HIPAA Compliance Notice

Last updated: April 11, 2026

Important clarification: DDSFAX is a cloud fax technology platform. We are not a healthcare provider, health plan, or healthcare clearinghouse. We are a Business Associate — a technology vendor that transmits documents on behalf of covered entities. We do not provide medical advice, diagnoses, or treatment of any kind.

Contents

  1. What This Page Is About
  2. Our Role Under HIPAA
  3. Business Associate Agreement
  4. Administrative Safeguards
  5. Technical Safeguards
  6. Physical Safeguards
  7. Breach Notification
  8. Subcontractors
  9. Your Responsibilities
  10. No HIPAA Certification
  11. Contact

1. What This Page Is About

This page explains how DDSFAX, a product of The DDS Company, is designed to support HIPAA compliance for the dental and medical practices that use our cloud fax platform.

DDSFAX is a cloud fax technology platform. We are not a healthcare provider, health plan, or healthcare clearinghouse. We do not deliver care, prescribe medications, bill insurance directly, or make clinical decisions. We are a technology vendor that provides fax transmission infrastructure to practices that may handle Protected Health Information (PHI).

Our role is narrowly defined: we transmit, temporarily store, and deliver fax documents on behalf of our customers. This page describes the safeguards we have in place to protect the data that passes through our platform.

2. Our Role Under HIPAA

Under the Health Insurance Portability and Accountability Act (HIPAA), DDSFAX is classified as a Business Associate — a vendor that handles PHI on behalf of covered entities (your dental or medical practice).

DDSFAX transmits documents — we do not access, read, interpret, diagnose, prescribe, or take any clinical action based on document content. Our systems process fax data as encrypted payloads. No DDSFAX employee views, reads, or analyzes the content of your faxes in the normal course of operations.

To be clear: DDSFAX is a document transmission service, not a healthcare service. We move documents from point A to point B securely. We do not participate in patient care, treatment decisions, or clinical workflows in any capacity.

3. Business Associate Agreement

A Business Associate Agreement (BAA) is the contract required under HIPAA between your practice (the Covered Entity) and DDSFAX (the Business Associate). It defines our obligations for protecting PHI.

DDSFAX provides a BAA to all paid subscribers at no additional cost. We believe HIPAA compliance is a baseline requirement, not a premium feature. Your BAA takes effect upon activation of a paid subscription.

View our standard Business Associate Agreement or contact us at hipaa@ddsfax.com to request a custom BAA.

4. Administrative Safeguards

We maintain administrative safeguards aligned with the HIPAA Security Rule:

  • Designated HIPAA Privacy & Security Officer: A designated officer oversees all HIPAA compliance activities, policies, and training
  • Workforce training: All team members with potential access to systems that handle PHI receive HIPAA training and sign confidentiality agreements
  • Risk assessments: We conduct comprehensive security risk assessments annually and after any significant system or infrastructure changes
  • Policies and procedures: Written policies covering data handling, access management, incident response, breach notification, and workforce sanctions
  • Subcontractor BAAs: We execute Business Associate Agreements with all subcontractors who may come into contact with PHI, including our fax transmission carrier and infrastructure providers
  • Sanction policy: Documented procedures for workforce members who violate HIPAA policies

5. Technical Safeguards

Encryption

  • In transit: All data transmitted to and from DDSFAX is encrypted using TLS 1.2 or higher. Fax transmissions use the T.38 protocol with encrypted SIP signaling over a private IP network.
  • At rest: All stored data — including fax documents, metadata, and account information — is encrypted using AES-256 encryption
  • Key management: Encryption keys are managed with industry-standard practices including regular rotation and access controls

Access Controls

  • Unique user identification: Every user has a unique account with individual credentials
  • Role-based access: System access is restricted based on role and the minimum necessary principle
  • Automatic session timeout: Sessions expire after periods of inactivity
  • Multi-factor authentication: Required for all administrative and infrastructure access

Audit Logging

  • Comprehensive logging: All access to systems that handle PHI is logged with timestamp, user identity, and action performed
  • Log retention: Audit logs are retained for a minimum of 7 years
  • Automated monitoring: Real-time monitoring and alerting for suspicious access patterns or anomalous activity
  • Log integrity: Audit logs are stored in append-only storage to prevent tampering

Transmission Security

  • Private IP network: Faxes are transmitted over a carrier-grade private IP network, not the public internet
  • T.38 fax protocol: Industry-standard real-time fax protocol with error correction for reliable delivery
  • Delivery confirmation: Every fax transmission includes delivery verification with timestamps
  • Automatic retry: Failed transmissions are retried automatically with detailed error reporting

6. Physical Safeguards

  • SOC 2 Type II data centers: All data is hosted in SOC 2 Type II certified facilities with 24/7 physical security, biometric access controls, and video surveillance
  • Geographic redundancy: Data is replicated across geographically separated facilities for disaster recovery and business continuity
  • Media disposal: All storage media is securely wiped or destroyed when decommissioned, following NIST 800-88 guidelines

7. Breach Notification

In the event of a breach of unsecured PHI, DDSFAX will:

  1. Notify affected covered entities without unreasonable delay and no later than 60 days after discovery of the breach
  2. Provide breach details including: the nature of the PHI involved, a description of what happened, the steps individuals should take to protect themselves, what DDSFAX is doing to investigate and mitigate the breach, and contact information for further questions
  3. Cooperate fully with covered entities in fulfilling their breach notification obligations to affected individuals and the Department of Health and Human Services (HHS)
  4. Document and remediate all breach incidents with a full record of the investigation, root cause analysis, and corrective actions taken

8. Subcontractors

DDSFAX uses a carrier-grade fax transmission provider as our primary subcontractor for delivering fax transmissions over the telephone network. This subcontractor:

  • Has executed a Business Associate Agreement with DDSFAX
  • Maintains administrative, technical, and physical safeguards that support HIPAA compliance
  • Processes fax data solely for the purpose of completing transmissions
  • Does not retain fax content beyond the time required for delivery

We evaluate all subcontractors for HIPAA compliance before engagement and maintain ongoing oversight of their security practices.

9. Your Responsibilities

As a Covered Entity using DDSFAX, you have obligations under HIPAA that we cannot fulfill on your behalf:

  • Execute a BAA: Ensure a Business Associate Agreement is in place with DDSFAX before transmitting PHI through our platform
  • Comply with your own policies: Ensure your use of DDSFAX aligns with your practice's HIPAA privacy and security policies
  • Train your staff: Provide appropriate training to your workforce members who use DDSFAX to send or receive faxes containing PHI
  • Secure your credentials: Protect your DDSFAX account login credentials and ensure only authorized personnel have access
  • Verify recipients: Confirm fax numbers before sending documents containing PHI to minimize misdirected faxes
  • Report incidents: Notify us promptly at security@ddsfax.com if you suspect any security incident or unauthorized access to your account

10. No HIPAA Certification

There is no official "HIPAA certification" issued by any government agency or standards body. No vendor, product, or service can be "HIPAA certified" because no such certification program exists under the law.

DDSFAX is designed with administrative, physical, and technical safeguards aligned with HIPAA requirements. We undergo regular risk assessments, maintain comprehensive security policies, and execute Business Associate Agreements with our customers and subcontractors. These measures demonstrate our commitment to protecting PHI — but they do not constitute a government-issued certification.

Be cautious of any vendor that claims to be "HIPAA certified." What matters is whether a vendor has implemented the required safeguards, will sign a BAA, and has a documented compliance program — all of which DDSFAX provides.

11. Contact

For HIPAA-related questions, BAA requests, or to report a security concern:

  • HIPAA Privacy Officer: hipaa@ddsfax.com
  • Security incidents: security@ddsfax.com
  • General support: support@ddsfax.com
  • Company: The DDS Company (DDSFAX)
  • Address: Sheridan, WY 82801

For related policies, see our Privacy Policy, Terms of Service, and Business Associate Agreement. For general inquiries, visit our Contact page.

© 2026 The DDS Company. All rights reserved.