow-down obligations
  • Patient rights of access, amendment, and accounting of disclosures
  • Return or destruction of PHI upon termination

If you are evaluating CHAIRSIDE for your practice and need to review the BAA in advance, request a copy at support@bit9itsolutions.com.

06 Breach Notification

If CHAIRSIDE discovers a breach of unsecured PHI, we will notify the affected practice without unreasonable delay and no later than 30 calendar days after discovery, in accordance with 45 C.F.R. § 164.410. The notification will include:

  • Identification of each affected individual (to the extent reasonably available)
  • A description of what happened and when
  • The types of unsecured PHI involved
  • Steps taken to investigate, mitigate harm, and protect against further breaches
  • Contact information for follow-up

The practice retains responsibility for any required notifications to affected individuals, the U.S. Department of Health and Human Services, and the media (where applicable) under 45 C.F.R. §§ 164.404, 164.408, and 164.406.

07 Subprocessor BAAs

CHAIRSIDE relies on a small number of subprocessors to deliver the Service. Where these subprocessors handle PHI, CHAIRSIDE has executed or is executing the appropriate Business Associate Agreement, with one exception noted below: Sikka Software provides its BAA directly to your practice as part of the practice authorization process. The detailed status for each subprocessor:

Subprocessor                  | Function                                                              | BAA Status
Amazon Web Services           | Cloud infrastructure, database hosting, encrypted object storage      | Executed with CHAIRSIDE
Anthropic PBC                 | AI processing for treatment planning, summaries, decision support     | Executed or in process; will be in place prior to any practice onboarding
Sikka Software Corporation    | Practice management system integration and data ingestion             | Provided directly to practice at authorization (separate from CHAIRSIDE BAA)

For full subprocessor disclosure, see the Subprocessors page.

08 How Data Flows

Understanding how PHI moves through the Service:

  1. Authorization. The practice authorizes CHAIRSIDE — and Sikka Software Corporation acting on our behalf — to access the practice management system at the practice’s server.
  2. Ingestion. The Sikka integration agent reads patient records, schedules, clinical notes, imaging, and billing data from the PMS database, encrypts the connection, and transmits to CHAIRSIDE.
  3. Storage. Data is stored in HIPAA-aligned cloud infrastructure with strict practice-level data isolation. All Customer Data is encrypted at rest and in transit using managed key infrastructure.
  4. Processing. The Service processes data to render dashboards, summaries, AI-assisted treatment plan suggestions, and analytics for the practice. AI processing routes structured data to Anthropic PBC. The CHAIRSIDE-Anthropic BAA will be in place prior to any practice onboarding, and the AI provider does not retain or train on practice data.
  5. Access. Authorized users at the practice access the data via the CHAIRSIDE web interface, secured by authentication, session controls, and audit logging.

09 AI & PHI

CHAIRSIDE uses AI to deliver clinical decision support. Our AI handling policies are specifically designed for PHI:

  • AI processing of PHI is governed by a BAA with our AI provider (Anthropic PBC), executed or in process and in place prior to any practice onboarding.
  • The AI provider does not use practice PHI to train its general-purpose models.
  • Cross-practice AI improvements are made only using de-identified data, in accordance with 45 C.F.R. § 164.514.
  • AI Outputs are decision support — clinicians retain full clinical responsibility (see Terms of Service §07).

10 For Patients

If you are a patient of a dental practice that uses CHAIRSIDE and have questions about your dental records:

  • Direct your questions to your dental practice. Your practice is the Covered Entity that maintains your medical record and is the proper party to respond to access, amendment, and accounting-of-disclosure requests under HIPAA.
  • Your dental practice has its own Notice of Privacy Practices that explains how it handles your PHI.
  • If you believe your PHI has been used or disclosed in violation of HIPAA, you may file a complaint with your dental practice or with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr.

11 HIPAA Contact

CHAIRSIDE Privacy & Security Official
Bit9 IT Solutions LLC d/b/a CHAIRSIDE
Colorado
Email: support@bit9itsolutions.com

For BAA requests or to report a suspected security incident affecting PHI, email support@bit9itsolutions.com.