If you run the practice or manage billing operations, this is your section. Start here to set up your team and lock in HIPAA-appropriate controls on day one.
First week checklist
- Complete the practice profile: name, NPI, Tax ID, specialty, primary payers. Practice settings →
- Enforce 2FA for all users: required for anyone who touches PHI. Two-factor auth →
- Invite your team: add users with the right roles. Team management →
- Configure notifications: Slack, email, or in-app for deadlines, outcomes, and HIPAA-relevant events. Practice settings →
- Review audit logs: confirm PHI access is recorded as expected. Audit logs →
- Request a BAA: if you’re a covered entity, do this before sending any PHI. Request the BAA →
Roles at a glance
| Role | Typical user | Access |
|---|---|---|
| user | Billing staff | Own work; PHI access within the practice |
| analyst | Analytics / reporting | Aggregated or anonymized data only |
| support | Customer-facing support | Read-only PHI, scoped to the practice |
| admin | Practice admin | Full access within the practice; cannot delete the practice |
| super_admin | Denialbase internal (not for customers) | Full platform, heavily audited |
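The matrix above, worked into a default-deny policy check, as an added example that is not Denialbase's own code; the action names, the `phi` flag on a request, and reading "own work" as "records the user created" are assumptions:

```python
# Added example: a default-deny policy check mirroring the "Roles at a glance" table.
# Illustrative only, not Denialbase's implementation. Assumed: action names,
# the `phi` flag, and "own work" meaning records the user created.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str          # user | analyst | support | admin | super_admin
    practice_id: str   # practice the account belongs to

@dataclass(frozen=True)
class Request:
    action: str                     # "read", "write", "delete_practice", "platform_config"
    practice_id: str                # practice that owns the resource
    owner_id: Optional[str] = None  # user who created the record, if any
    phi: bool = True                # False only for aggregated / anonymized data

def decide(p: Principal, r: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny unless a rule grants; audit every PHI decision."""
    if p.role == "super_admin":
        return True, "super_admin: full platform (heavily audited)"
    if r.action == "platform_config":
        return False, "platform actions are internal-only"
    if r.practice_id != p.practice_id:
        return False, "resource belongs to another practice"
    if p.role == "admin":
        if r.action == "delete_practice":
            return False, "admins cannot delete the practice"
        return True, "admin: full access within the practice"
    if r.action == "delete_practice":
        return False, "only super_admin can delete a practice"
    if p.role == "support":
        return (r.action == "read"), "support: read-only PHI, scoped to the practice"
    if p.role == "analyst":
        if r.phi:
            return False, "analyst: aggregated or anonymized data only"
        return (r.action == "read"), "analyst: read aggregated data"
    if p.role == "user":
        if r.action == "write":
            return (r.owner_id == p.user_id), "user: may only change own work"
        return (r.action == "read"), "user: PHI access within the practice"
    return False, f"unknown role {p.role!r}"
```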
Compliance controls
- 2FA enforcement: require TOTP or passkeys for everyone. Admins can require it at invite time.
- Session policy: idle timeout, maximum session duration, and concurrent session limits.
- Audit log export: download PHI access logs for HIPAA audit purposes.
- Data export / deletion: exports for patient data-access requests; full practice deletion on offboarding.