HIPAA compliant. BAA included.
Every Ayla practice receives a signed Business Associate Agreement. Your patient data is protected by enterprise-grade security from day one.
Our commitment to HIPAA compliance
Ayla is designed from the ground up to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act, and all applicable federal and state regulations governing the privacy and security of protected health information (PHI).
We understand that dental practices entrust us with their most sensitive data — patient health records, treatment histories, insurance information, and billing details. That trust is the foundation of our business, and we protect it with the same level of security used by the largest healthcare organizations in the world.
How we protect your data
AES-256 Encryption
All patient data is encrypted at rest using AES-256. SSNs and high-sensitivity fields use additional field-level AES-256 encryption. Passwords are hashed with bcrypt. Data in transit is protected by TLS.
AWS Infrastructure
Ayla runs on Amazon Web Services — the same infrastructure trusted by major healthcare organizations, financial institutions, and government agencies. Hosting is SOC 2 compliant and backed by a 99.9% uptime SLA.
Access Controls
Role-based access control ensures each team member sees only the data relevant to their role. Two-factor authentication, biometric login, session timeouts, XSS protection on all user inputs, and comprehensive audit logging are all included.
US-Only Data Storage
All data is stored exclusively on AWS servers in the United States. Ayla never stores or processes patient data outside of US-based infrastructure.
Breach Notification
In the unlikely event of a data breach involving PHI, Ayla will notify the affected practice within the timeframe required by HIPAA — and provide full support throughout the incident response process.
Automatic Backups
Automatic daily backups with point-in-time recovery ensure your patient data is never at risk. All file storage (x-rays, documents) uses AWS S3 with server-side encryption. Full data export available anytime.
Business Associate Agreement (BAA)
Every subscribing dental practice receives a signed Business Associate Agreement as part of their Ayla subscription — at no additional cost. The BAA is not an optional add-on. It is a standard part of every Ayla engagement.
What the BAA covers
The BAA defines the legal framework for how Ayla, as a Business Associate, handles protected health information on behalf of your practice, the Covered Entity. It establishes obligations for both parties under HIPAA.
Ayla’s obligations as Business Associate
- Use and disclose PHI only as permitted by the BAA and as required to provide the Ayla Service
- Implement administrative, physical, and technical safeguards to protect PHI as required by the HIPAA Security Rule
- Report any security incident or breach of unsecured PHI to the practice within the timeframe required by HIPAA
- Ensure that any subcontractors who access PHI (AWS, Stripe, and Stedi) agree to the same restrictions and conditions
- Make PHI available to the practice for patient access requests as required by HIPAA
- Return or destroy PHI upon termination of the BAA, as directed by the practice
- Make internal practices, books, and records relating to PHI available to the Secretary of HHS for compliance determination
- Maintain audit logs of all access to PHI within the Ayla platform
Your obligations as Covered Entity
- Obtain any required patient consents and authorizations for the use and disclosure of PHI
- Notify Ayla of any restrictions on the use or disclosure of PHI that the practice has agreed to with patients
- Notify Ayla of any changes to or revocation of patient authorizations
- Ensure that your use of the Ayla Service complies with HIPAA and all applicable state privacy laws
- Manage role-based access controls within Ayla to ensure appropriate access for your team members
- Maintain your own HIPAA compliance program, including staff training and internal policies
PHI handling practices
Breach notification procedures
In the unlikely event of a breach of unsecured protected health information, Ayla will:
- Notify the affected practice without unreasonable delay, and in no case later than the deadline required by HIPAA regulations
- Provide the identity of each individual whose PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed
- Describe the nature of the breach including the types of information involved
- Describe the steps Ayla is taking to investigate, mitigate harm, and prevent future breaches
- Provide a contact person for additional information and support
- Cooperate fully with the practice in meeting its own breach notification obligations to affected individuals and the Secretary of HHS
Termination and data return
Upon termination of the BAA or your Ayla subscription, we will return or destroy all PHI in our possession as directed by the practice. Your data is available for full export for 90 days following termination. If return or destruction is not feasible (for example, if PHI is embedded in backup systems), we will extend the protections of the BAA to that data and limit further use and disclosure to the purposes that make return or destruction infeasible.
Ready to get your BAA?
Every Ayla subscription includes a signed Business Associate Agreement at no extra cost. Book a demo to learn more about our compliance framework.
For HIPAA-related inquiries, email hello@tryayla.com with the subject line “HIPAA Inquiry.”