Trust & legal
The short, developer-facing version of how Sift Health behaves and what it does with data. The full, canonical statement lives on the trust page.
Draft pending legal review
These notes are a good-faith draft and will be reviewed by counsel before launch. They are not legal advice. For the authoritative version, see the full trust & legal page.
The disclaimer
Sift Health is an automated scanner that identifies publicly observable risk indicators on healthcare websites. It is not a HIPAA compliance audit, certification, or legal determination. Compliance depends on administrative, physical, and technical safeguards that no external scan can observe. Consult qualified counsel for compliance advice.
Scanning scope
- Public pages only. Sift Health requests the same publicly accessible pages any visitor or search-engine crawler can reach. It never logs in, bypasses authentication, or accesses anything behind a login.
- Passive only. Requests are standard-crawler-equivalent GET/HEAD requests. No brute forcing, no auth-bypass attempts, nothing construable as intrusion testing.
- Bounded. A scan crawls roughly 15–20 pages, prioritizing patient-facing paths, then stops.
- Well-known paths only for hygiene checks. Infrastructure checks touch a small list of well-known files (e.g. /.git/HEAD, /.env) — the same things any security scanner or bot already probes.
Data handling & retention
- Sift Health does not collect PHI. It records observations about pages — headers, detected scripts, form structure — not patient data.
- Scan results and findings are stored so you can see trends and so monitoring can diff against a baseline.
- Contact-form messages are relayed for sales/support and should never contain PHI.
- After cancellation, scan history remains exportable for a limited window (see the trust page), then is removed on the retention schedule.
Responsible use
- Scan only sites you own or are authorized to assess. Verifying a domain for monitoring is your representation that you're authorized.
- Don't present Sift Health results as a compliance certification or legal determination — they aren't, and the disclaimer says so.
- White-labeling changes the brand on a report, not the disclaimer.