HIPAA Compliance

45 CFR § 164 safeguards, mapped

HIPAA compliance is not a checkbox. It is the floor every control has to sit on. CareMAR maps to administrative, physical, and technical safeguards under 45 CFR § 164 — and the architecture makes it easier, not harder, for your facility to pass an audit.

A note on what we don't claim

CareMAR does not guarantee state-survey outcomes. State survey results depend on your clinical practice, training, and policies — not just software. What CareMAR does provide is the auditable record that surveyors look for: complete, chronological, tamper-evident.

Administrative safeguards (§ 164.308)

  • Role-based access (facility_admin / nurse / cna) with documented permissions per role.
  • Security awareness training materials included for staff onboarding.
  • Incident response plan: 1-hour classification, 24-72 hour notification per § 164.404.
  • Sanction policy template for workforce members who violate policies.
  • Documented periodic review of audit logs by facility administrator.

Physical safeguards (§ 164.310)

  • All data stored in the customer's own AWS account. Physical controls are inherited from the AWS datacenters (SOC 2 Type II, ISO 27001).
  • No on-premise servers required at the facility.
  • Device-level recommendations: shared nursing devices use sessionStorage tokens only, never localStorage or cookies. Automatic session timeout after 15 minutes of inactivity.
  • Screen-lock policy enforced via Cognito session expiry.
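The shared-device bullet above describes a client-side pattern: the session token lives only in the per-tab sessionStorage (cleared when the tab closes, never written to localStorage or a cookie), and the client enforces the 15-minute idle timeout itself. The following is an added illustration of that pattern, not CareMAR's code; the storage key names, the `SessionStore` class and the injectable clock are assumptions made so the logic can run both in a browser (with `window.sessionStorage`) and offline with an in-memory stand-in.

```javascript
// Added example (not CareMAR code): per-tab session token plus idle timeout.
// The storage object is injected so the same logic runs against
// window.sessionStorage in a browser or a Map-backed stand-in elsewhere.
const IDLE_LIMIT_MS = 15 * 60 * 1000;        // 15 minutes of inactivity
const TOKEN_KEY = 'caremar.session.token';   // hypothetical key name
const LAST_ACTIVITY_KEY = 'caremar.session.lastActivity';

// Minimal Web Storage lookalike for environments without a window.
function makeMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// In a browser this is sessionStorage; localStorage is deliberately never used
// because it outlives the tab and is shared by every tab on the device.
function defaultStorage() {
  if (typeof window !== 'undefined' && window.sessionStorage) return window.sessionStorage;
  return makeMemoryStorage();
}

class SessionStore {
  constructor(storage = defaultStorage(), clock = () => Date.now()) {
    this.storage = storage;
    this.clock = clock;
  }

  // After a successful sign-in: keep the token only in per-tab storage.
  start(token) {
    this.storage.setItem(TOKEN_KEY, token);
    this.storage.setItem(LAST_ACTIVITY_KEY, String(this.clock()));
  }

  // Wire to user activity events (click, keydown, touchstart) to reset idle time.
  touch() {
    if (this.storage.getItem(TOKEN_KEY) !== null) {
      this.storage.setItem(LAST_ACTIVITY_KEY, String(this.clock()));
    }
  }

  // Returns the current token, or null (and clears the session) once idle
  // time reaches the limit. Call this before every authenticated request.
  token() {
    const tok = this.storage.getItem(TOKEN_KEY);
    if (tok === null) return null;
    const last = Number(this.storage.getItem(LAST_ACTIVITY_KEY));
    if (!Number.isFinite(last) || this.clock() - last >= IDLE_LIMIT_MS) {
      this.end();
      return null;
    }
    return tok;
  }

  // Explicit sign-out or timeout: remove everything from the tab.
  end() {
    this.storage.removeItem(TOKEN_KEY);
    this.storage.removeItem(LAST_ACTIVITY_KEY);
  }
}

// Browser wiring (no-op outside a browser): refresh the idle timer on activity.
function attachActivityListeners(store) {
  if (typeof window === 'undefined') return;
  for (const ev of ['click', 'keydown', 'touchstart']) {
    window.addEventListener(ev, () => store.touch(), { passive: true });
  }
}
```

The client-side timer is a usability and shared-device control; the server-side session expiry (Cognito in this architecture) remains the authoritative limit, so the client check should be treated as a second, independent cut-off rather than the only one.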

Technical safeguards (§ 164.312)

  • AES-256 at rest (AWS KMS-managed keys).
  • TLS 1.3 in transit. No older cipher suites supported.
  • MFA on every user account (TOTP primary, SMS fallback).
  • Append-only audit trail: every medication administration event is immutable. The 2-hour note edit window does not modify the underlying medication entry.
  • Schedule II medications require dual-witness sign-off (DEA 21 CFR 1304.21).
  • Automated session timeout (15 minutes idle).

Business Associate Agreement (BAA)

CareMAR signs a BAA with every facility before any data is stored. Our BAA mirrors the HHS sample BAA structure and covers: permitted uses and disclosures, safeguards, reporting obligations, subcontractor terms (AWS as a downstream subcontractor with its own BAA), and termination.

We provide the template at the start of onboarding. Most facilities sign within one business day. Email hello@caremar.us to request the current template.

Breach notification

Per 45 CFR § 164.404, if an incident occurs that meets the definition of a breach under § 164.402, CareMAR notifies the covered entity within 24 hours of classification. Final notification to affected individuals occurs no later than 60 days after discovery. State-specific notification timelines (Illinois 815 ILCS 530, etc.) are layered on top.

A healthcare regulatory attorney is engaged on retainer to advise on notification scope, content, and state-by-state requirements at the time of any incident.

State-survey readiness

When IDPH (or your state equivalent) arrives, the audit trail exports in two formats: machine-readable CSV for the surveyor and a printable PDF organized by resident and date. The PDF includes administration time, dose, route, administering staff, and any witness sign-off, presented chronologically, immutable, and surveyor-friendly.

More on the underlying architecture is on the security page.

Compliance officer questions

If you have a HIPAA security officer, compliance counsel, or privacy officer reviewing CareMAR, email hello@caremar.us with subject "HIPAA review." We respond with the BAA template, a 45 CFR § 164 control matrix, and our most recent security architecture diagram.