The stack we run for SmileLink and the DDS Marketing AI suite — built to align with HIPAA from the schema up, not retrofitted with a privacy badge.
Leyoxa uses the phrase "HIPAA-aligned" rather than "HIPAA-compliant" deliberately. Compliance is a status that lives with the covered entity — the clinic, its policies, its training, its physical safeguards. We can build infrastructure that supports compliance end-to-end. Calling it "aligned" keeps that line honest.
What follows is the actual stack we run — the same controls a real HIPAA audit will look for.
Signed Business Associate Agreements with the clinic and with every downstream subprocessor that touches PHI — cloud, database, SMS, model providers, observability.
TLS 1.3 in transit (no fallback), AES-256 column-level encryption at rest on PHI fields, end-to-end encryption on patient ⇄ clinic chat. KMS-managed keys with per-environment rotation.
Minimum-required-scope per role on the clinic side. Front desk doesn't see clinical notes. SSO supported. MFA forced for any role that can read PHI in bulk.
Every read of a PHI field is logged with user, timestamp, IP, and record ID. Every write is logged with before/after diffs. Logs are immutable and stored separately, with 6-year retention.
Per-clinic data isolation enforced at the database level, not just the application layer. PHI doesn't commingle with operational metadata or with other clinics' data.
Documented processes for access, correction, deletion, and accounting of disclosures. Tombstone-based delete strategy that respects audit retention while honoring patient requests.
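The three controls above (audit entries on every PHI read and write with before/after diffs, per-clinic isolation checked at the data layer, and a tombstone-based delete that keeps the audit trail intact) can be seen working together in a small model. The following is an added illustration, not Leyoxa's code or schema: an in-memory store with constructed field names and sample values, where every access carries the clinic, actor, IP and record ID, and the audit log hands out read-only entries so nothing can be edited after the fact.

```python
"""Added example (hypothetical, not Leyoxa's implementation): a minimal PHI
store that enforces per-clinic isolation on every access, appends an
immutable audit entry per read/write/delete (user, timestamp, IP, record ID,
before/after diff on writes), and deletes via tombstones so the audit trail
survives a patient's deletion request."""
from __future__ import annotations

import copy
from datetime import datetime, timezone
from types import MappingProxyType
from typing import Any


class AuditLog:
    """Append-only log. Callers only ever see read-only views of entries."""

    def __init__(self) -> None:
        self._entries: list[MappingProxyType] = []

    def append(self, event: str, actor: str, ip: str, clinic_id: str,
               record_id: str, **extra: Any) -> MappingProxyType:
        entry = MappingProxyType({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event, "actor": actor, "ip": ip,
            "clinic_id": clinic_id, "record_id": record_id,
            **copy.deepcopy(extra),
        })
        self._entries.append(entry)  # no update/delete path exists on purpose
        return entry

    def entries(self) -> tuple[MappingProxyType, ...]:
        return tuple(self._entries)


class PhiStore:
    # Constructed field list for the example; a real schema would differ.
    PHI_FIELDS = ("name", "dob", "phone")

    def __init__(self) -> None:
        self._rows: dict[str, dict[str, Any]] = {}
        self.audit = AuditLog()

    def _row(self, clinic_id: str, actor: str, ip: str, record_id: str) -> dict:
        """Isolation check: a row owned by another clinic, or a tombstoned row,
        is indistinguishable from a missing one, and the attempt is logged."""
        row = self._rows.get(record_id)
        if row is None or row["clinic_id"] != clinic_id or row["deleted_at"]:
            self.audit.append("denied", actor, ip, clinic_id, record_id)
            raise LookupError(record_id)
        return row

    def _check_fields(self, fields: dict[str, Any]) -> None:
        unknown = set(fields) - set(self.PHI_FIELDS)
        if unknown:
            raise ValueError(f"unknown PHI fields: {sorted(unknown)}")

    def create(self, clinic_id: str, actor: str, ip: str, record_id: str,
               fields: dict[str, Any]) -> None:
        if record_id in self._rows:
            raise ValueError(f"record exists: {record_id}")
        self._check_fields(fields)
        self._rows[record_id] = {"clinic_id": clinic_id, "deleted_at": None,
                                 "fields": dict(fields)}
        self.audit.append("create", actor, ip, clinic_id, record_id,
                          diff={k: {"before": None, "after": v} for k, v in fields.items()})

    def read(self, clinic_id: str, actor: str, ip: str, record_id: str) -> dict[str, Any]:
        row = self._row(clinic_id, actor, ip, record_id)
        self.audit.append("read", actor, ip, clinic_id, record_id)  # every read
        return copy.deepcopy(row["fields"])

    def write(self, clinic_id: str, actor: str, ip: str, record_id: str,
              changes: dict[str, Any]) -> dict[str, dict[str, Any]]:
        self._check_fields(changes)
        row = self._row(clinic_id, actor, ip, record_id)
        diff = {k: {"before": row["fields"].get(k), "after": v}
                for k, v in changes.items() if row["fields"].get(k) != v}
        row["fields"].update(changes)
        self.audit.append("write", actor, ip, clinic_id, record_id, diff=diff)
        return diff

    def delete(self, clinic_id: str, actor: str, ip: str, record_id: str) -> list[str]:
        """Tombstone: clear PHI values but keep the row ID and the audit entries,
        so the 6-year audit retention and the patient's request both hold."""
        row = self._row(clinic_id, actor, ip, record_id)
        cleared = sorted(row["fields"])
        row["fields"] = {}
        row["deleted_at"] = datetime.now(timezone.utc).isoformat()
        self.audit.append("delete", actor, ip, clinic_id, record_id,
                          cleared_fields=cleared)
        return cleared


if __name__ == "__main__":
    store = PhiStore()  # sample values below are constructed
    store.create("clinic-a", "dr.lee", "10.0.0.5", "rec-1",
                 {"name": "Pat Example", "dob": "1980-01-01"})
    print(store.write("clinic-a", "dr.lee", "10.0.0.5", "rec-1", {"dob": "1981-02-02"}))
    try:
        store.read("clinic-b", "other-clinic", "10.0.1.7", "rec-1")
    except LookupError:
        print("cross-clinic read denied and logged")
    print(store.delete("clinic-a", "privacy-officer", "10.0.0.2", "rec-1"))
    for e in store.audit.entries():
        print(dict(e))
```

The cross-clinic read is refused with the same error a missing record would produce, so an attacker probing record IDs learns nothing about what exists in another tenant, while the denied attempt still lands in the log for detection. In a production deployment the same ownership check would sit in the database (row-level policies keyed on the tenant) rather than only in application code, which is what "enforced at the database level" means.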
A single subprocessor without a BAA breaks the whole compliance posture. We keep the list short and signed:
This isn't a hypothetical stack. It's the one running across the Leyoxa portfolio:
HIPAA-compliant dental software supports a covered entity (the clinic) in meeting the HIPAA Security and Privacy Rules: signed BAA, encryption in transit and at rest, audit logs on every PHI read and write, per-clinic isolation, and patient-rights workflows. We use the term "HIPAA-aligned" to be honest about the engineering posture — compliance status is a property of the operator.
If your dental software processes Protected Health Information on your behalf, HIPAA requires a Business Associate Agreement (BAA). Leyoxa signs BAAs as a Business Associate, and every downstream subprocessor on our stack carries a signed BAA.
PHIPA (Ontario's Personal Health Information Protection Act) is the Canadian equivalent. Most engineering controls carry over with differences mainly in terminology and a strong data residency preference for Canadian health information custodians. We host Canadian-bound workloads in Canadian regions.
Book a 30-minute call. We'll walk through the security posture and what a BAA looks like.