🛡️ Compliance & Security

HIPAA Compliance Statement

Audit Sentinel AI is engineered so that protected health information never reaches our AI models, our database, or any third party. Here’s exactly how — and why it matters for your organization.

auditsentinel.ai
Last updated: April 2026
Version 1.0
01 — Our Approach

PHI-Safe-by-Design, Not Just Compliant-by-Checklist

Most platforms that handle clinical data ask you to trust their security controls. Audit Sentinel AI takes a fundamentally different approach: we engineered the system so that protected health information (PHI) is removed before it ever reaches our infrastructure.

We call this PHI-safe-by-design. Rather than storing PHI and relying on access controls to protect it, our architecture ensures that patient-identifiable information never enters our database, our AI models, or any third-party processor. The strongest protection against a PHI breach is not having PHI in the first place.

The Bottom Line: We don’t need to know who your patients are to audit your coding. Our AI analyzes de-identified clinical text — the medical narrative, stripped of every patient identifier — and that’s all it needs to evaluate documentation sufficiency, code accuracy, and compliance risk.

02 — The De-Identification Pipeline

How Clinical Notes Are Processed

Every clinical note submitted to Audit Sentinel AI passes through a mandatory de-identification step — Pass 1 of our AI pipeline — before any coding analysis begins. This is not optional, not configurable, and not bypassable. It runs on every note, every time.

  • Input: you paste a clinical note. The raw note exists only in your active browser session.
  • Pass 1: HIPAA Safe Harbor De-ID. All 18 PHI identifiers are replaced with [PLACEHOLDERS].
  • Analysis: AI Coding Audit. The de-identified text is analyzed by Google Vertex AI (Gemini).

The HIPAA Safe Harbor Method

Our de-identification follows the Safe Harbor method defined at 45 CFR § 164.514(b)(2). The following 18 categories of identifiers are detected and replaced with standardized, bracketed placeholders before the note leaves your session context:

Names · Geographic data smaller than a state · All dates (except year) related to an individual · Telephone numbers · Fax numbers · Email addresses · Social Security numbers · Medical record numbers · Health plan beneficiary numbers · Account numbers · Certificate and license numbers · Vehicle identifiers · Device identifiers · Web URLs · IP addresses · Biometric identifiers · Full-face photographs · Any other unique identifying number, characteristic, or code.

What the AI actually sees: A clinical narrative where “[PATIENT_NAME] is a [AGE]-year-old [GENDER] presenting with…” replaces any identifiable content. The clinical meaning is preserved. The patient’s identity is not.
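As an added illustration of the Pass 1 step described above (example code written for this page, not Audit Sentinel AI's own pipeline, whose detection rules are not published here), the following Python sketch replaces a subset of the Safe Harbor identifier categories with bracketed placeholders using regular expressions, then runs an independent "known identifiers" check so that a note is never handed to an analysis model while any identifier it was supposed to remove is still present. The sample note, the patient details in it, and the rule set are all constructed for this example; production name detection would need a proper NER model rather than the simplistic `Patient:` anchor assumed here.

```python
import re

# Constructed sample note with fictional identifiers (not from the page).
SAMPLE_NOTE = (
    "Patient: John Q. Public, MRN 00482913, DOB 03/14/1961. "
    "Seen on 2024-11-02 for follow-up. Phone 555-867-5309, "
    "email jpublic@example.com, SSN 123-45-6789. "
    "63-year-old male presenting with chest pain. "
    "Portal login from 192.168.4.22; see https://portal.example.org/visit/77."
)

# Ordered (placeholder, pattern) rules covering several of the 18 Safe Harbor
# categories. Order matters: specific formats (SSN, MRN, email, URL) run
# before looser numeric ones so a value is never half-consumed by a broader rule.
# These patterns are illustrative assumptions, not an exhaustive detector.
RULES = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("MRN", re.compile(r"\bMRN\s*:?\s*\d{6,}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("URL", re.compile(r"https?://[\w/-]+(?:\.[\w/-]+)*")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("PHONE", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    # Safe Harbor permits keeping the year; this sketch drops the whole date
    # for simplicity.
    ("DATE", re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b")),
    ("AGE", re.compile(r"\b\d{1,3}(?=-year-old\b)")),
    # Hypothetical name rule: only catches a name right after "Patient: ".
    ("PATIENT_NAME", re.compile(r"(?<=Patient: )[A-Z][a-z]+(?: [A-Z]\.)?(?: [A-Z][a-z]+)+")),
]


def deidentify(note: str) -> tuple[str, dict[str, int]]:
    """Apply every rule in order; return the scrubbed text and per-category counts."""
    counts: dict[str, int] = {}
    for tag, pattern in RULES:
        note, n = pattern.subn(f"[{tag}]", note)
        if n:
            counts[tag] = n
    return note, counts


def residual_identifiers(scrubbed: str, known_identifiers: list[str]) -> list[str]:
    """Independent check: identifiers taken from the structured record (name, MRN,
    DOB) must not survive in the scrubbed text. Returns the ones that do."""
    lowered = scrubbed.lower()
    return [k for k in known_identifiers if k.lower() in lowered]


def prepare_for_analysis(note: str, known_identifiers: list[str]) -> tuple[str, dict[str, int]]:
    """Fail-closed gate: only a note that passes the residual check may leave the session.
    The error deliberately reports a count, not the values, so PHI never lands in logs."""
    scrubbed, counts = deidentify(note)
    leftovers = residual_identifiers(scrubbed, known_identifiers)
    if leftovers:
        raise ValueError(f"de-identification incomplete: {len(leftovers)} identifier(s) remain")
    return scrubbed, counts


if __name__ == "__main__":
    text, stats = prepare_for_analysis(
        SAMPLE_NOTE, ["John Q. Public", "00482913", "03/14/1961"]
    )
    print(text)
    print(stats)
```

The residual check is the part worth copying: regex substitution alone is only as good as its patterns, so the gate compares the output against identifiers the calling system already knows from the structured record and refuses to forward the note if any of them survive, which is what makes the step "not bypassable" in practice rather than by policy.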

03 — Data Handling

What We Store vs. What We Never Store

Transparency requires specificity. Here is exactly what our database contains — and what it does not.

Stored in Our Database

  • De-identified clinical note (after PHI scrub)
  • Audit report (structured JSON)
  • Numeric accuracy grade
  • Submitted CPT / ICD-10 codes
  • Encounter type
  • Timestamp
  • WordPress user ID (numeric only)

Never Stored — By Design

  • Raw / original clinical notes
  • Patient names
  • Dates of birth
  • Social Security numbers
  • Medical record numbers (MRNs)
  • Health plan beneficiary numbers
  • Any of the 18 HIPAA identifiers
  • Credit card or banking data

Account Data

WordPress user accounts store your name, email address, subscription plan, and audit usage count. This is standard account data — not clinical data and not PHI.

Payment Processing

All payment processing is handled by Stripe (integrated via ProfilePress). Your credit card number, CVV, and billing details are transmitted directly to Stripe’s PCI DSS Level 1-certified infrastructure. Audit Sentinel AI does not store, process, or have access to your payment credentials.

Advertising and Tracking

No third-party advertising or analytics trackers. There is no Google Analytics, no Facebook Pixel, no behavioral tracking, and no marketing pixels on this platform. We use only essential cookies required for session management and security (CSRF protection).

04 — AI Processing

Google Vertex AI (Gemini)

What Google receives: Only the de-identified clinical text (with all 18 PHI identifiers replaced by placeholders), the CPT/ICD-10 codes you submitted, and the encounter type. Google does not receive patient names, dates of birth, SSNs, MRNs, or any other direct identifier.

Google’s data commitments: Our use of Vertex AI is governed by Google Cloud’s Data Processing Agreement (DPA). Under this agreement, Google does not use customer data submitted through Vertex AI to train or improve its general-purpose models. Data is processed with encryption in transit (TLS 1.2+) and at rest (AES-256).

Google Cloud certifications: SOC 1, SOC 2, SOC 3 · ISO 27001, 27017, 27018 · HIPAA compliance certification.

Additional detail is available at cloud.google.com/terms/data-processing-addendum.


05 — HIPAA Position

Our HIPAA Position Statement

Classification

Audit Sentinel AI is not a HIPAA Covered Entity in the traditional regulatory sense. We do not provide healthcare treatment, do not process health insurance claims, and do not operate as a healthcare clearinghouse. We do not store, transmit, or maintain protected health information (PHI) as defined under 45 CFR § 160.103.

Why This Matters

The data we store — de-identified clinical text with standardized placeholder tokens — does not meet the regulatory definition of PHI because it cannot be used, alone or in combination with other reasonably available information, to identify an individual patient. Under the HIPAA Privacy Rule, information de-identified in accordance with 45 CFR § 164.514(b) is no longer subject to the Privacy Rule’s protections.

To be clear: We are not claiming a HIPAA exemption as a reason to lower our standards. We are stating that our architecture renders the HIPAA PHI requirements inapplicable to our stored data — and we hold ourselves to rigorous security standards regardless. PHI-safe-by-design means we eliminated the risk at the source, not that we ignore it.

Your HIPAA Obligations

Audit Sentinel AI is designed to integrate into your HIPAA-compliant workflows without creating additional compliance risk. Because de-identification occurs before data leaves your session, the platform supports your obligation to apply the minimum necessary standard to PHI disclosure.


06 — Business Associate Agreements

BAA Availability

While our de-identification architecture means that a BAA may not be strictly required for standard platform use, we understand that many healthcare organizations require a BAA as part of their vendor onboarding program.

For customers on the Scale plan or enterprise engagements who require a formal Business Associate Agreement, Audit Sentinel AI offers a BAA upon request. Contact us at hello@auditsentinel.ai with subject line “BAA REQUEST” to initiate this process.


07 — Security Measures

Technical Safeguards

  • TLS 1.2+ in transit
  • AES-256 at rest
  • MFA + RBAC access
  • Zero PHI at rest

Encryption in transit: All data between your browser and our servers is encrypted using TLS 1.2 or higher. API calls to Google Vertex AI are encrypted under the same standard.

Encryption at rest: All stored data — including de-identified audit records and account information — is encrypted using AES-256.

Access controls: Access to production infrastructure is restricted to authorized personnel using multi-factor authentication and role-based access controls on a least-privilege basis.

Incident response: We maintain an incident response plan for identifying, containing, and remediating security events. In the event of a security incident affecting user data, we will notify affected users in accordance with applicable law.

Architectural security: Because raw PHI is never written to our systems, the primary risk vector in healthcare data breaches — exfiltration of identifiable patient records — does not apply to our stored data.


08 — Data Retention & Your Rights

Retention, Deletion, and Your Rights

Audit records: De-identified audit records are retained for the duration of your active subscription. Cancelled accounts are purged within 90 days.

Account data: Retained for the duration of your active account and a reasonable period after cancellation for financial record-keeping compliance.

Deletion requests: You may request deletion of your audit history and/or your account at any time. We will fulfill verified requests within 30 calendar days and confirm completion in writing.

Data that never requires deletion: Raw clinical notes containing patient identifiers are never stored. There is nothing to delete because there is nothing to retain.

Your rights: You may request access to, correction of, or deletion of your personal data at any time by contacting hello@auditsentinel.ai.


09 — For Compliance Officers

Executive Summary for Vendor Review

If you are evaluating Audit Sentinel AI as part of your organization’s vendor compliance review, here are the key facts your team needs:

Platform Facts

  • PHI de-identified before AI processing
  • HIPAA Safe Harbor method (18 identifiers)
  • No raw clinical notes stored
  • No patient identifiers in database
  • Google Vertex AI — DPA in place
  • Stripe PCI DSS L1 for payments
  • Zero advertising / analytics trackers

Available Upon Request

  • Business Associate Agreement (Scale plan)
  • De-identification methodology documentation
  • Security architecture overview
  • Data processing inventory
  • Incident response plan summary
  • Google Cloud DPA reference
  • Stripe PCI compliance attestation

10 — Contact

Questions? We’re Here.

If you have questions about this statement, need to request a BAA, or want to discuss our architecture with your compliance team:

Email: hello@auditsentinel.ai
Website: auditsentinel.ai
Response time: We respond to compliance and privacy inquiries within 5 business days. Include “COMPLIANCE” in your subject line for priority handling.

This HIPAA Compliance Statement is provided for informational purposes and does not constitute legal advice. Organizations should consult qualified legal counsel for compliance guidance specific to their operations.