CareNoteIQ covers all 24 Medicare Hospice Conditions of Participation. HIPAA-compliant infrastructure, immutable audit logs, and a BAA executed before any PHI is enabled.
All 24 Conditions of Participation under 42 CFR Part 418. ✓ Shipped = live in the demo; ~ Partial = partially covered. Every regulation is enforced by in-app workflows, not just documentation.
| Regulation | Condition of Participation | CareNoteIQ Feature | Status |
|---|---|---|---|
| §418.52 | Patient Rights | Signed rights acknowledgments, advance directives vault (DNR/POLST/living will), grievance log with 14-day resolution clock, state hotline tracking | ✓ Shipped |
| §418.54 | Comprehensive Assessment | Initial ≤5-day + 15-day updates; 7 §418.54(c) sections; automated due-date alerts; sign/lock; IDG review link | ✓ Shipped |
| §418.56 | Plan of Care | Versioned POC with AI synthesis from clinical notes; problems list, goals, interventions, visit frequencies; IDG 15-day review cycle; immutable sign/lock | ✓ Shipped |
| §418.58 | QAPI Program | 9 seeded quality indicators; monthly auto-computation; PIPs with PDSA cycles; quarterly governing body review with dual sign-off; trend charts | ✓ Shipped |
| §418.60 | Infection Control | Infection trend tracking surfaced in the QAPI indicators dashboard; reportable disease tracking in compliance module | ~ Partial |
| §418.62 | Licensed Professional Services | NP face-to-face documentation; physician recertification narrative (AI-drafted); RN admission + visit notes; IDG attestation | ✓ Shipped |
| §418.64 | Core Services | Social worker psychosocial notes (6 sections + AI narrative); chaplain/spiritual care notes; bereavement risk assessment + 13-month contact schedule | ✓ Shipped |
| §418.66 | Nursing Services | RN admission assessment, visit notes, supervisory evaluations, NP face-to-face; all sign/lock with timestamp | ✓ Shipped |
| §418.68 | Counseling Services | Spiritual care (chaplain) and social work visit notes with structured counseling fields; grief counseling logged in bereavement contact records | ✓ Shipped |
| §418.70 | Short-term Inpatient Care | GIP justification log (5 CMS-approved symptoms; daily log; 5-day consecutive warning); LOC change orders with ordering physician | ✓ Shipped |
| §418.72 | Physical / OT / SLP Therapy | Therapy services tracked as visit frequency entries in the Plan of Care; discipline-specific visit notes on roadmap | ~ Partial |
| §418.74 | Waiver of Certain Conditions | Documented in Plan of Care waiver notes; physician order tracking | ~ Partial |
| §418.76 | Hospice Aide Services | Aide roster (CNA/HHA cert tracking); care plans; visit notes with vitals + care tasks; RN 14-day supervisory evaluations; 12 hr/yr in-service tracking; monthly quota alerts | ✓ Shipped |
| §418.78 | Volunteer Services | Volunteer roster; training tracker (HIPAA, infection control, etc.); hours log with direct/indirect patient care categorization; 5% ratio compliance; annual DON recruitment narrative | ✓ Shipped |
| §418.100 | Organization & Administration / Governing Body | Governing body roster; meeting minutes with MD evaluation + QAPI review flags; annual MD evaluation (5 scored sections); services under arrangement; hospice locations + org chart | ✓ Shipped |
| §418.102 | Medical Director | MD/DO designation (NPI, license, board cert, contract on file); physician designee coverage roster with active date ranges | ✓ Shipped |
| §418.104 | Clinical Records | Completeness tracking (7 required elements); AI-assisted transfer/discharge summaries; configurable retention policy (min 6 yr, default 7); authorized disclosure access log; daily expiry alerts | ✓ Shipped |
| §418.106 | Drugs & Biologicals | Active medication list; allergy/adverse reaction records; pharmacist drug regimen review per cert period; controlled substance count log + disposal records; polypharmacy flagging; med reconciliation events | ✓ Shipped |
| §418.108 | Short-term Inpatient (Contracted) | LOC periods tracking (RHC/CHC/GIP/IRC); CHC daily nursing/HHA hours threshold; GIP daily justification log; level-of-care billing tile | ✓ Shipped |
| §418.110 | Hospices Providing Inpatient Care | GIP documentation requirements covered via GIP justification log; symptom tracking; continuous LOC period management | ~ Partial |
| §418.112 | SNF/NF/ICF Coordination | Coordination notes tracked in clinical records; transfer/discharge summary module; facility contact documented in election statement | ~ Partial |
| §418.113 | Emergency Preparedness | All-hazards risk assessment; written EP plan (versioned); staff contact tree + patient notification protocols; annual training log; full-scale + tabletop exercise log; patient evacuation tiers; quarterly cron alerts | ✓ Shipped |
| §418.114 | Personnel Qualifications | Credential vault per staff member; OIG LEIE + SAM.gov monthly exclusion checks; license expiry alerts (60/30/7 days); staff competency assessments; onboarding checklist; professional references (3 per CHAP) | ✓ Shipped |
| CMS HOPE | HOPE Assessments (eff. Oct 2025) | CMS HOPE V1.00; 4 timepoints (Admission, HUV1, HUV2, Discharge); CMS-specified item codes; iQIES-compatible XML export; timeliness alerts | ✓ Shipped |
Every §164.312 specification is implemented in the platform. Access to PHI is blocked by default until a BAA is executed and the organization's phi_enabled flag is set by CareNoteIQ staff.
| §164.312 Spec | CareNoteIQ Implementation | Audit Evidence |
|---|---|---|
| §164.312(a)(1) Access Control | 8-role RBAC: Developer, Owner, Admin, DON, Physician, NP, RN, Social Worker, Chaplain, Hospice Aide, Office Staff. Every API endpoint enforces a role check via lib/rbac.js; PHI routes return 403 before the query executes. | Role assignment logged at user creation; access attempts logged to audit_logs with user_id, role, endpoint, IP, timestamp |
| §164.312(b) Audit Controls | Append-only audit_logs table: every PHI read, create, update, and delete event records user_id, patient_id, action, resource_type, IP address, timestamp. Uses a PostgreSQL bigserial PK; rows are never updated or deleted. | 2M+ events/year for active orgs; queryable in compliance dashboard by DON+; exportable for surveyor requests |
| §164.312(c)(1) Integrity | Immutable sign/lock pattern: clinical notes, POC, HOPE, IDG, and all care documents become immutable after signing; the signed_at / locked flags are set and any UPDATE to locked rows returns a 409 Conflict. Passwords use bcrypt (12 rounds). | locked=true check enforced in DB layer before every UPDATE; bcrypt hash verified against stored hash, plaintext never persisted |
| §164.312(d) Person/Entity Authentication | Session-based auth with idle timeout: login issues a cryptographically random session token (stored in an httpOnly cookie, 24h TTL, server-side session table). Idle timeout: 30 minutes. Password reset via 1h expiry token. Rate limited to 5 attempts / 15 min / IP. | sessions table indexed for fast lookup; expired sessions garbage-collected; MFA on roadmap (Q3 2026) |
| §164.312(e)(1) Transmission Security | TLS 1.2+ enforced by Render: all traffic served over HTTPS; HTTP requests upgrade to HTTPS at the load balancer. TLS certificates auto-provisioned and rotated by Render's managed certificate infrastructure. No plaintext PHI is ever transmitted. | HSTS header enforced; Render infrastructure enforces TLS minimum at the edge; certificate expiry monitored by Render |
| §164.312(a)(2)(i) Unique User ID | Per-user accounts only, no shared logins: every user account is individually provisioned with a unique email address. Shared credentials are blocked by a unique constraint on the users.email column. | All audit_logs entries carry the individual user_id; shared logins are architecturally impossible |
| §164.312(a)(2)(iii) Automatic Logoff | 30-minute idle session termination: inactivity beyond 30 minutes invalidates the server-side session and redirects to login. The session token cookie becomes invalid immediately server-side. | Session last_activity timestamp updated on every authenticated request; comparison triggers logoff |
PHI is protected at rest, in transit, and in backup. No plaintext credentials or tokens are stored.
Database storage (AES-256 at rest): Hosted on Neon Serverless Postgres. Storage is AES-256 encrypted at rest on AWS infrastructure. Neon manages key rotation automatically.
Transport (TLS 1.2+): All connections use TLS 1.2+. HTTPS enforced by Render's edge. HSTS headers keep returning browsers on HTTPS, preventing protocol downgrade to plaintext HTTP. No plaintext PHI leaves the origin server.
Document storage (AES-256): Clinical documents (advance directives, license scans, discharge summaries) are stored in Cloudflare R2. Objects are encrypted server-side with AES-256 by Cloudflare.
Session tokens: Session tokens are cryptographically random (Node.js crypto.randomBytes). Stored as httpOnly cookies, not accessible to JavaScript. Tokens expire in 24h and are purged on logout.
Third-party OAuth tokens (AES-256-GCM): Encrypted with AES-256-GCM before storage in service_connections.metadata. Keys are scoped to the application environment.
Backups (AWS KMS): Neon provides automated point-in-time recovery with encrypted backup storage. Backup retention: 7 days on the hosted plan. Backup keys managed by Neon / AWS KMS.
§418.114 personnel requirements are enforced by the platform, not spreadsheets. Expiry alerts fire automatically before credentials lapse.
Every staff member is checked against the OIG List of Excluded Individuals/Entities and SAM.gov Excluded Parties List on hire and monthly thereafter. Results logged to exclusion_checks — clean, match, or inconclusive. Monthly audit emails fire on the 1st at 07:00 UTC. Discharge from care is flagged automatically on a match. Satisfies §424.516 and the §418.114 background check requirement.
The Personnel Credentials module tracks license number, state, issued date, expiry, primary source verification (PSV) date and method, and document scan for every staff member. Alert emails fire at 60, 30, and 7 days before expiry. Expired credentials are flagged in-app and block care documentation sign-off. Satisfies §418.114 active license verification requirements.
HIPAA training completion is tracked per staff member in personnel_files with completion date and renewal due date. CareNoteIQ blocks clinical documentation access for staff with lapsed training. Annual renewal due dates auto-compute from completion date. DON receives alert before lapse.
Initial and annual competency evaluations tracked per staff member by role (RN/NP/SW/Chaplain/Volunteer). 17 CMS-required aide skills tracked individually with rating. Remediation plans and next evaluation due dates computed automatically. Satisfies §418.100(g) and §418.76(c)(1).
CareNoteIQ acts as a HIPAA Business Associate. PHI access is architecturally blocked until a BAA is executed and the organization's phi_enabled flag is set by CareNoteIQ staff — not by the customer.
Our BAA template aligns with the HHS model Business Associate Agreement provisions and covers all HIPAA Privacy Rule, Security Rule, and Breach Notification Rule obligations. The agreement governs permitted uses and disclosures of PHI, breach notification timelines (within 60 days of discovery), data return or destruction on termination, and subcontractor (sub-BA) obligations with Neon Postgres, Render, and Cloudflare R2.
Every production customer executes a BAA before PHI is enabled. The signing record — acceptance timestamp, signing user ID, IP address, and version — is stored in the organizations table and displayed in the Organization settings for audit purposes.
CMS, CHAP, and Joint Commission surveyors ask for documentation you can produce in minutes — not days. The Survey Readiness Workbench surfaces every compliance gap before the surveyor does.
One-click generation of a cross-CoP compliance audit PDF. Covers all 12 major CoPs, flags open deficiencies with the specific regulation citation, and watermarks clearly as a practice document.
Retention policy configurable per organization (minimum 6 years per §418.104(c); CareNoteIQ default is 7 years). Legal hold toggle. Daily alerts fire 90 days before a record reaches its retention end date.
Every patient record access is logged with access type, resource type, user, IP, and timestamp in clinical_record_access_log. Surveyors can receive a printable disclosure report for any date range per §418.104(d).
The Survey Readiness dashboard shows green / yellow / red tiles for each CoP in real time. Mock Surveyor Mode toggles a simulated surveyor view. Gaps are linked directly to the relevant documentation workflow.
DON/Admin/Owner can generate a ZIP of all clinical documentation for a patient cohort and date range. Download links expire in 7 days. Packets are stored in Cloudflare R2 and never cached on the server.
CMS HOPE V1.00 data elements exported as iQIES-compatible XML for CMS submission. Submission events logged immutably with status (generated / submitted / accepted / rejected). Timeliness window enforcement built in.