HIPAA-compliant CBCT viewer for dental practices

CBCTHub implements the HIPAA Security Rule safeguards — encryption, access control, audit trail — and we sign a Business Associate Agreement on Pro and Clinic plans.

What the HIPAA-ready setup gives you

  • Signed Business Associate Agreement on Pro and Clinic plans.
  • Encryption at rest (AES-256) and TLS 1.3 in transit.
  • Role-based access with row-level security per account.
  • Audit logs for every share, export and deletion.
  • Sharing links with revocation, expiry and optional password.
  • Local-first viewer — DICOM processing stays in the browser unless you upload.

Why HIPAA matters for CBCT

A CBCT DICOM is protected health information. It carries the patient's name, birth date, study date, and a 3D anatomical record of the head and jaws. Under HIPAA, any platform that stores, transmits or displays this data on behalf of a covered entity is a business associate and must implement the Security Rule safeguards.

Handing a patient a CD avoids the issue technically, but fails the practical test — the patient cannot open it, and the clinic ends up emailing the scan anyway, often without adequate safeguards.

How CBCTHub meets the Security Rule

Technical safeguards: encryption at rest, encryption in transit (TLS 1.3), access control, audit controls, and integrity controls. Administrative safeguards: workforce access management, incident response procedures, business associate agreements. Physical safeguards: infrastructure hosted on SOC 2 Type II providers.

The full security whitepaper lives on /security. Request it at security@cbcthub.com if you are completing a vendor security questionnaire.

Beyond HIPAA

For EU and UK practices, CBCTHub aligns with GDPR. We sign a Data Processing Agreement, support data subject rights (access, rectification, erasure, portability) and can pin storage to the EU region on eligible plans. For Brazilian clinics we align with LGPD; for Canadian clinics, PIPEDA.

FAQ

Which plans include a BAA?

Pro and Clinic plans include a signed Business Associate Agreement. The free plan is intended for non-HIPAA uses and does not include a BAA.

Where is patient data stored?

On SOC 2-certified infrastructure. Storage regions can be pinned to the US or EU on eligible plans. We do not use patient data for training or analytics.

What happens if we leave CBCTHub?

You can export all your data and delete the account. Data is removed from primary storage immediately and purged from backups within 30 days.

Talk to us about a BAA

Email security@cbcthub.com to request the Business Associate Agreement or the full security questionnaire. Most vendor reviews are completed in under a week.