Last updated: June 2026. We take your patients’ privacy as seriously as you do. This page explains, in plain language, how we keep your growth work and their data safe. It summarizes — but does not replace — our Terms, Privacy Policy, and any Business Associate Agreement we sign with you.
PHI-free by default
Our standard builds are designed not to create, receive, store, or transmit Protected Health Information (PHI). In practice that means:
- Lead forms capture the intent to connect — name and contact details, plus a non-clinical interest like “new patient” or “cosmetic” — not symptoms, diagnoses, insurance IDs, or treatment history.
- Submissions are routed to systems you control — your inbox, your practice-management system, or your scheduling tool — rather than living in our database.
- Patient booking happens inside your own HIPAA-compliant scheduler, not a generic widget we own.
This keeps PHI out of the marketing layer entirely, which is the cleanest way to protect it.
When patient data is in scope
Some practices want us to go further — handling patient information directly (typically Custom-tier work). When that happens:
- We sign a Business Associate Agreement (BAA) with your practice before any PHI is handled.
- PHI is stored, sent, and processed only through established, HIPAA-compliant vendors that have signed BAAs with us — purpose-built systems that exist to protect health data.
- Those vendors serve as the system of record for PHI. We build and connect; they store and safeguard.
Never set this up before? That’s normal — most practices have never asked much of their website. We’ll help you choose the right compliant tools and handle the wiring.
Why some features need additional tools
Because we don’t store patient data ourselves, the most advanced features run through specialized, compliant third-party tools rather than through us — for example:
- Storing patient records or treatment history on your site
- Two-way patient messaging (SMS or secure chat)
- Online intake, forms that collect clinical detail, or insurance information
These tools cost more than ordinary software, and that’s the point: the price reflects the BAAs and HIPAA / SOC 2 compliance that protect you and your patients. Building and maintaining that level of compliance from scratch is genuinely expensive — a compliant build done on your own can run into the tens of thousands of dollars — so neither we nor your practice can realistically do it cheaper than vendors who do it at scale.
None of this is required to be successful. A fast, trustworthy, well-built site that gets you found and booked does not need to touch PHI at all. These tools are only required when you want to do the most advanced things on your site — and we’ll always tell you honestly when you actually need them, and when you don’t.
Clean analytics on health pages
Tracking pixels and analytics can quietly turn ordinary marketing data into a privacy problem on a healthcare site. On the pages that touch patient intent, we avoid third-party advertising pixels and configure analytics so they never capture the contents of a form. Measurement should never come at the cost of your patients’ privacy.
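A concrete way to enforce the two rules in the paragraph above, added here as an illustration and not the agency's own code: a client-side gate that refuses to load advertising pixels on patient-intent pages, and a lead-form handler that forwards only a fixed, allowlisted intent value to analytics while every other field (name, email, free text) never leaves the browser. The page paths, field names, intent list and analyticsSink callback are constructed assumptions for this example.

```javascript
// Added example, not the agency's own code. Page paths, field names, the
// intent list and the analyticsSink callback are constructed assumptions.

// Paths on which no third-party advertising pixel may load at all.
const PATIENT_INTENT_PATHS = ["/book", "/new-patients", "/contact", "/services/"];

// The only form field that may ever reach analytics, and the only values it may carry.
const ANALYTICS_FIELD_ALLOWLIST = new Set(["interest"]);
const ALLOWED_INTENTS = new Set(["new patient", "cosmetic", "general"]);

// Key names that hint at identity or clinical detail; used as a final audit gate.
const PHI_KEY_PATTERN =
  /name|email|phone|tel|dob|birth|ssn|insur|member|diagnos|symptom|condition|treat|medic|message|notes|address/i;

function isPatientIntentPage(path) {
  return PATIENT_INTENT_PATHS.some((p) => path === p || path.startsWith(p));
}

// Pixel loader asks this before injecting any third-party script.
function shouldLoadThirdPartyPixel(path) {
  return !isPatientIntentPage(path);
}

// Turn a submitted form into an analytics event that records intent, never contents.
function buildAnalyticsEvent(formFields, path) {
  const event = {
    event: "lead_form_submit",
    page: path,
    field_count: Object.keys(formFields).length, // how many fields, not what was in them
  };
  for (const [name, raw] of Object.entries(formFields)) {
    if (!ANALYTICS_FIELD_ALLOWLIST.has(name)) continue; // name, email, message, etc. are dropped
    const value = String(raw).trim().toLowerCase();
    // Anything outside the fixed menu (e.g. free text typed into the field) collapses to "other".
    event[name] = ALLOWED_INTENTS.has(value) ? value : "other";
  }
  return event;
}

// Last line of defence: refuse to send a payload whose keys look like PHI
// or whose values look like free text, even if the builder above is later changed.
function auditAnalyticsEvent(event) {
  for (const [key, value] of Object.entries(event)) {
    if (PHI_KEY_PATTERN.test(key)) return false;
    if (key !== "page" && typeof value === "string" && value.length > 32) return false;
  }
  return true;
}

// Submit handler: returns the event that was sent, or null if the audit blocked it.
function submitLeadForm(formFields, path, analyticsSink) {
  const event = buildAnalyticsEvent(formFields, path);
  if (!auditAnalyticsEvent(event)) return null;
  analyticsSink(event);
  return event;
}
```

The allowlist is the important design choice: the handler never tries to recognise PHI in field values (which is unreliable), it simply has no path by which any field other than the intent menu can reach the analytics payload, and the audit gate catches a future edit that adds one.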
How we secure our own systems
For everything we do operate, we follow industry-standard practices: encryption in transit and at rest, least-privilege access, vetted subprocessors, and a defined incident-response process. The details live in Security, and the full vendor list lives in Subprocessors.
Who is responsible for what
You remain the covered entity (or its business associate) and are responsible for your own HIPAA compliance — obtaining patient consents and authorizations, configuring your practice-management and scheduling systems, and deciding what may lawfully be collected through your site. RGL designs and integrates your marketing systems; your HIPAA-compliant vendors store and safeguard PHI. We’re not liable for PHI introduced into systems outside the scope of a signed BAA — but we’ll always help you set things up the right way.
Questions
Want to know exactly where your data would live, or which vendors we’d recommend for your practice? Email hello@goodlookingco.com and we’ll walk you through it.