Our Commitment to HIPAA
Davis Center for Oral and Maxillofacial Surgery is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act. We are committed to maintaining the privacy and security of your Protected Health Information (PHI) in full compliance with the HIPAA Privacy Rule (45 CFR Part 164 Subpart E) and the HIPAA Security Rule (45 CFR Part 164 Subpart C).
This document describes the specific technical, administrative, and physical safeguards we have implemented in our patient preregistration portal at OMS.tapat.dev.
Technical Safeguards
The following technical controls are implemented in our patient portal to protect PHI from unauthorized access, modification, or disclosure.
- 🔒 Encryption at Rest: All patient data — including health history, insurance information, demographic details, and electronic signatures — is stored in Supabase, a SOC 2 Type II certified cloud database. Data is encrypted at rest using AES-256. No PHI is stored in browser localStorage, sessionStorage, or cookies.
- 🛡 Encryption in Transit: All communication between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). Data submitted through the portal is never transmitted over unencrypted connections. Our SSL certificate is provisioned and auto-renewed by Netlify.
- 🔐 Access Controls & Authentication: Patient access is controlled through short-lived JSON Web Tokens (JWT) that expire after 24 hours. Patient identity is verified using email address plus date of birth for returning users. Administrative access requires email and password authentication — credentials are never stored in application code or transmitted to the browser. Admin passwords are stored exclusively as environment variables on the server.
- ⏱ Automatic Session Timeout: Administrative sessions automatically expire after 15 minutes of inactivity. A countdown timer is displayed to the admin user, with the option to renew before expiration. Upon timeout, the session is invalidated and the user must re-authenticate to access patient records.
- 📋 Audit Logging: All significant events are recorded in a tamper-evident audit log stored in our secure database. Logged events include: patient record creation, identity verification attempts (successful and failed), form submissions, admin logins (successful and failed), admin patient record access, and consent form assignments. Each entry records the action, actor, timestamp, and IP address.
- 📧 No PHI in Email Communications: Automated email notifications sent to administrative staff upon form completion contain no patient health information. Notification emails contain only a generic message indicating that a new submission is available, along with a link to the secure admin portal. Patients are encouraged to use the secure portal rather than email for any health-related communications.
- 🗄 Database Access Controls — Row Level Security: Our database enforces Row Level Security (RLS) on all patient tables. Direct database access is restricted to authenticated server-side functions using the service role key. The public API key, which is visible to browsers, has zero permissions on any patient data table. This means that even if API credentials were exposed, no PHI could be accessed without a valid server-side authentication token.
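The Audit Logging item above describes a tamper-evident log whose entries record action, actor, timestamp, and IP address, without saying how tamper evidence is achieved. One common way to get that property is a hash chain, shown here as an added example that is not the portal's own code; the function names, field names, and sample events are assumptions.

```javascript
// Added example: hash-chained audit log (assumed design, not the portal's code).
const crypto = require("node:crypto");

const GENESIS = "0".repeat(64); // prevHash of the first entry

// Hash the fields the page lists (action, actor, timestamp, IP) plus the
// previous hash. A JSON array fixes the field order, so the digest is reproducible.
function entryDigest(prevHash, e) {
  const body = JSON.stringify([prevHash, e.action, e.actor, e.timestamp, e.ip]);
  return crypto.createHash("sha256").update(body).digest("hex");
}

// Append an event; each entry commits to the hash of the one before it.
function appendEntry(log, event) {
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  const entry = { ...event, prevHash, hash: entryDigest(prevHash, event) };
  log.push(entry);
  return entry;
}

// Returns the index of the first entry that fails verification, or -1 if intact.
// expectedHead is the last hash as recorded outside the log store; without it,
// removal of entries from the tail cannot be detected.
function verifyChain(log, expectedHead) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (e.prevHash !== prev || e.hash !== entryDigest(prev, e)) return i;
    prev = e.hash;
  }
  if (expectedHead !== undefined && prev !== expectedHead) return log.length;
  return -1;
}

// Constructed sample events (hypothetical actors, documentation-range IPs).
const SAMPLE_EVENTS = [
  { action: "admin_login_failed", actor: "admin@example.test", timestamp: "2025-01-01T15:00:00Z", ip: "203.0.113.7" },
  { action: "admin_login", actor: "admin@example.test", timestamp: "2025-01-01T15:01:10Z", ip: "203.0.113.7" },
  { action: "patient_record_access", actor: "admin@example.test", timestamp: "2025-01-01T15:02:30Z", ip: "203.0.113.7" },
];

function buildSampleLog() {
  const log = [];
  SAMPLE_EVENTS.forEach((ev) => appendEntry(log, ev));
  return log;
}
```

The chain only proves integrity to someone holding a trusted copy of the head hash, so that value belongs in a separate store that the database administrator cannot rewrite.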
What PHI We Collect & Why
We collect only the minimum necessary PHI to accomplish the purposes for which it is collected, consistent with the HIPAA Minimum Necessary standard.
👤 Demographic Information
Name, date of birth, address, phone numbers, email, employer, and marital status. Collected to identify patients and facilitate billing and communication.
🩺 Health History
Medical conditions, current medications, allergies, and surgical history. Required to ensure safe treatment and appropriate anesthesia protocols.
💳 Insurance Information
Insurance carrier, policy holder, policy and group numbers. Collected to facilitate claims submission on your behalf. Social Security Numbers are not collected through this portal.
✏ Electronic Signatures
Canvas-based signatures for financial agreement, privacy practices acknowledgment, insurance acknowledgment, health history, and HIPAA notice. Stored as encrypted image data.
⛔ What We Do NOT Collect
Social Security Numbers, credit card numbers, government ID numbers, or biometric identifiers are not collected through this portal.
📊 Minimal Tracking
We do not use advertising trackers, third-party analytics, or marketing cookies. IP addresses are logged only for security audit purposes.
Administrative Safeguards
- 👮 Designated Privacy Officer: Kerri Jewkes serves as our designated HIPAA Privacy Officer, responsible for developing and implementing our privacy policies, receiving and investigating complaints, and ensuring workforce compliance with privacy practices.
- 🤝 Business Associate Agreements: We have executed or are in the process of executing Business Associate Agreements (BAAs) with all vendors who handle PHI on our behalf, including our cloud database provider, email service provider, and electronic health record system. Vendors without executed BAAs are not permitted to process PHI.
- 📚 Workforce Training: All staff with access to PHI receive HIPAA privacy and security training upon hire and annually thereafter. Access to the administrative portal is limited to staff with a legitimate need to access patient records.
- ⚠ Breach Notification Procedures: In the event of a breach of unsecured PHI, we will notify affected individuals within 60 days of discovery, as required by the HIPAA Breach Notification Rule (45 CFR Part 164 Subpart D). We will also notify the Secretary of Health and Human Services and, for breaches affecting 500 or more individuals, prominent media outlets in the affected state.
- 🔄 Regular Risk Assessment: We conduct periodic security risk assessments to identify potential vulnerabilities in our systems and processes. Identified risks are addressed through our risk management plan to reduce threats to the confidentiality, integrity, and availability of PHI.
Your Patient Rights Under HIPAA
As a patient of Davis Center for Oral and Maxillofacial Surgery, you have the following rights regarding your protected health information:
Right to Access
You have the right to inspect and receive a copy of your health information, including medical records and billing records.
Right to Amend
You may request corrections or additions to your health information if you believe it is inaccurate or incomplete.
Right to an Accounting
You may request a list of disclosures we have made of your health information for purposes other than treatment, payment, or operations.
Right to Restrict
You may request restrictions on how we use or disclose your health information. We will consider all requests carefully.
Right to Confidential Communications
You may request that we contact you in a specific way or at a specific location (e.g., home vs. work phone).
Right to a Paper Copy
You may request a paper copy of our Notice of Privacy Practices at any time, even if you agreed to receive it electronically.
Filing a Complaint
If you believe your privacy rights have been violated, you have the right to file a complaint with us or with the U.S. Department of Health and Human Services. You will not be retaliated against for filing a complaint.
🏥 File with Our Practice
Contact Kerri Jewkes, Privacy Officer
890 W. Heritage Park Blvd., Suite 103
Layton, UT 84041
(801) 614-0999
🇺🇸 File with HHS
U.S. Department of Health and Human Services
Office for Civil Rights
hhs.gov/ocr/privacy/hipaa/complaints
1-800-368-1019
Questions About Your Privacy?
Contact our Privacy Officer or front desk team. We are committed to addressing your privacy questions promptly and thoroughly.
Davis Center for Oral and Maxillofacial Surgery
890 W. Heritage Park Blvd., Suite 103
Layton, Utah 84041
(801) 614-0999
info.davisoms@gmail.com
This document is reviewed annually and updated as needed to reflect changes in our practices or applicable law.