Privacy Policy

At Brookline Progressive Dental Team, we are committed to protecting your privacy and safeguarding your personal information, including protected health information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA). This Privacy Policy explains how we collect, use, disclose, and protect your information when you visit our website (https://brooklinedentalteam.com/), submit an appointment request form, or use our doctor referral form to refer patients to our dental practice.  

1. What Information We Collect

We collect different types of information depending on how you interact with our website:

  • Appointment Request Form (Non-Health Information): When you submit an appointment request form, we collect:
      • Name
      • Email address
      • Phone number
      • Preferred appointment date
      • Message or additional details you provide
    Disclaimer: Our appointment request form is not HIPAA-compliant and is not intended for submitting protected health information (PHI), such as medical or dental history. Please do not include PHI in this form. Any PHI submitted inadvertently will be deleted and not processed.
  • Doctor Referral Form (Protected Health Information): When a referring doctor submits a patient referral, we collect:
      • Referring doctor’s name, contact information, and practice details
      • Patient’s name, contact information, and demographic details
      • Patient’s health information (PHI), such as dental history, diagnoses, or treatment details provided by the referring doctor
    This information is PHI under HIPAA and is handled with strict confidentiality and security.
  • Automatically Collected Information: When you visit our website, we may collect:
      • IP address
      • Browser type
      • Device information
      • Pages visited and time spent on the site
      • Referring website (if applicable)
    This data is collected via cookies and similar technologies (e.g., Google Analytics) to improve website functionality and user experience.

2. How We Collect Information

We collect information in the following ways:

  • Directly from You: Through the appointment request form on our website.
  • From Referring Doctors: Through the doctor referral form, which includes patient PHI provided by the referring doctor.
  • Automatically: Via cookies, web beacons, and server logs when you interact with our website.
  • Third-Party Services: We use third-party tools, such as:
      • Amazon Web Services (AWS) for secure data storage and processing for both forms (for the referral form, under a HIPAA BAA)
      • hCaptcha or Google reCAPTCHA for spam protection
    These providers are bound by agreements to protect your data, including a HIPAA Business Associate Agreement (BAA) with AWS covering PHI.

3. How We Use Your Information

We use your information for the following purposes:

  • Appointment Request Form:
      • To process and respond to appointment requests.
      • To schedule and confirm dental appointments.
      • To communicate about our services, promotions, or updates (with your consent, where required).
  • Doctor Referral Form:
      • To process patient referrals from referring doctors.
      • To coordinate care for referred patients, including contacting the patient or referring doctor.
      • To maintain accurate patient records in compliance with HIPAA and Massachusetts healthcare regulations.
  • General Purposes:
      • To improve our website and services (e.g., analyzing anonymized user behavior via analytics).
      • To comply with legal obligations, including HIPAA, Massachusetts privacy laws (201 CMR 17.00), GDPR, CCPA, and other applicable laws.
      • To protect against spam and unauthorized access (e.g., using CAPTCHA services).
      • To safeguard our rights, property, or safety, or that of our patients and staff.

4. How We Share Your Information

We do not sell, trade, or rent your personal information or PHI to third parties. We may share your information as follows:

  • Appointment Request Form:
      • With service providers such as AWS (data storage), which do not process PHI for this form.
  • Doctor Referral Form:
      • With service providers such as AWS (HIPAA-compliant data storage and processing, under a BAA).
      • With other healthcare providers (e.g., specialists or laboratories) as necessary to coordinate patient care, only with patient authorization or as otherwise permitted by HIPAA.
  • General Sharing:
      • With third-party spam-protection providers (e.g., hCaptcha or Google reCAPTCHA), which do not access PHI.
      • If required by law, such as to comply with a subpoena, court order, or other legal process, in accordance with HIPAA and Massachusetts law.
      • In the event of a merger, acquisition, or sale of our practice, with notice and safeguards as required by HIPAA.
      • Anonymized or aggregated data may be shared for research or analytics.

5. How We Protect Your Information

We implement robust technical and organizational measures to safeguard your information:

  • Encryption:
      • Data stored in AWS (DynamoDB or S3) is encrypted at rest using AES-256, with keys managed through AWS Key Management Service (KMS).
      • Data transmitted via forms is encrypted in transit using HTTPS/TLS.
  • Access Controls:
      • Access to your data, including PHI, is restricted to authorized personnel via secure authentication and role-based access controls.
  • HIPAA Compliance (Doctor Referral Form):
      • The AWS infrastructure used for the referral form is covered by our BAA with AWS and is configured to meet HIPAA Security Rule requirements.
  • Non-HIPAA Compliance (Appointment Request Form):
      • The appointment request form is not intended for PHI. Any PHI submitted inadvertently is deleted and not stored.
  • Spam Protection:
      • We use CAPTCHA services (e.g., hCaptcha) to prevent automated spam submissions.
  • Massachusetts Privacy Standards:
      • We comply with 201 CMR 17.00, including encryption, access controls, and employee training.
  • Regular Audits:
      • We conduct security assessments to ensure compliance with HIPAA, Massachusetts law, and other standards.

No system is completely secure. In the event of a data breach, we will notify affected individuals and authorities as required by HIPAA, Massachusetts law, GDPR, or CCPA.

6. Your Choices and Rights

You have rights regarding your personal information and PHI, subject to applicable laws:

  • HIPAA Rights (Doctor Referral Form, U.S. Residents):
      • Access: Request a copy of your PHI in our designated record set.
      • Amendment: Request correction of inaccurate PHI.
      • Accounting of Disclosures: Request a list of certain PHI disclosures.
      • Restriction: Request restrictions on PHI use or disclosure (we are not always required to agree).
      • Confidential Communications: Request alternative communication methods.
  • GDPR Rights (EU Residents):
      • Access, rectification, erasure, restriction, data portability, objection, and consent withdrawal.
      • Lodge a complaint with your data protection authority.
  • CCPA Rights (California Residents):
      • Request to know, delete, or opt out of data sales (we do not sell data).
      • Non-discrimination for exercising rights.
  • Massachusetts Rights:
      • Massachusetts law (201 CMR 17.00) requires us to safeguard your personal information, as described in Section 13.
  • General Choices:
      • Opt out of marketing communications by contacting our office.
      • Manage cookie preferences through your browser or our cookie consent banner.

7. Cookies and Tracking Technologies

We use cookies for:

  • Essential Cookies: Website functionality (e.g., session management).
  • Analytics Cookies: Anonymized analytics (e.g., Google Analytics).
  • Functional Cookies: User preferences (e.g., cookie consent).

Manage cookies via your browser or our consent banner. Cookies do not collect or store PHI.

8. Data Retention

We retain information as necessary or required by law:

  • Appointment Request Data: Retained for 1 year for processing and legal compliance.
  • Patient Referral Data (PHI): Retained per HIPAA and Massachusetts law (e.g., 7 years for adults, until age 21 for minors).
  • Analytics Data: Anonymized and retained indefinitely.
  • Deletion requests are honored, subject to legal retention requirements.

9. Third-Party Links

Our website may link to third-party sites. We are not responsible for their privacy practices. Review their policies before providing information.

10. Children’s Privacy

Our website is not directed to individuals under 16. We do not knowingly collect their personal information without parental consent, except as required for patient care under HIPAA.

11. International Data Transfers

Information, including PHI, is processed in the United States (AWS servers). By using our website, you consent to this transfer. We use safeguards (e.g., encryption, Standard Contractual Clauses for GDPR) to protect data, with HIPAA compliance for PHI.

12. HIPAA Compliance for Doctor Referral Form

As a HIPAA-covered entity, we adhere to strict standards for PHI in the doctor referral form:

  • Business Associate Agreement (BAA): We have a BAA with AWS for PHI processing.
  • Security Rule: Encryption, access controls, and audits protect PHI.
  • Privacy Rule: PHI is used/disclosed only for treatment, payment, or healthcare operations, or with patient authorization.
  • Breach Notification: We notify affected individuals, HHS, and media (if required) per HIPAA regulations.

Referring doctors must obtain patient authorization before submitting PHI.

13. Massachusetts Privacy Requirements

Under 201 CMR 17.00, we protect personal information (e.g., name, email, phone) with:

  • Encryption for data storage and transmission.
  • Access controls and employee training.
  • Written information security program (WISP).
  • Regular risk assessments.

These measures apply to both forms, with additional HIPAA safeguards for the referral form.

14. Changes to This Privacy Policy

We may update this policy to reflect changes in practices or laws. Significant changes will be posted with a revised “Last Updated” date and, for PHI, direct notice (e.g., email, website banner). Review this policy periodically.

15. Contact Us

For questions, concerns, or requests, contact our office by calling us at 617-232-8113 or email us at info@brooklinedentalteam.com.