
HIPAA Compliance

Effective date: January 1, 2026  ·  Last reviewed: April 1, 2026

Our Commitment

Praxis AI is committed to maintaining full compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH"). As a Business Associate under HIPAA, we recognise that dental practices entrust us with sensitive patient information, and we take that responsibility seriously.

This page describes how Praxis AI handles Protected Health Information ("PHI"), the safeguards we have in place, and what your practice needs to know to maintain its own HIPAA compliance when using our Services.

What Is Protected Health Information?

Under HIPAA, PHI is any individually identifiable health information held or transmitted by a Covered Entity or its Business Associate, regardless of form (electronic, paper, or oral). PHI includes, but is not limited to:

  • Patient name, address, date of birth, phone number, and email address.
  • Dates of service, appointment schedules, and treatment notes.
  • Health plan beneficiary numbers and account numbers.
  • Device identifiers, URLs, and IP addresses that can identify an individual in a clinical context.
  • Photographs, biometric identifiers, and full-face images.

When Praxis AI processes any of the above on behalf of your practice, it constitutes PHI handling subject to HIPAA's Privacy and Security Rules.

How Praxis AI Handles PHI

Voice Agent

Call recordings and transcripts processed by the Voice Agent may contain PHI (e.g., a patient stating their name, date of birth, or reason for calling). Praxis AI:

  • Encrypts all call recordings and transcripts at rest (AES-256) and in transit (TLS 1.2+).
  • Retains recordings for 90 days by default; practices may shorten this window in account settings.
  • Limits access to PHI to authorised personnel on a need-to-know basis.
  • Does not use PHI from Voice Agent calls for any purpose other than providing the Services to your practice.

SEO Agent

The SEO Agent generates general educational and promotional content about your practice and services. It is not designed to process individual patient PHI. However, if practice-specific data inadvertently contains PHI, the safeguards described above apply equally.

Smile Simulator

The Smile Simulator processes patient facial images, which qualify as PHI under HIPAA. Praxis AI:

  • Processes images only for the purpose of generating the simulation output.
  • Does not retain source images beyond what is necessary to complete and deliver the simulation (typically 24 hours unless you enable gallery storage in settings).
  • Requires explicit patient consent before a simulation is created; practices are responsible for obtaining and documenting that consent.

Technical Safeguards

Praxis AI implements the technical safeguards required by 45 C.F.R. § 164.312, including:

  • Access controls — unique user identifiers, automatic logoff, and encryption and decryption controls.
  • Audit controls — hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI.
  • Integrity controls — mechanisms to authenticate ePHI and detect unauthorised alteration or destruction.
  • Transmission security — encryption of ePHI transmitted over electronic communications networks.

Physical Safeguards

Our infrastructure is hosted on AWS and Google Cloud, both of which maintain SOC 2 Type II, ISO 27001, and HIPAA certifications. Physical safeguards include:

  • 24/7 physical security at data centre facilities.
  • Controlled access via biometric authentication and badge systems.
  • Environmental controls for fire, flood, and power.
  • Media disposal procedures that render PHI unrecoverable.

Administrative Safeguards

Our administrative programme includes:

  • Security Officer — a designated HIPAA Security Officer responsible for developing and implementing security policies.
  • Workforce training — all employees complete HIPAA training at hire and annually thereafter.
  • Risk analysis — annual comprehensive risk assessments of all systems containing ePHI.
  • Risk management — documented remediation plans for identified risks, reviewed quarterly.
  • Incident response — a formal Breach Notification procedure aligned with 45 C.F.R. § 164.410 (60-day notification window).
  • Contingency planning — data backup, disaster recovery, and emergency mode operating procedures.

Your Practice's Responsibilities

As a Covered Entity, your dental practice retains responsibility for the following:

  • Patient authorisation and consent — obtaining required patient authorisations before using Praxis AI features that involve PHI (e.g., recording consent for Voice Agent calls, image consent for Smile Simulator).
  • Notice of Privacy Practices — disclosing to patients how their PHI is used and shared, including through third-party service providers like Praxis AI.
  • Access management — ensuring only authorised practice staff have access to Praxis AI accounts and PHI within the platform.
  • Workforce training — training your staff on HIPAA policies, including how to use Praxis AI tools in a compliant manner.
  • Minimum necessary — avoiding sharing more PHI with Praxis AI than is necessary for the Services.

If you are unsure whether a particular use of Praxis AI is HIPAA-compliant, please contact us before proceeding.

Breach Response

In the event of a confirmed Breach of Unsecured PHI, Praxis AI will:

  1. Notify your practice within 60 calendar days of discovery, as required by HIPAA.
  2. Provide a written notification describing the Breach, the PHI involved, and steps taken to mitigate harm.
  3. Cooperate fully with your investigation and any regulatory inquiry.

Your practice remains responsible for notifying affected patients and, when required, the Secretary of HHS and applicable media outlets.

Subcontractors & Sub-processors

Praxis AI engages sub-processors that may handle ePHI in the course of providing our Services. All such sub-processors are contractually obligated to comply with HIPAA and have signed Business Associate Agreements with Praxis AI. A current list of sub-processors is available upon request at legal@itspraxis.ai.

Audits & Certifications

Praxis AI undergoes the following assessments to validate our compliance programme:

  • Annual third-party HIPAA Risk Assessment.
  • Annual penetration testing by an independent security firm.
  • SOC 2 Type II audit (report available under NDA upon request).

Contact Our Compliance Team

Questions about our HIPAA compliance programme, requests for our BAA, or concerns about PHI handling should be directed to:

  • Email: compliance@itspraxis.ai
  • Mail: Praxis AI, Inc., Attn: HIPAA Compliance Officer, Miami, FL

We aim to respond to all compliance inquiries within 5 business days.

© 2026 Praxis AI, Inc.
Miami, FL