OrthoRecords

HIPAA Notice of Privacy Practices


Effective Date: April 2026

This Notice describes how Protected Health Information (PHI) about patients may be used and disclosed through the OrthoRecords platform, and how you can get access to this information. Please review it carefully.

Our Role Under HIPAA

OrthoRecords, operated by [Practice Name], functions as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act. We process and store PHI on behalf of dental practices ("Covered Entities") that use our platform, pursuant to a written Business Associate Agreement (BAA).

How PHI May Be Used and Disclosed

### Treatment Support

We facilitate storage and retrieval of PHI to support clinical care, documentation, and care coordination among authorized dental providers within your practice.

### Healthcare Operations

PHI may be accessed for quality assessment, staff training, auditing, and other legitimate practice management functions, strictly as directed by the Covered Entity.

### Required by Law

We may use or disclose PHI when required to do so by federal, state, or local law, including disclosures to law enforcement or government agencies as mandated.

### Subcontractors

We may share PHI with our vendors and subcontractors (e.g., cloud hosting providers) who perform services on our behalf. All such parties are bound by HIPAA-compliant agreements ensuring equivalent protections.

### Other Disclosures

We will not use or disclose PHI for any purpose not described in this Notice or our BAA without written authorization from the patient's dental provider or the patient themselves.

Security Safeguards

We maintain comprehensive safeguards to protect the confidentiality, integrity, and availability of all PHI we handle, including:

- Encryption of PHI at rest (AES-256) and in transit (TLS 1.2+)
- Role-based access controls limiting PHI access to authorized personnel
- Comprehensive audit logging of all PHI access and modification
- Regular security risk assessments and vulnerability management
- Employee training and signed confidentiality agreements
- Incident response and business continuity plans

Breach Notification

In the event of a breach of unsecured PHI, we will notify the affected Covered Entity without unreasonable delay and no later than 60 days following discovery of the breach, as required by the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).

Minimum Necessary Standard

We apply the HIPAA minimum necessary standard and limit access to PHI to the minimum required to perform our services. Access controls ensure that workforce members access only the PHI necessary for their specific role.

Patient Rights

Patients wishing to exercise HIPAA rights — including the right to access, amend, restrict use of, or obtain an accounting of disclosures of their PHI — must contact their dental provider (the Covered Entity) directly. Your dental practice is the responsible party for fulfilling these patient rights requests.

Business Associate Agreements

All dental practices using OrthoRecords are required to execute a Business Associate Agreement with [Practice Name] prior to processing any PHI through the platform. To request a BAA, contact: hipaa@orthorecords.com.

Filing a Complaint

If you believe your privacy rights under HIPAA have been violated, you may file a complaint with:

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
www.hhs.gov/ocr/privacy/hipaa/complaints

You may also contact our Privacy Officer directly. We will not retaliate against any individual who files a good-faith complaint.

Contact Our Privacy Officer

HIPAA Privacy Officer
[Practice Name]
hipaa@orthorecords.com
OrthoRecords.com