Security & HIPAA
Last updated: April 2026
HomeCareAtlas is designed to support HIPAA compliance and operates in accordance with HIPAA security and privacy requirements. We maintain administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of Protected Health Information (PHI).
- HIPAA-eligible infrastructure: AWS + Neon + Twilio
- SOC 2 compliant subprocessors: all infrastructure providers
- BAAs in place: with every subprocessor
HIPAA Compliance
We have signed Business Associate Agreements (BAAs) with every subprocessor that handles or could access Protected Health Information, and we offer BAAs to all agency customers who use our platform.
- BAAs with subprocessors — signed and in place with our database provider, cloud hosting, SMS provider, and all services in the PHI data path.
- BAAs for customers — available to every agency on the platform. Contact us at security@homecareatlas.com to request yours.
- Minimum necessary principle — we only collect, store, and display the PHI fields that are necessary for care coordination. API endpoints return only the fields the requesting page needs.
Administrative Safeguards
- Workforce training — team members with access to PHI receive HIPAA training on data handling, privacy, and security practices at onboarding and periodically thereafter.
- Access reviews — user access to PHI is reviewed on a regular basis. Access is granted based on job function and revoked promptly when no longer needed.
- Onboarding and offboarding — role-based access provisioning ensures new team members receive only the access they need. Departing team members have access revoked immediately.
- Incident response plan — we maintain a documented incident response plan that covers identification, containment, investigation, notification, and remediation of security incidents.
- Risk assessments — we perform periodic risk assessments to identify threats to PHI and evaluate the effectiveness of our safeguards.
Encryption
- In transit — all data is transmitted over TLS 1.2+ (HTTPS). There are no unencrypted endpoints.
- At rest — the database encrypts all stored data at rest. Sensitive PHI fields (names, phone numbers, addresses, medical information) are additionally encrypted at the application level before being written to the database.
- Application-level encryption — PHI fields such as client names, contact information, allergies, diagnoses, medications, care plans, and emergency contacts are encrypted using AES-256 before storage and decrypted only when accessed by authorized users.
Access Controls
- Authentication — all dashboard access requires authentication via secure session tokens (JWT). Passwords are hashed with bcrypt.
- Multi-factor authentication (MFA) — MFA is available for all user accounts and can be enabled in account settings for an additional layer of security.
- Password requirements — passwords must meet minimum complexity standards. Accounts are protected against brute-force attacks with rate limiting.
- Session management — sessions expire automatically after a period of inactivity. Idle timeout is enforced on the client side.
- Role-based access — users can only access data belonging to their own agency. Every API route verifies the user's session and agency ownership before returning any data.
- No shared access — there are no public API endpoints that return PHI. Every request for client, caregiver, or shift data requires authentication.
Audit Logging
We maintain audit logs for access to Protected Health Information. These logs record:
- Who accessed PHI (user ID)
- What was accessed (resource type and ID)
- When it was accessed (timestamp)
- The action performed (view, create, update, delete)
- IP address and user agent
Audit logs are retained and available for compliance review. Shift-level changes are additionally logged in a separate shift log for operational transparency.
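One way to implement the per-route agency check, the minimum-necessary projection, and the audit record with the fields listed above, as an added example that is not HomeCareAtlas's own code. The in-memory client store, the request shape, the field sets and the audit sink are assumptions; a deliberately weak unscoped lookup is shown beside the hardened one for contrast.

```javascript
// Added example: agency-scoped record read with minimum-necessary projection and
// an audit entry per access attempt. Not HomeCareAtlas's own code; the in-memory
// store, field sets, request shape and audit sink are assumptions.

// Constructed sample data: one client in each of two agencies.
const CLIENTS = [
  { id: 'c-1', agency_id: 'agency-A', name: 'Jane Doe', phone: '555-0100', diagnoses: 'T2DM', next_visit: '09:00' },
  { id: 'c-2', agency_id: 'agency-B', name: 'John Roe', phone: '555-0199', diagnoses: 'COPD', next_visit: '13:00' },
];

// Minimum necessary: each page receives only the columns it renders.
const FIELD_SETS = {
  schedule: ['id', 'name', 'next_visit'],
  careplan: ['id', 'name', 'diagnoses', 'phone'],
};

const AUDIT_LOG = []; // assumed sink; in production an append-only table or stream

// One entry per attempt, allowed or denied, with the fields listed above.
function audit(req, resource, action, outcome) {
  AUDIT_LOG.push({
    user_id: req.session ? req.session.user_id : null,     // who
    resource_type: resource.type, resource_id: resource.id, // what
    at: new Date().toISOString(),                          // when
    action,                                                // view/create/update/delete
    ip: req.ip, user_agent: req.user_agent,                // from where
    outcome,
  });
}

// Weak pattern for contrast: trusts the id alone, so any authenticated caller
// could read another agency's client. Never expose this from a route.
function getClientUnscoped(clientId) {
  return CLIENTS.find(c => c.id === clientId) || null;
}

// Hardened read: session required, lookup scoped to the caller's agency, and a
// cross-agency id is indistinguishable from a missing one (404, not 403).
function getClientForPage(req, clientId, page) {
  const resource = { type: 'client', id: clientId };
  if (!req.session) { audit(req, resource, 'view', 'denied:unauthenticated'); return { status: 401 }; }
  const fields = FIELD_SETS[page];
  if (!fields) return { status: 400 };
  const row = CLIENTS.find(c => c.id === clientId && c.agency_id === req.session.agency_id);
  if (!row) { audit(req, resource, 'view', 'denied:not_in_agency'); return { status: 404 }; }
  audit(req, resource, 'view', 'allowed');
  return { status: 200, body: Object.fromEntries(fields.map(f => [f, row[f]])) };
}
```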
Security Monitoring
- Anomaly detection — we monitor for suspicious access patterns, including unusual login locations, repeated failed authentication attempts, and bulk data access.
- Rate limiting — API endpoints are rate-limited to prevent abuse and brute-force attacks.
- Alerting — security-relevant events trigger alerts for review and investigation.
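Detection logic for two of the patterns named above, repeated failed authentication and bulk data access, run over constructed audit-log lines in the field layout of the Audit Logging section. This is an added example, not HomeCareAtlas's monitoring code; the thresholds, the 10-minute window, the JSON-lines format and the login/outcome fields are assumptions.

```javascript
// Added example: detection rules for repeated failed authentication and bulk PHI
// access over constructed audit-log lines. Not HomeCareAtlas's own code; the
// thresholds, JSON-lines format and the login/outcome fields are assumptions.

const FAILED_LOGIN_THRESHOLD = 5; // failures from one IP inside the window
const BULK_ACCESS_THRESHOLD = 20; // distinct client records by one user inside the window
const WINDOW_MS = 10 * 60 * 1000; // 10-minute sliding window

// Sliding-window counter: keys whose distinct values within WINDOW_MS reach the threshold.
function slidingWindowHits(events, keyFn, valueFn, threshold) {
  const byKey = new Map();
  const hits = new Set();
  events.forEach((e, i) => {
    const key = keyFn(e);
    if (key == null) return;
    const t = Date.parse(e.at);
    const win = byKey.get(key) || [];
    win.push({ t, v: valueFn(e, i) });
    while (win.length && win[0].t < t - WINDOW_MS) win.shift(); // evict old events
    byKey.set(key, win);
    if (new Set(win.map(x => x.v)).size >= threshold) hits.add(key);
  });
  return [...hits];
}

function detect(lines) {
  const events = lines.map(l => JSON.parse(l)).sort((a, b) => Date.parse(a.at) - Date.parse(b.at));
  const alerts = [];
  // Rule 1: many failed logins from one IP (credential guessing); count every event.
  const failed = events.filter(e => e.action === 'login' && e.outcome === 'failed');
  for (const ip of slidingWindowHits(failed, e => e.ip, (e, i) => i, FAILED_LOGIN_THRESHOLD))
    alerts.push({ rule: 'repeated_failed_auth', ip });
  // Rule 2: one user viewing many distinct client records quickly (bulk-export pattern).
  const views = events.filter(e => e.action === 'view' && e.resource_type === 'client');
  for (const user_id of slidingWindowHits(views, e => e.user_id, e => e.resource_id, BULK_ACCESS_THRESHOLD))
    alerts.push({ rule: 'bulk_phi_access', user_id });
  return alerts;
}

// Constructed sample: 6 failed logins from one IP, one user viewing 25 clients in two
// minutes, and a normal user viewing 3 clients (below threshold, no alert).
function sampleLines() {
  const line = (o, t) => JSON.stringify({ user_agent: 'ua', at: new Date(t).toISOString(), ...o });
  const base = Date.UTC(2026, 3, 1, 8, 0, 0);
  const lines = [];
  for (let i = 0; i < 6; i++) lines.push(line({ user_id: null, action: 'login', outcome: 'failed', ip: '203.0.113.9' }, base + i * 10e3));
  for (let i = 0; i < 25; i++) lines.push(line({ user_id: 'u-7', action: 'view', resource_type: 'client', resource_id: `c-${i}`, ip: '198.51.100.4' }, base + 3600e3 + i * 5e3));
  for (let i = 0; i < 3; i++) lines.push(line({ user_id: 'u-2', action: 'view', resource_type: 'client', resource_id: `c-${i}`, ip: '198.51.100.5' }, base + 3900e3 + i * 1e3));
  return lines;
}
```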
Infrastructure
- Hosting — the application is hosted on AWS (Amazon Web Services), which maintains SOC 2, ISO 27001, and HIPAA compliance certifications. We use AWS Amplify for deployment with no public access to internal infrastructure.
- Database — PostgreSQL hosted on Neon, which provides a signed BAA, SOC 2 Type II compliance, encryption at rest, and isolated compute per tenant. The database runs in the US (us-east region).
- File storage — uploaded documents (care plans, contracts, compliance documents) are stored in Amazon S3 with server-side encryption. Access is controlled via pre-signed URLs that expire after a short window. Files are never served from public routes.
- No PHI in client-side storage — we do not store Protected Health Information in localStorage, sessionStorage, cookies, or any client-side cache.
Physical Safeguards
All infrastructure is hosted in AWS and Neon data centers with strict physical access controls, including biometric authentication, 24/7 surveillance, and environmental protections. These facilities maintain SOC 2 and ISO 27001 certifications.
Data Backup & Recovery
- Automated backups — the database is backed up automatically on a daily basis.
- Point-in-time recovery — our database provider supports point-in-time recovery, allowing restoration to any moment within the retention window.
- Disaster recovery — we maintain a disaster recovery plan with defined recovery time and recovery point objectives. Backups are stored in a separate location from the primary database.
Vulnerability Management
- Dependency updates — third-party packages and dependencies are updated regularly to address known vulnerabilities.
- Automated scanning — we run automated security scans to identify vulnerabilities in application code and dependencies.
- Penetration testing — periodic penetration testing is performed to evaluate the security of the application and infrastructure.
Subprocessors
The following third-party services may process or store data on behalf of HomeCareAtlas:
| Provider | Purpose | BAA |
|---|---|---|
| Amazon Web Services (AWS) | Application hosting, file storage, encryption | Signed |
| Neon | PostgreSQL database | Signed |
| Twilio | SMS notifications | Signed |
This list is updated as subprocessors change. Analytics and marketing tools do not receive PHI.
Data Handling Practices
- No PHI in URLs — client names, health conditions, and other sensitive data are never included in URLs, query parameters, or browser history.
- No PHI in analytics — our analytics tools receive only anonymized, non-PHI usage data (page views, feature usage). No client names, health data, or identifying information is sent to analytics providers.
- No PHI in error logs — error reporting is configured to exclude PHI from log output and error messages.
- Secure deletion — when a client or caregiver record is deleted, all associated data (including encrypted PHI) is permanently removed from the database.
Data Retention & Ownership
- Your data is yours — agencies retain full ownership of all data they enter into the platform, including client records, caregiver profiles, shift history, and documents.
- Retention — data is retained only as long as necessary for service delivery and legal obligations.
- Export and deletion — agencies may request a full export or deletion of their data at any time by contacting security@homecareatlas.com.
Breach Notification
In the event of a data breach involving PHI, we will notify affected agencies within 72 hours of discovery, as required by the HIPAA Breach Notification Rule. We will provide details of the breach, the data affected, and the steps being taken to remediate.
Questions or Concerns
If you have questions about our security practices, need a BAA, or want to report a security concern:
- Email: security@homecareatlas.com