Security & Compliance

HIPAA Compliant Home Health Software

CareLX is built from the ground up for HIPAA compliance. Every feature, every database query, every access event is designed to protect your agency and your clients' Protected Health Information.

HIPAA Compliant

Full compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

AES-256 Encryption

All PHI encrypted at rest with AES-256-GCM — the gold standard in data encryption.

Per-Tenant Isolation

Each agency gets a dedicated database. Your data is never commingled with other agencies.

Immutable Audit Trail

Every access, modification, and disclosure of PHI is logged and available for audit review.

Role-Based Access

Granular permission controls ensure users only access information relevant to their role.

SOC 2 Infrastructure

Hosted on Microsoft Azure with SOC 2 Type II certified data centers.

How We Protect PHI

Comprehensive HIPAA Security Safeguards

CareLX implements administrative, physical, and technical safeguards that meet or exceed HIPAA Security Rule requirements.

Data Encryption & Secure Transmission

CareLX encrypts all Protected Health Information using industry-leading encryption standards to prevent unauthorized access at every point.

  • AES-256-GCM encryption for all data at rest, including SSN, banking information, and medical records
  • TLS 1.2+ encryption for all data in transit between clients and servers
  • Encrypted database connections and secure API endpoints
  • Encryption key management following NIST guidelines
  • Regular cryptographic assessment and key rotation procedures

Multi-Tenant Database Isolation

Unlike shared-database platforms, CareLX uses a one-database-per-agency architecture that provides absolute data isolation between tenants.

  • Each agency's PHI stored in a completely separate PostgreSQL database
  • Tenant resolution through JWT claims — impossible to access another agency's data
  • Catalog database for tenant metadata contains zero PHI
  • Database-level access controls in addition to application-level controls
  • Isolated backup and restore per tenant for disaster recovery
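An added illustration of the tenant-resolution pattern described above (example code, not CareLX's own): the agency database is selected only from a verified JWT claim, and the catalog holds connection metadata but no PHI. The HS256 signing key, the claim name `tenant`, the DSNs and the five-minute token lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed catalog: tenant metadata only (no PHI), one DSN per agency.
CATALOG = {
    "agency-a": "postgresql://db-host/agency_a",
    "agency-b": "postgresql://db-host/agency_b",
}
# Assumption: tokens are HS256-signed with a key held only by the auth service.
SIGNING_KEY = b"constructed-demo-key-do-not-use"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Sample HS256 JWT minting, standing in for the real identity provider."""
    claims = {"exp": time.time() + 300, **claims}  # default 5-minute lifetime
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_token(token: str) -> dict:
    """Return claims only after alg pinning, signature and expiry checks pass."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims

def resolve_tenant_dsn(token: str) -> str:
    """Select the agency database from the verified 'tenant' claim alone;
    nothing in the request path, body or headers may choose the tenant."""
    tenant = verify_token(token).get("tenant")
    if tenant not in CATALOG:
        raise PermissionError(f"no database for tenant {tenant!r}")
    return CATALOG[tenant]
```

A token signed with any other key, an expired token, or a token naming a tenant with no catalog entry all fail closed before any database is opened.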

Access Controls & Authentication

CareLX implements comprehensive access controls to ensure that only authorized individuals can access Protected Health Information.

  • Role-based access control (RBAC) with granular permissions per feature
  • Multi-factor authentication (MFA) support for all user accounts
  • OAuth 2.0 integration with Google and Microsoft for enterprise SSO
  • Session management with configurable idle timeout and automatic lockout
  • IP-based access restrictions and device trust policies

Audit Trail & PHI Access Logging

Every interaction with Protected Health Information is logged in an immutable audit trail designed for Joint Commission and HIPAA compliance.

  • Immutable append-only audit log — records cannot be modified or deleted
  • Tracks: who accessed PHI, what was accessed, when, and from where
  • PHI-specific logging middleware captures all access to sensitive fields
  • SSN and banking data access logged separately with enhanced detail
  • Audit reports exportable for compliance reviews and Joint Commission audits

Breach Detection & Response

CareLX maintains comprehensive breach detection capabilities and a documented incident response plan in compliance with the HIPAA Breach Notification Rule.

  • Real-time monitoring for suspicious access patterns and anomalies
  • Documented incident response procedures with defined escalation paths
  • Breach notification to covered entities within 30 days of discovery
  • Cooperation with agency breach notification obligations under 45 CFR §§164.404-408
  • Regular security assessments and vulnerability scanning

Administrative & Physical Safeguards

Beyond technical controls, CareLX maintains comprehensive administrative policies and physical safeguards to protect PHI.

  • Employee security training and HIPAA awareness programs
  • Background checks for all personnel with PHI access
  • Business Associate Agreements (BAA) with all subcontractors
  • Microsoft Azure physical data center security with 24/7 monitoring
  • Annual risk assessments and security policy reviews

Built by a Team That Knows Security

CareLX is built by Loffa Interactive Group, a company with deep roots in Wall Street compliance and financial services security. We brought that same security-first DNA to healthcare.

20+ years in regulated industries

Zero data breaches in company history

Annual security audits & risk assessments

HIPAA Compliance Without Compromise

Ready to see how CareLX protects your agency's data while making your team more productive? Schedule a demo and we'll walk you through our security architecture.
