What Is a BAA?

A Business Associate Agreement (BAA) is a contract required by HIPAA between a Covered Entity (your dental practice) and a Business Associate (Treatment Plan). It establishes the permitted uses and disclosures of Protected Health Information (PHI) and ensures both parties understand their responsibilities for safeguarding patient data.

Treatment Plan executes a BAA with every practice before any patient data enters our system. No exceptions.

Why It Matters

When you use Treatment Plan to send treatment plans to patients, you are sharing PHI with us — including patient names, treatment details, and contact information. HIPAA requires a BAA to be in place before this sharing can happen. Without one, both parties risk regulatory penalties.

Our BAA ensures:

Key Terms Summary

Below is a plain-language summary of the key provisions in our standard BAA:

Provision: Summary
Permitted Uses: We may use PHI only to provide the Treatment Plan service to your practice — creating plan pages, delivering messages, generating analytics, and supporting your account.
Prohibited Uses: We will never sell PHI, use it for marketing, share it with other practices, or use it for any purpose beyond providing the Service.
Safeguards: We implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule. See our HIPAA Compliance page for details.
Sub-processors: Any subcontractors that handle PHI on our behalf operate under equivalent BAA protections (AWS, Twilio, SendGrid).
Breach Notification: We will notify your practice within 72 hours of discovering any breach of unsecured PHI, including the nature and scope of the breach.
Access & Amendment: We will make PHI available to you for patient access requests and support amendments as required under HIPAA.
Accounting of Disclosures: We maintain audit logs and will provide an accounting of disclosures upon request.
Return/Destruction: Upon termination of our agreement, we will return or securely destroy all PHI within 30 days, unless retention is required by law.
Term: The BAA remains in effect for the duration of our service relationship and survives termination with respect to any PHI still in our possession.

How to Get Your BAA

Our BAA is included as part of every new practice onboarding. Here's how it works:

  1. You express interest and we schedule an onboarding call
  2. We send you our standard BAA for review before any data is exchanged
  3. Both parties sign electronically
  4. Only after the BAA is fully executed do we begin setting up your account

If you're an existing customer and need a copy of your executed BAA, or if you'd like to review our standard BAA template before signing up, contact us below.

Request a Copy of Our BAA

Whether you're evaluating Treatment Plan or already a customer, we're happy to provide our BAA for review.

Frequently Asked Questions

Do I need a BAA with Treatment Plan?

Yes. If you are a HIPAA-covered dental practice sharing patient information with us, a BAA is legally required. We will not onboard any practice without one.

Can I use my own BAA template?

We prefer to use our standard BAA as it's been reviewed by healthcare privacy counsel and is tailored to our service. However, we're open to discussing modifications for enterprise customers.

Is there an additional cost for the BAA?

No. The BAA is included at no additional cost for all Treatment Plan customers. HIPAA compliance is a baseline requirement, not a premium feature.

What happens to patient data if I cancel?

Per our BAA, we will return or securely destroy all PHI within 30 days of termination. We provide a data export during the transition period. Patient-facing treatment plan pages are deactivated immediately upon cancellation.

Do your sub-processors also have BAAs?

Yes. AWS, Twilio, and SendGrid each operate under BAAs with us. Additionally, our architecture minimizes PHI exposure to sub-processors — for example, SMS messages contain only a link, never clinical information.

Legal or compliance questions?

Email us at legal@treatmentplan.com