Business Associate Agreement
Before any PHI/ePHI enters Codee, the clinic and Codee need a HIPAA-compliant BAA defining permitted uses, safeguards, subcontractors, return/deletion, and breach duties.
HIPAA operating mode
If Codee creates, receives, stores, or transmits patient health information for a dental or orthodontic office, Codee must operate as a business associate with a signed BAA and Security Rule safeguards. This page describes the production checklist before real patient media is used.
Before any PHI/ePHI enters Codee, the clinic and Codee need a HIPAA-compliant BAA defining permitted uses, safeguards, subcontractors, return/deletion, and breach duties.
Production mode needs risk analysis, access control, audit controls, encryption, backups, incident response, workforce permissions, and vendor/subcontractor controls.
Public demo pages must stay de-identified. Real patient photos, scans, names, dates, contact data, and treatment details belong behind signed private links.
The orthodontist or treatment coordinator approves the visible plan, pricing, consent language, and payment option before Codee shares the patient link.
Codee records that the patient viewed and confirmed the presentation before checkout. Payment is separate from clinical acceptance and can trigger staff follow-up.
The clinic should own the Stripe or Stripe Connect account. Codee can generate the presentation and checkout path, while funds route to the clinic.