Enterprise hospice procurement asks one question: "Send your security overview." This is that document — with links, not fluff.
CareNoteIQ operates as a Business Associate under HIPAA. We sign BAAs with every covered entity we serve, binding ourselves to the full HIPAA Security Rule as both a contractual obligation and direct regulatory liability.
Signed BAA flow is live. Request a BAA →
| Safeguard Category | What CareNoteIQ Implements |
|---|---|
| Administrative | Privacy/Security Officer designation, workforce training, incident response plan, annual risk analysis, vendor management with BAA flow-down to all subprocessors |
| Physical | Colocation in US-based Render facilities with biometric access, power redundancy, fire suppression, and environmental controls per facility specifications |
| Technical | Unique user IDs, RBAC, audit logging, encryption at rest and in transit, MFA enforcement, automatic session timeout, PHI access logging |
We use and disclose PHI only for treatment, payment, and healthcare operations as defined under 45 CFR §164.501. No PHI is sold, rented, or used for marketing. All workforce members with PHI access have signed confidentiality agreements and completed HIPAA training.
In the event of a breach of unsecured PHI, CareNoteIQ will notify the covered entity within 60 days of identification, consistent with the HIPAA Breach Notification Rule (45 CFR §§164.400–414). Notification includes: discovery date, scope of breach, types of PHI involved, and remediation steps taken.
CareNoteIQ maintains immutable audit logs for all access to and modification of Protected Health Information.
[ Audit log viewer screenshot — columns: User, Action, Patient, Document Type, Timestamp, IP ]
Patient identifiers redacted for display. Available on request under NDA.
All data is encrypted using industry-standard algorithms. Encryption is enforced at the infrastructure layer — it cannot be disabled by any user role.
| Layer | Standard | Implementation |
|---|---|---|
| Data at rest | AES-256 | PostgreSQL encryption via Supabase (US region); database-level encryption enabled |
| Data in transit | TLS 1.2+ | Auto-provisioned by Render; TLS 1.3 preferred; no fallback to earlier versions |
| Credentials | bcrypt + salt | User passwords hashed with bcrypt (cost factor 12); salt stored per-user; no plaintext storage ever |
| Session tokens | HTTP-only, Secure cookie | Session tokens stored in HTTP-only Secure cookies; no token stored in localStorage or URL; 8-hour expiration with sliding refresh |
Role assignment is tied to job function. No role grants broader access than necessary for clinical care delivery. All role checks are enforced server-side on every API call.
| Role | Admission Notes | Clinical Notes | HCTI / Recert | Plan of Care | Med Profile | IDG / Care Plan | Analytics | Admin Settings | User Mgmt |
|---|---|---|---|---|---|---|---|---|---|
| Developer | — | — | — | — | — | — | — | View | — |
| Superadmin | Full | Full | Full | Full | Full | Full | Full | Full | Full |
| Physician | — | View | Create/Sign | — | View | — | — | — | — |
| NP | Full | Full | Draft | View | Edit | View | — | — | — |
| RN | Full | Full | — | — | Edit | — | — | — | — |
| MSW | — | Own only | — | — | — | — | — | — | — |
| Chaplain | — | Own only | — | — | — | — | — | — | — |
| Aide | — | Visit notes | — | — | — | — | — | — | — |
CareNoteIQ is built on a US-based infrastructure stack with clear data handling boundaries.
| Component | Provider | Region | HIPAA Status |
|---|---|---|---|
| Application hosting | Render | US (Virginia) | ✓ BAA signed |
| Primary database | Supabase (PostgreSQL) | US East | ✓ BAA signed |
| Email delivery | Postmark | US | ✓ BAA signed |
| AI model providers | OpenAI / Anthropic | US | No PHI transmitted |
| DNS / CDN | Render edge | US | No PHI |
CareNoteIQ explicitly filters PHI from application and infrastructure logs. Patient names, MRNs, clinical content, and any field mapping to a patient record are excluded from log output at the application layer. Log entries capture metadata (action type, record type, user) but never patient content.
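One way to implement the application-layer filtering described above, as an added example that is not CareNoteIQ's code; the key names, the MRN pattern and the sample event are assumptions constructed for illustration. Keys are allowlisted (deny by default) rather than denylisted, so a field nobody thought to name cannot reach the log:

```python
import json
import re

# Deny-by-default allowlist of keys that may reach a log line. Key names are
# assumptions for this example, not CareNoteIQ's real log schema.
ALLOWED_KEYS = {"action", "record_type", "user_id", "request_id",
                "status", "timestamp", "context"}
# Second line of defence on allowlisted free text: a constructed pattern for
# MRN-shaped tokens, so an identifier pasted into a status message cannot leak.
MRN_SHAPED = re.compile(r"\bMRN[-\s]?\d{4,}\b", re.IGNORECASE)

def sanitize(entry: dict) -> tuple[dict, int]:
    """Return (sanitised copy, count dropped/redacted). Keys outside the
    allowlist are dropped with their subtree; dicts under permitted keys are
    walked so a nested patient object is still stripped."""
    kept, dropped = {}, 0
    for key, value in entry.items():
        if key not in ALLOWED_KEYS:
            dropped += 1                      # patient fields, clinical text
        elif isinstance(value, dict):
            inner, n = sanitize(value)
            kept[key], dropped = inner, dropped + n
        elif isinstance(value, str) and MRN_SHAPED.search(value):
            kept[key] = MRN_SHAPED.sub("[redacted]", value)
            dropped += 1
        else:
            kept[key] = value
    return kept, dropped

def audit_line(entry: dict) -> str:
    """Serialise one log line; the drop count stays as metadata so reviewers
    can see the filter working without seeing what it removed."""
    kept, dropped = sanitize(entry)
    kept["dropped_fields"] = dropped
    return json.dumps(kept, sort_keys=True)

# Constructed sample of what an over-eager handler might pass to the logger.
SAMPLE_EVENT = {
    "action": "document.update",
    "record_type": "clinical_note",
    "user_id": "u-1042",
    "timestamp": "2024-03-01T14:22:08Z",
    "patient_name": "Jane Example",                # dropped
    "mrn": "MRN-00012345",                         # dropped
    "narrative": "Pt reports increased dyspnea.",  # dropped
    "context": {"request_id": "req-7f3a", "patient": {"dob": "1940-01-01"}},
    "status": "ok, note for MRN 00012345",         # token redacted in place
}
```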
Clear answers to the questions procurement always asks.
| Topic | Policy |
|---|---|
| Data residency | All data stored and processed exclusively in US-based infrastructure. No cross-border transfer. |
| Data export | Any authorized clinician can export patient data via CSV export in the Analytics Dashboard — already shipped. Formal export requests fulfilled within 5 business days. |
| Data deletion | Upon contract termination, all ePHI deleted within 30 days. Deletion confirmation certificate provided on request. |
| Minimum necessary | Every data access request is scoped to the minimum dataset required for the operation, enforced at the API layer. |
CareNoteIQ does not use PHI, clinical notes, or any patient-derived data to train, fine-tune, or improve AI models. No PHI is transmitted to AI providers. All AI processing uses de-identified or synthetic data. BAAs with AI subprocessors are not required because PHI never leaves the HIPAA-covered environment before AI processing.
CareNoteIQ is designed to support hospice agencies during CMS surveys, state audits, and internal compliance reviews.
The built-in Compliance Dashboard tracks overdue items across every CMS Condition of Participation in real time:
| CoP Section | CareNoteIQ Module |
|---|---|
| §418.54 | Comprehensive Assessment (HOPE V1.00, iQIES XML export) |
| §418.56 | Plan of Care with IDG ownership and version tracking |
| §418.58 | Quality Assessment and Performance Improvement (QAPI) |
| §418.64 | Bereavement Services (7-factor risk assessment, 13-month plan) |
| §418.72 | Patient Rights (DNR/POLST upload, grievance intake, state hotline disclosure) |
| §418.76 | Hospice Aide and Homemaker Services (visit tracker, supervisory alerts) |
All clinical notes, HCTI narratives, and compliance records can be exported as PDF directly from the application — no export tool or developer access required. PDFs include document type, author, date, and digital signature status.
A live 0–100 composite score computed from 13 weighted compliance domains. Green (≥90) means survey ready. Amber (75–89) means gaps to address. Red (<75) means immediate attention required.
CareNoteIQ maintains BAAs with all subprocessors who access, process, or store ePHI. AI model providers (OpenAI, Anthropic) do not receive PHI — no BAA is required. Subprocessors are reviewed quarterly.
| Subprocessor | Service | BAA Status | Data Accessed |
|---|---|---|---|
| Render | Application hosting, TLS | ✓ Signed | Application code, session data; no PHI in logs |
| Supabase (PostgreSQL) | Primary database | ✓ Signed | All ePHI stored in database |
| Postmark | Transactional email | ✓ Signed | Recipient email addresses; no clinical content |
| OpenAI | AI text generation (HCTI drafts) | No PHI transmitted | De-identified/synthetic data only; PHI does not leave the HIPAA-covered environment before AI processing |
| Anthropic | AI narrative drafting | No PHI transmitted | De-identified/synthetic data only; PHI does not leave the HIPAA-covered environment before AI processing |
CareNoteIQ's architecture ensures PHI is processed and de-identified within the covered environment before any data is sent to external AI model providers.
We take security seriously and welcome responsible disclosure. No bug bounty program yet — just a real human who responds.
security@carenoteiq.polsia.app
Scope: the CareNoteIQ production environment and all first-party code. We do not accept reports for third-party libraries, CDN infrastructure, or end-user devices.
We will not claim certifications we do not have. This page is updated when certifications are achieved, not when planned.
| Certification | Status | Target |
|---|---|---|
| HITRUST | Under evaluation | No target date set |
| Annual Risk Analysis | Active | Completed annually |
If your procurement process requires a specific certification not listed here, reach out: security@carenoteiq.polsia.app
Enterprise procurement asks the same five questions. Here are the answers.