Policy & Compliance Center

1. Introduction

Sentrix Solutions, LLC ("Sentrix," "we," "us," or "our") is committed to protecting the privacy and security of information entrusted to us. This Privacy Policy describes how we collect, use, disclose, store, and protect information when you:

• Visit our website at sentrix-solutions.com (the "Site")
• Use our Client Portal
• Engage our professional services for quality assurance, OASIS coding, Plan of Care review, chart QA, or ADR support
• Communicate with us via email, phone, or other channels

This Privacy Policy applies to prospective clients, current clients, website visitors, and any other individuals whose information we process. Because we provide services to covered entities in the healthcare industry, portions of this policy address our role as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA).

2. Information We Collect

2.1 Business Contact Information

When you inquire about or engage our services, we may collect:

• Name, job title, and professional credentials
• Business email address and phone number
• Agency name, address, and National Provider Identifier (NPI)
• Billing information (address, contact details for invoicing)
• Communications preferences

2.2 Website and Portal Usage Information

When you visit our Site or use the Client Portal, we automatically collect certain technical information:

• IP address, browser type, and operating system
• Pages visited, time spent, and referring URLs
• Session cookies and authentication tokens for portal access
• Device identifiers and screen resolution for responsive design
• Log files recording system activity, errors, and access attempts

2.3 Protected Health Information (PHI)

When we provide QA, coding, or compliance services under a signed Business Associate Agreement (BAA), we receive and create PHI, which may include:

• Patient demographic information (names, dates of birth, addresses, contact information)
• Medical record numbers and health plan beneficiary numbers
• Dates of service, admission, discharge, and certification periods
• Clinical assessment data (diagnoses, medications, vital signs, functional status)
• OASIS assessment forms and coding documentation
• Plan of Care documents, physician orders, and clinical notes
• Payment and billing codes (ICD-10, CPT, HCPCS)
• Any other individually identifiable health information necessary to perform contracted services

Important: We access PHI only when authorized by a valid BAA and only to the minimum extent necessary to deliver the agreed-upon services.

2.4 Payment Information

We use Stripe, a PCI-DSS compliant payment processor, to handle credit card and ACH transactions. We do not directly store full credit card numbers or bank account details. We retain transaction IDs, payment dates, amounts, and invoice records for accounting and dispute resolution.

3. How We Use Information

We use the information we collect for the following purposes:

3.1 Service Delivery

• Perform OASIS coding, quality assurance reviews, Plan of Care assessments, chart audits, and ADR support
• Communicate findings, recommendations, and deliverables
• Authenticate and authorize Client Portal access
• Coordinate with your staff on assignments, deadlines, and clarifications

3.2 Business Operations

• Process payments, generate invoices, and maintain financial records
• Respond to support inquiries and troubleshoot technical issues
• Maintain accurate client records and engagement histories
• Improve service quality through internal audits and process enhancements

3.3 Compliance and Legal Obligations

• Fulfill contractual commitments under service agreements and BAAs
• Comply with HIPAA, HITECH, state privacy laws, and regulatory reporting requirements
• Investigate and respond to security incidents, breaches, or suspected fraud
• Defend legal claims, cooperate with law enforcement, and respond to lawful process

3.4 Analytics and Improvement

• Analyze Site traffic patterns and user behavior (using aggregated, de-identified data)
• Test and optimize website performance, usability, and accessibility
• Develop new service offerings based on client needs and industry trends

Marketing: We do not use PHI for marketing purposes. Business contact information may be used to send service updates, compliance alerts, or educational content. You may opt out of non-essential communications at any time by emailing contact@sentrix-solutions.com.

4. How We Share Information

We do not sell, rent, or trade personal information or PHI. We share information only in the following limited circumstances:

4.1 With Your Authorization

We may share information when you explicitly request or consent, such as when coordinating with your vendors or consultants on your behalf.

4.2 Service Providers and Subcontractors

We engage carefully vetted third-party service providers to support our operations, including:

• Cloud infrastructure and hosting providers (subject to BAAs when handling PHI)
• Payment processors (Stripe) for transaction handling
• Email and communication platforms for client correspondence
• IT security and monitoring tools to protect data integrity
• Professional advisors (attorneys, accountants, auditors) bound by confidentiality obligations

All subcontractors handling PHI must sign Business Associate Agreements and agree to HIPAA-compliant safeguards.

4.3 Legal Requirements and Safety

We may disclose information when required or permitted by law, including:

• In response to subpoenas, court orders, or lawful government requests
• To comply with regulatory audits, investigations, or reporting obligations
• To prevent fraud, security threats, or harm to individuals or property
• In connection with HIPAA-permitted public health reporting or law enforcement purposes

4.4 Business Transfers

If Sentrix is involved in a merger, acquisition, reorganization, or sale of assets, information may be transferred to the successor entity, subject to continued privacy protections and HIPAA obligations.

5. Data Security

We implement administrative, physical, and technical safeguards designed to protect information against unauthorized access, loss, alteration, and disclosure:

5.1 Administrative Safeguards

• Documented policies and procedures governing data access, use, and disclosure
• Workforce training on HIPAA, data security, and incident response
• Role-based access controls limiting access to the minimum necessary information
• Regular risk assessments and security audits
• Sanctions policy for workforce members who violate privacy or security policies

5.2 Physical Safeguards

• Secure facilities with restricted access, surveillance, and visitor controls
• Workstation security measures, including screen locks and clean desk policies
• Secure storage and disposal of physical records containing sensitive information
• Device encryption and mobile device management for laptops, tablets, and phones

5.3 Technical Safeguards

• Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
• Multi-factor authentication (MFA) for Client Portal and internal system access
• Audit logging and monitoring to detect suspicious activity
• Firewall protection, intrusion detection, and vulnerability scanning
• Regular software patching and security updates
• Secure backup and disaster recovery procedures

No Security is Absolute: While we strive to protect your information using industry-standard practices, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but will promptly notify you and take corrective action if a breach occurs.

6. Data Retention

We retain information only as long as necessary to fulfill the purposes outlined in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce agreements:

• Business contact information: Retained for the duration of the business relationship and up to 7 years thereafter for compliance and recordkeeping purposes.
• PHI: Retained per the terms of the applicable BAA, typically for the period required by HIPAA regulations (minimum 6 years from creation or last use) or as specified by your agency's retention policy.
• Website logs and analytics: Retained for up to 2 years for security, troubleshooting, and service improvement.
• Payment records: Retained for 7 years in accordance with tax and accounting requirements.

Upon expiration of the retention period, we securely delete or anonymize information using methods consistent with industry best practices and regulatory requirements.

7. Your Rights and Choices

7.1 Access and Correction

You may request access to or correction of your business contact information by contacting us at contact@sentrix-solutions.com. For PHI, individual access and amendment requests are handled by the Covered Entity (your agency), and we will cooperate as required by our BAA.

7.2 Opt-Out of Communications

You may opt out of non-essential marketing or informational emails by clicking the "unsubscribe" link in any message or emailing contact@sentrix-solutions.com. Note that you cannot opt out of transactional messages related to active service engagements.

7.3 Cookies and Tracking

You can configure your browser to refuse cookies or alert you when cookies are being sent. However, some features of the Site or Client Portal may not function properly without cookies. We use session cookies for authentication and performance cookies to improve user experience. We do not use third-party advertising or tracking cookies.

7.4 HIPAA Rights for PHI

As a Business Associate, we support Covered Entities in fulfilling individual rights under HIPAA, including:

• Right of Access: We provide PHI in our possession to the Covered Entity upon request to facilitate patient access requests.
• Right to Amendment: We cooperate with the Covered Entity to amend PHI when instructed.
• Right to an Accounting of Disclosures: We maintain logs of PHI disclosures and provide accounting information to the Covered Entity upon request.
• Right to Restrict Use: We honor restrictions agreed upon by the Covered Entity and the individual, as communicated to us.

Patients should direct requests to exercise these rights to the Covered Entity (the home health agency), not to Sentrix directly.

8. State-Specific Privacy Rights

Certain states provide additional privacy rights to residents. If you are a California, Virginia, Colorado, Connecticut, or other state resident with applicable privacy laws, you may have rights such as:

• Right to know what personal information we collect, use, and disclose
• Right to request deletion of personal information (subject to legal and contractual exceptions)
• Right to opt out of the "sale" or "sharing" of personal information (we do not sell or share personal information)
• Right to non-discrimination for exercising privacy rights

To exercise these rights, contact us at contact@sentrix-solutions.com with "Privacy Rights Request" in the subject line. We will verify your identity and respond within the timeframe required by applicable law.

Note: PHI regulated by HIPAA is generally exempt from state privacy laws. For PHI-related requests, we coordinate with the Covered Entity as required by our BAA.

9. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at contact@sentrix-solutions.com so we can delete it.

10. Third-Party Links

Our Site may contain links to third-party websites, tools, or resources for your convenience. We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policies of any third-party sites you visit.

11. International Data Transfers

Sentrix operates in the United States and serves U.S.-based home health agencies. Our services and data storage are U.S.-based. If you access our Site or services from outside the United States, your information will be transferred to, stored, and processed in the United States in accordance with U.S. privacy laws.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations. We will post the updated policy on this page with a revised "Last Updated" date. Material changes will be communicated via email to active clients or through a prominent notice on our Site.

Your continued use of our services after changes become effective constitutes acceptance of the updated Privacy Policy. We encourage you to review this policy periodically.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our information practices, please contact us:

We are committed to working with you to resolve any privacy concerns fairly and promptly.