Security & Compliance Infrastructure
Zero-PHI architecture, blockchain-anchored audit trails, Ed25519 cryptographic attestations, and defense-in-depth security layers -- all purpose-built for healthcare compliance.
Zero PHI Architecture
HIPAA Agent scans your infrastructure, not your patient data. No PHI is collected, processed, or stored -- ever.
How It Works
Our autonomous scanning agent evaluates your web-facing infrastructure -- DNS records, TLS certificates, email authentication, security headers, exposed ports, and 70+ other controls. It never touches EHR systems, patient databases, or any Protected Health Information.
Every API request through MCP and A2A protocols passes through our PHI detection layer, which scans for 18 HIPAA-defined identifiers and auto-rejects any request containing PHI.
Full details are in our Trust Center.
Encryption & Data Protection
Multiple encryption layers protect data at rest and in transit across our entire stack.
Encryption & Data Protection
- TLS 1.3 encryption on every connection
- AES-256 encryption at rest in Supabase
- Fernet symmetric encryption on VPS temp files
- Automatic session timeout after 20 min idle
- Secure credential storage with hashing + salting
- Encrypted automated backups
Access Controls
- TOTP-based multi-factor authentication
- Role-based access control (RBAC)
- OAuth2 with 12 granular scopes
- API key tiers (free / pro / enterprise)
- Automatic account lockout policies
- Session timeout enforcement
Monitoring & Auditing
- SHA-256 hash chain audit trail on all actions
- Real-time security event monitoring
- Automated threat detection and alerting
- Vulnerability scanning across 70+ controls
- Tamper-proof per-NPI audit history
- Complete API request logging
Infrastructure
- Vercel Pro (edge network, DDoS protection)
- Hetzner CCX23 dedicated VPS for scanning
- Supabase (Postgres + Row-Level Security)
- Redundant systems for high availability
- US-based data processing only
- Disaster recovery procedures
Blockchain & Cryptographic Proof
Every compliance action is cryptographically signed and publicly verifiable.
Base L2 Blockchain Anchoring
A daily SHA-256 root hash of all compliance data is anchored on Base L2, creating a tamper-proof public record. Anyone can verify data integrity on-chain.
Ed25519 Signed Attestations
All reputation data -- grades, findings, scan timestamps -- is signed with Ed25519 elliptic-curve keys. Signatures are verifiable by any third party without trusting HIPAA Agent.
Per-NPI Hash Chain Audit Trail
Every action against a provider NPI (scan, grade change, finding update) is appended to a SHA-256 hash chain. Each entry references the previous hash, making retroactive edits impossible.
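The three mechanisms described above (the per-NPI hash chain, the Ed25519 signed reputation data, and the daily root hash that gets anchored) fit together in a small amount of code. The following Go program is an added illustration, not HIPAA Agent's own implementation: the entry schema, the JSON canonicalization, the sample NPI and timestamps, and the way chain heads are folded into a daily root are all assumptions made for the example. What it shows that the prose does not is the verification side: a third party recomputes every hash and back-reference to detect an edited entry, checks a signature with nothing but the public key, and recomputes the daily root from the chain heads.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// AuditEntry is one action on a provider's per-NPI chain (schema assumed for this example).
type AuditEntry struct {
	NPI      string `json:"npi"`
	Action   string `json:"action"` // scan, grade_change, finding_update
	Detail   string `json:"detail"`
	TS       string `json:"ts"`
	PrevHash string `json:"prev_hash"` // hex SHA-256 of the previous entry; "" for the first
	Hash     string `json:"hash"`      // hex SHA-256 over every field above
}

// entryHash hashes the canonical JSON of an entry with Hash blanked out.
func entryHash(e AuditEntry) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // fixed struct field order makes this deterministic
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links a new entry to the chain head by recording the previous hash.
func Append(chain []AuditEntry, npi, action, detail, ts string) []AuditEntry {
	prev := ""
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	e := AuditEntry{NPI: npi, Action: action, Detail: detail, TS: ts, PrevHash: prev}
	e.Hash = entryHash(e)
	return append(chain, e)
}

// VerifyChain recomputes every hash and back-reference and returns the index of the
// first inconsistent entry, or -1 if the chain is intact. Editing a stored entry
// changes its hash, which then no longer matches its successor's PrevHash.
func VerifyChain(chain []AuditEntry) int {
	prev := ""
	for i, e := range chain {
		if e.PrevHash != prev || entryHash(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// DailyRoot folds each NPI's chain head into one SHA-256 in sorted NPI order, so the
// single value published on-chain can be recomputed by anyone holding the chain heads.
func DailyRoot(heads map[string]string) string {
	npis := make([]string, 0, len(heads))
	for npi := range heads {
		npis = append(npis, npi)
	}
	sort.Strings(npis)
	h := sha256.New()
	for _, npi := range npis {
		h.Write([]byte(npi + ":" + heads[npi] + "\n"))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Attestation is the reputation data that gets signed (field set assumed for this example).
type Attestation struct {
	NPI       string `json:"npi"`
	Grade     string `json:"grade"`
	ChainHead string `json:"chain_head"`
	ScannedAt string `json:"scanned_at"`
}

func SignAttestation(priv ed25519.PrivateKey, a Attestation) []byte {
	msg, _ := json.Marshal(a)
	return ed25519.Sign(priv, msg)
}

// VerifyAttestation needs only the public key, not the issuer's cooperation.
func VerifyAttestation(pub ed25519.PublicKey, a Attestation, sig []byte) bool {
	msg, _ := json.Marshal(a)
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	// Constructed sample data: the NPI and timestamps are placeholders.
	chain := Append(nil, "1234567890", "scan", "72 controls evaluated", "2025-01-01T00:00:00Z")
	chain = Append(chain, "1234567890", "grade_change", "B -> A", "2025-01-02T00:00:00Z")
	tampered := append([]AuditEntry(nil), chain...)
	tampered[0].Detail = "edited after the fact"
	fmt.Println("intact:", VerifyChain(chain), "tampered:", VerifyChain(tampered)) // -1, 0
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a := Attestation{NPI: "1234567890", Grade: "A", ChainHead: chain[1].Hash, ScannedAt: chain[1].TS}
	sig := SignAttestation(priv, a)
	ok := VerifyAttestation(pub, a, sig)
	a.Grade = "A+"
	fmt.Println("signature valid:", ok, "after altering grade:", VerifyAttestation(pub, a, sig))
	fmt.Println("daily root:", DailyRoot(map[string]string{a.NPI: chain[1].Hash}))
}
```

Two design points worth noting: the attestation embeds the chain head, so a signed grade is bound to a specific audit history rather than floating free of it, and the daily root iterates NPIs in sorted order so that any verifier who reconstructs the same set of chain heads obtains the same root, independent of map iteration order.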
PHI Detection Layer
A real-time content filter prevents Protected Health Information from entering the system.
18 HIPAA Identifiers Scanned
Every inbound API request -- whether via MCP tools, A2A protocol, or REST -- is scanned for the 18 HIPAA-defined PHI identifiers (names, dates, SSNs, MRNs, email addresses, biometrics, etc.). Requests containing PHI are automatically rejected with a descriptive error and the event is logged for security review.
Developers can test payloads before integration using the public endpoint:
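As an added example of the kind of gate described above (this is not HIPAA Agent's filter, and it does not reproduce the public test endpoint), the Go program below checks a payload against a subset of the identifier classes, rejects it with an error that names the categories found, and emits an audit line for security review. The regex patterns, category names, log format and sample payloads are all assumptions constructed for the example. The one practitioner detail it adds to the prose: neither the error returned to the caller nor the log line contains the matched values, so the rejection path itself does not persist PHI.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Rule is one PHI identifier class. Only a subset of the 18 HIPAA identifiers is
// covered here, and the patterns are illustrative assumptions, not the product's.
type Rule struct {
	Category string
	Re       *regexp.Regexp
}

var rules = []Rule{
	{"ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"email", regexp.MustCompile(`\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b`)},
	{"phone", regexp.MustCompile(`(?:\(\d{3}\)|\b\d{3})[-.\s]\d{3}[-.\s]\d{4}\b`)},
	{"date", regexp.MustCompile(`\b\d{1,2}/\d{1,2}/\d{4}\b`)},
	{"mrn", regexp.MustCompile(`(?i)\bMRN\s*[:#]?\s*\d{5,}\b`)},
}

// Detect returns the sorted, de-duplicated identifier categories present in a payload.
func Detect(payload string) []string {
	seen := map[string]bool{}
	for _, r := range rules {
		if r.Re.MatchString(payload) {
			seen[r.Category] = true
		}
	}
	cats := make([]string, 0, len(seen))
	for c := range seen {
		cats = append(cats, c)
	}
	sort.Strings(cats)
	return cats
}

// Decision is the gate's outcome: a descriptive error for the caller and an audit
// line for security review. Neither includes the matched values.
type Decision struct {
	Allowed  bool
	Error    string
	AuditLog string
}

// Gate runs the filter on one inbound request body from the named source (mcp, a2a, rest).
func Gate(source, payload string) Decision {
	cats := Detect(payload)
	if len(cats) == 0 {
		return Decision{Allowed: true}
	}
	joined := strings.Join(cats, ",")
	return Decision{
		Allowed:  false,
		Error:    fmt.Sprintf("request rejected: payload contains PHI identifiers (%s); remove them and retry", joined),
		AuditLog: fmt.Sprintf("phi_reject source=%s categories=%s payload_bytes=%d", source, joined, len(payload)),
	}
}

func main() {
	// Constructed sample payloads; no real data.
	clean := `{"tool":"scan_domain","domain":"example-clinic.test"}`
	dirty := `{"note":"Pt John Q, MRN 0048213, SSN 123-45-6789, seen 03/14/2024"}`
	for _, p := range []string{clean, dirty} {
		d := Gate("mcp", p)
		fmt.Printf("allowed=%v error=%q log=%q\n", d.Allowed, d.Error, d.AuditLog)
	}
}
```

Pattern matching of this kind catches structured identifiers (SSNs, MRNs, dates, contact details) but not free-text names or geographic subdivisions, so a production filter layers additional methods on top; the structure of the gate, reject with categories only and log without values, stays the same.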
Proactive Cybersecurity Protection
Go beyond compliance. Enterprise-grade cybersecurity tools built specifically for healthcare practices.
Dark Web Monitoring
Continuous scanning of dark web forums, marketplaces, and paste sites for your practice's compromised credentials and patient data.
Real-Time Threat Intelligence
Live threat feeds from CISA, HHS HC3, and industry sources. Get alerted to healthcare-targeted ransomware, phishing, and zero-day vulnerabilities.
Breach Probability Scoring
Automated analysis of your security posture to calculate your practice's breach likelihood. Understand your risk and what to fix first.
Ransomware Response Playbook
Customized incident response plans designed for ransomware attacks on healthcare practices. Know exactly what to do in a crisis.
Vendor Risk Assessment
Evaluate the cybersecurity posture of your EHR vendors, cloud providers, and business associates. Identify supply chain risks before they become breaches.
Cyber Insurance Readiness
Generate the documentation and evidence cyber insurers require. Reduce premiums by demonstrating strong security controls and incident response capabilities.
Incident Response Planning
Comprehensive plans covering detection, containment, eradication, recovery, and lessons learned for healthcare-specific scenarios.
Business Associate Agreement
As a HIPAA-compliant platform, we provide a Business Associate Agreement (BAA) to every customer. This legally binds Sentinel Health Compliance to protect your data with the same standards you are required to maintain.
- BAA included with all plans at no extra cost
- Signed electronically during onboarding
- Meets all OCR requirements for business associates
OCR Audit Readiness
The HHS Office for Civil Rights (OCR) conducts audits of covered entities to ensure HIPAA compliance. HIPAA Agent keeps you prepared at all times with built-in audit readiness tools that map directly to OCR audit protocols.
AI Privacy Commitment
Our AI features are designed with privacy-first principles. Your data is never used to train models.
No Training on Your Data
Your data is never used to train or improve AI models. Period. All inference uses isolated, stateless requests.
Isolated Processing
Each AI query is processed in isolation with no data persistence. Context is discarded after response generation.
Audit Logging
Every AI interaction is logged in our hash chain audit trail for compliance and transparency.
Ready to Secure Your Practice?
Deploy enterprise-grade security infrastructure built for healthcare. Free HIPAA Agent Compliance Score™ available -- no credit card required.