HIPAA Compliance You Can Count On

WaiverCarePro is architected from the ground up with HIPAA Privacy and Security Rules in mind — protecting every piece of PHI your agency handles.

Administrative, Technical & Physical Safeguards


Technical Safeguards

  • AES-256 encryption for all PHI at rest
  • TLS 1.3 enforced for all data in transit
  • Secure JWT authentication (30-min access tokens, 7-day refresh)
  • API rate limiting and request validation
  • SQL injection and XSS prevention throughout

Administrative Safeguards

  • Role-based access control (RBAC) — 6 roles with least privilege
  • Full audit logging on all PHI access and modifications
  • Multi-factor authentication (MFA) support
  • Tenant isolation — data never crosses between agencies
  • User activity monitoring and session management

Physical Safeguards

  • Hosted on Render infrastructure (SOC 2 Type II certified data centers)
  • PostgreSQL 16 with encrypted volumes
  • Automated daily backups with point-in-time recovery
  • No PHI stored on developer workstations

Organizational Safeguards

  • Business Associate Agreement (BAA) available for Enterprise customers
  • Staff security awareness training documentation
  • Incident response plan and breach notification procedures
  • Privacy policy and data retention policies in compliance with HIPAA

EVV Compliance — 21st Century Cures Act

All Medicaid HCBS providers are required to use Electronic Visit Verification. WaiverCarePro's EVV meets federal and state requirements.

✓ 21st Century Cures Act compliant EVV implementation
✓ GPS coordinates captured and stored at clock-in/out
✓ Geofence validation with configurable radius per patient
✓ Exception flagging for missing GPS, early/late clock-in, and service mismatches
✓ Visit verification records maintained for Medicaid audit trail
✓ State EVV aggregator export support (Enterprise)
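The geofence and exception-flagging items above describe a check that is easy to get subtly wrong (a "missing GPS" fix must never be treated as "inside the fence"). The following Python is an added illustration, not WaiverCarePro's own code: it assumes a haversine great-circle distance on a spherical Earth, a per-patient radius in metres, and 15-minute early/late tolerances. The patient, service codes and coordinates are constructed sample values.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres (assumed spherical model)


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points (degrees)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class PatientGeofence:
    patient_id: str
    lat: float
    lon: float
    radius_m: float          # configurable per patient
    authorized_service: str  # service code the plan of care authorizes (constructed label)


@dataclass(frozen=True)
class ClockIn:
    patient_id: str
    scheduled_start: datetime
    clock_in: datetime
    service_code: str
    gps: Optional[Tuple[float, float]]  # None when the device supplied no fix


def evaluate_clock_in(
    patient: PatientGeofence,
    event: ClockIn,
    early_tolerance: timedelta = timedelta(minutes=15),
    late_tolerance: timedelta = timedelta(minutes=15),
) -> List[str]:
    """Return the exception flags for one clock-in; an empty list means it verified cleanly.

    A missing GPS fix is an exception in its own right and is never silently
    accepted as "inside the fence".
    """
    flags: List[str] = []
    if event.gps is None:
        flags.append("MISSING_GPS")
    else:
        lat, lon = event.gps
        if haversine_m(lat, lon, patient.lat, patient.lon) > patient.radius_m:
            flags.append("OUTSIDE_GEOFENCE")
    delta = event.clock_in - event.scheduled_start
    if delta < -early_tolerance:
        flags.append("EARLY_CLOCK_IN")
    elif delta > late_tolerance:
        flags.append("LATE_CLOCK_IN")
    if event.service_code != patient.authorized_service:
        flags.append("SERVICE_MISMATCH")
    return flags


# Constructed sample data: one patient with a 150 m fence and three clock-in events.
PATIENT = PatientGeofence("pat_demo1", 39.7392, -104.9903, 150.0, "SVC_PERSONAL_CARE")
SCHEDULED = datetime(2026, 3, 5, 14, 0, tzinfo=timezone.utc)


def run_sample() -> dict:
    """Evaluate the constructed events and return their flags keyed by scenario name."""
    clean = ClockIn("pat_demo1", SCHEDULED, SCHEDULED + timedelta(minutes=5),
                    "SVC_PERSONAL_CARE", (39.7392, -104.9908))   # ~43 m west of the home
    outside = ClockIn("pat_demo1", SCHEDULED, SCHEDULED,
                      "SVC_PERSONAL_CARE", (39.7420, -104.9903))  # ~311 m north of the home
    no_fix = ClockIn("pat_demo1", SCHEDULED, SCHEDULED + timedelta(minutes=32),
                     "SVC_RESPITE", None)                          # no GPS, late, wrong service
    return {
        "clean": evaluate_clock_in(PATIENT, clean),
        "outside": evaluate_clock_in(PATIENT, outside),
        "no_fix": evaluate_clock_in(PATIENT, no_fix),
    }


if __name__ == "__main__":
    for name, flags in run_sample().items():
        print(f"{name}: {flags or 'verified'}")
```

The flags are deliberately additive rather than short-circuiting, so an auditor reviewing one visit sees every reason it was excepted, not just the first one found.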

Complete Audit Trail

Every action taken on PHI — create, read, update, delete — is logged with user identity, timestamp, tenant, and change summary. Audit logs are immutable and retained per HIPAA requirements.

# Sample audit log entry
{
  "timestamp": "2026-03-05T14:32:10Z",
  "userId": "usr_abc123",
  "tenantId": "tnt_xyz789",
  "action": "UPDATE",
  "entity": "patient",
  "entityId": "pat_def456",
  "changes": { "dob": "..." }
}
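Two properties of the entry above are worth seeing in code: the change summary notes that a PHI field such as dob changed without copying the old and new values into the log, and "immutable" has to be enforced by something. The following Python is an added example, not WaiverCarePro's implementation: it assumes a hash chain (each entry commits to the SHA-256 of the previous one) as the tamper-evidence mechanism and a fixed list of PHI-valued fields, both of which are assumptions. Sample users, tenants and records are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Fields whose values are PHI: the log records that they changed, never old/new values (assumed policy).
PHI_VALUE_FIELDS = {"dob", "ssn", "diagnosis", "address"}
ACTIONS = {"CREATE", "READ", "UPDATE", "DELETE"}
GENESIS_HASH = "0" * 64  # prevHash of the first entry in a fresh log


def summarize_changes(before: Dict[str, Any], after: Dict[str, Any]) -> Dict[str, Any]:
    """Field-level change summary; PHI fields are reduced to the "..." marker used in the sample entry."""
    summary: Dict[str, Any] = {}
    for field in sorted(set(before) | set(after)):
        old, new = before.get(field), after.get(field)
        if old == new:
            continue
        summary[field] = "..." if field in PHI_VALUE_FIELDS else {"old": old, "new": new}
    return summary


def _canonical(entry: Dict[str, Any]) -> bytes:
    """Deterministic serialisation so the hash does not depend on key order."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


class AuditLog:
    """Append-only log; each entry's hash covers its body plus the previous entry's hash."""

    def __init__(self) -> None:
        self._entries: List[Dict[str, Any]] = []

    def record(self, *, user_id: str, tenant_id: str, action: str, entity: str, entity_id: str,
               before: Optional[Dict[str, Any]] = None, after: Optional[Dict[str, Any]] = None,
               timestamp: Optional[str] = None) -> Dict[str, Any]:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        prev_hash = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        entry: Dict[str, Any] = {
            "timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "userId": user_id,
            "tenantId": tenant_id,
            "action": action,
            "entity": entity,
            "entityId": entity_id,
            "changes": summarize_changes(before or {}, after or {}),
            "prevHash": prev_hash,
        }
        entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()  # hash of everything but "hash"
        self._entries.append(entry)
        return entry

    def entries(self) -> List[Dict[str, Any]]:
        return [dict(e) for e in self._entries]  # copies, so callers cannot mutate the log

    def verify(self) -> bool:
        """True if every entry's hash is intact and each prevHash links to the entry before it."""
        prev = GENESIS_HASH
        for e in self._entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e.get("prevHash") != prev or hashlib.sha256(_canonical(body)).hexdigest() != e.get("hash"):
                return False
            prev = e["hash"]
        return True


def tamper_demo() -> tuple:
    """Build a two-entry log (constructed data), then alter an entry in place; returns (before, after) verify results."""
    log = AuditLog()
    log.record(user_id="usr_abc123", tenant_id="tnt_xyz789", action="UPDATE", entity="patient",
               entity_id="pat_def456", before={"dob": "1980-01-01", "phone": "555-0100"},
               after={"dob": "1980-02-02", "phone": "555-0100"}, timestamp="2026-03-05T14:32:10Z")
    log.record(user_id="usr_abc123", tenant_id="tnt_xyz789", action="READ", entity="patient",
               entity_id="pat_def456", timestamp="2026-03-05T14:33:00Z")
    intact = log.verify()
    log._entries[0]["action"] = "READ"  # simulated after-the-fact edit of the stored record
    return intact, log.verify()


if __name__ == "__main__":
    print(json.dumps(AuditLog().record(user_id="usr_abc123", tenant_id="tnt_xyz789", action="UPDATE",
                                       entity="patient", entity_id="pat_def456",
                                       before={"dob": "1980-01-01"}, after={"dob": "1980-02-02"}), indent=2))
    print("verify before/after tamper:", tamper_demo())
```

A hash chain only makes tampering detectable; retention and write-once storage still have to keep the chain itself out of reach of the accounts whose actions it records.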

Need a Business Associate Agreement (BAA)?

BAAs are available for all Enterprise plan customers. Contact our sales team to get started.
