Toothsome, Inc. — Effective Date: January 1, 2026
Our Commitment to HIPAA Compliance
Toothsome, Inc. is committed to protecting the privacy and security of Protected Health Information ("PHI") in accordance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and all applicable regulations (collectively, the "HIPAA Rules").
As a technology platform that facilitates dental benefit administration between employers, employees, and dental providers, Toothsome acts as a Business Associate under HIPAA. We handle PHI in accordance with HIPAA requirements and maintain Business Associate Agreements with all Covered Entities (employers and providers) we work with.
How We Handle Protected Health Information
Certain information we collect through the Toothsome platform may constitute Protected Health Information under HIPAA. This includes information related to dental services, treatment records, and benefit utilization that can be linked to an individual.
Permitted Uses and Disclosures
We use and disclose PHI only as permitted under HIPAA and our Business Associate Agreements:
- To perform our obligations under service agreements with employers and providers
- For proper management and administration of the Toothsome platform
- To provide data aggregation services relating to health care operations
- To de-identify PHI in accordance with HIPAA standards
- As required by law
Minimum Necessary Standard
We apply the minimum necessary standard when using or disclosing PHI, meaning we limit the PHI used or disclosed to the minimum amount necessary to accomplish the intended purpose. For example, we share transaction summaries with employers for payroll processing but do not share clinical details or specific procedure information.
Your Rights Regarding Protected Health Information
Under HIPAA, you have the following rights with respect to your PHI:
- Right to Access: You may request a copy of the PHI that we maintain about you. We will provide access within 10 business days of receiving a request from your employer (the Covered Entity).
- Right to Amendment: You may request correction of PHI you believe is inaccurate or incomplete. We will incorporate amendments within 10 business days of notification.
- Right to an Accounting of Disclosures: You may request a list of certain disclosures we have made of your PHI. The accounting will include the date, recipient, description, and purpose of each disclosure.
- Right to Request Restrictions: You may request restrictions on how we use or disclose your PHI for treatment, payment, or health care operations.
- Right to Confidential Communications: You may request that we communicate with you about your PHI in a specific manner or at a specific location.
To exercise any of these rights, contact our Privacy Officer at privacy@toothsome.io.
Security Measures
We implement comprehensive administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI:
Encryption
All data is encrypted in transit using TLS (Transport Layer Security) and at rest using AES-256 encryption. All electronic PHI transmitted over networks is encrypted.
Access Controls
We maintain strict access controls including unique user identification, automatic logoff, and role-based access. Access to PHI is limited to authorized personnel who need it to perform their job functions.
Audit Controls
We maintain hardware, software, and procedural mechanisms to record and examine access to electronic PHI ("ePHI"). We implement integrity controls to ensure ePHI has not been altered or destroyed without authorization.
Monitoring and Training
We actively monitor our systems for security incidents and unauthorized access. Our team receives regular training on HIPAA privacy and security practices.
Secure Disposal
When PHI is no longer needed, we securely delete or destroy it in accordance with HIPAA requirements.
While we implement comprehensive safeguards, no method of transmission over the Internet or electronic storage is completely secure. We continuously evaluate and improve our security measures to protect your information.
Breach Notification
In the event of a breach of unsecured PHI, Toothsome will notify the affected Covered Entity within 24 hours of discovery. Our breach notification includes:
- Date of the breach and date of discovery
- Description of the PHI involved
- Number of individuals affected
- Description of what happened
- Steps taken to mitigate harm
- Steps taken to prevent recurrence
Subcontractors
We ensure that any subcontractors who create, receive, maintain, or transmit PHI on our behalf agree in writing to the same restrictions and conditions that apply to Toothsome under our Business Associate Agreements. Our current subcontractors handling PHI include:
- Amazon Web Services (AWS) — Cloud hosting and data storage
- Veryfi — Receipt and OCR processing
- SendGrid — Email delivery (emails designed to contain no PHI)
- Stripe — Payment processing
Contact Our Privacy Officer
If you have questions about this HIPAA Notice, our privacy practices, or wish to exercise your rights regarding Protected Health Information, please contact:
Privacy Officer
Toothsome, Inc.
3550 N Lakeline Blvd, Unit 170, PMB 1022
Leander, TX 78641
Email: privacy@toothsome.io
For more details about how we collect and use information generally, please see our full Privacy Policy. For our template Business Associate Agreement, see our BAA.
This notice is provided for informational purposes and supplements our Privacy Policy.