Our Commitment
Treatment Plan is designed from the ground up to be HIPAA-compliant. We act as a Business Associate to the dental practices we serve, meaning we handle Protected Health Information (PHI) on their behalf and are directly subject to HIPAA regulations.
We take this responsibility seriously. Patient trust is the foundation of healthcare, and we build every feature with privacy and security as non-negotiable requirements.
We execute a Business Associate Agreement (BAA) with every practice before any patient data enters our system.
Technical Safeguards
Encryption
- TLS 1.2+ for all data in transit
- AES-256 encryption for data at rest
- Encrypted database connections
- Encrypted backups
Access Controls
- Role-based access (Owner, Doctor, TC, Admin)
- JWT authentication with token expiry
- Patient DOB verification before plan access
- Maximum 5 verification attempts per link
Audit Logging
- All PHI access is logged with timestamps
- User identity recorded for every action
- Audit logs stored separately and immutably
- No PHI stored in log metadata
Application Security
- No PHI in URLs — opaque short codes only
- No PHI in SMS/email message bodies
- Presigned URLs for all media access
- Input validation and SQL injection prevention
Administrative Safeguards
- Workforce training: All team members complete HIPAA training before accessing any systems that handle PHI
- Access management: Access to production systems is restricted to authorized personnel on a need-to-know basis
- Incident response: We maintain a documented incident response plan with defined roles and procedures
- Risk assessments: We conduct regular risk assessments to identify and address potential vulnerabilities
- Policies and procedures: Written policies govern data handling, access, breach notification, and disposal
- Sub-processor management: All third-party vendors that handle PHI are vetted and operate under BAAs
Physical Safeguards
- Infrastructure: Our platform runs on Amazon Web Services (AWS), which maintains SOC 2 Type II, HITRUST, and FedRAMP certifications
- Data center security: AWS facilities feature 24/7 security, biometric access, video surveillance, and environmental controls
- Data residency: All patient data is stored in US-based AWS regions
- No local storage: PHI is never stored on employee laptops or personal devices
Patient-Facing Protections
- Identity verification: Patients must verify their date of birth before viewing any treatment plan
- Opaque links: Treatment plan URLs contain random codes — no patient name, ID, or clinical info is exposed in the link
- Minimal SMS content: Text messages contain only the practice name and a secure link — never diagnoses, procedures, or costs
- Link lockout: After 5 failed verification attempts, the link is locked and the practice is notified
- No app required: Patients access plans via a secure web page — no app download that could cache PHI on their device
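The access controls, audit logging, and patient-facing protections above describe one mechanism: an opaque random link code, a date-of-birth check before the plan is shown, a lockout after 5 failed attempts with the practice notified, and audit events that never carry PHI. The following is an added illustration of that mechanism and is not Treatment Plan's own code. It assumes a `LinkService` class, a `notify_practice` callback invoked on lockout, a 12-byte random code, and that a successful check resets the attempt counter; none of those details come from the page.

```python
"""Opaque plan links with DOB verification, attempt lockout and PHI-free audit events.
Added illustration of the controls described on the page; not Treatment Plan's own code."""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_ATTEMPTS = 5   # lockout threshold stated on the page
CODE_BYTES = 12    # assumption: 12 random bytes -> 16 URL-safe characters


@dataclass
class PlanLink:
    code: str          # random; carries no patient name, ID or clinical information
    practice_id: str   # hypothetical identifier of the issuing practice
    dob: str           # ISO date the patient must enter; compared in constant time
    attempts: int = 0
    locked: bool = False


@dataclass
class AuditEvent:
    at: str            # UTC timestamp of the action
    actor: str         # who acted; "patient-link" for unauthenticated link access
    action: str
    link_code: str     # opaque code only: no name, DOB or plan details in the log
    outcome: str


class LinkService:
    def __init__(self, notify_practice):
        self._links: dict[str, PlanLink] = {}
        self._notify = notify_practice   # hypothetical hook, called when a link locks
        self.audit: list[AuditEvent] = []

    def _log(self, actor, action, code, outcome):
        now = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEvent(now, actor, action, code, outcome))

    def issue_link(self, actor, practice_id, patient_dob):
        # secrets.token_urlsafe gives an unguessable code with no PHI in the URL
        code = secrets.token_urlsafe(CODE_BYTES)
        self._links[code] = PlanLink(code, practice_id, patient_dob)
        self._log(actor, "issue_link", code, "ok")
        return code

    def verify(self, code, dob_entered):
        link = self._links.get(code)
        if link is None:
            self._log("patient-link", "verify", code, "invalid")
            return "invalid"
        if link.locked:
            self._log("patient-link", "verify", code, "locked")
            return "locked"
        # constant-time comparison so timing does not reveal how much of the DOB matched
        if hmac.compare_digest(link.dob.encode(), dob_entered.strip().encode()):
            link.attempts = 0   # assumption: a successful check resets the counter
            self._log("patient-link", "verify", code, "ok")
            return "ok"
        link.attempts += 1
        if link.attempts >= MAX_ATTEMPTS:
            link.locked = True
            self._notify(link.practice_id, code)   # practice is told the link locked
            self._log("patient-link", "verify", code, "locked")
            return "locked"
        self._log("patient-link", "verify", code, "denied")
        return "denied"


def audit_is_phi_free(service, *sensitive_values):
    """Return True if none of the given sensitive strings (e.g. a DOB) appear in any audit field."""
    for ev in service.audit:
        blob = " ".join((ev.at, ev.actor, ev.action, ev.link_code, ev.outcome))
        if any(v in blob for v in sensitive_values):
            return False
    return True


if __name__ == "__main__":
    # constructed walk-through: four wrong guesses, then the fifth locks the link
    svc = LinkService(lambda practice_id, code: print("notify", practice_id, code))
    code = svc.issue_link("dr-example", "practice-1", "1990-04-12")
    for _ in range(5):
        print(svc.verify(code, "2000-01-01"))
    print(svc.verify(code, "1990-04-12"))   # still "locked": the right DOB no longer helps
```

The `audit_is_phi_free` check is the kind of assertion worth keeping in a test suite: it feeds the real DOB through the flow and confirms it never lands in an audit record, which is the concrete meaning of "No PHI stored in log metadata".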
Sub-Processors
We use the following third-party services to operate our platform. Each operates under a BAA or equivalent data protection agreement:
- Amazon Web Services (AWS) — Infrastructure, compute, database, and file storage
- Twilio — SMS message delivery (message content contains no PHI)
- SendGrid — Transactional email delivery (email content contains no PHI)
Breach Notification
In the event of a breach of unsecured PHI, we will:
- Notify affected practices within 72 hours of discovery
- Provide a detailed description of the breach, the data involved, and steps taken to mitigate
- Cooperate fully with the practice's own breach notification obligations
- Document the incident and remediation for regulatory purposes
Continuous Improvement
HIPAA compliance is not a one-time checkbox — it's an ongoing process. We regularly review and update our security practices, conduct penetration testing, monitor for new threats, and incorporate feedback from our practice partners.
Security or compliance questions?
Email us at security@treatmentplan.com
To request a copy of our BAA, see our BAA page.