The short version
- Thorli will be a Business Associate when working with dental practices, not a Covered Entity. We will be bound by HIPAA when PHI is involved.
- We will sign a Business Associate Agreement (BAA) with every dental practice client before any PHI is shared. Non-negotiable, effective from day one of formal entity registration.
- We only use HIPAA-eligible tools for any system that could touch PHI. We say "no" to common marketing tools that cannot sign BAAs.
- If you send us PHI we did not ask for, we redact and delete it on receipt.
- Breach notification within 60 days, as HIPAA requires, with as much detail as we can responsibly share.
1. Thorli's role under HIPAA
The Health Insurance Portability and Accountability Act ("HIPAA") regulates how Protected Health Information ("PHI") is handled. There are two main types of entities under HIPAA:
- Covered Entities: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. Your dental practice is a Covered Entity.
- Business Associates: vendors that create, receive, maintain, or transmit PHI on behalf of a Covered Entity. Thorli will be a Business Associate once registered and engaging dental practice clients.
Thorli is not a healthcare provider and does not directly treat patients. We will become subject to HIPAA when a dental practice client shares PHI with us in connection with the marketing services we provide.
2. Business Associate Agreements (BAAs)
Per our Bill of Rights (item 8), we will sign a Business Associate Agreement with every dental practice client before any PHI is shared. The BAA describes:
- What PHI we may receive and how we may use it.
- Safeguards we must maintain (administrative, physical, technical).
- Reporting obligations if a breach or improper disclosure occurs.
- Subcontractor flow-down: any vendor we use that may touch PHI must sign a BAA with us.
- Termination and return/destruction of PHI when the engagement ends.
We use a standard BAA based on the HHS sample agreement. We will accept reasonable redlines from your practice or your attorney. If your practice does not have a BAA template, we will provide ours.
3. HIPAA-eligible tools we use
Our stack is intentionally curated so that any system that could touch PHI is HIPAA-eligible and covered by a signed BAA:
- Twilio — SMS messaging (signed BAA, HIPAA-eligible products only).
- Cloudflare — CDN, WAF, and edge security (BAA via Enterprise tier).
- AWS Simple Email Service (SES) — transactional email (BAA available).
- AWS S3 and EC2 — storage and compute (BAA via AWS).
- HubSpot Enterprise — CRM, with BAA addendum (and Sensitive Data feature enabled when required).
- Plausible Analytics — site analytics. Plausible does not collect PHI by design (no IP storage, no cookies, no cross-site identifiers), so it is acceptable as a privacy-preserving analytics layer. We still keep PHI out of URLs and event names.
- 1Password Business — credential management with BAA.
4. Tools we do NOT use for anything HIPAA-adjacent
These are popular marketing tools that cannot sign a HIPAA BAA and therefore cannot be used in any system that might receive PHI. If you are working with another agency, ask them point-blank whether they use these for healthcare clients:
- Google Analytics 4 (GA4) — Google does not offer a BAA for GA4. We do not install GA4 on dental practice websites for this reason. We use Plausible instead.
- Mailchimp — does not sign BAAs. We do not use it for any healthcare communications.
- Klaviyo — does not sign BAAs. Off the table for dental marketing.
- ActiveCampaign, ConvertKit, MailerLite (consumer plans) — same problem.
- Standard Meta Pixel on patient-data pages — default Meta Pixel deployments have been the subject of dozens of healthcare class actions for PHI leakage. If you require Meta tracking, we use the Conversions API (CAPI) with server-side, pre-hashed data and no patient-data page firing.
- Default Google Ads remarketing on appointment, treatment, or post-visit pages — same PHI leakage risk. We exclude those pages from all ad tags.
- Hotjar, Microsoft Clarity, FullStory, and other session replay tools on pages where patient data is entered — PHI capture risk.
- Zapier and Make on free or non-BAA tiers when routing patient data — we use enterprise tiers with BAA when integration is required.
If a workflow requires a tool that cannot sign a BAA, we design around the tool, not around HIPAA.
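The three rules stated in Sections 3 and 4 (no ad or analytics tags on patient-data pages, only pre-hashed identifiers sent server-side to CAPI, and no PHI in analytics URLs or event names) are mechanical enough to enforce in code. The following is an added Python example written for this page; it is not Thorli's own tooling. The path prefixes, parameter names and sample records are constructed for illustration, and the email and phone normalization follows the trim/lowercase and digits-only conventions Meta documents for hashed identifiers (check current CAPI documentation before relying on them).

```python
"""Added example (not Thorli's code): enforce the tag, hashing and URL rules from
Sections 3 and 4. Paths, field names and sample data are constructed."""
import hashlib
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed: path prefixes treated as patient-data pages. Matching is deliberately
# loose (prefix only) so a false positive merely means no tag on a marketing page.
PATIENT_DATA_PREFIXES = ("/appointment", "/treatment", "/post-visit", "/patient-portal")

# Constructed: query parameter names that should never appear in an analytics URL.
PHI_PARAM_NAMES = {"patient", "patient_id", "dob", "diagnosis", "procedure", "name", "chart"}

DOB_RE = re.compile(r"\b(19|20)\d{2}-\d{2}-\d{2}\b")          # ISO dates, possible DOB
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")     # US-style phone numbers
EMAIL_RE = re.compile(r"[^\s/?&=]+@[^\s/?&=]+\.[a-z]{2,}", re.I)


def tags_allowed(path: str) -> bool:
    """True only for pages where ad/analytics tags may load (rule: no firing on
    appointment, treatment or post-visit pages)."""
    norm = urlsplit(path).path.rstrip("/").lower() or "/"
    return not any(norm.startswith(prefix) for prefix in PATIENT_DATA_PREFIXES)


def hash_email(email: str) -> str:
    """Trim, lowercase, then SHA-256 hex: the raw address never leaves the server."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def hash_phone(phone: str) -> str:
    """Digits only (country code included by the caller), then SHA-256 hex."""
    digits = re.sub(r"\D", "", phone)
    return hashlib.sha256(digits.encode("utf-8")).hexdigest()


# Only these fields are ever forwarded, and only in hashed form.
IDENTIFIER_FIELDS = {"email": hash_email, "phone": hash_phone}


def build_capi_user_data(record: dict, source_path: str) -> Optional[dict]:
    """Return a user_data payload of hashed identifiers, or None when the event
    came from a patient-data page. Every non-identifier field (name, treatment,
    notes, ...) is dropped rather than forwarded."""
    if not tags_allowed(source_path):
        return None
    payload = {}
    for field, hasher in IDENTIFIER_FIELDS.items():
        value = record.get(field)
        if value:
            payload[field] = hasher(value)
    return payload


def phi_findings(url: str, event_name: str = "") -> list:
    """Heuristic scan of a URL and event name for PHI-looking content. An empty
    list means nothing was found; this is a guard rail, not a substitute for
    keeping PHI out of the analytics layer by design."""
    findings = []
    parts = urlsplit(url)
    texts = [("path", parts.path), ("fragment", parts.fragment), ("event name", event_name)]
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in PHI_PARAM_NAMES:
            findings.append(f"query parameter '{key}' looks like a PHI field")
        texts.append((f"query parameter '{key}'", value))
    for label, text in texts:
        if DOB_RE.search(text):
            findings.append(f"{label} contains a date that could be a date of birth")
        if EMAIL_RE.search(text):
            findings.append(f"{label} contains an email address")
        if PHONE_RE.search(text):
            findings.append(f"{label} contains a phone number")
    return findings


if __name__ == "__main__":
    # Constructed sample: a contact-form lead that also carries a treatment note.
    lead = {"email": " Jane.Doe@Example.com ", "phone": "(555) 010-2233", "treatment": "root canal"}
    print("tags on /services/implants:", tags_allowed("/services/implants"))
    print("tags on /appointment/confirm:", tags_allowed("/appointment/confirm?id=123"))
    print("CAPI payload from /contact:", build_capi_user_data(lead, "/contact"))
    print("CAPI payload from /post-visit:", build_capi_user_data(lead, "/post-visit/survey"))
    print(phi_findings("https://example-practice.test/thank-you?patient=Jane+Doe&dob=1985-04-12"))
```

The regex scan is a first-pass check to run over tag configuration and event definitions before a site ships; the stronger control is the one the notice already states, keeping PHI out of URLs and event names in the first place.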
5. How we handle PHI that arrives unexpectedly
Even though our forms ask for business contact information only, occasionally a prospective client will paste a patient example, a screenshot of a chart, or an email thread that contains PHI. When that happens:
- The receiving team member redacts and deletes the PHI from our systems immediately (email, CRM, ticketing).
- We notify the sender that PHI was received outside of a BAA and ask them to resend a redacted version.
- We log the incident internally. If it rises to the level of a breach under HIPAA, we follow the notification process in Section 6.
6. Breach notification
If Thorli discovers a Breach of Unsecured PHI (as defined by HIPAA), we will notify the affected dental practice client (the Covered Entity) without unreasonable delay and in no case later than 60 calendar days after discovery, in accordance with 45 CFR 164.410. Our notification will include:
- The identification of each individual whose Unsecured PHI was, or is reasonably believed to have been, accessed, acquired, used, or disclosed.
- The date of the Breach and the date of discovery, if known.
- A description of the types of Unsecured PHI involved.
- Steps we have taken to mitigate and prevent recurrence.
The Covered Entity is responsible for individual and HHS notifications under 45 CFR 164.404 and 164.408. We will cooperate fully.
7. Subcontractors
If we use a subcontractor that may create, receive, maintain, or transmit PHI on our behalf, we obtain a written BAA from that subcontractor before sharing any PHI. The subcontractor is bound by terms at least as protective as the BAA we have with the dental practice client. This is required by 45 CFR 164.504(e)(2).
8. Safeguards
Thorli maintains administrative, physical, and technical safeguards consistent with the HIPAA Security Rule (45 CFR Part 164, Subpart C):
- Administrative: documented security policies, annual HIPAA training for all team members with PHI access, role-based access controls, quarterly access reviews, formal incident response plan.
- Physical: all production data resides in SOC 2 Type II certified U.S. data centers (AWS). Team laptops are encrypted at rest (FileVault for macOS) and remotely wipeable.
- Technical: TLS 1.2+ in transit, AES-256 at rest, mandatory two-factor authentication, audit logging on PHI access, separation of production and non-production environments.
9. Patient rights to file complaints with HHS
Individuals who believe their HIPAA rights have been violated may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights ("OCR"). Information about filing a complaint is at hhs.gov/hipaa/filing-a-complaint. Thorli will not retaliate against any individual for filing a complaint with OCR or with us.
10. Updates to this Notice
We will update this Notice if our HIPAA practices materially change. The "Last updated" date at the top will reflect the change. Existing BAAs remain in force per their terms.
11. Contact
HIPAA, BAA, or PHI-related questions:
Email: hipaa@thorli.com
General: hello@thorli.com