HIPAA Compliance

Last updated: March 24, 2026

  • Encryption at rest: AES-256-GCM
  • Encryption in transit: TLS 1.2+
  • Access controls: role-based
  • Audit logging: 25+ event types

Our Commitment

Synthesis Benefits is designed to help dental practices manage insurance data efficiently and securely. We understand the sensitivity of the information our platform processes, and we have built our systems and processes to comply with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations.

1. Our Role Under HIPAA

Under HIPAA, dental practices that use our Service are Covered Entities. Synthesis Benefits operates as a Business Associate — we process Protected Health Information (PHI) on behalf of your practice to deliver our insurance intelligence and practice management services.

Before any PHI is processed through the Service, we require a signed Business Associate Agreement (BAA) between your practice and Synthesis Benefits. The BAA defines the permitted uses of PHI, our obligations to protect it, and the procedures for breach notification.

2. Protected Health Information (PHI)

The Service may process the following categories of PHI on behalf of your practice:

  • Patient names and dates of birth
  • Contact information (phone numbers, email addresses)
  • Insurance member IDs, group numbers, and coverage details
  • Procedure codes and treatment history
  • Claims and billing information
  • Appointment schedules

We process PHI only for the purposes of providing the Service as described in the BAA. We do not use PHI for marketing, advertising, or any purpose unrelated to the services we provide to your practice.

3. Technical Safeguards

3.1 Encryption

  • At rest: All PHI fields are individually encrypted using AES-256-GCM with unique initialization vectors per field. Encryption keys are stored separately from the encrypted data.
  • In transit: All connections to the Service use TLS 1.2 or higher. API endpoints enforce HTTPS-only access.
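The at-rest scheme above (AES-256-GCM, a unique nonce per field value, key held apart from the data) can be shown concretely. The following Go program is an added example, not Synthesis Benefits' own code; it uses only the standard library and assumes the key is fetched from a KMS or secrets manager outside the database. Beyond what the page states, it also binds each ciphertext to its record id and column name as GCM associated data, so a blob copied into another row fails authentication; the record ids and the date of birth are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedField is the per-column value that goes into the database: the
// nonce and the GCM output (ciphertext plus 16-byte tag). No key is stored here.
type EncryptedField struct {
	Nonce      []byte
	Ciphertext []byte
}

// FieldCipher wraps the 256-bit data-encryption key. In a real deployment the
// key comes from a KMS or secrets manager, never from the same datastore.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher rejects anything other than a 32-byte key so a
// misconfiguration cannot silently downgrade to AES-128.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// fieldAAD binds a ciphertext to its record and column (assumed layout) as
// associated data; a value moved to another row or column will not verify.
func fieldAAD(recordID, field string) []byte {
	return []byte(recordID + "\x00" + field)
}

// Encrypt draws a fresh random 96-bit nonce for every value it seals.
func (c *FieldCipher) Encrypt(recordID, field string, plaintext []byte) (EncryptedField, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedField{}, err
	}
	ct := c.aead.Seal(nil, nonce, plaintext, fieldAAD(recordID, field))
	return EncryptedField{Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt errors when the tag fails: a modified ciphertext or one presented
// under the wrong record or field.
func (c *FieldCipher) Decrypt(recordID, field string, ef EncryptedField) ([]byte, error) {
	return c.aead.Open(nil, ef.Nonce, ef.Ciphertext, fieldAAD(recordID, field))
}

// RoundTripResult records the three properties the demo checks.
type RoundTripResult struct {
	DistinctCiphertexts bool // same plaintext sealed twice looks different
	DecryptOK           bool // the legitimate lookup recovers the plaintext
	SwapRejected        bool // the same blob under another record is refused
}

// RoundTrip seals a constructed date of birth twice and exercises the checks.
func RoundTrip(key []byte) (RoundTripResult, error) {
	fc, err := NewFieldCipher(key)
	if err != nil {
		return RoundTripResult{}, err
	}
	dob := []byte("1980-04-12") // constructed sample value, not real PHI
	a, err := fc.Encrypt("patient-1001", "dob", dob)
	if err != nil {
		return RoundTripResult{}, err
	}
	b, err := fc.Encrypt("patient-1001", "dob", dob)
	if err != nil {
		return RoundTripResult{}, err
	}
	pt, decErr := fc.Decrypt("patient-1001", "dob", a)
	_, swapErr := fc.Decrypt("patient-2002", "dob", a)
	return RoundTripResult{
		DistinctCiphertexts: !bytes.Equal(a.Ciphertext, b.Ciphertext),
		DecryptOK:           decErr == nil && bytes.Equal(pt, dob),
		SwapRejected:        swapErr != nil,
	}, nil
}

func main() {
	key := make([]byte, 32) // stand-in for a key fetched from a KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	res, err := RoundTrip(key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

Two design points are worth checking in any implementation of this scheme: GCM nonces must never repeat under one key, so they are drawn from a CSPRNG per value (or derived from a counter that is persisted), and key rotation needs a key id stored beside the nonce so old rows remain decryptable.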

3.2 Access Controls

  • Authentication: Secure token-based authentication (JWT) with automatic session expiration.
  • Role-based access: The Service enforces role-based permissions (Front Desk, Billing, Office Manager, Provider) to ensure users access only the data required for their function.
  • Practice isolation: All data is scoped to individual practices. Users cannot access data belonging to other practices.
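The three access-control points above (session expiry, role-based permissions, practice isolation) compose into one authorization decision. The Go program below is an added example, not the Service's code. The page names the four roles but not their rights, so the permission matrix and resource names are hypothetical; the principal's fields stand in for claims taken from a validated session token. The order of the checks is the security-relevant part: the practice comparison runs before the role lookup, so no role can reach another practice's data.

```go
package main

import (
	"fmt"
	"time"
)

type Role string

const (
	FrontDesk     Role = "front_desk"
	Billing       Role = "billing"
	OfficeManager Role = "office_manager"
	Provider      Role = "provider"
)

type Resource string

const (
	Appointments      Resource = "appointments"
	InsuranceCoverage Resource = "insurance_coverage"
	Claims            Resource = "claims"
	TreatmentHistory  Resource = "treatment_history"
)

type Action string

const (
	Read  Action = "read"
	Write Action = "write"
)

// permissions is a hypothetical matrix: each role sees only the data its
// function needs. The page does not publish the real one.
var permissions = map[Role]map[Resource][]Action{
	FrontDesk:     {Appointments: {Read, Write}, InsuranceCoverage: {Read}},
	Billing:       {InsuranceCoverage: {Read, Write}, Claims: {Read, Write}},
	Provider:      {Appointments: {Read}, TreatmentHistory: {Read, Write}},
	OfficeManager: {Appointments: {Read, Write}, InsuranceCoverage: {Read, Write}, Claims: {Read, Write}, TreatmentHistory: {Read}},
}

// Principal holds what a validated session token (e.g. JWT claims) yields.
type Principal struct {
	UserID     string
	PracticeID string
	Role       Role
	ExpiresAt  time.Time
}

// Request describes the data access being attempted.
type Request struct {
	PracticeID string
	Resource   Resource
	Action     Action
}

// Authorize applies the checks in a fixed order: session validity, then
// practice isolation, then role permission. Anything not explicitly granted
// is denied, and the reason is returned for the audit log.
func Authorize(p Principal, r Request, now time.Time) (bool, string) {
	if !now.Before(p.ExpiresAt) {
		return false, "session expired"
	}
	if p.PracticeID == "" || p.PracticeID != r.PracticeID {
		return false, "practice isolation: resource belongs to a different practice"
	}
	for _, a := range permissions[p.Role][r.Resource] {
		if a == r.Action {
			return true, "allowed"
		}
	}
	return false, fmt.Sprintf("role %s may not %s %s", p.Role, r.Action, r.Resource)
}

func main() {
	now := time.Now()
	// Constructed principal: a front-desk user at practice-A with a live session.
	alice := Principal{UserID: "u-1", PracticeID: "practice-A", Role: FrontDesk, ExpiresAt: now.Add(30 * time.Minute)}
	for _, req := range []Request{
		{"practice-A", Appointments, Read},
		{"practice-A", Claims, Read},
		{"practice-B", Appointments, Read},
	} {
		ok, why := Authorize(alice, req, now)
		fmt.Printf("%-12s %-18s %-5s -> %v (%s)\n", req.PracticeID, req.Resource, req.Action, ok, why)
	}
}
```

In a real service the practice id on the request comes from the resource being loaded (the row's owning practice), not from a client-supplied parameter, and the denial reason feeds the audit trail described in section 5.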

3.3 Infrastructure Security

  • Hosted on dedicated servers with firewall-restricted access
  • Database connections restricted to internal network only
  • SSH key-only authentication — no password-based server access
  • Automated security updates and vulnerability monitoring
  • Production deployments use HIPAA-eligible cloud infrastructure

4. Administrative Safeguards

  • Workforce training: All personnel with access to PHI receive HIPAA training on proper handling and incident response.
  • Minimum necessary: We apply the HIPAA Minimum Necessary standard — only the minimum amount of PHI needed to perform a function is accessed or disclosed.
  • Subcontractors: Any subcontractors who may access PHI are bound by BAAs and equivalent security requirements.
  • Risk assessment: We conduct periodic risk assessments to identify and address potential vulnerabilities.

5. Audit Controls

  • PHI access operations are logged with timestamps, user identity, and action performed.
  • Audit logs are retained for a minimum of 6 years as required by HIPAA.
  • Logs are stored separately from application data and are tamper-resistant.
  • Periodic audit log reviews are conducted to detect unauthorized access.
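One way to make an audit log tamper-resistant, as the section above requires, is to hash-chain its entries so that editing or removing any record invalidates every hash after it. The Go program below is an added illustration of that technique, not the Service's logging code; the field layout, the genesis value and the three logged events are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// AuditEvent is one record of a PHI access: who, when, what, on which record.
type AuditEvent struct {
	Seq        int    `json:"seq"`
	Timestamp  string `json:"ts"`
	UserID     string `json:"user"`
	PracticeID string `json:"practice"`
	Action     string `json:"action"`
	Resource   string `json:"resource"`
	PrevHash   string `json:"prev"`
	Hash       string `json:"hash"`
}

// AuditLog is an append-only chain: each entry's hash covers its own fields
// and the previous entry's hash.
type AuditLog struct {
	Events []AuditEvent
}

// genesisHash anchors the first entry; any fixed, published value works.
const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// hashEvent hashes the JSON of the event with its Hash field cleared. Struct
// field order is fixed, so the encoding is canonical.
func hashEvent(e AuditEvent) string {
	e.Hash = ""
	b, err := json.Marshal(e)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links a new event to the chain and returns it.
func (l *AuditLog) Append(ts, user, practice, action, resource string) AuditEvent {
	prev := genesisHash
	if n := len(l.Events); n > 0 {
		prev = l.Events[n-1].Hash
	}
	e := AuditEvent{Seq: len(l.Events), Timestamp: ts, UserID: user, PracticeID: practice,
		Action: action, Resource: resource, PrevHash: prev}
	e.Hash = hashEvent(e)
	l.Events = append(l.Events, e)
	return e
}

// Verify walks the chain and returns the index of the first inconsistent
// entry (bad sequence, broken link, or altered content), or -1 if intact.
func (l *AuditLog) Verify() int {
	prev := genesisHash
	for i, e := range l.Events {
		if e.Seq != i || e.PrevHash != prev || hashEvent(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// TamperDemo builds a small constructed log, verifies it, then rewrites one
// entry's user id (as someone hiding an access might) and verifies again.
func TamperDemo() (cleanResult, tamperedResult int) {
	var log AuditLog
	log.Append("2026-03-24T09:00:00Z", "u-17", "practice-A", "read", "patient-1001/insurance")
	log.Append("2026-03-24T09:01:10Z", "u-17", "practice-A", "read", "patient-1001/claims")
	log.Append("2026-03-24T09:02:45Z", "u-42", "practice-A", "write", "patient-2002/appointments")
	cleanResult = log.Verify()
	log.Events[1].UserID = "u-99"
	tamperedResult = log.Verify()
	return cleanResult, tamperedResult
}

func main() {
	clean, tampered := TamperDemo()
	fmt.Printf("intact log verify: %d (-1 = ok); after tampering: %d\n", clean, tampered)
}
```

A chain like this detects modification and deletion of interior entries but not truncation of the tail, since the last link simply disappears. Periodically recording the latest hash somewhere the log writer cannot modify (the separate, tamper-resistant store the section describes) closes that gap, and the periodic reviews then have a cheap integrity check to run before reading.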

6. Breach Notification

In the unlikely event of a breach involving unsecured PHI, we will:

  • Notify the affected Covered Entity (your practice) without unreasonable delay and no later than 60 days after discovery of the breach.
  • Provide sufficient information for the Covered Entity to fulfill its notification obligations to affected individuals and the Department of Health and Human Services (HHS).
  • Cooperate with the Covered Entity in investigating the breach and mitigating harm.
  • Document the breach and remediation steps taken.

For full details on our breach response procedures, see our Breach Notification Policy.

7. Patient Rights

HIPAA grants patients certain rights regarding their PHI, including the right to access, amend, and request an accounting of disclosures. Because Synthesis Benefits acts as a Business Associate, patient requests should be directed to your dental practice (the Covered Entity). We will cooperate with your practice to fulfill patient requests as required.

8. Data Disposal

Upon termination of the BAA or your subscription, we will:

  • Provide a 30-day window for you to export your data.
  • Securely delete all PHI within 90 days of termination.
  • Provide written confirmation of data destruction upon request.
  • Retain only the minimum data required by law (e.g., audit logs for 6 years).

9. Business Associate Agreement

A signed BAA is required before your practice processes any PHI through the Service. Our BAA covers:

  • Permitted and required uses and disclosures of PHI
  • Obligations to safeguard PHI
  • Breach notification procedures
  • Termination provisions and data return/destruction
  • Compliance with the HIPAA Security Rule and Privacy Rule

To review our BAA template, visit the Business Associate Agreement page, or contact us at contact@synthesisbenefits.com to execute a BAA for your practice.

10. Continuous Improvement

HIPAA compliance is not a one-time achievement — it is an ongoing commitment. We continuously review and update our security practices, conduct risk assessments, and stay current with regulatory guidance from HHS and the Office for Civil Rights (OCR).

Contact

For questions about our HIPAA compliance practices or to request a BAA, contact:

Synthesis Benefits
Email: contact@synthesisbenefits.com