HIPAA Compliance

Last updated: January 28, 2026

Effective Date: January 28, 2026

1. Our Commitment to HIPAA Compliance

AveeCare LLC ("AveeCare," "we," "us," or "our") is committed to protecting the privacy and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and all applicable federal and state regulations.

As a technology platform serving home care, home healthcare, hospice, and disability care agencies, we act as a Business Associate under HIPAA when we create, receive, maintain, or transmit PHI on behalf of our customers (Covered Entities).

This document describes our HIPAA compliance program, the safeguards we implement to protect PHI, and our commitments as a Business Associate.

  • HIPAA Compliant: Full compliance with Privacy Rule, Security Rule, and Breach Notification Rule
  • AES-256 Encryption: Enterprise-grade encryption for data at rest and in transit
  • SOC 2 Type II: Hosted on AWS infrastructure with SOC 2 Type II certification
  • BAA Available: Business Associate Agreement provided to all covered entity customers

2. Business Associate Agreement (BAA)

We provide a Business Associate Agreement to all customers who are HIPAA Covered Entities or Business Associates. Our BAA:

  • Defines the permitted and required uses and disclosures of PHI
  • Establishes safeguards to prevent unauthorized use or disclosure
  • Requires reporting of unauthorized uses, disclosures, and security incidents
  • Requires subcontractors who handle PHI to sign BAAs
  • Provides for return or destruction of PHI upon termination
  • Permits the Covered Entity to audit our compliance
  • Commits to breach notification within required timeframes

Request a BAA: To obtain a Business Associate Agreement, please contact us at legal@aveecare.com or request one during your account setup process. A BAA must be executed before your organization inputs PHI into our platform.

3. HIPAA Privacy Rule Compliance

We implement policies and procedures to ensure compliance with the HIPAA Privacy Rule:

3.1 Minimum Necessary Standard

  • Our role-based access control (RBAC) system limits access to PHI based on job function
  • Users can only access the minimum PHI necessary for their assigned tasks
  • Administrators can configure granular permissions for each user role
  • System features are designed to request and display only necessary information

3.2 Use and Disclosure Limitations

  • We only use PHI as permitted by our BAA and applicable law
  • PHI is used solely to provide services to our customers
  • We do not sell PHI or use it for marketing purposes
  • De-identified data may be used for product improvement in compliance with HIPAA de-identification standards

3.3 Individual Rights

Our platform supports the exercise of individual HIPAA rights by providing features that enable our customers (Covered Entities) to:

  • Provide individuals with access to their PHI upon request
  • Make amendments to PHI as requested
  • Generate accountings of disclosures
  • Apply restrictions requested by individuals
  • Export patient data in standard formats

4. HIPAA Security Rule Compliance

We implement comprehensive administrative, physical, and technical safeguards as required by the HIPAA Security Rule:

4.1 Administrative Safeguards

Security Management Process

  • Designated Security Officer responsible for HIPAA security compliance
  • Designated Privacy Officer responsible for HIPAA privacy compliance
  • Regular risk assessments identifying vulnerabilities and threats
  • Risk management policies to reduce identified risks
  • Sanction policy for workforce members who violate policies
  • Regular review and audit of security measures

Workforce Security

  • Background checks for all employees with access to PHI
  • Role-based authorization procedures
  • Termination procedures including immediate access revocation
  • Annual HIPAA training for all workforce members
  • Confidentiality agreements for all employees

Information Access Management

  • Access authorization policies and procedures
  • Principle of least privilege for system access
  • Regular access reviews and certification
  • Documented procedures for access establishment and modification

4.2 Physical Safeguards

Facility and Workstation Security

  • AWS Data Centers: Our infrastructure is hosted on Amazon Web Services, which maintains SOC 2 Type II, ISO 27001, and HIPAA compliance
  • Physical access controls including biometric authentication and 24/7 security
  • Environmental controls (fire suppression, climate control, backup power)
  • Workstation use policies for remote employees
  • Mobile device management for company devices
  • Secure disposal procedures for media containing PHI

4.3 Technical Safeguards

Access Controls

  • Unique user identification for all system users
  • Strong password requirements (minimum length, complexity, expiration)
  • Multi-factor authentication (MFA) support and recommendation
  • Automatic logoff after inactivity period
  • Role-based access control (RBAC) with configurable permissions
  • Emergency access procedures for break-glass scenarios

Audit Controls

  • Comprehensive audit logging of all system activity
  • Logging of all access to PHI including who, what, when, and from where
  • Tamper-evident audit logs that cannot be modified or deleted
  • Audit log retention for a minimum of 6 years (subject to system availability and backup integrity)
  • Regular audit log review and anomaly detection
  • Real-time alerting for suspicious activities

Encryption and Integrity

  • Data at Rest: AES-256 encryption for all stored data
  • Data in Transit: TLS 1.2+ encryption for all network communications
  • Database Encryption: Encrypted database storage with key management
  • Backup Encryption: All backups encrypted with separate keys
  • Integrity verification mechanisms to detect unauthorized modifications
  • Secure key management with regular key rotation

Transmission Security

  • HTTPS enforced for all web communications
  • Secure API endpoints with authentication
  • Certificate pinning in mobile applications
  • Secure messaging for in-app communications

5. Breach Notification

We maintain comprehensive breach detection, response, and notification procedures:

5.1 Breach Detection

  • 24/7 security monitoring and intrusion detection systems
  • Real-time alerting for potential security incidents
  • Automated anomaly detection and threat intelligence
  • Regular vulnerability scanning and penetration testing
  • Employee reporting mechanisms for suspected incidents

5.2 Incident Response

  • Documented incident response plan with defined roles and procedures
  • Incident response team with 24/7 availability
  • Containment, eradication, and recovery procedures
  • Root cause analysis and remediation
  • Post-incident review and improvements

5.3 Notification Procedures

Breach Notification Commitment:

  • We will notify affected Covered Entities of any breach of unsecured PHI without unreasonable delay, and in no case later than 60 days after discovery
  • Notification will include identification of affected individuals, description of the breach, types of information involved, and steps taken
  • We will cooperate with Covered Entities in their notification obligations to individuals and HHS
  • We maintain documentation of all breaches and notifications for 6 years (subject to system availability)

6. AI Features and PHI

Our platform includes artificial intelligence features that may process PHI. We maintain the following safeguards for AI-related processing:

6.1 AI Processing Safeguards

  • Secure Processing: All AI processing of PHI occurs within our secure, HIPAA-compliant infrastructure
  • Access Controls: AI features respect the same role-based access controls as other system features
  • Audit Logging: All AI interactions involving PHI are logged in our audit system
  • Data Minimization: AI models process only the minimum necessary PHI for the requested function
  • No External Sharing: PHI is not shared with external AI services without a BAA

6.2 AI Training Data

  • We do not use identifiable PHI to train AI models without explicit authorization
  • Any data used for model improvement is de-identified according to HIPAA Safe Harbor or Expert Determination methods
  • Customers can opt out of having their de-identified data used for model improvement

6.3 AI Limitations Disclosure

Important: AI-generated content, including reports, recommendations, and documentation, is provided as a tool to assist healthcare professionals. All AI outputs involving clinical information should be reviewed and verified by qualified personnel before use. AI features do not provide medical advice and should not replace professional clinical judgment.

6.4 Customer Responsibility for PHI in AI Features

CRITICAL HIPAA NOTICE - CUSTOMER LIABILITY FOR AI USAGE:

As a Covered Entity or Business Associate using our Services, you bear primary responsibility for ensuring appropriate use of AI features with Protected Health Information:

  • Minimum Necessary Standard: You are responsible for ensuring that your users only submit the minimum necessary PHI to AI features to accomplish the intended purpose. Submitting excessive or unnecessary PHI to AI systems is your organization's compliance responsibility, not AveeCare's.
  • Workforce Training: You MUST train your workforce (including caregivers, administrators, and staff) on the appropriate and inappropriate use of AI features with PHI. This training must address what types of queries and information submissions are acceptable under your HIPAA policies.
  • Policy Implementation: You are solely responsible for developing and implementing internal policies governing the use of AI features with PHI, including restrictions, approval processes, and monitoring procedures.
  • User Supervision: You must supervise and monitor your users' interactions with AI features to prevent inappropriate disclosure of PHI. Any unauthorized or inappropriate PHI submissions by your users are your organization's responsibility.
  • Risk Assessment: You must include AI feature usage in your organization's HIPAA risk assessment and determine whether additional safeguards are necessary for your specific use cases.

6.5 Required Patient and Workforce Notifications

As a condition of using AI features that process PHI, you agree to maintain the following notification practices:

  • Notice of Privacy Practices: Your Notice of Privacy Practices (NPP) must adequately disclose your use of AI-powered tools that process PHI, including the purposes for which AI is used and any associated risks.
  • Patient Notification: Patients whose PHI may be processed by AI features must be notified of this practice. This notification should explain that AI tools are used as part of your care management processes.
  • Caregiver and Staff Notification: All workforce members who use AI features or whose activities are documented through AI-assisted tools must be informed about: (a) the presence of AI features; (b) how AI processes information; (c) your organization's policies for appropriate AI use; and (d) consequences of policy violations.
  • Authorization When Required: If your use of AI features involves uses or disclosures of PHI that require patient authorization under HIPAA, you must obtain such authorization before processing.

Compliance Responsibility: AveeCare provides AI tools; YOU are responsible for using those tools in compliance with HIPAA. Failure to properly train workforce members, notify patients, or implement appropriate policies regarding AI usage may constitute a HIPAA violation for which your organization—not AveeCare—is responsible.

7. Location Data and Visit Verification

Our platform includes GPS-based visit tracking features that collect location data. This data is treated as PHI and protected accordingly:

  • Data Collection: Location data is collected with appropriate consent and disclosure
  • Minimum Necessary: Only necessary location data elements are collected
  • Secure Storage: Location data is stored using the same encryption and security controls as other PHI
  • Access Controls: Location data is subject to the same access controls as other PHI
  • Audit Trail: All location data access is logged for security and audit purposes

Customer Responsibility: While AveeCare provides tools that may assist with visit documentation and location tracking, customers are solely responsible for their own regulatory compliance, including but not limited to Electronic Visit Verification (EVV) requirements under the 21st Century Cures Act, state Medicaid agency requirements, and any other applicable regulations. AveeCare does not guarantee compliance with any regulatory requirements and shall not be liable for any audit failures, penalties, or regulatory actions arising from customer use of our Services.

8. Subcontractors and Third Parties

We carefully vet all subcontractors who may have access to PHI:

  • BAA Requirements: All subcontractors who create, receive, maintain, or transmit PHI sign a Business Associate Agreement
  • Security Assessment: Subcontractors undergo security assessment before engagement
  • Ongoing Monitoring: We monitor subcontractor compliance and security practices
  • Limited Access: Subcontractors receive only the minimum necessary access for their function

Key Subcontractors

  • Amazon Web Services (AWS): Cloud infrastructure provider with HIPAA BAA
  • Payment Processors: PCI-DSS compliant processors (do not have access to PHI)

9. Risk Assessment and Management

We conduct regular risk assessments as required by the HIPAA Security Rule:

  • Annual Risk Assessment: Comprehensive assessment of threats, vulnerabilities, and risks to PHI
  • Continuous Monitoring: Ongoing assessment of security posture and emerging threats
  • Penetration Testing: Annual third-party penetration testing of our systems
  • Vulnerability Scanning: Regular automated scanning of infrastructure and applications
  • Risk Mitigation: Documented risk management plans with prioritized remediation
  • Board Reporting: Regular security and compliance reporting to leadership

10. Training and Awareness

All AveeCare workforce members receive comprehensive training:

  • Initial Training: HIPAA privacy and security training during onboarding
  • Annual Refresher: Mandatory annual training on HIPAA requirements and company policies
  • Role-Specific Training: Additional training for roles with elevated access or responsibilities
  • Security Awareness: Ongoing security awareness including phishing simulations
  • Policy Updates: Training on policy changes and new requirements
  • Documentation: Training completion records maintained for 6 years (subject to system availability)

11. Customer Responsibilities

While AveeCare maintains robust security and compliance measures, our customers (Covered Entities) also have important responsibilities:

  • Execute BAA: Ensure a Business Associate Agreement is in place before inputting PHI
  • User Management: Properly configure user access and promptly remove terminated users
  • Training: Train your workforce on proper use of the platform and handling of PHI
  • Strong Authentication: Enable and require MFA for your users
  • Incident Reporting: Promptly report any suspected security incidents
  • Compliance: Maintain your own HIPAA compliance program
  • Patient Rights: Fulfill patient requests for access, amendment, and accounting of disclosures
  • Consent: Obtain appropriate patient consents and authorizations

12. Certifications and Attestations

Our compliance program includes the following certifications and attestations:

Infrastructure (AWS)

  • SOC 2 Type II
  • ISO 27001
  • HIPAA Eligible
  • FedRAMP

AveeCare Platform

  • Annual HIPAA Risk Assessment
  • Annual Penetration Testing
  • Business Associate Agreements
  • Documented Policies and Procedures

13. Contact Information

For questions about our HIPAA compliance program or to report a security concern:

AveeCare LLC

Privacy Officer / Security Officer

Phoenix, Arizona, United States

HIPAA Compliance: compliance@aveecare.com

Security Incidents: security@aveecare.com

Legal: legal@aveecare.com

Report Security Incidents: If you believe there has been unauthorized access to PHI or a security incident, please report it immediately to security@aveecare.com or call our security hotline. Prompt reporting helps us respond quickly and minimize any potential impact.

14. Related Documents

Please also review our other legal documents: