HIPAA Compliance Statement
Last updated: March 18, 2026
SASH (Smart Assisted Housing) is committed to full compliance with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations, including the Privacy Rule, Security Rule, and Breach Notification Rule. As a provider of Remote Patient Monitoring (RPM) services integrated into affordable housing, we recognize our responsibility to protect the privacy and security of Protected Health Information (PHI).
This HIPAA Compliance Statement outlines how we safeguard your health information and your rights under HIPAA.
SASH operates as either a HIPAA Covered Entity or a Business Associate, depending on the context of our services:
- Covered Entity: When providing Remote Patient Monitoring services directly to residents and transmitting health information to healthcare providers for treatment purposes
- Business Associate: When processing PHI on behalf of healthcare providers, hospitals, or Medicare/Medicaid programs that refer patients to SASH homes
We maintain Business Associate Agreements (BAAs) with all healthcare partners and service providers who handle PHI on our behalf.
Protected Health Information includes any individually identifiable health information collected, used, or disclosed by SASH, including:
Health Data
- Vital signs (BP, heart rate, oxygen, temperature)
- Medical diagnoses and conditions
- Treatment plans and medications
- Lab results and test findings
- Fall detection and emergency alerts
- Medical device readings
Identifying Information
- Name, address, phone number
- Date of birth and age
- Social Security number
- Medical record numbers
- Health insurance information
- Device identifiers and IP addresses (when linked to health data)
Uses Without Your Authorization
HIPAA permits us to use and disclose your PHI without your written authorization for:
- Treatment: Sharing vital signs and health alerts with your physicians, nurses, and care team to coordinate your medical care
- Payment: Submitting claims to Medicare, Medicaid, or private insurance for RPM services and verifying coverage eligibility
- Healthcare Operations: Quality improvement, staff training, auditing, and program evaluation to enhance SASH services
- Public Health: Reporting communicable diseases, adverse drug events, or public health emergencies as required by law
- Health Oversight: Responding to audits, investigations, or inspections by government health agencies
- Legal Requirements: Complying with court orders, lawful subpoenas, and law enforcement requests, to the extent the disclosure is required or permitted by HIPAA and other applicable law
- Emergency Situations: Disclosing PHI to emergency responders when you are unable to consent due to a medical emergency
Uses Requiring Your Authorization
We will obtain your written authorization before using or disclosing your PHI for:
- Marketing communications about health products or services
- Sale of your PHI to third parties
- Psychotherapy notes (if applicable)
- Research studies (unless an IRB or Privacy Board waiver of authorization is obtained)
- Any other purpose not permitted under HIPAA without authorization
You may revoke your authorization at any time by submitting a written request to our HIPAA Privacy Officer.
Under HIPAA, you have the following rights regarding your PHI:
Right to Access
You have the right to inspect and obtain a copy of your PHI, including medical records, billing records, and RPM device data. We will respond to your request within 30 days (with one 30-day extension if needed).
Right to Amend
If you believe your PHI is incorrect or incomplete, you may request an amendment. We will respond within 60 days (with one 30-day extension if needed) and either make the amendment or provide a written explanation of denial.
Right to an Accounting of Disclosures
You may request a list of certain disclosures of your PHI made by SASH in the past six years (excluding disclosures for treatment, payment, healthcare operations, and disclosures you authorized).
Right to Request Restrictions
You may request restrictions on how we use or disclose your PHI. We are not required to agree to your request, except in cases where you pay out-of-pocket in full and request that we not disclose information to your health plan.
Right to Confidential Communications
You may request that we communicate with you about your PHI in a certain way or at a certain location (e.g., by phone instead of mail, or at work instead of home). We will accommodate reasonable requests.
Right to a Paper Copy of This Notice
You have the right to receive a paper copy of this HIPAA Compliance Statement at any time, even if you previously agreed to receive it electronically.
Right to Notification of Breach
You have the right to be notified if your unsecured PHI is breached. We will notify you without unreasonable delay, and in no case later than 60 days after discovering a breach affecting your information.
To exercise any of these rights, contact our HIPAA Privacy Officer using the information provided at the end of this statement.
We implement comprehensive administrative, physical, and technical safeguards to protect your PHI:
Administrative Safeguards
- Designated HIPAA Privacy Officer and Security Officer
- Workforce training on HIPAA policies and procedures
- Risk assessments and security audits conducted annually
- Business Associate Agreements with all vendors handling PHI
- Incident response and breach notification procedures
- Sanctions policy for workforce members who violate HIPAA
Physical Safeguards
- Secure data centers with restricted access controls
- Locked storage for paper records containing PHI
- Workstation security policies and device encryption
- Secure disposal of PHI (shredding, data wiping)
- Video surveillance and alarm systems at facilities
Technical Safeguards
- Encryption of PHI in transit (TLS 1.3)
- AES-256 encryption for PHI at rest
- Multi-factor authentication for system access
- Automatic logoff after periods of inactivity
- Audit logs tracking all PHI access and modifications
- Regular security patches and vulnerability scanning
- Firewall protection and intrusion detection systems
SASH adheres to the HIPAA "minimum necessary" standard, which requires us to limit the use, disclosure, and request of PHI to the minimum amount necessary to accomplish the intended purpose. We:
- Implement role-based access controls so workforce members can only access PHI needed for their job functions
- Share only relevant PHI with healthcare providers (e.g., vital signs alerts to physicians, not full housing records)
- De-identify or aggregate data whenever possible for research and quality improvement
- Review and update our minimum necessary policies annually
The minimum necessary standard does not apply to disclosures to healthcare providers for treatment purposes, disclosures to you, disclosures made under your written authorization, or disclosures required by law.
In the event of a breach of unsecured PHI, SASH will:
- Notify Affected Individuals: Without unreasonable delay, and no later than 60 days after discovering the breach, we will send written notification by first-class mail (or email if you previously agreed to electronic communication)
- Notify the Secretary of HHS: For breaches affecting 500 or more individuals, we will notify the Department of Health and Human Services at the same time we notify affected individuals, and no later than 60 days after discovery. For smaller breaches, we will report annually, within 60 days after the end of the calendar year in which the breach was discovered.
- Notify the Media: For breaches affecting more than 500 residents of a state or jurisdiction, we will notify prominent media outlets within 60 days
Breach notifications will include: description of the breach, types of PHI involved, steps you should take to protect yourself, what SASH is doing to investigate and mitigate harm, and contact information for questions.
In addition to your HIPAA rights, you may have additional privacy rights under the laws of the state or country where you live. SASH complies with the applicable privacy laws in the jurisdictions where we operate, including Illinois (United States), Ghana, and Botswana:
- Illinois: Biometric Information Privacy Act (BIPA) protections for biometric data (if applicable to RPM devices)
- Ghana: Data Protection Act, 2012 (Act 843) requirements for health data processing
- Botswana: Data Protection Act, 2018 requirements for health information security
Where state or national law provides greater privacy protections than HIPAA, we will comply with the stricter standard.
We reserve the right to change this HIPAA Compliance Statement and to make the revised statement effective for all PHI we maintain, including information created or received before the change. If we make material changes, we will:
- Post the updated notice on our website with a new effective date
- Provide written notice to all SASH residents
- Make the updated notice available at all SASH housing locations
If you believe your privacy rights have been violated, you have the right to file a complaint with:
SASH HIPAA Privacy Officer
Email: [email protected]
Phone: (555) 123-4567
Mail: SASH HIPAA Privacy Officer
123 Housing Boulevard
Champaign, IL 61820, USA
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: 1-877-696-6775
No Retaliation: You will not be penalized, retaliated against, or denied services for filing a complaint.
For questions about this HIPAA Compliance Statement, to exercise your rights, or to request a paper copy:
SASH HIPAA Privacy Officer
Email: [email protected]
Phone: (555) 123-4567
Fax: (555) 123-4568
Mail: SASH HIPAA Privacy Officer
123 Housing Boulevard
Champaign, IL 61820, USA
For general privacy inquiries not related to health information, contact [email protected].