Privacy Policy

2.1 Protected Health Information (PHI)

We process PHI as defined under HIPAA, including but not limited to:

• Patient demographic information (name, address, phone, email, date of birth)
• Clinical notes and documentation
• Treatment plans and procedures
• Dental examination findings
• Medical and dental history
• Insurance information
• Audio recordings of patient-provider interactions
• Digital images and radiographs when integrated with practice management systems

2.2 Practice Information

• Healthcare provider credentials and licensing information
• Practice management system data integration
• Staff user accounts and access permissions
• Billing and subscription information
• Technical support communications

2.3 Technical Information

• Device information (IP address, browser type, operating system)
• Usage analytics and platform performance metrics
• System logs and error reports
• Authentication and security event logs

2.4 Audio Recordings

• Real-time audio capture during patient consultations
• Temporary storage of audio files for transcription processing
• Voice pattern analysis for improved transcription accuracy (de-identified)

3.1 Primary Purposes

• Clinical Documentation: Generate SOAP notes, treatment documentation, and patient communication logs
• Practice Management Integration: Sync with Open Dental and other practice management systems
• AI Processing: Transcribe audio recordings and create structured clinical notes
• Quality Assurance: Improve transcription accuracy and note quality

3.2 Secondary Purposes

• Platform Improvement: Enhance AI algorithms using de-identified data only
• Technical Support: Provide customer support and troubleshoot technical issues
• Compliance Monitoring: Ensure HIPAA compliance and security standards
• Business Operations: Process billing, manage subscriptions, and communicate service updates

3.3 AI Model Training

Important: We do NOT use PHI for AI model training. We remove 100% of patient identifying information prior to any AI model training. All patient data remains within the Open Dental Practice Management Software and is never used for model improvement without complete de-identification.

4.1 No Sale of PHI

We do not sell, rent, or trade PHI or personal information to third parties for marketing or commercial purposes.

4.2 Permitted Disclosures

We may disclose PHI only in the following circumstances:

• To You: Upon your request for access to your own information
• For Treatment: To healthcare providers involved in your care
• For Healthcare Operations: For quality assurance and compliance activities
• As Required by Law: When legally mandated by court order or regulatory requirement

4.3 Business Associates

We maintain Business Associate Agreements (BAAs) with all third-party vendors who may access PHI, including:

• Cloud hosting providers (AWS, Microsoft Azure)
• Security monitoring services
• Technical support contractors
• Backup and disaster recovery services

4.4 Data Location

All PHI is processed and stored within HIPAA-compliant infrastructure located in the United States. We do not transfer PHI outside the United States without explicit consent and appropriate safeguards.

5.1 Technical Safeguards

• Encryption: AES-256 encryption for all PHI in transit and at rest
• Access Controls: Multi-factor authentication and role-based access permissions
• Audit Logs: Comprehensive logging of all PHI access and modifications
• Network Security: Firewalls, intrusion detection, and secure communication protocols
• Data Backup: Encrypted, geographically distributed backup systems

5.2 Administrative Safeguards

• HIPAA Training: Regular training for all personnel with PHI access
• Risk Assessments: Annual security risk analyses and vulnerability testing
• Incident Response: Formal breach notification and response procedures
• Vendor Management: Due diligence and ongoing monitoring of business associates

5.3 Physical Safeguards

• Data Centers: SOC 2 certified facilities with 24/7 security monitoring
• Device Security: Encrypted workstations and secure disposal of hardware
• Facility Access: Restricted access to areas containing PHI

6.1 Retention Periods

• Transcripts and Summaries: Retained on AWS servers for the period of time specified by each client. Clients may choose to have all data deleted immediately or retain for longer periods of time by choice.
• Audio Recordings: Stored on client workstations only and can only be saved by the client to their secure destinations. Kaila never keeps any audio recordings on the platform.
• System Logs: Retained for 7 years for security and compliance purposes
• Billing Records: Retained for 7 years as required by tax regulations

6.2 Data Deletion

• Customers receive complete data export upon request only. We do not automatically export any data on our servers upon termination.
• Upon service termination, customer PHI is securely deleted according to client specifications
• Written certification of data destruction provided upon request
• De-identified data may be retained for research and platform improvement

7.1 HIPAA Rights

You have the right to:

• Access: Request copies of your PHI (transcripts and summaries only) so long as the client has any of yours on Kaila's servers
• Amendment: Request corrections to inaccurate PHI
• Restriction: Request limitations on PHI use and disclosure
• Accounting: Receive a list of PHI disclosures
• Confidential Communications: Request PHI be communicated through alternative means
• Complaint: File complaints regarding privacy practices

7.2 Exercise of Rights

To exercise these rights, contact us at support@hellokaila.com or through your healthcare provider. We will respond within 30 days of receiving your request.

7.3 State Privacy Rights

Residents of certain states may have additional privacy rights under state laws (e.g., California CCPA, Virginia CDPA). Contact us for information about state-specific rights.

8.1 Essential Cookies

We use necessary cookies for:

• User authentication and session management
• Security monitoring and fraud prevention
• Platform functionality and performance

8.2 Analytics

We use de-identified analytics to improve platform performance. No PHI is included in analytics data.

8.3 Third-Party Services

We may use third-party services for customer support and platform monitoring. These services operate under strict data processing agreements.

12.1 Notification of Changes

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated through:

• Email notification to registered users
• Prominent notice on our website
• Direct communication to covered entities

12.2 Effective Date

Updated policies become effective 30 days after notification, except for changes required by law, which may be effective immediately.

13.1 Privacy Officer

For privacy-related questions, concerns, or requests:
Email: support@hellokaila.com
Subject Line: Privacy Inquiry

13.2 HIPAA Complaints

You may also file complaints with:
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: 1-877-696-6775
Website: www.hhs.gov/ocr/privacy/hipaa/complaints/

15.1 Current Compliance

• HIPAA Security, Privacy, and Breach Notification Rules
• Florida state healthcare privacy regulations
• Industry-standard security frameworks

15.2 Ongoing Compliance

We are working toward SOC 2 Type II certification and will update this policy upon completion of the certification process.