Privacy Policy
Last updated: February 21, 2026
Introduction
Sentinel Health Compliance, LLC ("we," "our," or "us") operates HIPAA Agent (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at hipaaagent.ai.
As a HIPAA-compliant service provider, we take data privacy extremely seriously. We are committed to protecting your personal information and your patients' protected health information (PHI).
Information We Collect
Information You Provide
- Account Information: Name, email address, phone number, practice name, NPI number, and billing information.
- Compliance Data: Risk assessment responses, policies generated, training records, BAA information, and other compliance-related information you input.
- Communications: Messages you send us, support requests, and feedback.
Information Collected Automatically
- Usage Data: How you interact with our platform, features used, pages visited, and time spent.
- Device Information: IP address, browser type, operating system, and device identifiers.
- Cookies: We use essential cookies for authentication and session management. See the "Cookies" section below.
How We Use Your Information
We use collected information to:
- Provide, maintain, and improve our services
- Personalize your compliance experience based on your practice type and specialty
- Process transactions and send related information
- Send administrative information, updates, and security alerts
- Respond to your comments, questions, and support requests
- Monitor and analyze usage patterns to improve the Service
- Detect, prevent, and address technical issues and security threats
- Comply with legal obligations
Data Protection & Security
We implement robust security measures including:
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- Enterprise-grade infrastructure with continuous security monitoring
- Role-based access controls
- Regular security audits and vulnerability assessments
- US-based data centers only
- Multi-factor authentication support
- Automated backup and disaster recovery
AI and Your Data
We use AI (powered by Anthropic's Claude) to provide compliance assistance. Important points:
- Your data is NEVER used to train AI models
- AI interactions are processed using isolated inference with no data retention by the AI provider
- We maintain a zero-data-retention agreement with our AI provider
- Each AI interaction is processed independently and not linked to other users' data
Third-Party Service Providers
We work with trusted third-party providers who process data on our behalf:
- Supabase: Database and authentication (HIPAA compliant)
- Stripe: Payment processing (PCI DSS Level 1)
- Vercel: Hosting and content delivery
- Resend: Email delivery
- Anthropic: AI processing (zero data retention)
- OpenAI: GPT Store integration for HIPAA compliance checking (API Actions only, no data stored by OpenAI)
All providers are contractually bound to protect your data and are selected for their security practices.
Business Associate Agreement
We sign a Business Associate Agreement (BAA) with all customers who are HIPAA Covered Entities. This legally binds us to protect any PHI in accordance with HIPAA requirements. The BAA is provided during onboarding.
Cookies
We use the following types of cookies:
- Essential Cookies: Required for authentication, session management, and security. Cannot be disabled.
- Analytics Cookies: Help us understand how visitors use our site. Can be disabled.
We do not use advertising or tracking cookies. You can manage cookie preferences in your browser settings.
Data Retention
We retain your data according to the following schedule:
- Active Accounts: Data retained for as long as your account is active
- After Cancellation: Data available for export for 30 days, then permanently deleted
- Compliance Records: Retained for 6 years as required by HIPAA
- Billing Records: Retained for 7 years for tax purposes
- Lite Scan Cache: Cached results expire and are purged after 24 hours
- Comprehensive Scan Data: Retained as long as the practice record is active in our system
Your Rights
You have the right to:
- Access: Request a copy of your personal data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data (subject to legal retention requirements)
- Portability: Export your data in a machine-readable format
- Opt-Out: Unsubscribe from marketing communications
To exercise these rights, contact us at compliance@hipaaagent.ai.
California Privacy Rights (CCPA)
If you are a California resident, you have additional rights:
- Right to know what personal information is collected, used, and shared
- Right to delete personal information
- Right to opt out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising your rights
Children's Privacy
Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
API & Third-Party Agent Platforms
HIPAA Agent provides a public API that may be accessed by third-party AI platforms including OpenAI (ChatGPT), Anthropic (Claude), and developer tools.
Data Collected Through API
- Domain names and NPI numbers submitted for lookup
- IP addresses for rate limiting (not persisted)
- No protected health information (PHI) is collected, requested, or processed through the API
- When a domain is submitted for a lite scan, we perform real-time external checks on publicly observable signals (DNS records, SSL certificates, HTTP headers, publicly accessible web pages). These checks are passive and non-intrusive — no authentication is attempted, no vulnerabilities are exploited, and no systems are accessed.
Data Returned Through API
- Public responses contain finding counts and severity categories only
- No IP addresses, port numbers, server versions, or breached email addresses are included in public responses
- Full findings are available only to authenticated subscribers
- Lite scan results include email authentication status, SSL/TLS configuration, security header presence, and privacy policy detection. No internal system data, credentials, or protected health information is accessed or returned.
Automated Scanning
- Domains submitted through our API or AI agent integrations may be queued for a comprehensive external security assessment. These assessments analyze only publicly observable signals and do not require or attempt authentication, access internal systems, or exploit vulnerabilities.
- Automated scans check DNS records, SSL/TLS certificates, HTTP security headers, publicly accessible web pages, email authentication records (SPF, DMARC, DKIM), and other externally visible configurations.
- Scan results are stored in our database and may be used to generate security posture reports. Lite scan results are cached for 24 hours.
- Practice owners can access their full scan results at no cost through our lookup portal at hipaaagent.ai/lookup.
Third-Party AI Platforms
- Our API may be called by AI assistants on platforms we do not control (ChatGPT, Claude, Cursor, etc.)
- We do not receive or store conversation content from these platforms
- Users should refer to the respective platform's privacy policy for how their queries are handled
API Data Practices
- We do not sell API query data to third parties
- We do not use lookup queries for marketing
- We do not track individual users across agent platforms
- API request logs are retained for rate limiting and abuse prevention and purged after 90 days
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 30 days before changes take effect. Your continued use of the Service after changes become effective constitutes acceptance.
Contact Us
For privacy-related questions or to exercise your rights:
Email: compliance@hipaaagent.ai
Company: Sentinel Health Compliance, LLC
Website: hipaaagent.ai