Privacy Policy
Last updated: February 18, 2026
1. Introduction
HomeCare SaaS ("we," "our," or "us") operates the HomeCare SaaS Portal (the "Portal"). This Privacy Policy describes how we collect, use, store, and protect your personal information and Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA), the HITECH Act, and applicable state laws.
2. Information We Collect
We collect the following categories of information:
- Identity Information: Name, date of birth, email address, phone number, and mailing address.
- Employment Information (Caregivers): Social Security Number (SSN), work schedules, and clock-in/out records.
- Health Information (Clients): Care plans, care notes, emergency contacts, and service records.
- Location Data: GPS coordinates captured at clock-in and clock-out for Electronic Visit Verification (EVV) compliance.
- Usage Data: Login timestamps, session activity, and audit trail records.
3. How We Use Your Information
- To provide and manage home care services, scheduling, and billing.
- To comply with Electronic Visit Verification (EVV) requirements under the 21st Century Cures Act.
- To submit required data to the Illinois HHAeXchange state aggregator for Medicaid reimbursement.
- To maintain audit logs for HIPAA compliance and security monitoring.
- To communicate with caregivers, clients, and administrators via the Portal messaging system.
4. Data Security
We implement the following safeguards to protect your information:
- Encryption at Rest: PHI fields (names, addresses, phone numbers, care notes) and SSNs are encrypted using AES-256-CBC encryption before storage.
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2+.
- Access Controls: Role-based access control (admin, caregiver, client) limits data visibility.
- Multi-Factor Authentication (MFA): Available for all users via TOTP authenticator apps.
- Session Security: Automatic logout after 15 minutes of inactivity. JWT tokens expire after 1 hour.
- Audit Logging: All PHI access and modifications are logged with user identity, timestamp, and action details.
- Rate Limiting: Login attempts are rate-limited to prevent brute-force attacks.
5. Data Retention
We retain PHI and audit logs for a minimum of 6 years in compliance with HIPAA requirements. After the retention period, data is securely deleted. You may request deletion of non-required data at any time by contacting us.
6. Data Sharing
We may share your information with:
- State Agencies: EVV data is submitted to Illinois HHAeXchange for Medicaid compliance.
- Service Providers: We use secure hosting and infrastructure providers who are bound by Business Associate Agreements (BAAs).
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
7. Your Rights
Under HIPAA, you have the right to:
- Request access to your PHI held by us.
- Request corrections to inaccurate PHI.
- Request an accounting of disclosures of your PHI.
- Request restrictions on certain uses of your PHI.
- File a complaint if you believe your privacy rights have been violated.
8. Contact Information
For privacy-related inquiries, to exercise your rights, or to report a concern:
HomeCare SaaS
Email: kevin@kevinchamplin.com
Phone: 760-637-1473
9. Changes to This Policy
We may update this Privacy Policy periodically. Changes will be posted on this page with an updated revision date. Continued use of the Portal after changes constitutes acceptance of the revised policy.
