HIPAA Compliance

Last Updated: March 21, 2026

Purechart AI LLC (“Purechart”) is committed to meeting and exceeding the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and applicable international data protection regulations. This page outlines how we protect your patients' Protected Health Information (PHI) and maintain compliance across every aspect of our platform.

1. Our Role Under HIPAA

When dental practices, DSOs, and healthcare organizations use Purechart to store, process, or transmit Protected Health Information, Purechart operates as a Business Associate as defined under 45 CFR 160.103. We do not use or disclose PHI except as permitted by our Business Associate Agreement (BAA) and applicable law.

Purechart provides a standardized Business Associate Agreement to all customers. Our BAA is available upon request and is executed prior to processing any PHI.

2. Protected Health Information (PHI)

Under HIPAA (45 CFR 160.103), Protected Health Information includes any individually identifiable health information that is created, received, maintained, or transmitted in any form — electronic, paper, or oral. Within Purechart, this includes but is not limited to:

  • Patient names, addresses, dates of birth, and contact information
  • Appointment records and scheduling history
  • Treatment plans, clinical notes, and charting data
  • Digital consent forms and signed documents
  • Dental X-ray images and diagnostic records
  • Lab order details and tracking information
  • Insurance and billing information
  • Communication records (appointment reminders, messages)

3. HIPAA Privacy Rule Compliance

The HIPAA Privacy Rule governs the use and disclosure of PHI. Purechart implements the following measures to ensure Privacy Rule compliance:

  • Minimum Necessary Standard: Access to PHI is limited to the minimum necessary to accomplish the intended purpose. Role-based access controls ensure staff only see data relevant to their function.
  • Patient Rights: Our platform supports patient rights under HIPAA, including the right to access records, request amendments, and receive an accounting of disclosures.
  • Use and Disclosure Limitations: Purechart does not use or disclose PHI for marketing, sale of data, or any purpose not authorized by the BAA or applicable law.
  • De-identification: When data is used for analytics or product improvement, it is fully de-identified in accordance with the Safe Harbor or Expert Determination methods defined in 45 CFR 164.514.

4. HIPAA Security Rule Compliance

The HIPAA Security Rule establishes standards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI). Purechart implements comprehensive safeguards across three categories:

4.1 Administrative Safeguards

  • Security Officer: Designated security officer responsible for overseeing all HIPAA security policies and procedures
  • Workforce Training: All employees and contractors with access to PHI complete mandatory HIPAA training upon hire and annually thereafter
  • Risk Analysis: Regular security risk assessments conducted in accordance with HHS guidance, with documented findings and remediation plans
  • Access Management: Formal procedures for granting, modifying, and revoking access to systems containing ePHI
  • Incident Response: Documented security incident response plan with defined roles, escalation procedures, and reporting timelines
  • Business Associate Management: All subcontractors and third-party service providers with access to PHI are bound by BAAs

4.2 Physical Safeguards

  • Data Center Security: All data is hosted in SOC 2 Type II certified data centers with 24/7 security, biometric access controls, and environmental monitoring
  • Workstation Security: Policies governing the use of workstations and devices that access ePHI, including screen lock requirements and secure disposal procedures
  • Media Controls: Policies for the secure disposal and re-use of electronic media containing ePHI

4.3 Technical Safeguards

  • Encryption: AES-256 encryption for data at rest; TLS 1.2+ encryption for all data in transit
  • Access Controls: Unique user identification, role-based permissions, automatic session timeouts, and multi-factor authentication (MFA)
  • Audit Controls: Comprehensive audit logging of all access to ePHI, including user identity, timestamp, action performed, and data accessed
  • Integrity Controls: Mechanisms to verify that ePHI has not been improperly altered or destroyed, including checksums and version controls
  • Transmission Security: All network communications are encrypted via TLS. API endpoints require authenticated and encrypted connections.

5. HITECH Act Compliance

The HITECH Act (ARRA sections 13401-13411) strengthened HIPAA enforcement and introduced additional requirements that Purechart fully adheres to:

  • Breach Notification: In the event of a breach of unsecured PHI, Purechart will notify affected Covered Entities without unreasonable delay and no later than 60 days following discovery, as required by 45 CFR 164.410
  • Restrictions on PHI Sales: Purechart does not sell PHI under any circumstances (ARRA section 13405(d))
  • Marketing Restrictions: PHI is never used for marketing communications without explicit patient authorization (ARRA section 13406)
  • Subcontractor Accountability: All subcontractors are held to the same HIPAA and HITECH standards as Purechart through executed BAAs

6. Security Risk Assessment

Purechart conducts comprehensive security risk assessments as required by the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)). Our risk assessment program includes:

  • Annual comprehensive risk analysis using frameworks aligned with NIST SP 800-30
  • Ongoing vulnerability scanning and penetration testing
  • Documented risk register with risk ratings, mitigation strategies, and remediation timelines
  • Regular review and updates following any significant change in systems, processes, or threat landscape
  • Executive-level reporting on risk posture and compliance status

7. International Compliance Standards

Purechart serves dental practices across the Americas and internationally. In addition to HIPAA, our platform is designed to meet or align with the following international data protection and security standards:

7.1 General Data Protection Regulation (GDPR)

  • Lawful basis for processing established for all data handling activities
  • Data subject rights supported: access, rectification, erasure, portability, restriction, and objection
  • Data Protection Impact Assessments (DPIAs) conducted for high-risk processing activities
  • Standard Contractual Clauses (SCCs) for international data transfers
  • Data minimization and purpose limitation principles applied throughout the platform

7.2 Brazil — Lei Geral de Proteção de Dados (LGPD)

  • Alignment with LGPD principles including purpose, adequacy, necessity, and transparency
  • Support for data subject rights under LGPD including confirmation of processing, access, correction, and deletion
  • Data processing activities documented in accordance with LGPD requirements

7.3 Colombia — Ley 1581 de 2012 (Habeas Data)

  • Compliance with Colombian data protection principles for the processing of personal and sensitive health data
  • Authorization-based data collection and processing
  • Support for data subject rights including access, correction, and deletion

7.4 Mexico — Ley Federal de Protección de Datos Personales (LFPDPPP)

  • Privacy notices provided in accordance with Mexican data protection requirements
  • Consent mechanisms for the collection and processing of sensitive personal data
  • ARCO rights supported (Access, Rectification, Cancellation, Opposition)

7.5 ISO/IEC 27001 Alignment

  • Information security management system (ISMS) aligned with the ISO/IEC 27001:2022 framework
  • Risk-based approach to identifying, assessing, and treating information security risks
  • Continuous improvement cycle for security controls and processes

7.6 SOC 2 Type II

  • Infrastructure hosted on SOC 2 Type II certified cloud platforms
  • Controls mapped to the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy

8. Business Associate Agreement (BAA)

Purechart provides a standardized Business Associate Agreement to all customers who process PHI through our platform. The BAA outlines:

  • Permitted uses and disclosures of PHI
  • Safeguards Purechart implements to protect PHI
  • Breach notification obligations and timelines
  • Requirements for subcontractors handling PHI
  • Obligations upon termination of the agreement
  • Responsibilities for return or destruction of PHI

To request a BAA, please contact privacy@purechart.com.

9. Data Backup & Disaster Recovery

  • Automated daily backups of all data including ePHI
  • Geographically redundant backup storage across multiple availability zones
  • Point-in-time recovery capabilities with retention periods compliant with regulatory requirements
  • Documented disaster recovery plan with defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
  • Regular disaster recovery testing and validation

10. Employee & Contractor Compliance

  • Background checks for all employees and contractors with access to PHI
  • Mandatory HIPAA training upon hire and annual refresher training
  • Signed confidentiality agreements and acceptable use policies
  • Principle of least privilege enforced for all system access
  • Immediate access revocation upon termination of employment or contract

11. Your Responsibilities as a Covered Entity

While Purechart maintains robust security and compliance measures, dental practices and healthcare organizations using our platform are responsible for:

  • Conducting your own security risk assessments as required by HIPAA
  • Implementing appropriate access controls and user management within your account
  • Training your workforce on HIPAA policies and proper use of the platform
  • Maintaining appropriate physical security of devices used to access Purechart
  • Obtaining required patient authorizations and consents
  • Reporting any suspected security incidents to Purechart promptly

12. Reporting Security Concerns

If you become aware of a security vulnerability, potential breach, or any concern related to the protection of PHI within Purechart, please contact us immediately: