HIPAA Compliance You Can Count On
WaiverCarePro is architected from the ground up with HIPAA Privacy and Security Rules in mind — protecting every piece of PHI your agency handles.
Administrative, Technical & Physical Safeguards
Technical Safeguards
- AES-256 encryption for all PHI at rest
- TLS 1.3 enforced for all data in transit
- Secure JWT authentication (30-min access tokens, 7-day refresh)
- API rate limiting and request validation
- SQL injection and XSS prevention throughout
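The token lifetimes above (30-minute access tokens, 7-day refresh tokens) are only useful if the verifier actually enforces them. The following is an added, self-contained example written for this page, not WaiverCarePro's own authentication code: it mints and verifies HS256 JWTs with nothing but the Python standard library, pins the algorithm, checks the signature in constant time, enforces `exp`, and uses a `typ` claim so a refresh token can never be presented as an access token. The signing key, claim names and the `issue_token`/`verify_token` functions are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key for this example only; a deployment loads it from a secret store.
SIGNING_KEY = b"example-hs256-key-do-not-use-in-production"
ACCESS_TTL = 30 * 60           # 30 minutes, matching the lifetime on the page
REFRESH_TTL = 7 * 24 * 3600    # 7 days, matching the lifetime on the page


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()


def issue_token(user_id: str, tenant_id: str, kind: str, now: int) -> str:
    """Mint an HS256 JWT. `kind` is "access" or "refresh"; it is recorded in the
    `typ` claim so the two token types cannot be swapped for each other."""
    ttl = ACCESS_TTL if kind == "access" else REFRESH_TTL
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "tid": tenant_id, "typ": kind,
               "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    return signing_input + "." + _b64url(_sign(signing_input.encode()))


def verify_token(token: str, expected_kind: str, now: int) -> Optional[dict]:
    """Return the claims only if algorithm, signature, token type and expiry all
    check out; otherwise return None. `now` is injected to make expiry testable."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    # Pin the algorithm server-side: never let the token choose ("alg": "none").
    if header.get("alg") != "HS256":
        return None
    expected_sig = _sign(f"{h_b64}.{p_b64}".encode())
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        return None
    # A refresh token must not be accepted where an access token is expected.
    if payload.get("typ") != expected_kind:
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return payload
```

The refresh endpoint would call `verify_token(token, "refresh", now)` and, on success, mint a fresh access token; every other endpoint calls it with `"access"`. Rotating the refresh token on each use and storing a revocation list are the usual next steps and are not shown here.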
Administrative Safeguards
- Role-based access control (RBAC) with six roles, each granted only the permissions its job requires (least privilege)
- Full audit logging on all PHI access and modifications
- Multi-factor authentication (MFA) support
- Tenant isolation — data never crosses between agencies
- User activity monitoring and session management
Physical Safeguards
- Hosted on Render infrastructure (SOC 2 Type II certified data centers)
- PostgreSQL 16 with encrypted volumes
- Automated daily backups with point-in-time recovery
- No PHI stored on developer workstations
Organizational Safeguards
- Business Associate Agreement (BAA) available for Enterprise customers
- Staff security awareness training documentation
- Incident response plan and breach notification procedures
- Privacy policy and data retention policies in compliance with HIPAA
EVV Compliance — 21st Century Cures Act
Section 12006 of the 21st Century Cures Act requires states to use Electronic Visit Verification for Medicaid-funded personal care and home health services. WaiverCarePro's EVV meets the federal requirements and the state-specific ones layered on top of them.
- 21st Century Cures Act compliant EVV implementation
- GPS coordinates captured and stored at clock-in/out
- Geofence validation with configurable radius per patient
- Exception flagging for missing GPS, early/late clock-in, and service mismatches
- Visit verification records maintained for Medicaid audit trail
- State EVV aggregator export support (Enterprise)
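Geofence validation and exception flagging are the parts of EVV that auditors actually test, so here is an added example of that logic, written for this page and not taken from WaiverCarePro. It computes the great-circle distance between the clock-in fix and the patient's address on file, compares it with the per-patient radius, and raises the exception classes listed above. The `Visit` record, the 15-minute schedule tolerance and the flag names are assumptions; the GPS coordinates in the usage are constructed test data.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS-84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass
class Visit:
    """Assumed shape of one clock-in event joined with its schedule (not the product's model)."""
    patient_home: tuple              # (lat, lon) on file for the patient
    geofence_radius_m: float         # configurable per patient
    scheduled_start: datetime
    scheduled_service: str
    clock_in: datetime
    clock_in_gps: Optional[tuple]    # None when the device had no fix
    recorded_service: str
    tolerance: timedelta = timedelta(minutes=15)


def flag_exceptions(v: Visit) -> list:
    """Return the list of exception codes for a visit; an empty list means verified."""
    flags = []
    if v.clock_in_gps is None:
        # No fix at all is its own exception: the visit cannot be placed anywhere.
        flags.append("MISSING_GPS")
    else:
        distance = haversine_m(*v.clock_in_gps, *v.patient_home)
        if distance > v.geofence_radius_m:
            flags.append("OUTSIDE_GEOFENCE")
    delta = v.clock_in - v.scheduled_start
    if delta < -v.tolerance:
        flags.append("EARLY_CLOCK_IN")
    elif delta > v.tolerance:
        flags.append("LATE_CLOCK_IN")
    if v.recorded_service != v.scheduled_service:
        flags.append("SERVICE_MISMATCH")
    return flags


def example_visits() -> dict:
    """Constructed sample data: one clean visit and one that trips three flags."""
    home = (40.7128, -74.0060)
    start = datetime(2026, 3, 5, 14, 0, tzinfo=timezone.utc)
    clean = Visit(home, 150.0, start, "personal_care",
                  start + timedelta(minutes=5), (40.7133, -74.0062), "personal_care")
    # ~111 m north of the address with a 100 m fence, 40 minutes late, wrong service code.
    bad = Visit(home, 100.0, start, "personal_care",
                start + timedelta(minutes=40), (40.7138, -74.0060), "respite")
    return {"clean": flag_exceptions(clean), "bad": flag_exceptions(bad)}
```

Keep the raw coordinates and the computed distance on the visit record rather than only the flag: when a state aggregator or Medicaid reviewer questions a visit, the evidence is the fix itself, not the agency's interpretation of it.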
Complete Audit Trail
Every action taken on PHI — create, read, update, delete — is logged with user identity, timestamp, tenant, and change summary. Audit logs are immutable and retained per HIPAA requirements.
# Sample audit log entry
{
"timestamp": "2026-03-05T14:32:10Z",
"userId": "usr_abc123",
"tenantId": "tnt_xyz789",
"action": "UPDATE",
"entity": "patient",
"entityId": "pat_def456",
"changes": { dob: '...' }
}
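"Immutable" is a property the storage layer has to provide, not something a log entry can claim about itself. The following is an added example written for this page, not WaiverCarePro's implementation, showing one standard way to make an append-only log tamper-evident: each entry carries the SHA-256 of the previous entry, so editing, reordering or deleting any row invalidates every hash after it. Entries use the field names from the sample above; the `AuditLog` class, the `prevHash`/`hash` fields and the canonical JSON serialisation are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

GENESIS = "0" * 64  # prevHash of the very first entry


def _digest(entry: dict) -> str:
    """SHA-256 over a canonical serialisation (sorted keys, no whitespace) of
    every field except the entry's own hash, so verification is reproducible."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AuditLog:
    """Append-only, hash-chained audit log (in memory here; a real store would be a
    write-once table or object store with no UPDATE/DELETE grants)."""

    def __init__(self):
        self._entries = []

    def append(self, user_id: str, tenant_id: str, action: str, entity: str,
               entity_id: str, changes: dict, timestamp: Optional[str] = None) -> dict:
        prev_hash = self._entries[-1]["hash"] if self._entries else GENESIS
        if timestamp is None:
            timestamp = datetime.now(timezone.utc).isoformat(timespec="seconds").replace("+00:00", "Z")
        entry = {
            "timestamp": timestamp,
            "userId": user_id,
            "tenantId": tenant_id,
            "action": action,
            "entity": entity,
            "entityId": entity_id,
            "changes": changes,
            "prevHash": prev_hash,
        }
        entry["hash"] = _digest(entry)
        self._entries.append(entry)
        return entry

    def entries(self) -> list:
        return [dict(e) for e in self._entries]


def verify_chain(entries: list) -> Tuple[bool, Optional[int]]:
    """Walk the chain from GENESIS. Return (True, None) if intact, otherwise
    (False, index of the first entry whose hash or prevHash does not check out)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("prevHash") != prev or _digest(e) != e.get("hash"):
            return False, i
        prev = e["hash"]
    return True, None
```

Two caveats a reviewer will raise. First, a hash chain only detects tampering; an attacker with write access to the whole table can rewrite the tail and recompute every hash, so the latest hash should be periodically copied somewhere the application cannot modify (a separate account, a signed timestamp, or a write-once bucket). Second, the `changes` summary can itself contain PHI (the sample above records a date of birth), so the audit store needs the same access controls and retention handling as the patient records it describes.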
Need a Business Associate Agreement (BAA)?
BAAs are available for all Enterprise plan customers. Contact our sales team to get started.