Notice of Privacy Practices

This notice describes how health information about your patients may be used and disclosed by dental practices using Juno, and how patients can get access to this information. This Notice of Privacy Practices is provided on behalf of dental practices ("Covered Entities") that use Juno as their practice management software. JUNO REALTY LLC ("Juno") acts as a Business Associate to these practices under HIPAA.

1. Our duty to protect health information

Federal law (the Health Insurance Portability and Accountability Act of 1996, "HIPAA," and the HITECH Act) requires dental practices that use Juno to protect the privacy of your patients' health information ("protected health information" or "PHI"), provide this Notice about privacy practices, and follow the terms of this Notice.

2. How PHI may be used and disclosed

The following describes the ways dental practices using Juno may use and disclose patients' health information:

2.1 Treatment

PHI may be used and disclosed to provide, coordinate, or manage dental care and related services. This includes sharing information with other healthcare providers involved in a patient's care, such as specialists, laboratories, or referring dentists. Juno's AI agents may access PHI to draft clinical notes, chart perio findings, and generate treatment-related documentation, subject to provider review and approval.

2.2 Payment

PHI may be used and disclosed to obtain payment for dental services. This includes submitting claims to insurance companies, verifying eligibility and benefits, obtaining pre-authorizations, and processing ERA/EOB remittances. Juno's Claims AI agent submits claims electronically via clearinghouses (Stedi, DentalXChange, Vyne Dental) and may generate appeal letters for denied claims.

2.3 Healthcare operations

PHI may be used and disclosed for practice operations including quality assessment, staff training, business planning, customer service, auditing, and compliance activities. Juno's AI agents may analyze practice data patterns (scheduling utilization, claim denial rates, recall compliance) to improve practice operations.

2.4 Appointment reminders and recalls

The practice may use PHI to contact patients about appointments, recalls, and preventive care reminders via SMS, phone calls, or email. Juno's Recall AI agent may generate personalized outreach communications, subject to patient consent and opt-out preferences.

3. Substance use disorder (SUD) records — 42 CFR Part 2

Updated February 16, 2026. This section reflects the requirements of the final rule modifying 42 CFR Part 2, which aligns substance use disorder record protections with HIPAA.

If the dental practice receives or maintains records related to substance use disorder (SUD) treatment from a Part 2 program, those records receive additional protections under 42 CFR Part 2, as amended. Specifically:

SUD records received from a Part 2 program may be used and disclosed for treatment, payment, and healthcare operations as permitted by HIPAA, subject to the patient's right to request restrictions.
SUD records may not be used in civil, criminal, administrative, or legislative proceedings against the patient without the patient's written consent or a court order meeting specific criteria.
Patients have the right to request restrictions on the use and disclosure of SUD records for treatment, payment, and healthcare operations.
Any re-disclosure of SUD records must include a notice prohibiting further re-disclosure except as permitted by 42 CFR Part 2.
SUD records are maintained within Juno with the same technical safeguards (encryption, RLS, audit logging) applied to all PHI, with additional access controls as configured by the practice.

4. Other permitted uses and disclosures

PHI may also be used or disclosed without patient authorization in the following circumstances, as permitted or required by law:

As required by law: when required by federal, state, or local law
Public health activities: reporting to public health authorities for disease prevention, injury reporting, or FDA-related activities
Abuse or neglect: reporting suspected abuse, neglect, or domestic violence to appropriate authorities
Health oversight: disclosures to health oversight agencies for audits, investigations, or inspections
Judicial proceedings: in response to a court order or subpoena meeting applicable legal requirements
Law enforcement: in limited circumstances as required by law, with verification steps as required by the HIPAA Privacy Rule
Decedents: to coroners, medical examiners, and funeral directors as permitted by law
Organ donation: to organ procurement organizations as permitted by law
Research: only with IRB or Privacy Board approval or when PHI has been de-identified
Serious threat: to prevent or lessen a serious and imminent threat to health or safety
Workers' compensation: as authorized by workers' compensation laws
Military and national security: for armed forces personnel or national security activities as required by law

5. Uses and disclosures requiring authorization

The following uses and disclosures require the patient's written authorization:

Marketing communications (other than face-to-face communications and promotional gifts of nominal value)
Sale of PHI
Most uses of psychotherapy notes (if applicable)
Any use or disclosure not described in this Notice

Patients may revoke an authorization at any time in writing, except to the extent that action has already been taken in reliance on the authorization.

6. Patient rights

6.1 Right to access records

Patients have the right to inspect and obtain a copy of their health information, including an electronic copy if maintained electronically. The practice must respond within 30 days (one 30-day extension permitted with written notice). Reasonable cost-based fees may apply.

6.2 Right to request amendment

Patients may request amendment of their health information if they believe it is incorrect or incomplete. The practice must respond within 60 days.

6.3 Right to an accounting of disclosures

Patients may request a list of certain disclosures of their health information made by the practice in the prior six years. Juno maintains immutable audit logs that support this requirement.

6.4 Right to request restrictions

Patients may request restrictions on certain uses and disclosures of their health information. The practice is not required to agree to all restrictions but must agree to restrict disclosures to a health plan for services paid in full out of pocket. Patients may also request restrictions on the use and disclosure of substance use disorder records as described in Section 3.

6.5 Right to request confidential communications

Patients may request to receive communications about their health information by alternative means or at alternative locations (e.g., calling a cell phone instead of a home phone).

6.6 Right to a paper copy of this notice

Patients have the right to obtain a paper copy of this Notice at any time, even if they previously agreed to receive it electronically.

7. Practice responsibilities

Maintain the privacy of PHI as required by HIPAA and applicable state law
Provide patients with this Notice of Privacy Practices
Abide by the terms of the currently effective Notice
Notify affected individuals and HHS of any breach of unsecured PHI within the timeframes required by the HIPAA Breach Notification Rule (without unreasonable delay and no later than 60 days from discovery)

8. Juno's role as Business Associate

JUNO REALTY LLC ("Juno") acts as a Business Associate to dental practices that use the Service. Juno's obligations regarding PHI are governed by the Business Associate Agreement (BAA) executed with each practice. Juno implements the following safeguards:

Encryption of PHI at rest (AES-256) and in transit (TLS 1.3)
Row-level security isolating each practice's data at the database level
Immutable audit logging of all PHI access and modifications
PHI stripped from application logs and error reporting
Role-based access controls with multi-factor authentication
Regular security risk assessments per NIST SP 800-30
Incident response procedures with defined severity levels (SEV-1 through SEV-4)
Sub-contractor BAAs in place with all downstream service providers that access PHI

9. Complaints

If a patient believes their privacy rights have been violated, they may file a complaint with:

Their dental practice directly
JUNO REALTY LLC through the support form
The U.S. Department of Health and Human Services, Office for Civil Rights, at hhs.gov/hipaa/filing-a-complaint or by calling 1-800-368-1019

No patient will be retaliated against for filing a complaint.

10. Changes to this notice

This Notice may be revised at any time. The revised Notice will be effective for all PHI maintained at the time of the revision. The current Notice is always available at juno.dental/npp.