Does Lighthouse 360 Sign a BAA? How to Request One for HIPAA Compliance



Kevin Henry

HIPAA

December 22, 2025

6 minutes read

Overview of Lighthouse 360 and HIPAA Compliance

Lighthouse 360 is a patient communication platform built for dental practices. Because it sends reminders, two-way texts, emails, and other patient messages, it routinely handles Protected Health Information (PHI): a patient's name tied to an appointment at a dental practice is already PHI. When a vendor handles PHI on your behalf, HIPAA compliance becomes a shared responsibility between your practice and that vendor.

To support dental practice compliance, Lighthouse 360 provides a Business Associate Agreement (BAA) to covered entities and will sign one on request. A signed BAA is the prerequisite for using Lighthouse 360's PHI-related features compliantly, and it sets out each party's data security obligations in writing.

Key takeaways

  • If you transmit or store PHI with Lighthouse 360, you need a signed Business Associate Agreement before using those features.
  • HIPAA compliance is not automatic; it depends on your processes, configuration, and the BAA’s safeguards.
  • Documented PHI handling practices and ongoing oversight are essential to remain compliant over time.

Importance of Business Associate Agreements

A Business Associate Agreement is the contract HIPAA requires (45 CFR 164.502(e) and 164.504(e)) when a vendor creates, receives, maintains, or transmits PHI on your behalf. It establishes permitted uses and disclosures, mandates administrative, physical, and technical safeguards, and sets breach notification duties. Without a BAA, every disclosure of PHI to the vendor is itself a Privacy Rule violation, whether or not a breach ever occurs.

For a patient communication platform, the BAA also aligns expectations around data security requirements such as encryption, access controls, workforce training, and incident response. It protects patients by minimizing risk and protects your practice by defining responsibilities and remedies if something goes wrong.

What a strong BAA covers

  • Permitted uses/disclosures and the minimum‑necessary standard for PHI handling.
  • Administrative, physical, and technical safeguards, including encryption in transit and at rest, access controls, and audit logging.
  • Subcontractor management and flow‑down obligations.
  • Breach and incident notification timelines, cooperation, and investigation support.
  • Data retention, return, and secure destruction at termination.
  • Business continuity, disaster recovery, and service availability commitments.
  • Verification rights, assurances, and any liability or insurance provisions appropriate for your risk profile.

Steps to Request a BAA from Lighthouse 360

You can obtain a Lighthouse 360 BAA through onboarding or by asking support or your account representative. Use the steps below to streamline the process and avoid gaps.


Step‑by‑step process

  1. Confirm coverage: Identify how your practice uses Lighthouse 360 (texts, emails, reminders, scheduling) and whether PHI is involved.
  2. Check existing paperwork: Review your service order or master agreement to see if a BAA is already included as an addendum.
  3. Request the BAA: Open a support ticket within your Lighthouse 360 account or contact your account manager to request the vendor’s standard BAA.
  4. Provide details: Share your legal entity name, practice address, primary contact, and preferred e‑signature email to speed up processing.
  5. Align timelines: Ask for an estimated turnaround and whether countersignature will be completed via e‑signature or a downloadable PDF.
  6. Pause PHI features if needed: If no BAA is in place, defer PHI‑containing messages until the agreement is fully executed.
  7. File and document: Save the countersigned BAA in your compliance repository and note the effective date in your vendor inventory.

What to include in your request

  • Statement that you are a HIPAA covered entity or business associate using Lighthouse 360 for patient communications.
  • Request for the current standard BAA, including security controls, subcontractors, breach notification, and data retention terms.
  • Any practice‑specific requirements (e.g., insurance minimums, notification windows, or data return expectations).

Reviewing and Signing the BAA

Before you sign, perform a focused review to ensure the BAA reflects your risk tolerance and operational needs. Involve compliance, legal, and IT/security as appropriate. Clarify any ambiguous terms and confirm how you will retrieve a countersigned copy.

Clauses to verify carefully

  • Scope of services and definition of PHI/ePHI relevant to messaging, scheduling, and reminders.
  • Technical safeguards: encryption in transit and at rest, access controls, authentication options (e.g., MFA), and whether audit logs are available to you on request or by export.
  • Subprocessors: who they are (for a messaging platform, typically SMS and email delivery providers), how they are vetted, and how obligations flow down.
  • Incident response: notification triggers, timeframes, and cooperation duties. The Breach Notification Rule's outer limit for a business associate is 60 calendar days from discovery (45 CFR 164.410); practices commonly negotiate a much shorter contractual window so they can meet their own notification deadlines.
  • Data lifecycle: retention periods, backups, return/export options, and destruction standards at termination.
  • Verification rights and reports (e.g., summaries of security assessments upon request).
  • Allocation of risk: limitation of liability, indemnification scope, and insurance requirements.

Execution tips

  • Use the practice’s legal name and signatory with authority to bind the entity.
  • Prefer e‑signature for speed and clear version control.
  • Store the countersigned BAA with your risk analysis, policies, and vendor inventory; diarize renewal or review dates.

Maintaining HIPAA Compliance with Lighthouse 360

After the BAA is in place, configure Lighthouse 360 deliberately and train your staff. HIPAA compliance is ongoing; combine platform controls with policy, training, and monitoring to manage risk across people, process, and technology.

Configuration best practices

  • Minimize PHI in reminders and texts. Carrier SMS is not encrypted end to end and message previews appear on lock screens, so keep reminders to the patient's name, date, time, and practice contact, and leave procedure, diagnosis, and billing details out of bodies, subjects, and previews.
  • Use available security options such as strong passwords, unique user accounts (no shared front-desk logins), and multifactor authentication.
  • Apply least-privilege access: give staff only the roles their job needs, and regularly review and remove inactive or departed users.
  • Standardize message templates so individual users cannot add clinical detail, and review the template set against the minimum-necessary standard.
  • Document patient communication preferences and respect opt-in/opt-out choices for SMS and email.
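To make the minimum-necessary and template-standardisation points above concrete, here is an added example that is not Lighthouse 360's code and not part of the original article: a small linter run over message templates before they are loaded into the platform. The `{{placeholder}}` syntax, the placeholder names, the term list, and the sample templates are all assumptions; a real deployment would use the platform's own merge-field names.

```python
"""Lint patient-message templates for "minimum necessary" PHI.

Added example, not Lighthouse 360's code. The {{placeholder}} syntax, the
placeholder names and the term list are assumptions; substitute the
platform's real merge-field names.
"""
import re

# Fields a bare appointment reminder needs (assumed merge-field names).
ALLOWED_PLACEHOLDERS = {"first_name", "practice_name", "appt_date",
                        "appt_time", "practice_phone"}

# Fields that carry clinical or financial detail and do not belong in an
# SMS or email body or subject line (assumed names).
SENSITIVE_PLACEHOLDERS = {"procedure", "diagnosis", "tooth_number",
                          "balance_due", "insurance_id", "dob"}

# Free text that reveals treatment or billing detail even without a field.
SENSITIVE_TERMS = re.compile(
    r"\b(root canal|extraction|crown|implant|periodontal|"
    r"pregnan\w*|insurance|balance|\$\d+)\b", re.I)

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
SMS_SEGMENT = 160  # longer texts are split by the carrier into more segments


def lint_template(channel: str, body: str, subject: str = "") -> list:
    """Return findings for one template; an empty list means it passes."""
    findings = []
    for part, text in (("subject", subject), ("body", body)):
        if not text:
            continue
        names = set(PLACEHOLDER.findall(text))
        for name in sorted(names & SENSITIVE_PLACEHOLDERS):
            findings.append(f"{part}: sensitive field " + "{{" + name + "}}")
        for name in sorted(names - SENSITIVE_PLACEHOLDERS - ALLOWED_PLACEHOLDERS):
            findings.append(f"{part}: unknown field " + "{{" + name + "}} (review before use)")
        for m in SENSITIVE_TERMS.finditer(text):
            findings.append(f"{part}: treatment or billing detail '{m.group(0)}'")
    if channel == "sms" and subject:
        findings.append("sms has no subject line; this text is a leftover and will not be sent")
    if channel == "sms" and len(body) > SMS_SEGMENT:
        # Template length is only a lower bound on the rendered message length.
        findings.append(f"body is {len(body)} chars; exceeds one SMS segment ({SMS_SEGMENT})")
    return findings


def lint_catalog(templates: dict) -> dict:
    """Lint a {name: (channel, body, subject)} catalog; return only failing entries."""
    report = {}
    for name, (channel, body, subject) in templates.items():
        found = lint_template(channel, body, subject)
        if found:
            report[name] = found
    return report


# Constructed sample templates (not real Lighthouse 360 content).
SAMPLE_TEMPLATES = {
    "sms_reminder_ok": ("sms",
        "Hi {{first_name}}, reminder: your appointment with {{practice_name}} "
        "is {{appt_date}} at {{appt_time}}. Reply C to confirm.", ""),
    "sms_reminder_bad": ("sms",
        "Hi {{first_name}}, your root canal on tooth {{tooth_number}} is "
        "{{appt_date}}. Balance due: ${{balance_due}}.", ""),
    "email_recall": ("email",
        "Hi {{first_name}}, it is time to book your next visit with {{practice_name}}.",
        "Your {{procedure}} appointment"),
}

if __name__ == "__main__":
    for name, findings in lint_catalog(SAMPLE_TEMPLATES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The allow-list of fields is the important design choice: anything not on it is reported for review, so a new merge field added by a well-meaning user fails closed rather than silently shipping clinical detail to a lock screen.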

Operational safeguards

  • Provide routine staff training on PHI handling and acceptable use of the platform.
  • Update your Security Risk Analysis to include Lighthouse 360 and track mitigation steps.
  • Review the platform's audit logs for unusual access (off-hours logins, logins from addresses the practice does not use, bulk exports, one user reading far more records than their role requires) and establish an incident response playbook that covers both your own response and the vendor's notification duties under the BAA.
  • Review the BAA and your vendor inventory at least annually or when services change.
  • Have an offboarding process to revoke access, export your data, and obtain the vendor's confirmation of return or destruction per the BAA if you change vendors.
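For two of the safeguards above, removing inactive accounts (the least-privilege point under configuration) and reviewing audit logs for unusual access, here is an added example that is not Lighthouse 360's code and not part of the original article. The CSV layout, event names, thresholds, the office IP address, and every roster and log row are constructed assumptions; adapt them to whatever the platform's real user and audit exports look like.

```python
"""Review an exported audit log and user roster for the safeguards above.

Added example, not Lighthouse 360's code. The CSV layout, event names,
thresholds and every sample row are constructed assumptions; adapt them to
the platform's actual exports.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

NOW = datetime(2025, 12, 22, 9, 0)   # fixed "today" so results are deterministic
INACTIVE_DAYS = 90                    # disable accounts idle longer than this
BUSINESS_HOURS = range(7, 20)         # 07:00-19:59 local time
DAILY_VIEW_THRESHOLD = 200            # patient records one user views in a day
KNOWN_IPS = {"203.0.113.10"}          # the practice's office egress address (assumed)

# Constructed roster export: user,role,last_login (blank = never logged in)
ROSTER = """\
user,role,last_login
dr.patel,admin,2025-12-19
front.desk,staff,2025-12-20
temp.hygienist,staff,2025-08-01
old.vendor,admin,
"""

# Constructed audit export: timestamp,user,event,source_ip,detail
AUDIT_LOG = """\
timestamp,user,event,source_ip,detail
2025-12-19T08:12:00,dr.patel,login,203.0.113.10,
2025-12-19T08:15:00,dr.patel,view_patient,203.0.113.10,count=14
2025-12-20T09:01:00,front.desk,login,203.0.113.10,
2025-12-20T09:30:00,front.desk,view_patient,203.0.113.10,count=150
2025-12-20T11:00:00,front.desk,view_patient,203.0.113.10,count=80
2025-12-20T02:40:00,front.desk,login,198.51.100.7,
2025-12-20T02:45:00,front.desk,export_patients,198.51.100.7,count=1200
2025-12-21T23:10:00,dr.patel,login,203.0.113.10,
"""


def parse_rows(text):
    """Parse a CSV export with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_inactive(roster_text, now=NOW, max_idle_days=INACTIVE_DAYS):
    """Accounts to disable under least privilege: idle too long or never used."""
    stale = []
    for row in parse_rows(roster_text):
        if not row["last_login"]:
            stale.append((row["user"], "never logged in"))
            continue
        idle = (now - datetime.fromisoformat(row["last_login"])).days
        if idle > max_idle_days:
            stale.append((row["user"], f"idle {idle} days ({row['role']})"))
    return stale


def review_access(log_text, known_ips=KNOWN_IPS, threshold=DAILY_VIEW_THRESHOLD):
    """Flag the unusual-access patterns worth a human look: off-hours logins,
    logins from addresses the practice does not use, bulk exports, and one
    user reading an unusually large number of records in a day."""
    findings = []
    daily_views = defaultdict(int)  # (user, date) -> records viewed so far
    for row in parse_rows(log_text):
        ts = datetime.fromisoformat(row["timestamp"])
        user, event, ip = row["user"], row["event"], row["source_ip"]
        if event == "login":
            if ts.hour not in BUSINESS_HOURS:
                findings.append((user, f"off-hours login at {ts:%Y-%m-%d %H:%M}"))
            if ip not in known_ips:
                findings.append((user, f"login from unrecognised address {ip}"))
        elif event == "export_patients":
            # Any whole-database export is worth a ticket, whatever the count.
            findings.append((user, f"bulk export ({row['detail']}) from {ip}"))
        elif event == "view_patient":
            key = (user, ts.date())
            before = daily_views[key]
            daily_views[key] = before + int(row["detail"].split("=")[1])
            if before < threshold <= daily_views[key]:
                findings.append((user, f"{daily_views[key]} records viewed on {ts:%Y-%m-%d}"))
    return findings


if __name__ == "__main__":
    for user, reason in find_inactive(ROSTER) + review_access(AUDIT_LOG):
        print(f"{user:16} {reason}")
```

Run against the constructed data, the roster check surfaces a temporary hygienist whose account outlived her contract and an admin account the vendor created that was never used, and the log check surfaces a 02:40 login from an unfamiliar address followed by a full patient export: exactly the sequence an incident response playbook should have a pre-written step for, including who calls the vendor.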

Conclusion

Lighthouse 360 will sign a Business Associate Agreement for covered dental practices. Request the BAA, review it for clear security and privacy obligations, sign and archive the countersigned copy, then configure the platform and your workflows to protect PHI. With these steps, you can use Lighthouse 360 as part of a defensible, end‑to‑end HIPAA compliance program.

FAQs

Does Lighthouse 360 provide a Business Associate Agreement?

Yes. Lighthouse 360 offers a standard BAA and will sign one with HIPAA‑covered dental practices. If you plan to transmit or store PHI through the platform, obtain and execute the BAA before enabling PHI‑related features.

How do I request a BAA from Lighthouse 360?

Contact support through your Lighthouse 360 account or reach out to your account manager and ask for the standard BAA. Provide your practice's legal name and contact details, complete the e-signature, and save the countersigned document in your compliance files.

Why is a BAA necessary for HIPAA compliance?

A BAA is required whenever a vendor handles PHI on your behalf. It defines permitted uses, mandates safeguards, and sets breach notification and data lifecycle obligations—forming the legal foundation that allows you to use a patient communication platform compliantly.
