HIPAA Compliance
Smiles Unlimited is committed to, and has implemented, safeguards to ensure our mobile applications, services, web platforms, and the data they process comply with the regulations and conditions set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Smiles Unlimited is committed to continuously improving our privacy and security measures so that our products keep pace with best practices and technology improvements.
As a “Business Associate” per the definition in the HIPAA Act, and by assignment of the HIPAA-covered entity, Smiles Unlimited is subject to the following controls (our safeguards are not limited to those listed here):
Administrative Safeguards (HIPAA 164.308)
Smiles Unlimited has implemented policies to ensure appropriate assignment of data access permissions and proper movement and handling of that data.
Privacy and security training (HIPAA 164.308(a)(5)(i)) is a mandated event for all staff that handle patient health information and is provided by a third-party entity.
Smiles Unlimited has hired a privacy and security firm and conducted risk assessments (HIPAA 164.308(a)(1)(ii)(A)), including a Privacy Impact Assessment (PIA), a Threat Risk Assessment (TRA), and a penetration test. Customers evaluating our product can request the PIA and TRA by contacting our privacy department at privacy@smilesunlimited.biz.
Smiles Unlimited can sign a Business Associate Agreement to be the “Business Associate” with our customers to handle PHI on their behalf (HIPAA 164.308(b)(1)).
Physical Safeguards (HIPAA 164.310)
Smiles Unlimited is deployed on enterprise-grade cloud infrastructure from both Amazon Web Services (AWS) and Microsoft Azure. These cloud providers have physical safeguards including, but not limited to: initial environmental and geographical assessments, redundancy measures, availability measures in case of outages, employee data center access privileges, 24-hour closed-circuit television (CCTV) monitoring, controlled data entry points, and intrusion detection. Smiles Unlimited’s offices are controlled with fob access control to prevent walk-up intrusion (HIPAA 164.310(a)(1)). Access to key resources is limited to staff with a specific purpose and is revoked once that purpose no longer applies (HIPAA 164.312(a)(1)). Smiles Unlimited has signed Business Associate Agreements (BAA) with our cloud providers.
Technical Safeguards (HIPAA 164.312)
Smiles Unlimited implements additional measures to safeguard data, such as encryption of PHI at rest and in transit (HIPAA 164.312(a)(2)(iv) and 164.312(e)(2)(i)). Furthermore, Smiles Unlimited implements automatic logoff (HIPAA 164.312(a)(2)(iii)) on the web platform. Smiles Unlimited also separates development, testing, and operational environments to ensure data segregation. We follow secure system engineering principles and acceptance testing, and have undergone a penetration test.
Questions about the specifics can be directed to privacy@smilesunlimited.biz.
Helpful links for additional information:
HIPAA FAQ for Healthcare Professionals
HIPAA Summary