HIPAA Policy

Last Updated: January 14, 2026

OrapexAI is built from the ground up to meet the compliance requirements of dental practices under HIPAA and the HITECH Act. Every component of our platform — from the first ring of a patient call to the final appointment confirmation — is designed to keep Protected Health Information (PHI) secure, private, and fully compliant.

1. Our Commitment to Your Practice

As a dental practice, you are a HIPAA Covered Entity. When you use OrapexAI to handle patient calls, we act as your Business Associate — a role we take seriously. We understand that your patients trust you with their most sensitive health information, and by extension, they are trusting the tools you choose to work with.

OrapexAI is committed to ensuring that your use of our AI receptionist service never puts your practice, your patients, or your reputation at risk. We have implemented administrative, technical, and physical safeguards that satisfy the requirements of the HIPAA Security Rule, Privacy Rule, and the HITECH Act.

2. Business Associate Agreement (BAA)

Before any patient data is ever processed through OrapexAI, we execute a signed Business Associate Agreement (BAA) with your practice. This is a legal requirement under HIPAA, and we make it a non-negotiable part of our onboarding process — no exceptions.

The BAA formally establishes:

  • The permitted uses and disclosures of PHI by OrapexAI on your behalf
  • Our obligations to safeguard PHI using appropriate security measures
  • Our responsibility to report any suspected breach or security incident to your practice without unreasonable delay
  • Our obligation to return or destroy PHI upon termination of services
  • Your rights to access and audit the PHI we process on your behalf

3. What PHI We Handle and Why

OrapexAI processes only the minimum necessary PHI required to perform your requested services. This includes:

  • Patient name and contact details — to identify callers and confirm appointments
  • Appointment information — to schedule, reschedule, or cancel visits in your calendar
  • Insurance information — to verify eligibility and benefits in real time before the appointment
  • Call transcripts and recordings — retained solely for service delivery, quality assurance, and audit purposes

We do not access, store, or process clinical records, treatment notes, diagnoses, prescriptions, or any PHI beyond what is strictly necessary for the receptionist functions you have contracted us to perform.

4. No PHI Used for AI Training

This is a firm policy: OrapexAI does not use any Protected Health Information — including call recordings, transcripts, patient names, or insurance details — to train, fine-tune, or improve any artificial intelligence or machine learning model. Any improvements to our system are based exclusively on anonymized, non-identifiable operational metadata that cannot be traced back to any individual patient or practice.

5. Security Safeguards

Our infrastructure is designed with HIPAA Security Rule requirements as a baseline, not an afterthought. Key safeguards include:

Encryption in Transit

All data transmitted between patients, our systems, and your practice management software is encrypted using TLS 1.2 or higher.

Encryption at Rest

All stored PHI — including call recordings and transcripts — is encrypted at rest using industry-standard AES-256 encryption.

Access Controls

Access to PHI is governed by role-based permissions and the principle of least privilege. Only authorized systems may interact with patient data.

Audit Logging

All access to and interactions with PHI are logged and auditable, providing a complete trail for compliance reviews or breach investigations.

Vulnerability Management

We conduct regular security assessments and promptly remediate identified vulnerabilities in our platform.

Subcontractor Compliance

All third-party service providers that may have access to PHI in the course of service delivery are contractually required to maintain equivalent HIPAA-compliant safeguards.

6. Data Retention and Deletion

PHI processed through OrapexAI is retained only for as long as necessary to fulfill the purpose for which it was collected, or as required by applicable law. Specifically:

  • Call recordings and transcripts are retained for a default period to support quality assurance and any legitimate dispute resolution needs
  • Your practice may request early deletion of specific records, subject to any legal or regulatory obligations that require retention
  • Upon termination of your OrapexAI service agreement, PHI will be returned to you or securely destroyed in accordance with the terms of our BAA

7. Breach Notification

In the unlikely event of a confirmed or suspected breach involving PHI, OrapexAI will notify your practice without unreasonable delay — and in no case later than 60 days after discovery — consistent with HIPAA breach notification requirements. Our notification will include the nature of the breach, the PHI involved, the steps we have taken to contain and remediate the incident, and our recommendations for any actions your practice should take to protect your patients.

8. Your Responsibilities as a Covered Entity

While OrapexAI takes on significant compliance obligations as your Business Associate, your practice retains responsibility for certain aspects of HIPAA compliance, including:

  • Ensuring your own Notice of Privacy Practices (NPP) accurately reflects the use of third-party AI services for appointment handling
  • Training your staff on how OrapexAI interacts with your systems and what patient information it may access
  • Notifying OrapexAI of any changes to your patient population or service scope that may affect how PHI is processed

9. Contact Our Compliance Team

If you have questions about our HIPAA compliance practices, wish to review our BAA before signing up, or need to report a suspected security incident, please contact us directly:

OrapexAI Compliance

hello@orapexai.com

We aim to respond to all compliance-related inquiries within 1 business day.

Legal Inquiries

Contact our US-based legal team.