Compliance

HIPAA-Compliant Smile Design Software: What You Actually Need to Know

"HIPAA compliant" appears on a lot of dental software marketing pages. It doesn't always mean what you'd expect. If your practice is uploading patient photographs to a third-party platform, HIPAA applies. A patient photo is a biometric identifier. The software vendor handling it is your business associate. And a business associate without a signed Business Associate Agreement is a compliance gap.

June 7, 2026 · 6 min read

Why Patient Photos Are PHI

Patient photographs — specifically face photographs — are listed under HIPAA's 18 categories of protected health information as biometric identifiers. When a photo is uploaded in the context of a dental consultation, it's linked to a healthcare interaction. That makes it PHI regardless of whether a name or record number is attached to it.

This matters for smile simulation software because the core workflow involves uploading identifiable patient photographs to a cloud platform. That platform is handling your PHI. Under HIPAA, they're your business associate.

What a Business Associate Agreement Actually Does

A BAA is a contract between your practice and the software vendor that establishes:

  • What PHI the vendor can access and use
  • What security safeguards they're required to maintain
  • What happens if there's a breach
  • How PHI gets deleted when you stop using the service

Without a signed BAA, your practice bears the full compliance liability for what happens to those patient photos. The vendor's privacy policy is not a BAA. "We take security seriously" is not a BAA. A signed document with your name on it is a BAA.

Questions to Ask Any Smile Simulation Vendor

Before you upload your first patient photo to any platform, get clear answers to these:

How SmileFrame Handles It

SmileFrame requires a BAA before any practice generates their first simulation. It's part of the signup flow, not a form you can request later.

Patient photos are stored in Cloudflare R2 under a signed BAA and deleted automatically after 7 days. EXIF metadata — GPS coordinates, device identifiers, timestamps — is stripped from photos before any processing occurs. The simulation is generated from a de-contextualized image with no patient identifiers attached.

The BAA at signup means your practice is covered from the first upload, not the first time you remember to ask about it.

One Thing to Be Honest About

No software vendor can make your practice HIPAA compliant by itself. HIPAA compliance is a practice-level responsibility. A signed BAA with your simulation vendor covers that specific data flow — it doesn't cover how your staff handles downloaded images, what happens to photos saved on personal devices, or how you document patient consent.

The simulation tool is one piece. Your practice policies are the rest.

SmileFrame includes a BAA at signup and deletes patient photos after 7 days.

No configuration required.