1. Roles
- You (the customer) are typically a Covered Entity (a dental practice or DSO) under HIPAA.
- OneExpert is a Business Associate that processes PHI you provide so we can perform credentialing services on your behalf.
- Subcontractors we use to deliver the service are downstream Business Associates and are bound to obligations no less stringent than ours. See our Subprocessors page.
2. What data we handle
Credentialing files contain professional information about dental providers — full name, NPI, license number, DEA registration, malpractice insurance details, professional history, and contact information. This is information about the provider as a professional, not patient health information, and the bulk of it is independently discoverable through public licensing registries. We do not require patient identifiers to deliver the service. Where a workflow could incidentally surface patient-related information, we apply HIPAA controls regardless of the legal classification.
3. BAA execution
We will execute a BAA with any customer whose use of OneExpert involves PHI. Until a BAA is executed, you should not upload PHI. Standard BAA terms address permitted uses and disclosures, safeguards, reporting, subcontractor flow-down, individual rights, access requests, amendments, and termination. To request a BAA, contact legal@oneexpert.ai.
4. Permitted uses and disclosures
We use and disclose PHI only:
- To perform the credentialing services described in our agreement;
- For our own management, administration, and legal responsibilities, where permitted by 45 CFR §164.504(e)(4);
- Where required by law;
- As authorized in writing by the Covered Entity or the individual.
We will not sell PHI and will not use it for marketing outside of permitted exceptions.
5. Safeguards
We maintain administrative, physical, and technical safeguards designed to comply with the HIPAA Security Rule, including:
- Encryption. AES-256 at rest, TLS 1.3 in transit for all PHI.
- Access control. Role-based access, least privilege, mandatory MFA for privileged access, automatic session expiration.
- Audit logging. Access to PHI is logged and retained per our retention policy.
- Network and host security. Hardened production environment, patched dependencies, vulnerability management.
- Personnel. Workforce training on HIPAA and security; background checks where permitted by law; confidentiality obligations.
- Vendor management. BAAs with subcontractors handling PHI; security review before onboarding.
- Incident response. Documented procedures for detection, containment, eradication, recovery, and post-incident review.
- Backup and continuity. Routine backups, disaster recovery plan, business continuity testing.
- SOC 2-aligned. Operating practices designed to align with the SOC 2 Trust Services Criteria.
6. Breach notification
If we discover a Breach of Unsecured PHI (as defined in the Breach Notification Rule), we will notify the affected Covered Entity without unreasonable delay and in no case later than 60 days after discovery (or sooner if the BAA specifies). We will provide the information reasonably needed to comply with the Covered Entity's notification obligations.
7. Individual rights support
If we receive a request from an individual about their PHI, we will route it to the Covered Entity and assist as required by the BAA, including supporting the individual's rights of access, amendment, and accounting of disclosures.
8. Subcontractors
We engage subcontractors only after appropriate review and require them to enter into BAAs. The current list is at our Subprocessors page. Material changes are subject to the notification provisions in the BAA.
9. International transfers
We process PHI primarily within the United States. We do not transfer PHI internationally except where you specifically direct us, or where a subcontractor's service involves incidental processing outside the U.S. (in which case appropriate safeguards apply).
10. Termination
Upon termination of the BAA, we will return or destroy PHI as feasible and as specified in the BAA. Where return or destruction is infeasible, we will continue to apply HIPAA protections for as long as we retain it.
11. Reporting concerns
Suspected security or HIPAA concerns should be reported to security@oneexpert.ai. We will not retaliate against any person for reporting in good faith.
12. Limitations
This page is informational. The actual rights and obligations between you and OneExpert with respect to PHI are governed by the executed BAA and applicable law. In the event of a conflict between this page and the BAA, the BAA controls. Nothing on this page creates rights for any third party.