GoMedicai Solutions

HIPAA Notice of Privacy Practices

Last Updated: May 7, 2026

GoMedicai Solutions LLC

Effective Date: May 7, 2026


Our Role Under HIPAA

GoMedicai Solutions LLC is a Business Associate as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act. We process Protected Health Information (PHI) on behalf of dental practices ("Covered Entities") that have engaged our platform services. We do not independently determine the purposes or means by which PHI is used — that authority rests with the Covered Entity (your dental practice).

This Notice describes how GoMedicai handles PHI in the course of providing services to Covered Entities, and the obligations we maintain to protect that information.

What Is Protected Health Information (PHI)?

PHI is individually identifiable health information that relates to:

  • A patient's past, present, or future physical or mental health or condition
  • The provision of healthcare to a patient
  • Past, present, or future payment for the provision of healthcare

PHI includes information in any form — electronic, written, or oral — such as names, dates of service, diagnoses, procedure codes, insurance identifiers, and account numbers.

How GoMedicai Uses and Discloses PHI

As a Business Associate, GoMedicai uses and discloses PHI only as permitted by our Business Associate Agreements (BAAs) with Covered Entities and as required by law. Permitted uses include:

Treatment, Payment, and Healthcare Operations support:

  • Processing and submitting insurance claims on behalf of the Practice (EDI 837D)
  • Receiving and routing remittance and payment information (EDI 835)
  • Verifying patient insurance eligibility (EDI 270/271)
  • Facilitating patient scheduling, intake, and communication workflows

Administrative and operational functions:

  • Maintaining audit logs of AI actions and data access for the Practice
  • Routing patient inquiries and appointment requests to Practice staff
  • Providing the Practice with operational dashboards and analytics

As required by law:

  • Disclosing PHI when required by federal, state, or local law, or in response to lawful legal process

GoMedicai does not:

  • Use PHI to train AI models
  • Sell PHI to third parties
  • Use PHI for GoMedicai's own marketing purposes
  • Disclose PHI except as permitted by our BAAs and applicable law

Safeguards We Maintain

GoMedicai implements the following HIPAA-required safeguards:

Administrative safeguards:

  • Designated Privacy and Security Officer
  • Workforce training on HIPAA policies and procedures
  • Risk analysis and risk management program
  • Business Associate Agreements with all subcontractors who access PHI

Physical safeguards:

  • PHI is stored exclusively on HIPAA-eligible AWS infrastructure
  • Physical access controls managed by AWS per their shared responsibility model

Technical safeguards:

  • AES-256 encryption of PHI at rest
  • TLS 1.3 encryption of PHI in transit
  • Role-based access controls (RBAC) limiting PHI access to authorized personnel
  • Full audit logs of all PHI access, with timestamp, user identity, and action
  • Automatic session timeouts and multi-factor authentication

Breach Notification

In the event of a breach of unsecured PHI, GoMedicai will notify the affected Covered Entity within 72 hours of discovering the breach, consistent with HIPAA §164.410. The Covered Entity is responsible for notifying affected individuals, the Secretary of HHS, and (where required) the media, consistent with their obligations as a Covered Entity under HIPAA.

Your Rights Regarding PHI

Because GoMedicai acts as a Business Associate and not a Covered Entity, patient rights under HIPAA (such as the right to access, amend, or restrict use of PHI) must be exercised through the dental practice that is your healthcare provider. Please contact your dental practice directly to exercise these rights.

Subcontractors and Agents

GoMedicai may engage subcontractors or agents who access PHI to support service delivery. All such subcontractors are required to execute a Business Associate Agreement with GoMedicai and are bound by equivalent privacy and security obligations.

Current infrastructure subcontractors include Amazon Web Services (AWS), which hosts all PHI on HIPAA-eligible infrastructure under AWS's own BAA with GoMedicai.

Retention of PHI

PHI is retained for the period required by applicable federal and state law, and as specified in our BAAs with Covered Entities. Upon termination of a BAA, GoMedicai will return or destroy PHI as directed by the Covered Entity, consistent with HIPAA requirements.

Changes to This Notice

GoMedicai reserves the right to update this Notice at any time. Material changes will be posted at gomedicai.com/hipaa-notice and communicated to Covered Entities with whom we have active BAAs.

Contact Our Privacy Officer

For questions about this Notice or GoMedicai's privacy and security practices:

GoMedicai Solutions LLC — Privacy Officer

Email: privacy@gomedicai.com

Website: https://www.gomedicai.com

To report a potential privacy or security concern, contact: security@gomedicai.com