Compliance

HIPAA Compliance

CareCentra is designed from the ground up to meet the requirements of the Health Insurance Portability and Accountability Act. Protecting patient health information is not just a legal obligation -- it is central to our mission.

OUR COMMITMENT

CareCentra as a Business Associate

Under HIPAA, CareCentra operates as a Business Associate to covered entities -- health systems, provider groups, and health plans. We execute Business Associate Agreements (BAAs) with every customer before any protected health information is created, received, maintained, or transmitted through our platform.

BAA Included with Every Contract

CareCentra provides a BAA as a standard part of every customer agreement; no separate negotiation is required. Our BAA covers all platform services, including the mobile patient application, clinician dashboard, AI prediction engine, and data analytics layer.

HIPAA SAFEGUARDS

Administrative, Physical, and Technical

HIPAA requires covered entities and their business associates to implement safeguards across three domains. Here is how CareCentra meets each.

Administrative Safeguards

Designated Privacy and Security Officers oversee our compliance program. All workforce members complete HIPAA training at onboarding and annually. We maintain written policies covering access management, incident response, risk assessment, and sanctions for violations. Risk analyses are conducted annually and whenever material changes occur.

Physical Safeguards

CareCentra's infrastructure is hosted in SOC 2-certified data centers with 24/7 physical security, biometric access controls, video surveillance, and environmental protections. Workstations accessing PHI are encrypted, managed, and subject to automatic screen lock and remote wipe capabilities.

Technical Safeguards

Unique user identification and multi-factor authentication for all system access. Automatic session termination after inactivity. AES-256 encryption at rest and TLS 1.2+ in transit. Comprehensive audit controls logging every access to ePHI, with tamper-evident log integrity verification.

DATA HANDLING

How We Handle Protected Health Information

CareCentra collects, processes, and stores PHI only as necessary to deliver clinical services under our agreements with covered entities.

What We Collect

The types of PHI processed through our platform include:

  • Patient demographics (name, date of birth, contact information)
  • Clinical data (diagnoses, medications, spirometry readings, oxygen saturation)
  • Device-generated data (smart inhaler usage, pulse oximetry, air quality sensor readings)
  • Patient-reported outcomes (symptom surveys, quality of life assessments)
  • Care team interactions (escalation notes, intervention records, care plan updates)

Minimum Necessary Standard

CareCentra applies the HIPAA minimum necessary standard to all uses and disclosures of PHI. Our role-based access model ensures that each user -- whether a respiratory therapist, pulmonary navigator, or administrator -- sees only the data required for their specific function. AI models are trained on de-identified datasets; individual patient predictions use the minimum data elements required for clinical accuracy.

Retention and Disposal

PHI is retained for the duration specified in our BAA with each covered entity, or as required by applicable law -- typically a minimum of six years from the date of creation or last effective date. Upon contract termination, PHI is returned or securely destroyed in accordance with NIST SP 800-88 media sanitization guidelines, with written certification provided to the covered entity.

BREACH NOTIFICATION

If Something Goes Wrong

CareCentra maintains a documented breach response program aligned with the HIPAA Breach Notification Rule (45 CFR Parts 160 and 164, Subparts D and E).

Notification Timelines

In the event of a confirmed breach of unsecured PHI, CareCentra will notify the affected covered entity without unreasonable delay and in no case later than 60 calendar days from discovery -- and in practice, we target notification within 72 hours for material incidents. Our notification includes the identification of affected individuals, the nature of the PHI involved, recommended steps for mitigation, and a description of our investigation and remediation actions.

Investigation Process

  • Immediate containment and preservation of evidence
  • Four-factor risk assessment per HHS guidance (nature of PHI, unauthorized recipient, whether PHI was actually acquired or viewed, extent of risk mitigation)
  • Root cause analysis and remediation plan
  • Post-incident review and policy updates as warranted
  • Cooperation with covered entity's own notification obligations to individuals and HHS

PATIENT RIGHTS

Supporting Individual Rights Under HIPAA

While the covered entity (your health system or health plan) is the primary party responsible for fulfilling individual rights requests, CareCentra supports these obligations through our platform and processes.

Right of Access

Our platform enables covered entities to export patient records in standard formats. We support data portability through HL7 FHIR APIs, allowing patients and their providers to access health information held in CareCentra in a timely and machine-readable format.

Right to Amendment

Covered entities can request amendments to PHI maintained in CareCentra. Our platform supports amendment workflows including appending corrections while preserving the integrity of the original clinical record.

Right to an Accounting of Disclosures

CareCentra maintains audit logs sufficient to support covered entities in providing patients with an accounting of disclosures made through our platform for the six-year period required by HIPAA.

WORKFORCE TRAINING

A Culture of Compliance

Policies are only as effective as the people who follow them.

Training Program

  • All employees and contractors complete comprehensive HIPAA training within 30 days of onboarding
  • Annual refresher training covers regulatory updates, emerging threats, and lessons learned from industry incidents
  • Role-specific training for employees with direct access to PHI (engineering, clinical operations, customer success)
  • Training completion is tracked and audited; non-completion triggers access suspension
  • Sanctions policy enforced for policy violations, up to and including termination

Questions About Our HIPAA Program?

Our compliance team is available to walk through our practices, provide BAA documentation, or support your vendor risk assessment.

Contact Our Compliance Team