CaseLink is built for the exchange of Protected Health Information (“PHI”) between dental providers. That places clear obligations on us under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). This page describes the safeguards we maintain to meet those obligations, in accordance with 45 CFR 164.308, 164.310, 164.312, and 164.316.
The controls described here are the baseline commitments incorporated by reference into every CaseLink Business Associate Agreement. We will provide reasonable advance notice of any material reduction in scope.
Encryption
In transit
All connections to the CaseLink Service use Transport Layer Security (TLS) 1.2 or higher. TLS 1.3 is in use across supported endpoints as of the date above. Certificates are managed through automated renewal and are audited for expiry.
At rest
Stored electronic PHI (ePHI) is encrypted using AES-256 or an equivalent industry-standard algorithm. Encryption keys are managed in a dedicated key management service, are separated from the data they protect, and are rotated on a defined schedule.
Access Controls
Access to PHI within the Service is governed by role-based access controls (RBAC). Users are granted the minimum access necessary for their role within their practice, consistent with the HIPAA minimum necessary standard at 45 CFR 164.502(b).
CaseLink workforce members may access Covered Entity PHI only where required for support, security, or service operations, and only under documented controls that include:
- role-based permissions tied to job function,
- separation of production and non-production environments,
- time-bounded, purpose-scoped access for support tasks, and
- logging of every access event.
Authentication and Session Management
User accounts require strong authentication credentials. Multi-factor authentication (MFA) is required for all accounts with access to PHI and is enforced through technical controls. PHI access is not permitted for any account with MFA disabled.
Sessions expire after a period of inactivity. Password resets and MFA changes trigger security notifications to the account owner.
Audit Logging
The Service maintains a record of access and material actions taken on PHI, including:
- the user performing the action,
- the resource acted upon,
- the action taken,
- the timestamp, and
- the source IP address.
Audit records are retained for at least six (6) years, consistent with the HIPAA documentation retention requirement at 45 CFR 164.316(b)(2). Audit records are protected against unauthorized modification.
Workforce Training and Sanctions
All CaseLink workforce members with access to PHI complete HIPAA Privacy and Security training at hire and on a recurring basis. Training records are retained. CaseLink maintains a sanctions policy for workforce members who fail to comply with our privacy and security policies, consistent with 45 CFR 164.308(a)(1)(ii)(C).
Risk Management
CaseLink conducts periodic risk assessments and documents corrective actions, consistent with 45 CFR 164.308(a)(1)(ii)(A) and (B). Risk assessments cover:
- threats to the confidentiality, integrity, and availability of ePHI,
- vulnerabilities in systems that create, receive, maintain, or transmit ePHI,
- the likelihood and potential impact of identified risks, and
- remediation plans and their status.
Infrastructure and Physical Security
CaseLink runs on cloud infrastructure and platform providers whose data centers maintain physical security controls that meet or exceed industry standards, including access controls, environmental monitoring, and continuous physical surveillance. Physical safeguards for the underlying facilities are the responsibility of those providers under their own certifications and audits.
Data processed by CaseLink is stored in the United States.
Subprocessors
CaseLink uses third-party service providers to operate the Service. Any subprocessor with access to PHI is contractually bound to substantially the same restrictions and requirements that apply to CaseLink under an executed Business Associate Agreement, consistent with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2).
The current list of subprocessor categories with access to PHI is maintained at caselink.net/subprocessors.
Incident Response and Breach Notification
CaseLink maintains a documented incident response process. In the event of a confirmed Security Incident involving ePHI or a Breach of Unsecured PHI:
- we investigate promptly,
- take reasonable steps to contain and mitigate impact,
- notify affected Covered Entities without unreasonable delay, and no later than the timelines set out in the applicable Business Associate Agreement, and
- cooperate reasonably in any required investigation and notifications.
Consistent with 45 CFR 164.410, unsuccessful Security Incidents that do not result in unauthorized access, use, disclosure, modification, or destruction of ePHI (such as pings, denied login attempts, and similar routine events) are addressed through automated safeguards and monitoring, and do not trigger individual notifications.
Backup and Business Continuity
CaseLink maintains backups of Customer Content on a defined schedule. Backups are encrypted at rest and are subject to the same access controls as production data. CaseLink maintains and periodically tests contingency plans covering data backup, disaster recovery, and emergency mode operations, consistent with 45 CFR 164.308(a)(7).
Responsible Disclosure
If you believe you have found a security vulnerability in the CaseLink Service, please report it to us so we can investigate and remediate. We appreciate coordinated disclosure and will work in good faith with researchers acting in good faith.
Security contact
Please include a description of the issue, steps to reproduce, and your contact information. Do not access or modify data belonging to others, and do not test in production against real PHI.
How This Page Fits
Incorporated by reference. This Security page is incorporated by reference into every executed CaseLink Business Associate Agreement. The controls described here are the baseline commitments CaseLink makes to Covered Entities. Material reductions in scope will be communicated with reasonable advance notice. Nothing on this page modifies the rights, obligations, or remedies set out in the BAA or under HIPAA.
Questions
Compliance, procurement, or diligence questions can be sent to our team.