HIPAA Notice

Our Role Under HIPAA

Sentinel Compliance Command is a healthcare compliance management company that serves as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, including the HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164) and the HIPAA Security Rule.

As a Business Associate, we enter into a Business Associate Agreement (BAA) with each covered entity client prior to accessing, receiving, or maintaining any Protected Health Information (PHI) on their behalf. This notice describes our general approach to HIPAA compliance and our obligations as a Business Associate.

What Is Protected Health Information (PHI)?

PHI includes any information that relates to an individual's past, present, or future physical or mental health condition, the provision of healthcare to an individual, or the past, present, or future payment for healthcare services — if that information can reasonably be used to identify the individual. PHI includes information in any form: electronic (ePHI), written, or oral.

How Sentinel May Encounter PHI

In the course of providing compliance program management services — including policy maintenance, training coordination, vendor monitoring, and documentation management — Sentinel may incidentally access limited PHI in the form of:

• Incident reports or OSHA logs that reference staff members
• Vendor agreements that identify covered services or patient-related data flows
• Compliance documentation referencing practice operations

Sentinel does not store, process, or transmit patient records, clinical data, billing information, or any individually identifiable health information as part of our standard service delivery.

Our Obligations as a Business Associate

As a Business Associate, Sentinel Compliance Command is required to:

• Use and disclose PHI only as permitted by our Business Associate Agreement and applicable law
• Implement appropriate administrative, physical, and technical safeguards to protect ePHI
• Report any breach of unsecured PHI to the covered entity client within the timeframes required by the HIPAA Breach Notification Rule
• Ensure that any subcontractors or agents who access PHI on our behalf agree to the same restrictions and conditions
• Make our books and records available to the Secretary of Health and Human Services for purposes of determining compliance with HIPAA regulations

Security Safeguards

Sentinel Compliance Command maintains a written HIPAA Security program that includes:

• Risk analysis and risk management procedures
• Access controls limiting PHI access to authorized personnel only
• Workforce training on HIPAA Privacy and Security requirements
• Incident response and breach notification procedures
• Business Associate Agreements with all downstream vendors who may encounter PHI

No Sale of PHI

Sentinel Compliance Command does not sell, rent, license, or otherwise exchange Protected Health Information for remuneration. We do not use PHI for marketing purposes without explicit authorization from the covered entity and, where required, the individual.

Breach Notification

In the event of a breach of unsecured PHI, Sentinel Compliance Command will notify the affected covered entity client without unreasonable delay and no later than 60 days following discovery of the breach, in accordance with 45 C.F.R. § 164.410. Notification will include the information required under the HIPAA Breach Notification Rule to the extent available at the time of notification.

This Notice Is Not a Notice of Privacy Practices

This HIPAA Notice describes Sentinel Compliance Command's obligations and practices as a Business Associate. It is not a Notice of Privacy Practices under 45 C.F.R. § 164.520, which is a document required of covered entities (such as your healthcare practice). As a compliance management partner, Sentinel assists covered entity clients in maintaining their own Notice of Privacy Practices as part of our service delivery.

Questions and Contact

If you have questions about this notice or our HIPAA compliance practices, please contact us: