Smilepass
Step-by-step implementation guide β pre-implementation checklist, onboarding, staff training, go-live runbook, and ROI tracking.
Smilepass β Implementation Playbook (DSO)
Smilepass Implementation Playbook for DSOs
Data & Infrastructure | AI-Powered Patient Identification and Data Management
1. Executive Summary
What Smilepass Does
Smilepass is an AI-powered facial recognition and biometric patient identification platform that eliminates manual check-in processes, reduces identity errors, and creates a seamless patient intake experience. The system captures and verifies patient identity through facial biometrics, integrating directly with practice management systems to auto-populate patient records, streamline form completion, and enhance data integrity across your organization.
Why DSOs Specifically Benefit from This Category of AI
Scale Advantages:
- Standardized patient identification eliminates the variability of manual check-in processes across 15β50+ locations, reducing identity mismatches that compound at scale
- Centralized biometric database enables patients to check in seamlessly at any location in your networkβa significant competitive advantage for multi-location DSOs
- Aggregate data quality improvements compound: cleaner patient records mean better analytics, more accurate reporting, and stronger payer relationships
Operational Standardization:
- Uniform intake experience across all locations strengthens brand consistency
- Eliminates location-specific workarounds that create compliance gaps
- Standardized identity verification reduces fraud risk and duplicate record creation
Data Aggregation Benefits:
- Cross-location patient tracking becomes automatic, enabling true network-wide patient journey analytics
- Centralized identity management reduces IT overhead versus managing disparate systems
- Clean, verified patient data improves downstream AI applications (treatment planning, revenue cycle, recalls)
Expected Timeline: Decision to Full Deployment
| Phase | Timeline | Milestone |
|---|---|---|
| Pre-Implementation | Weeks 1β2 | Infrastructure assessment, contracts, baseline metrics |
| Pilot Wave (3β5 locations) | Weeks 3β6 | First locations live, initial learning capture |
| Wave 2 Expansion (8β12 locations) | Weeks 7β12 | Refined playbook deployed |
| Wave 3+ Full Deployment | Weeks 13β20 | All remaining locations live |
| Optimization & Stabilization | Weeks 20β26 | Full ROI measurement, process refinement |
Total Timeline: 5β6 months for a 30-location DSO, with faster deployment possible for organizations with mature IT infrastructure and strong change management capabilities.
2. Pre-Implementation Checklist (Weeks 1β2)
Technical Requirements
Hardware Requirements
β Front desk workstation specifications: Minimum Intel i5 (or equivalent), 8GB RAM, Windows 10/11 or macOS 11+ β Camera hardware: USB 3.0 webcam with minimum 1080p resolution and IR capability for low-light environments (vendor will specify approved models) β Tablet option: If using patient-facing tablets, iPad (6th gen+) or approved Android devices β Network connectivity: Minimum 25 Mbps download/10 Mbps upload per location; latency <100ms to cloud services
Software Requirements
β Practice management system version compatibility: Verify current PMS versions across all locations against Smilepass compatibility matrix β Browser requirements: Chrome 90+, Edge 90+, Safari 14+ (for web-based dashboard access) β Operating system patches: All workstations current on security updates
Network Requirements
β Firewall configuration: Whitelist Smilepass cloud endpoints (specific IPs/domains provided during onboarding) β SSL/TLS: Ensure TLS 1.2+ is enabled on all network traffic β VPN considerations: If locations use VPN to central systems, verify bandwidth capacity for biometric data transmission
π΅ Vendor Onboarding Steps
| Step | Action | Owner | Timeline |
|---|---|---|---|
| 1 | Execute Master Services Agreement and BAA | Legal/Vendor | Day 1β3 |
| 2 | Complete enterprise onboarding questionnaire | IT Lead/Vendor | Day 2β4 |
| 3 | Establish vendor key contacts (implementation lead, technical support, account executive) | Operations | Day 3 |
| 4 | Schedule kickoff call with full implementation team | Project Manager | Day 4β5 |
| 5 | Receive and distribute technical documentation package | IT Lead | Day 5β7 |
| 6 | Establish support ticketing access for IT team | IT Lead/Vendor | Day 7 |
Key Vendor Contacts to Establish
- Implementation Manager: Primary contact for rollout coordination
- Technical Integration Specialist: API configuration and PMS integration support
- Customer Success Manager: Post-launch optimization and escalation
- 24/7 Support Line: For go-live and critical issues
Data/Access Prerequisites
β PMS API credentials: Obtain API keys or integration credentials for each PMS instance β Admin access to PMS: Ensure IT or designated staff have admin-level access for configuration β Patient data export capabilities: Verify ability to export patient demographic data for initial seeding (if required) β SSO integration prerequisites: If using enterprise SSO, gather IdP metadata and configuration requirements β User provisioning list: Compile list of all users who will need Smilepass access, by role and location
π£ Internal Stakeholder Alignment
Approval Required From:
| Stakeholder | Approval Needed For | Timeline |
|---|---|---|
| CEO/Board | Capital expenditure, strategic initiative approval | Week 1 |
| Chief Dental Officer | Clinical workflow changes, provider communication | Week 1 |
| VP of Operations | Implementation timeline, resource allocation | Week 1 |
| CFO | Budget approval, ROI framework | Week 1 |
| Compliance/Legal | BAA review, privacy policy updates | Week 1 |
| IT Director | Technical architecture approval, security review | Week 1β2 |
Informed (Not Approving):
| Stakeholder | Information Needed | When |
|---|---|---|
| Regional Managers | Rollout schedule, location selection rationale | Week 2 |
| Office Managers | Timeline for their location, resource requirements | Week 2 |
| Providers | High-level benefits, what to expect | Week 2 |
| HR | Training requirements, potential job description updates | Week 2 |
Stakeholder Alignment Map
βββββββββββββββββββββββββββββββ
β BOARD / INVESTORS β
β Strategic approval, ROI β
βββββββββββββββ¬ββββββββββββββββ
β
βββββββββββββββββββββββββΌββββββββββββββββββββββββ
β β β
βββββββ΄ββββββ βββββββ΄ββββββ βββββββ΄ββββββ
β CEO β β CFO β β CDO β
β Executive β β Budget β β Clinical β
β Sponsor β β Owner β β Approval β
βββββββ¬ββββββ βββββββββββββ βββββββ¬ββββββ
β β
βββββββββββββββββββββ¬ββββββββββββββββββββββββββββ
β
βββββββββββ΄ββββββββββ
β VP OPERATIONS β
β Project Sponsor β
βββββββββββ¬ββββββββββ
β
ββββββββββββββββββββββΌβββββββββββββββββββββ
β β β
βββββββ΄ββββββ βββββββ΄ββββββ βββββββ΄ββββββ
β Regional β β IT β β Training β
β Managers β β Director β β Lead β
β (Cascade) β β (Tech) β β (Rollout) β
βββββββ¬ββββββ βββββββββββββ βββββββββββββ
β
βββββββ΄ββββββββββββββββββββββββββββββββββββββ
β β
ββββ΄ββββ βββββββββββ βββββββββββ βββββββββββ
βOfficeβ βProvidersβ β Front β βClinical β
βMgrs β β β β Desk β β Staff β
ββββββββ βββββββββββ βββββββββββ βββββββββββ
β οΈ Baseline Metrics to Capture BEFORE Go-Live
Critical: Standardize measurement methodology across ALL locations before collecting baselines. Inconsistent measurement makes cross-location comparison impossible.
Patient Experience Metrics
| Metric | How to Measure | Standardization Note |
|---|---|---|
| Average check-in time | Time from patient arrival to seated in operatory | Use PMS timestamps; define "arrival" consistently (door entry vs. front desk acknowledgment) |
| Patient wait time complaints | Count of documented complaints per 100 patients | Create standard complaint logging protocol |
| Patient satisfaction (check-in) | NPS or survey score specific to check-in | Deploy identical 2-question survey across all locations |
Operational Metrics
| Metric | How to Measure | Standardization Note |
|---|---|---|
| Identity verification errors | Count of chart pulls for wrong patient, misfiled documents | Audit 1 week of charts at each location using same criteria |
| Duplicate patient records created (monthly) | PMS duplicate detection report | Run same duplicate-finding algorithm at each location |
| Front desk labor hours on check-in | Time study or estimation by office manager | Use standardized time-motion study protocol |
| Forms completion rate at arrival | % of patients with all required forms complete before appointment | Define required forms list consistently |
Data Integrity Metrics
| Metric | How to Measure | Standardization Note |
|---|---|---|
| Patient demographic accuracy | Audit sample for errors (wrong DOB, address, insurance) | Sample 50 records per location, same audit checklist |
| Insurance verification accuracy | % of claims rejected for patient info errors | Pull from clearinghouse or PMS rejection reports |
Financial Metrics
| Metric | How to Measure | Standardization Note |
|---|---|---|
| Claims rejected for patient ID issues | Filter rejection codes related to patient identification | Standardize rejection code categorization |
| No-show rate | PMS no-show report | Ensure consistent definition of "no-show" vs. "late cancel" |
Enterprise-Level Requirements
Network Standards Across Locations
β Minimum bandwidth: Document current bandwidth at each location; flag any below 25/10 Mbps β Network segmentation: Determine if biometric data should travel on dedicated VLAN β Firewall rule standardization: Create master firewall rule template for all locations
Centralized vs. Location-Level Hosting Decision
π£ Executive Decision Required:
| Option | Pros | Cons | Recommendation |
|---|---|---|---|
| Centralized (Cloud) | Single data repository, easier patient cross-location lookup, simplified compliance | Requires reliable internet at all locations, latency concerns | Recommended for most DSOs |
| Hybrid | Local processing with cloud sync, works offline | More complex architecture, higher IT burden | Consider only if locations have unreliable connectivity |
SSO Integration
β Identity provider: Confirm IdP (Okta, Azure AD, Google Workspace, etc.) β SAML/OIDC configuration: Gather technical requirements from IT β Role mapping: Define how PMS roles map to Smilepass permission levels β Provisioning/deprovisioning: Establish automated user management workflow
Centralized Credentialing
β Provider credentialing data: Determine if provider profiles in Smilepass need credentialing verification β Access control matrix: Define who can access what data across the enterprise β Audit logging requirements: Confirm audit trail meets compliance requirements
3. Location Readiness Assessment
Scoring Framework
Score each location on the following factors (1β5 scale), then calculate a composite readiness score.
Factor 1: IT Infrastructure Maturity (Weight: 25%)
| Score | Criteria |
|---|---|
| 5 | Network >100 Mbps, all workstations <2 years old, latest PMS version, previous successful tech rollouts |
| 4 | Network 50β100 Mbps, workstations 2β3 years old, PMS within one version of current, one successful rollout |
| 3 | Network 25β50 Mbps, workstations 3β4 years old, PMS within two versions, mixed rollout history |
| 2 | Network 10β25 Mbps, workstations 4β5 years old, outdated PMS, prior rollout struggles |
| 1 | Network <10 Mbps, workstations >5 years old, significantly outdated PMS, no tech rollout experience |
Factor 2: Staff Tenure and Adaptability (Weight: 20%)
| Score | Criteria |
|---|---|
| 5 | <10% annual turnover, documented tech comfort, recent training completion >90%, positive attitude toward change |
| 4 | 10β15% turnover, moderate tech comfort, training completion 80β90%, generally receptive to change |
| 3 | 15β25% turnover, mixed tech comfort, training completion 70β80%, neutral toward change |
| 2 | 25β35% turnover, low tech comfort, training completion 50β70%, some resistance to change |
| 1 | >35% turnover, tech-averse culture, training completion <50%, active resistance to change |
Factor 3: Patient Volume (Weight: 20%)
| Score | Criteria | Note |
|---|---|---|
| 5 | 80β120 patients/day | High impact, high visibility, but not overwhelming |
| 4 | 60β80 patients/day | Strong impact with manageable volume |
| 3 | 40β60 patients/day | Moderate volume, good for learning |
| 2 | 120β150 patients/day | Very high volume increases risk |
| 1 | <40 OR >150 patients/day | Too low for meaningful data OR too high risk for pilot |
Factor 4: Existing Tech Stack Compatibility (Weight: 20%)
| Score | Criteria |
|---|---|
| 5 | PMS with native Smilepass integration, digital imaging already deployed, existing API integrations successful |
| 4 | PMS with documented Smilepass compatibility, modern imaging, some API experience |
| 3 | PMS on compatibility list but not native, standard imaging, limited integration experience |
| 2 | PMS requires custom integration work, older imaging system, no API experience |
| 1 | PMS not on compatibility list OR requires significant infrastructure upgrades |
Factor 5: Local Champion Availability (Weight: 15%)
| Score | Criteria |
|---|---|
| 5 | Identified tech-forward provider AND office manager, both enthusiastic, prior champion experience |
| 4 | Strong office manager champion with provider support OR tech-forward provider with competent OM |
| 3 | Willing office manager, neutral provider, no prior champion experience |
| 2 | No clear champion, but no active resistance |
| 1 | No champion available OR key staff actively resistant |
Composite Score Calculation
Formula:
Composite Score = (IT Γ 0.25) + (Staff Γ 0.20) + (Volume Γ 0.20) + (Tech Stack Γ 0.20) + (Champion Γ 0.15)
Score Interpretation
| Composite Score | Readiness Tier | Rollout Recommendation |
|---|---|---|
| 4.0β5.0 | Tier 1 (High Readiness) | Wave 1 pilot candidate |
| 3.0β3.9 | Tier 2 (Moderate Readiness) | Wave 2 candidate |
| 2.0β2.9 | Tier 3 (Low Readiness) | Wave 3 candidate, requires remediation |
| <2.0 | Tier 4 (Not Ready) | Defer until specific issues resolved |
Sample Location Readiness Scorecard
| Location | IT (25%) | Staff (20%) | Volume (20%) | Tech (20%) | Champion (15%) | Composite | Tier |
|---|---|---|---|---|---|---|---|
| Downtown Main | 5 | 4 | 4 | 5 | 5 | 4.55 | 1 |
| Suburban North | 4 | 4 | 5 | 4 | 4 | 4.20 | 1 |
| Eastside Family | 4 | 3 | 3 | 4 | 5 | 3.75 | 2 |
| Westside Ortho | 3 | 4 | 3 | 3 | 3 | 3.20 | 2 |
| Rural Clinic A | 2 | 3 | 2 | 2 | 2 | 2.25 | 3 |
Rollout Sequence Recommendation
Based on readiness scores, we recommend the following wave structure:
Wave 1 (Pilot): 3β5 Highest-Scoring Locations
Selection Criteria:
- Composite score β₯4.0
- Geographic diversity (don't cluster all pilots in one region)
- Include at least one high-volume and one moderate-volume location
- Strong champion presence
- Representative of your portfolio (if you have specialty practices, include at least one)
Wave 2 (Early Expansion): Next 5β8 Locations
- Composite score 3.5β4.0
- Locations that can benefit from Wave 1 learnings
- Include locations in same region as Wave 1 successes (peer influence)
Wave 3+ (Broad Deployment): Remaining Locations
- Deploy in regional clusters to maximize training efficiency
- Address remediation items for Tier 3 locations before deployment
- Consider deferring Tier 4 locations until fundamental issues resolved
4. Rollout Strategy
Recommended Wave Structure
Wave 1: Pilot (3β5 Locations)
Duration: 4 weeks Purpose: Validate integration, refine training, capture learnings, prove ROI
Wave 2: Early Expansion (8β12 Locations)
Duration: 4β5 weeks Purpose: Scale with refined playbook, stress-test support model
Wave 3+: Broad Deployment (Remaining Locations)
Duration: 4β6 weeks per wave of 10β15 locations Purpose: Efficient rollout using proven processes
Wave 1 Pilot Location Selection
Required Criteria
β Composite readiness score β₯4.0 β Identified and confirmed local champion (office manager + provider buy-in) β No major planned disruptions (renovations, key staff departures, PMS migration) β Stable patient volume (avoid seasonal lows)
Preferred Criteria
β Geographic proximity to headquarters or regional support hub (enables faster on-site support) β History of successful technology adoption β Office manager with bandwidth to participate in feedback loops β Mix of patient demographics representative of overall portfolio
Risk Factors to Avoid in Wave 1
β οΈ Brand-new locations (<6 months operating) β οΈ Locations undergoing leadership transition β οΈ Highest-volume flagship locations (too much risk if issues arise) β οΈ Locations with known staff morale issues
π£ Recommended Wave 1 Selection Process
- Generate readiness scores for all locations
- Filter to Tier 1 locations (score β₯4.0)
- Apply required and preferred criteria
- Regional managers validate selections with local context
- Executive sponsor approves final pilot location list
Timeline Per Wave
Wave 1 Detailed Timeline
| Week | Activities |
|---|---|
| Week 1 | Champion training, hardware deployment, test environment setup |
| Week 2 | Integration testing, staff training, parallel workflow planning |
| Week 3 | Go-live, intensive support, daily check-ins |
| Week 4 | Stabilization, initial metrics capture, learning documentation |
Wave 2+ Timeline (Per Wave)
| Week | Activities |
|---|---|
| Week 1 | Champion certification, hardware/configuration deployment |
| Week 2 | Staff training (delivered by local champions), final testing |
| Week 3 | Staggered go-live (3β4 locations Mon, 3β4 Wed, remaining Fri) |
| Week 4β5 | Stabilization, metrics review, refinement |
Buffer Between Waves
Minimum 1-week buffer between waves to:
- Complete learning documentation from prior wave
- Update training materials based on feedback
- Address any systemic issues before scaling
- Allow central team recovery time
Go/No-Go Criteria for Wave Advancement
Criteria to Advance from Wave 1 to Wave 2
| Category | Go Criteria | No-Go Triggers |
|---|---|---|
| Technical | Integration stable for 5+ consecutive days, <2 hours cumulative downtime | >8 hours downtime, data integrity issues, security concerns |
| Adoption | >80% of check-ins using Smilepass, <10% staff bypass rate | <50% adoption, widespread staff resistance |
| Patient Experience | No patient complaints requiring escalation, wait times stable or improved | Multiple patient complaints, increased wait times |
| Operational | Check-in time reduced or stable, no increase in identity errors | Significant increase in errors, workflow disruption |
| Support Load | Issues resolving within expected timeframes, no critical open tickets | Backlog of unresolved issues, vendor support overwhelmed |
π£ Go/No-Go Decision Process
- Local champions complete Wave assessment checklist (Day 21)
- Central project team reviews metrics and feedback (Day 22β23)
- Project team recommendation submitted to VP of Operations (Day 24)
- VP of Operations makes Go/No-Go decision (Day 25)
- Decision communicated to all stakeholders (Day 26)
β οΈ Rollback Plan
If a wave fails to meet Go criteria, execute the following rollback protocol:
Immediate Actions (Within 24 Hours)
β Pause all planned go-lives for subsequent locations in current wave β Document specific failure points with as much detail as possible β Notify vendor of issues and engage escalated support β Communication cascade: VP Ops β Regional Managers β Affected Office Managers β Revert to previous workflow at affected locations if patient experience is degraded
Assessment Period (48β72 Hours)
β Root cause analysis with vendor technical team β Determine if issue is:
- Location-specific (proceed with other locations, remediate affected location)
- Systemic (full pause until resolved)
- Training-related (enhanced training, then retry)
- Integration-related (technical fix required)
Recovery Path
β Vendor provides remediation plan with timeline β Test fix in controlled environment β Pilot remediation at single affected location β Resume wave if successful, with extended monitoring
Protecting Other Locations
- Locations already live in prior waves continue operating normally
- Do not deploy to new locations until root cause resolved
- Increased monitoring at all live locations during investigation
5. Configuration & Integration (Weeks 2β3)
Step-by-Step PMS Integration
π΅ Dentrix Integration
| Step | Action | Owner | β οΈ Notes |
|---|---|---|---|
| 1 | Verify Dentrix version compatibility (G7.3+ recommended) | IT | Older versions may require upgrade |
| 2 | Install Dentrix API connector module | Vendor/IT | Requires after-hours install; plan for 30-min downtime |
| 3 | Configure API credentials in Smilepass admin portal | IT/Vendor | Use service account, not individual user credentials |
| 4 | Map Dentrix patient fields to Smilepass fields | IT/Vendor | Standard mapping provided; custom fields require config |
| 5 | Configure bi-directional sync settings | IT/Vendor | Determine real-time vs. batch sync |
| 6 | Test patient lookup from Smilepass | IT | Use test patients first |
| 7 | Test demographic write-back to Dentrix | IT | β οΈ Critical: Verify no data overwrites |
| 8 | Validate insurance verification integration | IT/Vendor | If using integrated eligibility |
| 9 | Production go-live configuration | IT/Vendor | Switch from test to production mode |
π΅ Eaglesoft Integration
| Step | Action | Owner | β οΈ Notes |
|---|---|---|---|
| 1 | Verify Eaglesoft version (21.00+ recommended) | IT | Contact Patterson support if unsure |
| 2 | Enable Eaglesoft API access in system settings | IT | Requires admin credentials |
| 3 | Install Smilepass integration agent on Eaglesoft server | IT/Vendor | Server reboot may be required |
| 4 | Configure API endpoint in Smilepass portal | IT/Vendor | Requires server IP/port information |
| 5 | Test connectivity and authentication | IT | Use vendor diagnostic tool |
| 6 | Configure patient data field mapping | IT/Vendor | Document any custom mappings |
| 7 | Test patient search and retrieval | IT | Verify photo attachment capabilities |
| 8 | Configure appointment status updates | IT/Vendor | Sync check-in status to Eaglesoft |
| 9 | Production deployment | IT/Vendor | Test during low-volume period first |
π΅ Open Dental Integration
| Step | Action | Owner | β οΈ Notes |
|---|---|---|---|
| 1 | Verify Open Dental version (22.1+ recommended for full API) | IT | Open Dental updates frequently |
| 2 | Generate API key in Open Dental (Setup β API) | IT | Use dedicated API user account |
| 3 | Configure API endpoint in Smilepass | IT/Vendor | Enter API key and server URL |
| 4 | Enable required API permissions | IT | Patient read/write, appointment access |
| 5 | Test patient lookup and creation | IT | Open Dental has native duplicate detection |
| 6 | Configure patient photo storage location | IT/Vendor | Verify photo path accessibility |
| 7 | Test full workflow: lookup β check-in β appointment update | IT | Document any errors |
| 8 | Production go-live | IT/Vendor | Monitor API logs first 48 hours |
Imaging System Integration (If Applicable)
If Smilepass connects to imaging systems for photo management:
β Verify imaging system compatibility (Dexis, Carestream, Schick, etc.) β Configure image import path or API connection β Map patient identifiers between systems β Test image capture and storage β Verify DICOM compliance if applicable β Test retrieval of patient photos for verification
Test Environment Setup
Centralized Test Environment (Recommended)
π΅ Request test environment from Smilepass that mirrors production configuration
| Component | Configuration |
|---|---|
| Test tenant | Separate from production, vendor-provisioned |
| Test patient data | Synthetic data onlyβno real PHI |
| Test PMS instance | Sandbox or copy of production (with PHI scrubbed) |
| Test hardware | At least 1 camera + workstation at central location |
Test Validation Checklist
β User authentication (SSO and direct login) β Patient search functionality β New patient enrollment workflow β Returning patient identification β Check-in process completion β Data sync to PMS (bi-directional) β Photo capture and storage β Report generation β Offline mode (if applicable) β Performance under simulated load
Data Migration / Historical Data Ingestion
Patient Photo Migration (If Applicable)
β Inventory existing patient photos in PMS or imaging system β π΅ Determine if historical photo import is supported/recommended β Assess photo qualityβlow-quality images may not work for biometric matching β Define inclusion criteria (active patients only? Seen in last 2 years?) β β οΈ Privacy review: Ensure consent covers biometric use (see compliance section) β Execute batch import during off-hours β Validate import completeness and accuracy
π£ Historical Data Decision Point
Question: Should you pre-load existing patient photos, or start fresh with new biometric enrollments?
| Option | Pros | Cons | Recommendation |
|---|---|---|---|
| Pre-load existing photos | Immediate recognition for returning patients | Photo quality may vary, consent may need updating, longer setup | Only if photos are recent and high-quality |
| Fresh enrollment | Clean data, explicit consent, better photo quality | Returning patients must re-enroll initially | Recommended for most DSOs |
Security and HIPAA Compliance Verification
Enterprise-Level HIPAA Checklist
β Business Associate Agreement (BAA) executed and filed β Data encryption: Verify encryption at rest (AES-256) and in transit (TLS 1.2+) β Access controls: Role-based access implemented, least-privilege principle applied β Audit logging: All access to PHI logged with user, timestamp, action β Data retention policy: Align Smilepass retention with organizational policy β Data deletion procedures: Verify ability to delete patient data upon request β Breach notification: Confirm vendor's breach notification procedures and timelines β Biometric data handling: Verify compliance with state biometric privacy laws (BIPA in Illinois, CCPA in California, etc.) β Subprocessor list: Review Smilepass subprocessors and ensure BAA coverage
β οΈ State-Specific Biometric Privacy Requirements
Several states have specific requirements for biometric data:
| State | Law | Key Requirements |
|---|---|---|
| Illinois | BIPA | Written consent, retention/destruction policy, no sale of data |
| Texas | CUBI | No sale, informed consent, reasonable security |
| Washington | HB 1493 | Notice required, no commercial purposes without consent |
| California | CCPA/CPRA | Biometrics as sensitive personal information, enhanced rights |
β Legal review of consent forms for all locations in applicable states β Update patient intake forms with biometric consent language β Document retention and destruction policy for biometric data
Enterprise Configuration Framework
Standardized Configuration Template
Apply identically across ALL locations:
| Setting | Standard Value | Rationale |
|---|---|---|
| Session timeout | 15 minutes | Security compliance |
| Photo quality threshold | 85% confidence minimum | Accuracy vs. convenience balance |
| Failed match threshold | 3 attempts before manual override | Security vs. workflow |
| Data retention period | 7 years or per legal requirement | Regulatory compliance |
| Audit log retention | 7 years | HIPAA requirement |
| Default language | English (with Spanish available) | Adjust based on patient demographics |
| Offline mode | Enabled with 4-hour cache | Business continuity |
| Escalation alerts | Email to Office Manager + Regional Manager | Timely issue awareness |
Location-Specific Configuration
Can vary by location:
| Setting | Variation Allowed | Examples |
|---|---|---|
| Operating hours | Per location schedule | Different weekend hours |
| Provider list | Per location roster |
AI-generated implementation guide based on public vendor information. Verify specifics directly with Smilepass.