Business Associate Agreement

HIPAA Business Associate Agreement between DentSignal and the Covered Entity.

This BAA satisfies the written-contract requirements of the HIPAA Privacy and Security Rules at 45 CFR 164.504(e) and 164.314(a). It is incorporated by reference into the Master Agreement and takes effect when the Customer accepts it during account signup.

Acceptance record

Your acceptance of this BAA is recorded with a timestamp, originating IP address, and the BAA version shown above. Persisted acceptance records are available on request to your account owner.

Effective date

April 23, 2026

BAA version

2026-04-23

Regulatory basis

45 CFR 164.504(e)

Section 01

Definitions

Capitalized terms follow 45 CFR Parts 160 and 164 (HIPAA Privacy, Security, Breach Notification, and Enforcement Rules) unless defined below.

  • "Business Associate" means DentSignal ("DentSignal," "we," "us") when performing services for the Covered Entity under the Master Agreement.
  • "Covered Entity" means the dental practice, dental service organization, or other HIPAA-regulated entity ("you," "Customer") that accepts this Business Associate Agreement ("BAA").
  • "PHI" means Protected Health Information, as defined at 45 CFR 160.103, that Business Associate creates, receives, maintains, or transmits for or on behalf of Covered Entity.
  • "Services" means the call coverage platform, dashboards, and related software provided under the Master Agreement.
  • "Security Incident" has the meaning given in 45 CFR 164.304.
  • "Breach" has the meaning given in 45 CFR 164.402.

Section 02

Permitted Uses and Disclosures of PHI

Business Associate may use and disclose PHI only as permitted by this BAA, the Master Agreement, or required by law.

  • Business Associate may use and disclose PHI only to perform the Services, for the proper management and administration of Business Associate, to carry out its legal responsibilities, or as required by law.
  • Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 CFR 164.504(e)(2)(i)(B).
  • Business Associate may de-identify PHI in accordance with 45 CFR 164.514(a)-(c). De-identified data is no longer PHI and may be used for service improvement, benchmarking, and model evaluation.
  • Business Associate will not use or disclose PHI in any manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except as expressly permitted in this BAA.
  • Business Associate will not sell PHI or use PHI for marketing except as permitted by 45 CFR 164.502(a)(5).

Section 03

Safeguards

Business Associate will implement administrative, physical, and technical safeguards to protect PHI.

  • Business Associate will implement and maintain administrative, physical, and technical safeguards in accordance with 45 CFR 164.308, 164.310, 164.312, and 164.316 that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI.
  • PHI at rest is encrypted using Fernet (AES-128-CBC + HMAC-SHA256) or an equivalent approved algorithm. PHI in transit is encrypted using TLS 1.2 or greater.
  • Access to PHI is restricted to workforce members with a documented need-to-know and is gated by authentication, role-based access control, and audit logging.
  • Business Associate maintains HIPAA audit logs of PHI access, modification, and disclosure events. Logs are retained for at least six (6) years in accordance with 45 CFR 164.316(b)(2)(i).

Section 04

Subcontractors and Downstream Agents

Business Associate ensures subcontractors that handle PHI execute written BAAs imposing the same obligations.

  • Business Associate will enter into a written agreement with each subcontractor that creates, receives, maintains, or transmits PHI on its behalf that binds the subcontractor to the same restrictions and obligations that apply to Business Associate under this BAA, as required by 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2).
  • Current subcontractors handling PHI include Microsoft (Azure App Service, Azure PostgreSQL Flexible Server, Azure Container Registry, Azure OpenAI Service, Azure Communication Services) and Deepgram Inc. (speech-to-text and text-to-speech). Each has a HIPAA BAA in place.
  • Business Associate will update the list of subcontractors upon request.

Section 05

Reporting and Breach Notification

Business Associate reports Security Incidents and Breaches to Covered Entity without unreasonable delay.

  • Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this BAA of which it becomes aware, including Breaches of Unsecured PHI as required by 45 CFR 164.410.
  • Notification of a Breach will be made without unreasonable delay and in no case later than sixty (60) calendar days after discovery, and will include the information required by 45 CFR 164.410(c) to the extent known at the time.
  • Business Associate will report successful Security Incidents to Covered Entity in the same timeframe. Unsuccessful Security Incidents (pings, port scans, malformed packets, and similar events that do not result in unauthorized access, use, disclosure, modification, or destruction of PHI) are reported in aggregate upon request.

Section 06

Access, Amendment, and Accounting

Business Associate supports Covered Entity's obligations under the HIPAA Privacy Rule for individual rights requests.

  • Business Associate will make PHI maintained in a Designated Record Set available to Covered Entity as necessary to respond to an individual's request for access under 45 CFR 164.524.
  • Business Associate will make PHI available for amendment and incorporate amendments as directed by Covered Entity under 45 CFR 164.526.
  • Business Associate will maintain and make available the information required for an accounting of disclosures under 45 CFR 164.528.
  • Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining Covered Entity's compliance with the HIPAA Rules.

Section 07

Term, Termination, and Return or Destruction of PHI

On termination, Business Associate returns or destroys PHI, or extends protections when return or destruction is infeasible.

  • This BAA takes effect on the Effective Date and remains in effect until the Master Agreement ends or until terminated as provided below.
  • Covered Entity may terminate the Master Agreement and this BAA if Business Associate materially breaches this BAA and fails to cure the breach within thirty (30) days of written notice, or immediately if cure is not feasible, as required by 45 CFR 164.504(e)(2)(iii).
  • On termination, Business Associate will return or destroy all PHI received from, or created or received on behalf of, Covered Entity, in accordance with 45 CFR 164.504(e)(2)(ii)(J). If return or destruction is infeasible, Business Associate will extend the protections of this BAA to the PHI and limit further use and disclosure to the purposes that make return or destruction infeasible.

Section 08

Miscellaneous

Interpretation, amendment, and relationship with the Master Agreement.

  • This BAA supplements and does not replace the Master Agreement. In the event of a conflict between this BAA and the Master Agreement regarding PHI, this BAA controls.
  • The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary to comply with the requirements of the HIPAA Rules.
  • Any ambiguity in this BAA will be resolved to permit the parties to comply with the HIPAA Rules.
  • There are no third-party beneficiaries to this BAA.