Your data is protected

CareSphere was built from the ground up for healthcare data security. HIPAA compliance, encryption, audit trails, and a BAA with every customer — not an afterthought, but a foundation.

HIPAA Compliant BAA Included TLS Everywhere Encrypted at Rest

We sign a BAA with every customer

A Business Associate Agreement is not optional. We require one for every CareSphere customer, and we execute it before you go live. Your legal obligations under HIPAA are covered on day one.

Request a BAA
🔒

HIPAA Compliance

CareSphere is designed to meet the HIPAA Security Rule requirements for electronic protected health information (ePHI).

Encryption

  • All data encrypted at rest using AES-256
  • All data in transit protected by TLS 1.2+
  • Database-level encryption for all PHI fields
  • Encrypted backups stored off-site

Access Controls

  • Unique credentials required for every user
  • Role-based permissions — six distinct access levels
  • Facility-scoped access for multi-site organizations
  • No shared logins or shared accounts permitted

Session Management

  • Automatic session timeout after inactivity
  • Secure session tokens, not persistent cookies
  • Forced re-authentication for sensitive operations
  • Admin visibility into active sessions

Audit Logging

  • Every action logged: create, read, update, delete
  • Logs include user, timestamp, IP address, and record
  • Immutable audit records — cannot be edited or deleted
  • Searchable audit trail available to administrators
👥

Role-Based Access Control

Every user has a defined role that determines exactly what they can see and do within CareSphere.

The six roles

  • Owner / Admin — Full system access, settings, users, all data
  • Nurse — Clinical access, medication documentation, incident reporting
  • Med Tech — eMAR documentation, limited clinical scope
  • Prescriber — Prescription and order management for assigned clients
  • Staff — Shift notes, tasks, basic documentation
  • Auditor — Read-only access to all records and reports

Facility-level scoping

In multi-facility organizations, users are assigned to specific facilities. A staff member at one location cannot view resident records, shift notes, or compliance data from another location unless explicitly granted access.

Administrators can set cross-facility visibility for directors and compliance officers as needed.

🗂️

Audit Trail

A complete, tamper-proof log of everything that happens in CareSphere.

What is logged

  • All medication documentation events
  • Client record creation and edits
  • Incident reports and status changes
  • Document uploads and acknowledgments
  • Task completions and compliance events
  • User login and logout events
  • Settings and configuration changes
  • Any data deletion or status change

How it works

Every audit record captures the acting user, the action taken, the affected record, the timestamp, and the originating IP address. Records are written at the database level and cannot be modified or deleted through the application.

Administrators can search the audit trail by user, date range, record type, or action. The audit log is available as a CSV export for external review or compliance documentation.

☁️

Infrastructure & Data Security

CareSphere runs on secure, modern cloud infrastructure with strict data handling practices.

Data storage

  • PostgreSQL database with encryption at rest
  • PHI fields encrypted at the application layer
  • No PHI stored in application logs
  • No PHI in URLs or query parameters
  • Automated encrypted backups on a defined schedule

Network security

  • TLS 1.2+ enforced on all connections
  • HTTP Strict Transport Security (HSTS) enabled
  • Containerized services with network isolation
  • No direct database access from the public internet

Multi-tenancy

Each CareSphere customer is a fully isolated tenant. Your organization's data is stored with organization-level keys and is never accessible to other customers. Tenant isolation is enforced at every layer of the application stack.

Uptime & reliability

  • Cloud-hosted with automated failover
  • Docker containerized for consistent deployments
  • Automated daily backups with retention policy
  • Health monitoring with alerting
  • Planned maintenance communicated in advance

Questions about security?

Our team is happy to walk through our security posture, provide documentation for your compliance review, or answer questions from your IT department.

Contact Us

support@bostonmit.com