Security at HomeCare SaaS

Your trust is our priority

As a home care provider, we handle sensitive personal and health information every day. We take this responsibility seriously. Our portal is built with security at its foundation — not as an afterthought — to protect caregivers, clients, and administrators alike.

1. HIPAA Compliance

The HomeCare SaaS Portal is designed and operated in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act. This means:

  • Protected Health Information (PHI) is handled with the highest standard of care.
  • All team members are trained on HIPAA requirements and data handling procedures.
  • We maintain Business Associate Agreements (BAAs) with all service providers who may access PHI.
  • We follow the HIPAA minimum necessary standard — only the information needed for a specific purpose is accessed or shared.

2. Data Encryption

Your data is protected by strong encryption both when it travels over the internet and when it is stored in our systems:

  • In Transit: All connections to the portal are encrypted using TLS (Transport Layer Security), the same technology used by banks and financial institutions.
  • At Rest: Sensitive data — including personal identifiers, health information, and financial details — is encrypted before being stored in our database.
  • Passwords: Your password is never stored in readable form. It is cryptographically hashed so that even our team cannot view it.

3. Multi-Factor Authentication

We offer multi-factor authentication (MFA) for all portal accounts. When enabled, signing in requires both your password and a one-time code from an authenticator app on your phone. This means that even if someone obtains your password, they cannot access your account without your physical device. We strongly recommend enabling MFA in your account settings.

4. Role-Based Access Control

Not everyone sees the same information. Our portal uses role-based access control to ensure that each user — whether an administrator, caregiver, or client — only has access to the information and features relevant to their role. Caregivers see their own schedules and assigned clients. Clients see their own care plans and invoices. Administrators manage operations. No one sees more than they need to.

5. Automatic Session Protection

To prevent unauthorized access if you step away from your device, the portal automatically logs you out after a period of inactivity. You will see a warning before being signed out, giving you a chance to stay logged in if you are still present. This is especially important in healthcare settings where devices may be shared or left unattended.

6. Brute-Force Protection

Our login system includes rate limiting that temporarily locks accounts after repeated failed sign-in attempts. This protects your account from automated attacks that try many password combinations. If your account is temporarily locked, wait for the cooldown period to expire or contact support for assistance.

7. Audit Logging

All significant actions in the portal — such as accessing records, making changes, and signing in — are recorded in a detailed audit log. These logs include who performed the action, when it occurred, and what was accessed or changed. Audit logs help us detect unauthorized activity, investigate incidents, and demonstrate HIPAA compliance.

8. Secure Infrastructure

Our portal is hosted on professionally managed infrastructure with firewall protection, intrusion monitoring, and regular security updates. We keep all software components up to date with the latest security patches to protect against known vulnerabilities.

9. HIPAA Compliance Suite

Beyond technical safeguards, HomeCare SaaS includes a comprehensive administrative compliance toolkit:

  • BAA Tracking: Manage Business Associate Agreements with every vendor who handles PHI. Track expiration dates, PHI types shared, and renewal status.
  • Risk Assessments: Schedule and document annual HIPAA risk assessments as required by 45 CFR 164.308. Assign risk scores, track findings, and document remediation efforts.
  • Breach Incident Management: Log security incidents with severity classification and manage the HHS 60-day notification timeline for reportable breaches.
  • Training Records: Track staff security awareness training with completion dates, scores, and automatic expiry alerts to ensure ongoing compliance.
  • Disaster Recovery: Document DR plans with Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Log test results and maintain a DR test history.
  • Backup Verification: Log backup operations with verification results and restore testing records. Ensure your data recovery procedures actually work.
  • Physical Safeguards: Document facility access controls, workstation security, and device management policies as required by 45 CFR 164.310.

10. Data Retention & Disposal

We retain data only as long as necessary to fulfill our obligations and comply with regulatory requirements, including the HIPAA-mandated 6-year minimum retention period for health records. When data is no longer needed, it is securely deleted using methods that prevent recovery.

11. What You Can Do

Security is a shared responsibility. Here are steps you can take to protect your account:

  • Enable MFA: Turn on multi-factor authentication in your account settings for an extra layer of protection.
  • Use a strong password: Choose a unique password that you don't use on other websites or services.
  • Don't share credentials: Never share your login information with anyone, even coworkers.
  • Lock your device: Always lock your computer or phone when stepping away, especially in shared spaces.
  • Report concerns: If you notice anything suspicious — unexpected login alerts, unfamiliar activity, or anything that doesn't look right — contact us immediately.

12. Report a Security Concern

If you believe your account has been compromised, or if you have any security-related questions or concerns, please contact us right away:

HomeCare SaaS — Security Team
Email: kevin@kevinchamplin.com
Phone: 760-637-1473