HIPAA Compliance
Effective Date: May 11, 2026 • Last Updated: May 11, 2026
CareMAR is built specifically for licensed California Residential Care Facilities for the Elderly (RCFEs) and handles Protected Health Information (PHI) on behalf of those facilities. This page describes how we protect that information, the technical and administrative safeguards we have in place, and how we operate as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as amended by the HITECH Act and the Omnibus Rule.
1. Our role under HIPAA
When your facility uses CareMAR to store medication records, physician orders, faxes, signed forms, and other resident information, your facility acts as the Covered Entity and CareMAR acts as a Business Associate as those terms are defined at 45 CFR § 160.103.
We will sign a Business Associate Agreement (BAA) with any paying customer that requests one, at no additional cost. The BAA governs our handling of PHI and supersedes any inconsistent language in the Terms of Use or this page. To request a BAA, email support@caremar.org.
2. Administrative safeguards
- Access to production systems is restricted to a small number of trained personnel under the principle of least privilege.
- All personnel with access to PHI complete HIPAA awareness and security training before their first access and at least annually thereafter.
- We maintain a written incident response plan that includes breach assessment, customer notification within HIPAA timelines, and documented post-incident review.
- Subprocessor changes that touch PHI are reviewed before rollout and disclosed to customers via this page.
- Access is reviewed at least quarterly and revoked promptly when personnel change roles or leave.
3. Technical safeguards
- Encryption in transit: all client traffic to caremar.org and our APIs is served over TLS 1.2 or higher with modern cipher suites and HSTS.
- Encryption at rest: the application database and object storage holding uploaded documents, faxes, and photos are encrypted at rest by the underlying cloud provider (AES-256).
- Authentication: staff log in through Clerk-managed authentication with email-based factors and session expiry. Caregiver portal access is gated by a per-facility PIN that admins can rotate at any time.
- Tenant isolation: every authenticated request is scoped server-side to the user's facility (enforced via the X-Facility-Id header and middleware), so one facility cannot read or modify another's records.
- Audit logging: medication administration, signature events, login attempts, and admin actions are logged with timestamps and actor identity.
- Backups: the production database is backed up by the managed Postgres provider with point-in-time recovery enabled.
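The tenant-isolation safeguard above hinges on one detail: the X-Facility-Id header must only select among facilities the authenticated session already belongs to, never grant access on its own. The following Express-style middleware is an added illustration of that pattern and is not CareMAR's code; the header name comes from this page, but the session shape (`req.auth.facilityIds`), the function names and the `medication_records` schema are assumptions made for the example.

```javascript
// Added example (not CareMAR's code): facility scoping middleware.
// Assumption: an upstream auth layer (e.g. Clerk's) has already populated
// req.auth with the caller's identity and the facility ids the session holds.

const HEADER = 'x-facility-id'; // Node lowercases incoming header names

// Pure decision function so it can be tested without an HTTP server.
// Returns { ok: true, facilityId } or { ok: false, status, reason }.
function resolveFacilityScope(auth, headers) {
  if (!auth || !Array.isArray(auth.facilityIds) || auth.facilityIds.length === 0) {
    return { ok: false, status: 401, reason: 'unauthenticated or no facility membership' };
  }
  const raw = headers[HEADER];
  // Repeated headers arrive as an array or a comma-joined string; refuse the
  // ambiguity instead of silently picking one value.
  if (Array.isArray(raw) || (typeof raw === 'string' && raw.includes(','))) {
    return { ok: false, status: 400, reason: 'ambiguous X-Facility-Id' };
  }
  // Single-facility users may omit the header; multi-facility users must choose.
  if (raw === undefined || raw === '') {
    if (auth.facilityIds.length === 1) return { ok: true, facilityId: auth.facilityIds[0] };
    return { ok: false, status: 400, reason: 'X-Facility-Id required for multi-facility users' };
  }
  // Validate the shape before using it anywhere: plain identifier characters only.
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(raw)) {
    return { ok: false, status: 400, reason: 'malformed X-Facility-Id' };
  }
  // The membership check is against the server-side session list, not the header's claim.
  if (!auth.facilityIds.includes(raw)) {
    return { ok: false, status: 403, reason: 'facility not in session' };
  }
  return { ok: true, facilityId: raw };
}

// Express-style wrapper: downstream handlers read req.facilityId, never the raw header.
function facilityScope(req, res, next) {
  const result = resolveFacilityScope(req.auth, req.headers);
  if (!result.ok) {
    return res.status(result.status).json({ error: result.reason });
  }
  req.facilityId = result.facilityId;
  next();
}

// Data-access helper: the resolved facility id is always a bound query parameter,
// so a handler cannot forget the tenant filter or splice it in as a string.
// (Hypothetical schema: medication_records.facility_id / resident_id.)
function scopedMedicationQuery(facilityId, residentId) {
  return {
    text: 'SELECT id, resident_id, drug, administered_at FROM medication_records ' +
          'WHERE facility_id = $1 AND resident_id = $2',
    values: [facilityId, residentId],
  };
}

// Constructed sample session and headers (not real traffic).
const sampleSession = { userId: 'user_123', facilityIds: ['fac_A', 'fac_B'] };
console.log(resolveFacilityScope(sampleSession, { 'x-facility-id': 'fac_A' })); // ok
console.log(resolveFacilityScope(sampleSession, { 'x-facility-id': 'fac_Z' })); // 403
console.log(resolveFacilityScope({ facilityIds: ['fac_A'] }, {}));               // ok, defaulted
```

The 403 branch is the one worth wiring into the audit log described above: a session presenting a facility id it does not hold is exactly the cross-tenant probe that audit logging exists to catch.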
4. Physical safeguards
CareMAR does not operate its own data centers. All production infrastructure runs on commercial cloud providers that maintain SOC 2 / ISO 27001-attested physical controls (24/7 staffed facilities, biometric access, video surveillance, redundant power and cooling). Our team has no physical access to those facilities.
5. Subprocessors
We use the following third parties to provide the Service. Each handles a defined slice of data and operates under its own security and compliance program. Where the subprocessor handles PHI, we have either a signed BAA or a contractual equivalent in place.
- Replit / Replit Deployments — application hosting and Postgres database (PHI; BAA available on request through Replit).
- Google Cloud Storage — encrypted object storage for uploaded PDFs, photos, and faxes (PHI; covered by Google Cloud's BAA).
- Clerk — staff authentication and session management (limited to email + name, not PHI).
- Stripe — subscription billing (no PHI; only billing identifiers).
- Sinch — inbound and outbound fax delivery (PHI; BAA in place).
- Brevo — transactional email delivery for password resets and notifications (limited to email metadata).
- OpenAI — AI-assisted document extraction for medication labels and faxed orders. Requests are made with OpenAI's zero data retention (ZDR) option for the API and are not used to train models.
- Cloudflare — email routing for inbound photo and fax import (PHI in transit only).
We will give customers at least 30 days' advance notice of new subprocessors that will handle PHI by updating this page. If you require a list of subprocessors as of a specific date for your own audit, email support@caremar.org.
6. Breach notification
In the event of a breach of unsecured PHI, CareMAR will notify the affected facility without unreasonable delay and in no event later than 60 calendar days after discovery, as required by 45 CFR § 164.410. Notifications will describe what happened, the categories of PHI involved, the steps the facility should take to protect itself, the steps we are taking to remediate, and a contact for follow-up questions.
The facility (as Covered Entity) remains responsible for any further notifications required to affected individuals, the U.S. Department of Health and Human Services (HHS), and the media under the Breach Notification Rule.
7. Customer responsibilities
HIPAA compliance is a shared responsibility. CareMAR provides the secure infrastructure and access controls; facilities are responsible for using them correctly. In particular, your facility must:
- Limit administrator accounts to staff who are authorized to access resident records.
- Rotate the Caregiver Portal PIN whenever care staff change.
- Promptly deactivate accounts for departing staff.
- Use strong, unique passwords and enable any available second-factor options.
- Verify recipients before sending faxes or signature requests.
- Sign a BAA with CareMAR before storing PHI in the platform.
8. Reporting a security concern
If you believe you've discovered a vulnerability or have witnessed an incident involving CareMAR, please report it to support@caremar.org with "Security report" in the subject line. We respond to security reports within one business day.
Please do not test for vulnerabilities against live customer data. Use a free trial account for any proof-of-concept work.
9. Updates to this page
We may update this page as our practices evolve or as we add subprocessors. The "Last Updated" date at the top reflects the most recent revision. Material changes that affect customers' BAA obligations will also be announced by email.