Heads upThis is the standard Business Associate Agreement we sign with every dental practice that uses Dentadex. It is not a click-wrap agreement— it’s executed during contracting. To request a counter-signed copy for your practice, email legal@dentadex.com.
v1 — under lawyer review. We’ll post the reviewed version here when it’s ready.
- Effective date
- May 26, 2026
- Last updated
- May 26, 2026
1. Background
Dentadex Inc.(“Business Associate” or “Dentadex”) provides a dental billing platform to dental practices (“Covered Entity” or “Customer”). To deliver the service, Business Associate may receive, create, maintain, or transmit Protected Health Information (“PHI”) on behalf of Covered Entity. The parties enter this Business Associate Agreement (“BAA”) to comply with the HIPAA Privacy, Security, and Breach Notification Rules at 45 CFR Parts 160 and 164, as amended by HITECH and other applicable law.
2. The agreement
This BAA is between Covered Entity and Business Associate. It takes effect on the date both parties sign and lasts as long as Business Associate holds PHI from Covered Entity. If the BAA and the Master Services Agreement disagree about handling of PHI, this BAA wins.
3. Definitions
Terms used here have the meaning given in the HIPAA rules at 45 CFR Parts 160 and 164. Key terms: PHI, Electronic PHI, Security Incident, Breach, Unsecured PHI, Designated Record Set, Required by Law, Secretary (of HHS), Subcontractor.
4. Permitted uses and disclosures of PHI
Business Associate may use and disclose PHI only:
- To perform the services described in the Master Services Agreement and any order form.
- For Business Associate’s proper management and administration, or to carry out its legal responsibilities, provided the use or disclosure is required by law or the recipient agrees in writing to protect the PHI and to report breaches to Business Associate.
- To provide data aggregation services to Covered Entity, as permitted by 45 CFR 164.504(e)(2)(i)(B).
- As Required by Law.
Business Associate will not use or disclose PHI in any way that would violate HIPAA if Covered Entity did it directly. Business Associate will not sell PHI and will not use or disclose PHI for marketing without written authorization.
Minimum necessary. Business Associate will limit uses, disclosures, and requests of PHI to the minimum necessary to accomplish the intended purpose, consistent with 45 CFR 164.502(b) and 42 USC 17935(b).
5. Safeguards
Business Associate will use appropriate administrative, physical, and technical safeguards, and will comply with Subpart C of 45 CFR Part 164 (the Security Rule), to prevent the use or disclosure of Electronic PHI other than as this BAA allows. The controls in place include role-based access, multi-factor authentication, encryption at rest with AWS-managed keys, encryption in transit with TLS 1.2+, tenant isolation through row-level security, immutable audit logging, and a HIPAA Security Officer designated under 45 CFR 164.308(a)(2).
6. Reporting
Business Associate will report to Covered Entity:
- Security Incidents: reported without unreasonable delay, as required by 45 CFR 164.314(a)(2)(i)(C). Aggregate reporting of unsuccessful, low-impact attempts (such as pings, port scans, denied authentication attempts) is by request only.
- Breaches of Unsecured PHI: reported in writing without unreasonable delay and no later than 60 calendar daysafter discovery, consistent with 45 CFR 164.410(b). The report will include the information Covered Entity needs to meet its own notification obligations under 45 CFR 164.404 (to the extent known at the time, with updates as more is learned): what happened, when, who was affected, what types of PHI were involved, and what we’re doing about it.
- Uses or disclosures of PHI not permitted by this BAA, in writing, without unreasonable delay.
7. Mitigation
Business Associate will mitigate, to the extent practicable, any harmful effect known to Business Associate caused by a use or disclosure of PHI in violation of this BAA.
8. Subcontractors
Business Associate will require any Subcontractor that creates, receives, maintains, or transmits PHI on its behalf to agree in writing to restrictions and conditions substantially similar to those that apply to Business Associate under this BAA, in line with 45 CFR 164.502(e)(1)(ii), 45 CFR 164.504(e)(1)(ii), and 45 CFR 164.308(b)(2). The current list of Subcontractors is published in our Privacy Policy. Business Associate will give Covered Entity at least 30 days’ notice before adding or replacing a Subcontractor that will handle PHI; Covered Entity may object in good faith and the parties will work in good faith to resolve the objection.
9. Individual access
Within 20 calendar daysof receiving Covered Entity’s written request, Business Associate will make PHI in a Designated Record Set available to Covered Entity (or to the individual, if Covered Entity directs) as needed for Covered Entity to meet its 30-day obligation under 45 CFR 164.524.
10. Amendment
Within 45 calendar daysof receiving Covered Entity’s written request, Business Associate will make amendments to PHI in a Designated Record Set as Covered Entity directs, so Covered Entity can meet its 60-day obligation under 45 CFR 164.526.
11. Accounting of disclosures
Within 45 calendar daysof receiving Covered Entity’s written request, Business Associate will provide an accounting of disclosures of PHI as needed for Covered Entity to meet its 60-day obligation under 45 CFR 164.528. Business Associate will keep the records needed to make this possible for at least six (6) years.
12. Books and records available to HHS
Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Covered Entity’s compliance with HIPAA. This does not waive any applicable privilege.
13. Covered Entity’s responsibilities
Covered Entity will:
- Notify Business Associate of any limitation in its Notice of Privacy Practices that affects Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any change in, or revocation of, an authorization by an individual that affects Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to under 45 CFR 164.522.
- Not ask Business Associate to do anything with PHI that wouldn’t be allowed if Covered Entity did it directly, unless an exception under 45 CFR 164.504(e)(2)(i) applies.
- Obtain any individual authorization required by 45 CFR 164.508 before directing Business Associate to use or disclose PHI in a way that requires such authorization (for example, marketing communications, sale of PHI, or uses or disclosures of psychotherapy notes).
14. Data ownership
PHI is and stays Covered Entity’s property. Business Associate is a service provider acting under Covered Entity’s direction. Business Associate may use de-identified information (de-identified under 45 CFR 164.514(b)) for product improvement and for the aggregated metrics Dentadex publishes about its own service performance.
15. Term and termination
This BAA takes effect on the Effective Date and stays in effect until terminated as described here, or until Business Associate no longer holds any of Covered Entity’s PHI — whichever comes later.
Termination for material breach
If either side believes the other has materially breached this BAA, the non-breaching party will give written notice. The breaching party has 30 calendar days to cure. If the breach is not cured in that window, the non-breaching party may terminate this BAA and the underlying Master Services Agreement on written notice.
16. Effect of termination
On termination, Business Associate will return or destroy all PHI it holds, if feasible, and will keep no copies. Where Business Associate determines that return or destruction is infeasible, it will:
- Extend the protections of this BAA to that PHI for as long as Business Associate keeps it.
- Limit further uses and disclosures of that PHI to the purposes that make return or destruction infeasible.
- Identify the PHI in writing, the reason return or destruction is infeasible, and the planned timeline for return or destruction.
17. Regulatory references
References in this BAA to a section of the HIPAA Rules mean that section as it reads on the Effective Date. If a section is renumbered or amended in a way that changes the obligation, the updated text applies on its compliance date.
18. Notices
Written notices under this BAA go to Business Associate by email at legal@dentadex.com. Email is the agreed notice method for this BAA. Notices to Covered Entity go to the email listed in the Master Services Agreement.
19. Amendments to this BAA
The parties agree to work together in good faith to amend this BAA as needed to keep it compliant with HIPAA, HITECH, and other applicable law. Amendments take effect when both sides sign.
20. HITECH compliance
Business Associate will comply with the HITECH Act provisions applicable to business associates, including (without limitation) the direct application of the Security Rule administrative, physical, and technical safeguards to business associates under 42 USC 17931 and 42 USC 17934; the breach notification requirements at 42 USC 17932 and 45 CFR 164.410; and the minimum-necessary obligation at 42 USC 17935(b).
21. Signatures
This BAA is executed by an authorized representative of each party. The signed copy is held by both parties and supersedes any on-page version.
Business Associate
Dentadex Inc.
By: __________________________
Name: ________________________
Title: ________________________
Date: ________________________
Covered Entity
____________________________ (practice name)
By: __________________________
Name: ________________________
Title: ________________________
Date: ________________________
Questions about this BAA: legal@dentadex.com.