Compliance

Is Your Smile Simulation Tool a HIPAA Liability? A 5-Minute Audit

This isn't a buying guide — it's an audit of what you're already using. If your practice has been uploading patient photos to a smile simulation tool for months, it's worth five minutes to check whether the compliance basics are actually in place, not assumed. Grab the login for whatever tool you use and go through this list.

July 13, 2026 · 5 min read

Question 1: Do You Have a Signed BAA — Not Just Access to a Tool?

Search your email for the vendor's name plus "Business Associate Agreement." If you can't find a signed copy, you don't have one — an account login isn't a BAA, and a vendor's general terms of service usually isn't either. (We cover what a proper BAA actually needs to contain separately.) No signed BAA, patient photos already uploaded: that's the single biggest finding this audit can surface.

Question 2: How Long Do Patient Photos Stay on the Platform?

Check the vendor's privacy policy or ask directly: is there an automatic deletion window, or do photos stay indefinitely unless someone manually removes them? Indefinite retention isn't automatically a HIPAA violation, but it's more risk surface than most practices realize they're carrying — every day a photo sits on a server is another day it could be part of a breach.

Question 3: Where Is the Data Actually Stored?

Ask the vendor directly if you don't know: what country, and under what security certification? A vague answer or no answer is itself the finding.

Question 4: Who on Your Team Can Access Old Patient Photos?

Log into the tool and check the user list. Does it match your current staff? Departed employees with live access to a platform holding patient photos is a common, easy-to-miss gap — audit this list the same way you'd audit practice management software access.

Question 5: What Happens If the Vendor Has a Breach?

Your BAA should specify the vendor's breach notification obligations — how fast they tell you, and what they cover. If you don't have a BAA (see Question 1), you don't have this protection either, regardless of what their marketing page claims about security.

Score Yourself

FindingsWhat it means
Signed BAA, defined retention, known storage location, current staff list, breach terms specifiedLow risk — you're in reasonable shape
1–2 gaps (e.g. BAA exists but retention is unclear)Moderate risk — close the gaps this week, don't wait for a renewal cycle
No signed BAA, and/or indefinite retention with no visibility into storageHigh risk — patient photos are PHI; treat this as urgent, not routine

If You Found Gaps

Contact the vendor and ask for a BAA before uploading another photo — a responsible vendor will have one ready, not a multi-week process. If they can't produce one promptly, that's information about how they treat compliance generally. In the meantime, stop uploading new patient photos to that tool until the agreement is signed.

BAA signed at signup. Photos deleted in 7 days.

No audit required — it's built in by default. $5 per simulation.