HIPAA Compliance
Last updated: April 27, 2026 · Questions? info@chairsidecall.com
Dental practices are Covered Entities under HIPAA. When Chairside Call handles patient calls on your behalf, we act as your Business Associate. This page explains exactly how we protect patient information.
Our HIPAA Commitments
- ✓ Business Associate Agreement (BAA) before go-live. Every practice signs a BAA before we handle a single patient call. No BAA = no service. Full stop.
- ✓ HIPAA-eligible infrastructure. Our voice processing, call storage, and transcription services run on cloud infrastructure that meets HIPAA requirements and whose vendors sign a BAA with us.
- ✓ Encryption in transit and at rest. All call audio and transcripts are encrypted using TLS 1.2+ in transit and AES-256 at rest.
- ✓ Minimum necessary access. Our AI only processes the patient information required to answer the call and book the appointment. We do not store clinical notes or diagnosis information.
- ✓ Role-based access controls. Only authorized Chairside Call personnel can access call data, and only for support, security, and service improvement purposes.
- ✓ Annual risk assessments. We conduct annual risk assessments consistent with the HIPAA Security Rule (45 CFR § 164.308(a)(1)) to identify and address vulnerabilities.
- ✓ Breach notification. In the event of a suspected breach involving PHI, we will notify your practice within 60 days of discovery, consistent with the HIPAA Breach Notification Rule.
- ✓ Data deletion on termination. When a practice ends service, we provide a data export and delete all PHI within 30 days, except where retention is required by law.
What PHI We Handle
Chairside Call is designed to limit PHI exposure. In the standard service, we may process:
- Patient name and phone number (from caller ID and the call itself)
- Appointment type and scheduling preferences
- Insurance carrier name (verbally provided during the call)
- Reason for visit (e.g., "toothache," "routine cleaning")
We do not store clinical records, diagnoses, treatment plans, or financial account numbers. If the caller volunteers sensitive information beyond what is needed to book, our agents are trained to redirect the conversation.
Emergency Call Handling
When a caller describes a dental emergency (e.g., severe pain, trauma, swelling), the AI flags the call for immediate escalation to your designated on-call staff. The call is not handled autonomously. Your team receives an instant notification with the call summary so they can respond quickly.
Chairside Call does not provide clinical advice. We route — we do not diagnose.
Your Responsibilities as a Covered Entity
Under HIPAA, your practice remains the Covered Entity and retains ultimate responsibility for PHI. Your obligations include:
- Ensuring your Notice of Privacy Practices (NPP) reflects your use of a voice receptionist service
- Maintaining valid PMS access credentials and notifying us of any access changes promptly
- Designating a HIPAA Privacy Officer responsible for your practice's overall compliance
- Training your staff on the appropriate use of call recordings and transcripts provided by Chairside Call
Patient Rights
Patients who want to exercise HIPAA rights — such as requesting access to their records, requesting an amendment, or requesting an accounting of disclosures — should contact your dental practice directly. As your Business Associate, we process such requests only at your direction.
If a patient contacts us directly about a HIPAA rights request, we will promptly forward the request to your practice's designated Privacy Officer.
Questions & BAA Requests
To request a copy of our Business Associate Agreement template, ask questions about our compliance posture, or report a suspected security incident, email us at info@chairsidecall.com. We aim to respond within 1 business day for compliance-related inquiries.