HIPAA Disclosure

45 CFR Parts 160, 164

Cavitech AI (Pty) Ltd ("Cavitech," "we," "us," or "our") provides an AI-powered clinical decision support platform for dental professionals. This HIPAA Disclosure explains how we address the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act, and their implementing regulations at 45 CFR Parts 160 and 164 when dental practices in the United States use our platform to process Protected Health Information (PHI).

HIPAA establishes national standards for the protection of individually identifiable health information. This page describes the respective roles of your dental practice and Cavitech under HIPAA, the safeguards we implement to protect PHI, and the obligations that apply to each party. It is not a substitute for a Business Associate Agreement (BAA) and does not create any contractual obligations beyond those set out in our Terms of Service.

Section 1

Our Role Under HIPAA

HIPAA distinguishes between Covered Entities and Business Associates. Understanding these roles is critical to determining each party's compliance obligations when PHI is created, received, maintained, or transmitted through the Cavitech AI platform.

Your dental practice is a Covered Entity. As a healthcare provider that transmits health information in electronic form in connection with transactions covered by HIPAA, your dental practice qualifies as a Covered Entity under 45 CFR § 160.103. You bear primary responsibility for the privacy and security of the PHI you create and maintain, including PHI that you upload to or generate through third-party platforms such as Cavitech AI. This responsibility includes obtaining patient authorizations where required, maintaining a Notice of Privacy Practices, implementing administrative, physical, and technical safeguards, and ensuring that any Business Associate to which you disclose PHI agrees in writing to appropriately safeguard that information.

Cavitech is a Business Associate. When your dental practice uploads patient radiographs, clinical notes, or other individually identifiable health information to the Cavitech AI platform, we create, receive, maintain, or transmit PHI on behalf of your practice. Under 45 CFR § 160.103, this makes Cavitech a Business Associate. We process PHI solely to provide the Service — AI-powered radiograph analysis, clinical decision support, treatment planning assistance, report generation, and related functionality. We do not use PHI for any purpose other than performing services on behalf of, or as directed by, the Covered Entity.

Business Associate Agreement (BAA). HIPAA requires that Covered Entities enter into a Business Associate Agreement with each Business Associate before disclosing PHI. Cavitech will offer a BAA to dental practices on paid subscription plans. The BAA will set out the permitted and required uses and disclosures of PHI, the safeguards we implement, our obligations to report breaches, and the terms for return or destruction of PHI upon termination. If you are a dental practice in the United States and require a BAA, please contact us at legal@cavitech-ai.com to initiate the process.

Until a BAA is executed between your practice and Cavitech, you should not upload PHI to the platform. Use of the platform without a BAA in place is at the Covered Entity's sole risk and may constitute a HIPAA violation.

Section 2

PHI Handling Practices

Cavitech is committed to handling PHI in accordance with the HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and the minimum necessary standard. The following practices govern how we receive, process, store, and dispose of PHI within the Cavitech AI platform.

Minimum necessary standard. We apply the minimum necessary standard to all uses, disclosures, and requests for PHI. Our platform is designed to access, process, and retain only the minimum amount of PHI necessary to perform the specific service requested by the dental practice. AI analysis pipelines receive only the radiograph image and the clinical context explicitly provided by the practitioner — no broader patient record is accessed or retained beyond what is required for the analysis.

No training on PHI. Cavitech does not use Protected Health Information to train, fine-tune, or improve our AI models or any third-party models. PHI is processed exclusively for the purpose of delivering the requested clinical decision support output to the submitting dental practice. This commitment is contractually reinforced in our Business Associate Agreement. Radiograph data is processed through our analysis pipeline and the resulting clinical output is returned to the practice. The original image data is not retained for model development purposes.

Dedicated infrastructure. PHI processed through the Cavitech AI platform is handled on a dedicated Railway server infrastructure that is logically separated from our marketing, analytics, and other non-production workloads. This separation ensures that PHI is not commingled with data from other business functions and that access to PHI environments is restricted to authorised personnel with a legitimate need.

Per-tenant isolation. Each dental practice's data is logically isolated at the database level through organisation-scoped access controls. Row-level security policies and application-layer enforcement ensure that one practice cannot access, view, or modify another practice's PHI. Queries are scoped to the authenticated organisation, and cross-tenant data access is architecturally prevented. Administrative access to production databases is restricted, logged, and subject to review.
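The organisation-scoped row-level security described above, shown as an added illustration rather than Cavitech's own schema or policies. It assumes PostgreSQL; the table, column, role and session-setting names are assumptions for the example.

```sql
-- Added illustration of organisation-scoped row-level security (PostgreSQL).
-- Hypothetical schema: table, column, role and setting names are assumptions,
-- not Cavitech's actual implementation.

CREATE TABLE radiographs (
    id              bigserial PRIMARY KEY,
    organisation_id uuid        NOT NULL,
    patient_ref     text        NOT NULL,
    storage_key     text        NOT NULL,
    created_at      timestamptz NOT NULL DEFAULT now()
);

-- The application connects as a low-privilege role that does not own the
-- table, so the policy below applies to every query it issues.
CREATE ROLE app_user LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON radiographs TO app_user;

-- Enable and FORCE row-level security. FORCE applies the policy to the table
-- owner as well, so a misconfigured connection cannot bypass it.
ALTER TABLE radiographs ENABLE ROW LEVEL SECURITY;
ALTER TABLE radiographs FORCE ROW LEVEL SECURITY;

-- A row is visible and writable only when its organisation_id matches the
-- organisation bound to the current session. current_setting(..., true)
-- returns NULL when the setting was never set, and NULL::uuid compares as
-- unknown, so a request that forgot to bind the tenant sees zero rows rather
-- than every practice's rows (fail closed).
CREATE POLICY tenant_isolation ON radiographs
    FOR ALL
    TO app_user
    USING      (organisation_id = current_setting('app.current_org', true)::uuid)
    WITH CHECK (organisation_id = current_setting('app.current_org', true)::uuid);

-- Per-request pattern in the application layer: bind the tenant for this
-- transaction only (SET LOCAL), then run the query. The organisation id is
-- taken from the verified session, never from a request parameter.
BEGIN;
SET LOCAL app.current_org = '0d2e1a2c-7c6b-4f7a-9c3e-2b7a1f1c9a11';  -- constructed sample id
SELECT id, patient_ref, storage_key FROM radiographs;   -- only this practice's rows
-- Writing a row for another organisation is rejected by WITH CHECK:
-- INSERT INTO radiographs (organisation_id, patient_ref, storage_key)
--     VALUES ('ffffffff-ffff-ffff-ffff-ffffffffffff', 'P-001', 'img/1.dcm');
-- ERROR:  new row violates row-level security policy for table "radiographs"
COMMIT;
```

The point of putting the filter in a policy rather than in each query's WHERE clause is that an application bug which omits the tenant filter returns nothing instead of another practice's PHI. Roles created with BYPASSRLS, and superusers, are not subject to the policy; those are exactly the administrative accounts whose production access must be restricted, logged and reviewed.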

Data retention and disposal. PHI is retained only for as long as necessary to fulfil the purposes for which it was collected or as required by applicable law. Upon termination of the Business Associate Agreement, or upon request by the Covered Entity, we will return or destroy all PHI in our possession in accordance with the terms of the BAA and 45 CFR § 164.504(e)(2)(ii)(J). Where return or destruction is not feasible, we will extend the protections of the BAA to the retained PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.

Section 3

Technical Safeguards

The HIPAA Security Rule (45 CFR Part 164, Subpart C) requires that Covered Entities and Business Associates implement technical safeguards to protect electronic Protected Health Information (ePHI); the technical safeguard standards are set out at 45 CFR § 164.312. Cavitech implements the following technical safeguards in accordance with 45 CFR § 164.312 and industry best practices.

Access controls — 45 CFR § 164.312(a). We implement technical policies and procedures that restrict access to ePHI to only those persons and software programmes that have been granted access rights. This includes unique user identification for every user account, automatic session termination after periods of inactivity, role-based access controls that limit access to ePHI based on job function, and multi-factor authentication for administrative access to production infrastructure. All access to systems containing ePHI requires authentication, and default credentials are never used.

Audit controls — 45 CFR § 164.312(b). We deploy hardware, software, and procedural mechanisms to record and examine activity in information systems that contain or use ePHI. Audit logs capture user authentication events, access to patient data and radiographs, modifications to records, administrative actions on production systems, and API requests involving PHI. Logs are retained in a tamper-resistant store, are not editable by the users whose actions they record, and are reviewed regularly to detect and investigate anomalous activity.

Integrity controls — 45 CFR § 164.312(c). We implement policies and procedures to protect ePHI from improper alteration or destruction. This includes integrity verification mechanisms for data at rest, automated checksums and validation for data in transit, version-controlled database schemas with migration auditing, and regular backups with integrity verification and tested restoration procedures.

Transmission security — 45 CFR § 164.312(e). We implement technical security measures to guard against unauthorised access to ePHI that is being transmitted over an electronic communications network. All data in transit between the client application and our servers is encrypted using TLS: TLS 1.3 is negotiated where the client supports it, and TLS 1.2 is the minimum version accepted, so older protocol versions are not offered or accepted. API endpoints enforce HTTPS exclusively; plaintext HTTP connections are rejected rather than redirected. Internal service-to-service communication within our infrastructure is also encrypted in transit.

Encryption at rest. All ePHI stored in our databases, file storage systems, and backups is encrypted at rest using AES-256 encryption. Encryption keys are managed through our cloud provider's key management service, with automatic key rotation and strict access controls on key material. Database backups are encrypted with the same standard and stored in geographically separate locations for disaster recovery.

Section 4

Breach Notification

The HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) requires that Covered Entities and Business Associates provide notification following a breach of unsecured PHI. Cavitech maintains a comprehensive breach notification programme that meets these requirements.

Notification timeline. In the event that Cavitech discovers a breach of unsecured PHI, we will notify the affected Covered Entity (your dental practice) without unreasonable delay and in no case later than 60 calendar days after discovery of the breach, as required by 45 CFR § 164.410. A breach is considered "discovered" as of the first day on which the breach is known to Cavitech or, by exercising reasonable diligence, would have been known to Cavitech. Our internal incident response procedures are designed to identify and escalate potential breaches promptly, with target notification well within the 60-day window.

Content of notification. Our breach notification to the Covered Entity will include, to the extent possible: the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the breach; a description of what happened, including the date of the breach and the date of discovery; a description of the types of unsecured PHI involved in the breach (such as full name, radiographic images, clinical notes, date of birth, or other identifying information); the steps Cavitech has taken to investigate the breach, mitigate harm, and prevent future breaches; and contact details for obtaining additional information about the incident.

Cooperation. Following a breach, Cavitech will cooperate fully with the Covered Entity to enable the practice to meet its own notification obligations under 45 CFR §§ 164.404 (notification to individuals), 164.406 (notification to media), and 164.408 (notification to the Secretary of HHS). We will provide the Covered Entity with all information reasonably necessary to fulfil these obligations and will assist with risk assessments, remediation efforts, and communications to affected individuals as agreed in the BAA.

Documentation. Cavitech documents all security incidents involving PHI, including those that do not rise to the level of a reportable breach. This documentation includes the facts surrounding the incident, the results of the risk assessment conducted under the breach definition at 45 CFR § 164.402, the determination of whether the incident constitutes a breach, and the remedial actions taken. Records are maintained for a minimum of six years, consistent with the documentation retention requirements of 45 CFR §§ 164.316(b)(2) and 164.530(j), and are available for review in the context of compliance audits or regulatory inquiries.

Section 5

Your Obligations as a Covered Entity

While Cavitech implements the safeguards described in this disclosure, HIPAA places primary compliance responsibility on the Covered Entity. The following obligations apply to your dental practice when using the Cavitech AI platform to process PHI.

Patient authorizations. As a Covered Entity, you are responsible for obtaining any patient authorizations required under 45 CFR § 164.508 before disclosing PHI to Cavitech or any other Business Associate. While many uses and disclosures for treatment, payment, and health care operations do not require individual authorization, certain uses — such as marketing, the sale of PHI, or uses of psychotherapy notes — require a valid, written authorization from the patient. You must ensure that disclosures of PHI to the Cavitech AI platform are made in accordance with your Notice of Privacy Practices and the HIPAA Privacy Rule.

Notice of Privacy Practices. Under 45 CFR § 164.520, you are required to maintain and provide to patients a Notice of Privacy Practices that describes the uses and disclosures of PHI that may be made by your practice, the patient's rights, and your legal duties with respect to PHI. If your practice uses Cavitech AI or any other third-party platform for clinical decision support, your Notice of Privacy Practices should reflect that PHI may be disclosed to Business Associates for treatment and health care operations purposes. We recommend that you review your Notice of Privacy Practices with legal counsel to ensure it accurately reflects your current data practices.

Administrative, physical, and technical safeguards. HIPAA requires that Covered Entities implement comprehensive safeguards to protect PHI within their own environment. This includes administrative safeguards such as workforce training on HIPAA policies and procedures, designation of a privacy and security officer, and regular risk assessments. Physical safeguards include controlling physical access to workstations and devices that access the Cavitech AI platform. Technical safeguards include using strong, unique passwords for Cavitech AI accounts, enabling multi-factor authentication where available, ensuring that devices used to access the platform run current operating systems with security patches applied, and logging out of sessions when not in active use.

Business Associate Agreement execution. You are required under 45 CFR § 164.502(e) to obtain satisfactory assurances from each Business Associate that the Business Associate will appropriately safeguard PHI. This means executing a BAA with Cavitech before uploading PHI to the platform. Contact legal@cavitech-ai.com to request a BAA. Do not upload PHI to the platform until the BAA has been fully executed by both parties.

Breach cooperation. In the event that Cavitech notifies you of a breach of unsecured PHI, you are responsible for fulfilling your own notification obligations to affected individuals, the Secretary of HHS, and, where applicable, the media, in accordance with 45 CFR Part 164, Subpart D. Timely cooperation and communication between both parties is essential to an effective breach response.

HIPAA & privacy enquiries

For questions about our HIPAA practices, to report a privacy concern, or for general enquiries, contact us at privacy@cavitech-ai.com. To request a Business Associate Agreement, contact legal@cavitech-ai.com.

Cavitech AI