HIPAA operating mode

Codee can support clinics only with the right privacy controls.

If Codee creates, receives, stores, or transmits patient health information for a dental or orthodontic office, Codee must operate as a business associate with a signed BAA and Security Rule safeguards. This page describes the production checklist before real patient media is used.

Contract

Business Associate Agreement

Before any PHI/ePHI enters Codee, the clinic and Codee need a HIPAA-compliant BAA defining permitted uses, safeguards, subcontractors, return/deletion, and breach duties.

Security

Administrative, physical, and technical safeguards

Production mode needs risk analysis, access control, audit controls, encryption, backups, incident response, workforce permissions, and vendor/subcontractor controls.

Patient data

No PHI on public demos

Public demo pages must stay de-identified. Real patient photos, scans, names, dates, contact data, and treatment details belong behind signed private links.

Presentation

Clinic approval gate

The orthodontist or treatment coordinator approves the visible plan, pricing, consent language, and payment option before Codee shares the patient link.

Confirmation

Edge-style acceptance record

Codee records that the patient viewed and confirmed the presentation before checkout. Payment is separate from clinical acceptance and can trigger staff follow-up.

Payment

Clinic-owned merchant account

The clinic should own the Stripe or Stripe Connect account. Codee can generate the presentation and checkout path, while funds route to the clinic.