HIPAA Compliance Guide

This HIPAA Compliance Guide is provided to members of WebCeph services who are subject to the requirements of the Federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economicee and Clinical Health Act (“HITECH”), and related regulations.

You, as a Covered Entity under HIPAA, will collect the following personal information from your patient which fall under the category of “protected health information”(PHI) under HIPAA.

  • Name
  • Date of birth
  • Contact information
  • Address
  • Prescribing contents by treatment day, diagnosis content, intraoral photos and scans, and facial part photos.

We, AssembleCircle Corp., may maintain, transmit, create or receive the forementioned PHI for or from you as a Business Associate under HIPAA, in order to provide WebCeph services, such as provision of information for diagnostic data analysis services for orthodontic and orthognathic surgery.

When you use WebCeph services as a Covered Entity collecting PHI from patients the HIPAA regulations apply and must be adhered to.

The fundamental rule is that PHI may not be used or disclosed to anyone except the person to whom it belongs. Thus, you must receive a valid HIPAA authorization from your patient in order to use WebCeph services.

HIPAA authorization is consent obtained from an individual that permits a covered entity or business associate to use or disclose that individual’s protected health information to someone else for a purpose that would otherwise not be permitted by the HIPAA Privacy Rule. An authorization must be in writing, written in plain language, and must contain specific elements and statements to be valid.

The specific elements and statements in a valid authorization are:


  • A description of the PHI
  • The name of the person making the authorization
  • The name of the person or organization who is authorized to receive the PHI
  • A description of the purpose for the use or disclosure
  • An expiration date for the authorization
  • The signature of the person making the authorization


  • The person has the right to revoke the authorization in writing at any time and a description of how they may revoke.
  • The person’s treatment, payment, enrollment or eligibility for benefits is not conditioned on whether they signed the Authorization.
  • Any information disclosed per the Authorization may be re-disclosed by a recipient and is no longer protected by federal or state health privacy laws.
  • If any one of the elements or statements is missing, it is NOT valid, and should be returned to the person who provided it, for correction.

Please consider the above and take the appropriate measures to secure a valid HIPAA authorization from your patients. Should you have any questions regarding this guide, please contact us at admin@assemblecircle.com