Compliance

HIPAA Compliance

Cao Consulting LLC · NextGen Practice Solutions
Updated: April 2026
BAA Ready: Business Associate Agreement executed with every client before PHI access
Encrypted: AES-256 at rest · TLS 1.2+ in transit · Zero plaintext PHI storage
72hr Breach Notice: Breach notification within 72 hours per HIPAA Breach Notification Rule
Overview
Our commitment to patient data protection

NextGen Practice Solutions operates as a HIPAA Business Associate when providing services to dental practices. We understand that your patients trust you with their most sensitive information — and that trust extends to every vendor and technology partner you bring into your practice.

Our platform is designed from the ground up to handle protected health information (PHI) with the care HIPAA requires. Below is a plain-language overview of how we protect patient data across every layer of our operation.

Business Associate Agreement (BAA)
Required · Executed at signing
We execute a signed Business Associate Agreement with every dental practice client before any PHI is accessed or processed. The BAA defines our obligations as a Business Associate, including permitted uses of PHI, security requirements, breach reporting, and data return or destruction upon contract termination. No client goes live without a signed BAA on file.
Technical safeguards
How we protect PHI at every layer

HIPAA's Security Rule requires covered entities and Business Associates to implement technical safeguards protecting electronic PHI. Here's how we address each requirement:

Access control
Role-based access controls limit PHI access to authorized personnel only. Every access event is logged with user identity and timestamp.
Encryption in transit
All data transmitted between our systems and your practice uses TLS 1.2 or higher. Unencrypted transmission of PHI is not supported.
Encryption at rest
PHI stored in our database infrastructure (Supabase) is encrypted at rest using AES-256. Backups are encrypted with the same standard.
Audit logging
We maintain audit logs of all access to PHI, including user identity, action type, timestamp, and data accessed. Logs are retained per HIPAA requirements.
Automatic logoff
Portal sessions time out after a period of inactivity, reducing the risk of unauthorized access to unattended workstations.
Minimum necessary
Our systems are designed to access only the minimum PHI necessary to perform each specific function. We do not pull or store more data than required.
Administrative safeguards
Policies, training, and risk management
  • Security Officer. NextGen has designated a HIPAA Security Officer responsible for developing, implementing, and enforcing our security policies.
  • Workforce training. All personnel with access to PHI receive HIPAA training at onboarding and annually thereafter.
  • Risk analysis. We conduct periodic risk analyses to identify vulnerabilities in our systems and implement appropriate safeguards.
  • Vendor management. All subcontractors and technology vendors who may access PHI on our behalf are required to execute BAAs and meet our security standards.
  • Incident response. We maintain a documented incident response plan covering detection, containment, investigation, notification, and remediation of security incidents.
Breach notification
What happens if there's an incident

In the event of a breach of unsecured PHI, we will:

  • Notify you (as the Covered Entity) within 72 hours of discovering the breach
  • Provide a written report identifying the PHI involved, who may have accessed it, what we did to mitigate harm, and steps taken to prevent recurrence
  • Cooperate fully with your breach analysis and any required notification to affected individuals or regulatory authorities

Our notification obligation applies to any breach of unsecured PHI, regardless of breach size. We do not apply a "low probability of harm" exception without clear documented justification.

Subcontractors
Our vendor chain

The following subprocessors may handle PHI on our behalf in the course of service delivery. Each has executed a BAA with Cao Consulting LLC:

  • Supabase — Database infrastructure. US-based storage, SOC 2 Type II certified.
  • GoHighLevel (GHL) — CRM and patient communication platform. BAA available; executed for all dental practice clients.
  • Vapi — AI voice infrastructure for patient call handling. PHI transmission limited to call context necessary for the interaction.

We do not authorize any subcontractor to use PHI for any purpose other than the specific services for which they are engaged.

HIPAA Privacy Officer
Company: Cao Consulting LLC (NextGen Practice Solutions)