Trust & legal
What Sift Health is, in plain language.
Draft pending legal review. This page is a good-faith statement of how we operate. It will be reviewed by qualified counsel before launch, and is not itself legal advice. The structured disclaimer below is the canonical fallback copy returned with every report.
The disclaimer
Sift Health is an automated scanner that identifies publicly observable risk indicators on healthcare websites. It is not a HIPAA compliance audit, certification, or legal determination. Compliance depends on administrative, physical, and technical safeguards that no external scan can observe. Consult qualified counsel for compliance advice.
To expand on that: true HIPAA compliance is the product of administrative, physical, and technical safeguards — workforce training, access management, business associate agreements, audit logging, incident response, and more. None of those are visible from outside a website, so no external scan can determine compliance. Sift Health looks only at the publicly observable surface and tells you where the risk indicators are. Treat the result as a prioritized to-do list, and bring genuine compliance questions to qualified counsel.
Scanning scope
Sift Health is deliberately conservative about what it touches. The scope below is a hard boundary, not a setting.
- Public pages only: Sift Health requests the same publicly accessible pages any visitor or search-engine crawler can already reach. It never authenticates, never accesses anything behind a login, and never attempts to.
- Passive only: All requests are standard crawler-equivalent GET/HEAD requests. There is no brute forcing, no credential testing, no auth-bypass attempts — nothing that could be construed as intrusion or penetration testing.
- Bounded crawl: A scan reads robots.txt and the sitemap, probes a curated list of patient-facing paths, and stops at roughly 15–20 pages.
- Well-known paths only: Infrastructure-hygiene checks are limited to a small list of well-known files and directories (for example /.git/HEAD or /.env) — the same paths routine security scanners and bots already probe across the web.
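As an added illustration (not Sift Health's own code), here is how the boundaries above can be enforced in code rather than left as a setting: GET/HEAD only, same host only, robots.txt respected, and a hard page budget. The clinic site, its robots.txt and the candidate paths are constructed sample input, and the user-agent name is an assumption.

```python
from urllib import robotparser
from urllib.parse import urljoin, urlparse

ALLOWED_METHODS = {"GET", "HEAD"}  # passive, crawler-equivalent requests only
PAGE_CAP = 20                      # a scan stops at roughly 15-20 pages
USER_AGENT = "SiftHealthBot"       # assumed name, not the product's real user agent

# Constructed sample input for a fictional clinic site (not real data).
SAMPLE_BASE = "https://clinic.example"
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /patient-portal/\nDisallow: /admin/\n"
SAMPLE_CANDIDATES = [
    "/", "/services", "/patient-portal/login", "/.git/HEAD", "/.env",
    "https://tracker.example.net/pixel.js",  # third-party host: noted, never crawled
    "https://user:pw@clinic.example/",       # credentials in a URL are never followed
    "/services", "/contact",                 # a duplicate, then one over the budget
]

class ScopeError(Exception):
    """Raised when code tries to use a request method the scope forbids."""

def request_allowed(method):
    """Gate for every outgoing request: anything but GET/HEAD is a scope violation."""
    if method.upper() not in ALLOWED_METHODS:
        raise ScopeError(f"{method} is outside the passive-only scope")
    return True

def plan_scan(base_url, robots_txt, candidates, page_cap=PAGE_CAP):
    """Return (fetch, skipped): in-scope URLs capped at page_cap, plus (url, reason) exclusions."""
    host = urlparse(base_url).hostname
    robots = robotparser.RobotFileParser()
    robots.parse(robots_txt.splitlines())
    robots.modified()  # can_fetch() answers False for an unread parser; harmless if parse() set it
    fetch, skipped = [], []
    for cand in candidates:
        url = urljoin(base_url, cand)
        p = urlparse(url)
        if p.username is not None:
            skipped.append((url, "credentials in URL"))
        elif p.scheme not in ("http", "https") or p.hostname != host:
            skipped.append((url, "off-host"))
        elif not robots.can_fetch(USER_AGENT, url):
            skipped.append((url, "disallowed by robots.txt"))
        elif url in fetch:
            skipped.append((url, "duplicate"))
        elif len(fetch) >= page_cap:
            skipped.append((url, "page budget exhausted"))
        else:
            fetch.append(url)
    return fetch, skipped
```

Calling plan_scan(SAMPLE_BASE, SAMPLE_ROBOTS, SAMPLE_CANDIDATES, page_cap=4) yields four in-scope URLs and a reason for each of the five exclusions, which is the record a scan should keep to show it stayed inside its stated scope.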
Data handling & retention
We record observations about websites, not patient data. Here's what that means in practice.
- No PHI collected: Sift Health observes page-level facts — response headers, detected third-party scripts, form structure, certificate details. It is not designed to collect, and should not be sent, protected health information.
- Why we store results: Scan results and findings are retained so you can see score trends over time and so monitoring can diff a new scan against your baseline to detect changes.
- Contact messages: Messages sent through the contact form are relayed to our team for sales and support. They should never contain PHI.
- Retention after cancellation: If you cancel a subscription, your scan history remains exportable for a limited window (currently 90 days, draft) before removal on our retention schedule.
Responsible-use policy
Using Sift Health responsibly comes down to a few commitments.
- Scan only what you're authorized to: Scan sites you own or are engaged to assess. By verifying a domain for recurring monitoring, you represent that you're authorized to request scans of that site.
- Don't overstate the results: A Sift Health report identifies publicly observable risk indicators and recommends fixes. It is not a compliance certification. Presenting it as one — to a client, a regulator, or anyone else — is outside this policy.
- White-label the brand, not the disclaimer: Agency-tier white-labeling replaces the logo and colors on a report. The structured disclaimer remains, by design, on every report.
Questions?
Developers can read the condensed version in the docs. For anything else, write to us — just don’t send PHI through the contact form.