HIPAA Business Associate Agreement
Last updated: April 2026

This HIPAA Business Associate Agreement (“BAA”) forms part of the Terms & Conditions between Kuumba (Pty) Ltd, trading as Cavitech AI (“Business Associate”, “Cavitech”, “we”, “us”), and the dental practice, organisation, or individual licensed professional accepting these Terms in the United States (“Covered Entity”, “you”). It is required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the implementing regulations at 45 CFR Parts 160 and 164 (the “HIPAA Rules”), and is automatically incorporated into the Terms by reference for any Covered Entity operating in the United States. This BAA applies in addition to our Data Processing Addendum; where both apply, HIPAA-specific terms in this BAA prevail over conflicting provisions regarding Protected Health Information.
Definitions
Capitalised terms used without definition have the meaning given to them in the HIPAA Rules. In particular:
- Protected Health Information (PHI) and Electronic Protected Health Information (ePHI) have the meaning given in 45 CFR §160.103 and are limited to information received from, or created, maintained, received, or transmitted on behalf of, the Covered Entity.
- Business Associate has the meaning given in 45 CFR §160.103 and refers to Cavitech.
- Covered Entity has the meaning given in 45 CFR §160.103 and refers to the dental practice or health-care provider.
- Breach has the meaning given in 45 CFR §164.402.
- Subcontractor has the meaning given in 45 CFR §160.103 and refers to any entity that creates, receives, maintains, or transmits PHI on our behalf (see our public Sub-processor list).
- Security Incident has the meaning given in 45 CFR §164.304.
- Designated Record Set has the meaning given in 45 CFR §164.501.
Permitted uses and disclosures of PHI
Scope of permitted use.
Cavitech may use and disclose PHI only as necessary to perform the services described in the Terms and as permitted or required by this BAA and by law. The permitted purposes are:
- Treatment, payment, and health-care operations support for the Covered Entity, including AI-assisted radiograph analysis, clinical-note transcription, treatment planning, patient management, and billing-related functionality.
- Proper management and administration of Cavitech as permitted by 45 CFR §164.504(e)(4), provided that any disclosure is required by law or the recipient provides adequate assurances that the PHI will be held confidentially and used only for the purpose for which it was disclosed.
- Data-aggregation services relating to the health-care operations of the Covered Entity where the Covered Entity has instructed Cavitech to perform such services (45 CFR §164.504(e)(2)(i)(B)).
Explicit prohibitions.
Cavitech will not:
- Use or further disclose PHI other than as permitted or required by this BAA or as required by law.
- Use or disclose PHI in a manner that would violate the HIPAA Rules if the Covered Entity did so directly.
- Sell PHI, or use or disclose PHI for marketing purposes that would require an Authorization under 45 CFR §164.508 without such Authorization.
- Use PHI to train, fine-tune, or improve any machine-learning or artificial-intelligence model, whether Cavitech’s own or that of a Subcontractor. This prohibition is absolute.
Safeguards
Cavitech implements and maintains administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI as required by the HIPAA Security Rule (45 CFR §164.306 and §164.308–§164.314). These include:
- Encryption of ePHI at rest using AES-256 and in transit using TLS 1.3.
- Organisation-scoped access isolation enforced at the application, database, and object-storage layers.
- Role-based access control for Cavitech personnel, with production-data access restricted and audited.
- Named HIPAA Privacy Officer and HIPAA Security Officer — see the Officer Block at the bottom of this page.
- Documented incident-response plan published at /legal/security.
- No transmission of PHI to third-party general-purpose AI APIs for device-classified clinical features; cleared-path AI features run on private infrastructure.
Subcontractors
Cavitech will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Cavitech agrees in writing to substantially the same restrictions and conditions that apply to Cavitech under this BAA, consistent with 45 CFR §164.502(e)(1)(ii) and §164.308(b)(2). A current list of Subcontractors is published at /legal/subprocessors with reasonable advance notice of any addition or replacement.
Reporting of unauthorized use, disclosure, or Security Incidents
Reporting obligations.
Cavitech will report to the Covered Entity:
- Any use or disclosure of PHI not permitted by this BAA of which Cavitech becomes aware, without unreasonable delay and in any event within five (5) business days of discovery.
- Any Breach of Unsecured PHI of which Cavitech becomes aware, without unreasonable delay and in any event within thirty (30) calendar days of discovery, to support the Covered Entity’s 60-day notification obligation under 45 CFR §164.410. Where the investigation determines that earlier notification is warranted — for example, for a high-severity incident or where regulators have imposed a shorter timeline — Cavitech will provide notice sooner. The 72-hour goal described in our Security & Incident Response page applies in parallel.
- Any Security Incident of which Cavitech becomes aware. Routine unsuccessful attempts to access or interfere with the service (port scans, authentication failures, denied traffic, dropped packets) are deemed reported by this BAA as a class and do not require individual notice.
Contents of the report.
Reports include, as available: the nature of the incident, the PHI involved, the identity of any unauthorized recipient (if known), the steps Cavitech has taken to mitigate the incident, and the corrective actions planned or taken. Cavitech will reasonably assist the Covered Entity in meeting its own notification obligations to individuals, the Secretary of the U.S. Department of Health & Human Services, and the media where required by 45 CFR §§164.404–410.
Access, amendment, accounting
Access by individuals — 45 CFR §164.524.
To the extent Cavitech maintains PHI in a Designated Record Set on behalf of the Covered Entity, Cavitech will make such PHI available to the Covered Entity (or, at the Covered Entity’s direction, to the individual) as necessary to satisfy an individual’s right of access under 45 CFR §164.524.
Amendment — 45 CFR §164.526.
Cavitech will make any amendment to PHI in a Designated Record Set that the Covered Entity directs or agrees to, as necessary to satisfy an individual’s right to amend under 45 CFR §164.526.
Accounting of disclosures — 45 CFR §164.528.
Cavitech will document such disclosures of PHI, and information related to such disclosures, as would be required for the Covered Entity to respond to an individual’s request for an accounting under 45 CFR §164.528, and will make that information available to the Covered Entity on request.
Compliance with the HIPAA Rules
To the extent Cavitech is to carry out a Covered Entity’s obligation under the HIPAA Rules, Cavitech will comply with the requirements of the HIPAA Rules that apply to the Covered Entity in the performance of that obligation. Cavitech will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health & Human Services for purposes of determining compliance with the HIPAA Rules.
Term and termination
Term.
This BAA is effective from the date the Covered Entity accepts the Terms and continues until the Terms are terminated.
Termination for cause.
The Covered Entity may terminate this BAA and the underlying Terms if Cavitech has breached a material term of this BAA and has not cured the breach within thirty (30) days of written notice, consistent with 45 CFR §164.504(e)(2)(iii).
Return or destruction of PHI — 45 CFR §164.504(e)(2)(ii)(J).
On termination of the Terms, Cavitech will, at the Covered Entity’s election, return or destroy all PHI in its possession that was received from, or created or received by Cavitech on behalf of, the Covered Entity. The 30-day export window described in the DPA §10 applies by default. Where Cavitech determines in good faith that return or destruction of PHI is infeasible (for example, where law requires retention, or where PHI is embedded in statutory audit records for the investigational-device framework), Cavitech will extend the protections of this BAA to that PHI and will limit further uses and disclosures to those purposes that make return or destruction infeasible.
Miscellaneous
Amendment.
Cavitech may amend this BAA from time to time to reflect changes in the HIPAA Rules or Cavitech’s processing activities. Material changes will trigger a version bump of the onboarding acknowledgement, and Covered Entities will be asked to re-accept.
Interpretation.
Any ambiguity in this BAA will be resolved in favour of a meaning that permits Cavitech and the Covered Entity to comply with the HIPAA Rules.
No third-party beneficiaries.
Nothing in this BAA is intended to confer rights on any person or entity other than the parties.
HIPAA Officers
- Ruan Baker, HIPAA Privacy Officer: privacy@kuumba.dev
- Ruan Baker, HIPAA Security Officer: security@kuumba.dev
For any matter arising under this BAA — including access, amendment, or accounting requests, Security Incident or Breach reports, and Subcontractor objections — contact our HIPAA Privacy Officer at privacy@kuumba.dev or our HIPAA Security Officer at security@kuumba.dev.