CareTraceAI, Inc., HIPAA Compliance Statement.
1. About this page
This page describes how CareTraceAI, Inc. (“CareTraceAI”) handles Protected Health Information (“PHI”) in its role as a Business Associate under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HIPAA/HITECH”), and the regulations promulgated at 45 CFR Parts 160 and 164 (the “HIPAA Rules”).
This page is informational. It is not a contract, a warranty, a representation, or a substitute for an executed Business Associate Agreement (“BAA”). CareTraceAI’s obligations with respect to PHI are governed exclusively by the executed BAA and the Terms of Service between CareTraceAI and the applicable covered entity. In the event of any conflict between this page and the BAA or the Terms of Service, the BAA or Terms of Service controls. Nothing on this page constitutes legal, compliance, or clinical advice; covered entities should consult their own counsel and compliance officers.
The controls, commitments, and practices described herein reflect CareTraceAI’s current HIPAA posture and may evolve. CareTraceAI may update this page at any time; the effective date above reflects the most recent revision.
Personal information that is not PHI is addressed in the CareTraceAI Privacy Policy, including rights under the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 et seq.).
2. Our role as a Business Associate
CareTraceAI is a Business Associate as defined at 45 CFR § 160.103: a person or entity that, on behalf of a covered entity, creates, receives, maintains, or transmits PHI in connection with a function or activity regulated by the HIPAA Rules. Where CareTraceAI engages a downstream cloud or infrastructure provider to process PHI on its behalf, that provider is a subcontractor Business Associate as defined in the same section and at 45 CFR § 164.502(e)(1)(ii).
CareTraceAI is not a covered entity. CareTraceAI does not deliver health care, issue prescriptions, render diagnoses, or provide clinical judgment. CareTraceAI does not have, and does not assert, any direct treatment relationship with any patient or resident. CareTraceAI’s relationship is with the healthcare facility operating as a covered entity, typically a Skilled Nursing Facility (“SNF”) subject to 42 CFR Part 483 or a Residential Care Facility for the Elderly (“RCFE”) subject to California Title 22 Division 6 Chapter 8, and with that facility’s authorized workforce members who use the Service to document the care they deliver.
The CareTraceAI Service is an AI-assisted documentation tool. It does not diagnose, treat, recommend treatment, or render clinical advice. All documentation generated by the Service must be reviewed, corrected, and signed by the licensed clinician who delivered the underlying care before it is entered into the medical record. Outputs are generated from predictive statistical models and may contain errors, omissions, or misinterpretations; the signing clinician remains the authoritative source of the record.
3. What this page is not
This page is not any of the following, and nothing in it should be read as any of the following:
- It is not a Notice of Privacy Practices. A Notice of Privacy Practices (“NPP”) is a covered-entity obligation under 45 CFR § 164.520. Residents, patients, family members, and authorized representatives receive their NPP from the SNF or RCFE operating as the covered entity, not from CareTraceAI. CareTraceAI does not issue, and has no obligation under the HIPAA Rules to issue, a Notice of Privacy Practices.
- It is not a Resident Bill of Rights or Patient Bill of Rights. Resident rights in skilled nursing facilities are codified at 42 CFR § 483.10; personal rights for residents of California Residential Care Facilities for the Elderly are codified at 22 CCR §§ 87468, 87468.1, and 87468.2. These obligations run from the facility operator to the resident. CareTraceAI does not issue or assume those obligations; residents receive their rights disclosures from the facility in which they reside.
- It is not a HIPAA certification. HIPAA does not establish a certification program for covered entities, Business Associates, or software vendors. No regulator issues a “HIPAA-certified” credential to a software product or cloud service. Any vendor claim to the contrary, by CareTraceAI or any other party, should be read with that limit in mind. CareTraceAI describes its safeguards in terms of the specific implementation specifications at 45 CFR §§ 164.308, 164.310, and 164.312 and applies the flexibility of approach permitted by 45 CFR § 164.306(b).
- It is not clinical, legal, or compliance advice. Readers should consult their own counsel, compliance officers, and licensed clinicians.
4. Business Associate Agreement
CareTraceAI will not process PHI on behalf of any organization until a BAA has been executed. The BAA, not this page, governs CareTraceAI’s permitted uses and disclosures of PHI, its safeguarding obligations, its breach-reporting duties, its subcontractor-flow-down obligations, and the return or destruction of PHI at termination. The BAA is drafted to include each of the provisions required by 45 CFR § 164.504(e)(2)(ii)(A)–(J) and the organizational requirements at 45 CFR § 164.314(a).
Facility administrators, directors of nursing, compliance officers, and counsel may request the current CareTraceAI BAA by writing to security@caretrace.ai with the subject line “BAA request.” CareTraceAI targets a response within three (3) business days. This target is informational and does not create a contractual commitment.
5. Administrative, Physical, and Technical Safeguards
CareTraceAI implements administrative, physical, and technical safeguards that it considers reasonable and appropriate to protect the confidentiality, integrity, and availability of PHI, applying the flexibility of approach permitted by 45 CFR § 164.306(b) and aligned with the specific implementation specifications at 45 CFR §§ 164.308, 164.310, 164.312, and 164.316. The safeguards described below reflect CareTraceAI’s current production posture and are reviewed and updated on a recurring basis.
5.1 Administrative safeguards, 45 CFR § 164.308
CareTraceAI maintains a written security management program governing how PHI is handled throughout its lifecycle. The program includes periodic risk analyses and remediation workstreams that identify, assess, and reduce reasonably anticipated threats and vulnerabilities to the confidentiality, integrity, and availability of PHI (§§ 164.308(a)(1)(ii)(A)–(B)). CareTraceAI designates a Security Official who is accountable for the development, implementation, and enforcement of these policies and procedures (§ 164.308(a)(2)); inquiries for the Security Official may be directed to security@caretrace.ai.
Workforce access is provisioned according to role and scope of duties. Access authorization, establishment, and modification follow written procedures (§ 164.308(a)(4)(ii)(B)–(C)); access is revoked promptly upon separation or role change pursuant to workforce-security procedures (§ 164.308(a)(3)(ii)(C)). All workforce members with access to PHI complete HIPAA privacy and security training before they are granted access to the Service and on an annual basis thereafter, with documentation retained for six years from the date of creation or the date when last in effect, whichever is later (§ 164.316(b)(2)(i)).
CareTraceAI maintains written security-incident response procedures to identify, respond to, mitigate, and document Security Incidents and Breaches of Unsecured PHI (§ 164.308(a)(6); § 164.410). CareTraceAI maintains contingency procedures for data backup, disaster recovery, and emergency-mode operations to support continued availability of PHI during adverse events (§§ 164.308(a)(7)(ii)(A)–(E)). CareTraceAI performs periodic technical and non-technical evaluations of its security controls (§ 164.308(a)(8)).
CareTraceAI enters into a BAA with every covered entity before receiving PHI, and with every subcontractor that creates, receives, maintains, or transmits PHI on CareTraceAI’s behalf (§ 164.308(b); § 164.314(a); § 164.502(e)(1)(ii)).
5.2 Physical safeguards, 45 CFR § 164.310
CareTraceAI does not operate its own data-center facilities. All PHI processing occurs within the HIPAA-enabled environments of CareTraceAI’s infrastructure sub-processors, Amazon Web Services, Neon, Fly.io, and AssemblyAI, each of which is bound by a signed BAA. Facility access controls, workstation environmental protections, and physical media disposal (§§ 164.310(a)–(d)) for the underlying infrastructure are inherited from these sub-processors’ United States data-center operations, which are described in each provider’s independently attested compliance program. CareTraceAI workforce members access PHI only from company-managed endpoints subject to CareTraceAI’s workforce-security and acceptable-use policies, which govern workstation use and workstation security (§§ 164.310(b)–(c)).
5.3 Technical safeguards, 45 CFR § 164.312
Every user of the Service is issued a unique identifier and is required to authenticate using multi-factor authentication (§§ 164.312(a)(2)(i), 164.312(d)). Access to PHI is restricted by role-based access controls; database-enforced row-level security policies are designed to prevent cross-facility data access at the storage layer (§ 164.312(a)(1)). User sessions expire after a defined period of inactivity and require re-authentication, implemented as CareTraceAI’s chosen addressable specification under § 164.312(a)(2)(iii). CareTraceAI maintains written emergency-access procedures (Required, § 164.312(a)(2)(ii)) so that necessary ePHI can be obtained during system incidents.
PHI is encrypted at rest using AES-256 and in transit using TLS 1.3 or higher, implemented as CareTraceAI’s chosen addressable implementation under §§ 164.312(a)(2)(iv) and 164.312(e)(2)(ii). Every access, creation, modification, and deletion of PHI is written to an application-enforced append-only audit log with integrity controls designed to detect unauthorized modification; audit logs are retained for a minimum of six (6) years from the date of creation or the date when last in effect, whichever is later (§ 164.312(b); § 164.316(b)(2)(i)). Application logs and diagnostic telemetry are scrubbed to prevent inadvertent PHI exposure in error-reporting and performance data. Cryptographic keys are managed and rotated in accordance with written key-management procedures.
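The paragraph above describes an application-enforced, append-only audit log with integrity controls that detect unauthorized modification. The following Python is an added illustration of one common way to build such a control (a keyed hash chain over audit entries); it is not CareTraceAI's code, and the entry fields, the key name DEMO_INTEGRITY_KEY, and the sample entries are constructed for the example. Entries record only opaque record identifiers, never PHI content, so the log itself does not become a second copy of the record.

```python
"""Hash-chained, append-only audit log with tamper detection (added example, not CareTraceAI's code)."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from typing import List, Optional

# Constructed demo key. In a real deployment this would be a KMS-managed secret
# that the application role writing entries cannot read back.
DEMO_INTEGRITY_KEY = b"demo-only-audit-integrity-key"


@dataclass(frozen=True)
class AuditEntry:
    seq: int            # position in the chain, starting at 0
    timestamp: str      # ISO-8601, supplied by the caller
    actor: str          # unique user identifier (never a patient identifier)
    facility_id: str    # tenant scope of the access
    action: str         # CREATE / READ / UPDATE / DELETE
    resource: str       # opaque record id, never record content
    prev_mac: str       # MAC of the previous entry, "" for the first entry
    mac: str = ""       # MAC over this entry's canonical form


def _canonical(entry: AuditEntry) -> bytes:
    """Deterministic serialization of everything except the MAC itself."""
    body = asdict(entry)
    body.pop("mac")
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _compute_mac(entry: AuditEntry, key: bytes) -> str:
    return hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only in-memory log: append() is the only public mutation."""

    def __init__(self, key: bytes = DEMO_INTEGRITY_KEY) -> None:
        self._key = key
        self._entries: List[AuditEntry] = []

    def append(self, timestamp: str, actor: str, facility_id: str,
               action: str, resource: str) -> AuditEntry:
        prev_mac = self._entries[-1].mac if self._entries else ""
        entry = AuditEntry(seq=len(self._entries), timestamp=timestamp, actor=actor,
                           facility_id=facility_id, action=action, resource=resource,
                           prev_mac=prev_mac)
        entry = replace(entry, mac=_compute_mac(entry, self._key))
        self._entries.append(entry)
        return entry

    def entries(self) -> List[AuditEntry]:
        return list(self._entries)


def verify_chain(entries: List[AuditEntry], key: bytes) -> Optional[int]:
    """Return the index of the first entry that fails verification, or None if intact.

    Detects in-place edits (MAC mismatch), reordering and interior deletion
    (sequence or prev_mac mismatch). It cannot by itself detect removal of the
    newest entries; see the usage note.
    """
    prev_mac = ""
    for i, entry in enumerate(entries):
        if entry.seq != i or entry.prev_mac != prev_mac:
            return i
        if not hmac.compare_digest(_compute_mac(entry, key), entry.mac):
            return i
        prev_mac = entry.mac
    return None


def build_sample_log() -> AuditLog:
    """Constructed sample entries for the demonstration."""
    log = AuditLog()
    log.append("2024-01-01T09:00:00Z", "user-17", "fac-001", "CREATE", "note-9001")
    log.append("2024-01-01T09:05:00Z", "user-17", "fac-001", "UPDATE", "note-9001")
    log.append("2024-01-01T09:30:00Z", "user-22", "fac-001", "READ", "note-9001")
    return log


def demo() -> tuple:
    """Verify an intact chain, then an edited copy, then a copy with an interior entry removed."""
    log = build_sample_log()
    intact = verify_chain(log.entries(), DEMO_INTEGRITY_KEY)

    edited = log.entries()
    edited[1] = replace(edited[1], actor="user-99")   # rewrite who performed the update
    modified_at = verify_chain(edited, DEMO_INTEGRITY_KEY)

    shortened = log.entries()
    del shortened[1]                                   # drop the UPDATE record entirely
    removed_at = verify_chain(shortened, DEMO_INTEGRITY_KEY)
    return intact, modified_at, removed_at


if __name__ == "__main__":
    print(demo())
```

The chain catches edits, reordering and deletion of interior entries, but a log truncated at its tail still verifies; the usual mitigation is to periodically anchor the newest MAC in a separate store (or a write-once object) and compare against it during review. The integrity key must be held outside the application role that appends entries; otherwise a compromised writer could recompute the chain.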
6. Sub-processors and subcontractor Business Associates
CareTraceAI enters into a written BAA with every subcontractor that creates, receives, maintains, or transmits PHI on CareTraceAI’s behalf, as required by 45 CFR § 164.502(e)(1)(ii) and § 164.314(a)(2)(iii). Each such agreement obligates the subcontractor to comply with the applicable provisions of the HIPAA Security Rule, to report Security Incidents and Breaches of Unsecured PHI to CareTraceAI, and to impose equivalent flow-down obligations on any downstream subcontractor that handles PHI.
As of the effective date above, CareTraceAI uses the following sub-processors for PHI processing:
- AssemblyAI, speech-to-text transcription of audio recordings using a medical-vocabulary configuration, processed in United States regions. BAA executed. AssemblyAI does not use CareTraceAI customer audio to train its foundation models.
- Amazon Web Services (AWS Bedrock), large-language-model processing of transcribed text (not audio) for clinical-note structuring. BAA executed. Data submitted through the AWS Bedrock API is not used by AWS to train foundation models.
- Amazon Web Services (AWS Cognito), identity and authentication (user pools, session tokens, multi-factor authentication) in a United States region. BAA executed.
- Amazon Web Services (AWS S3), object storage for audio recordings in a United States region. BAA executed. Objects are encrypted at rest using AWS KMS-managed keys.
- Amazon Web Services (AWS KMS), managed cryptographic keys used to encrypt PHI at rest. BAA executed.
- Neon, managed PostgreSQL database hosted on AWS infrastructure in a United States region. BAA executed.
- Fly.io, compute hosting for the CareTraceAI application programming interface and associated backend workloads in United States regions. BAA executed on a HIPAA-enabled workspace.
The data flow for a recording is: the CareTraceAI mobile application uploads the audio file directly to AWS S3 using a short-lived presigned URL; the CareTraceAI backend (running on Fly.io) fetches the audio from S3 and submits it to AssemblyAI for transcription under executed BAA; AssemblyAI returns a transcript; the backend then sends the transcript (not the audio) to AWS Bedrock for clinical-note structuring under executed BAA. Structured notes are written to the Neon database; audit records are written to an append-only audit store.
CareTraceAI also uses Sentry for application-error telemetry. Sentry is not a Business Associate; event payloads are passed through an automated PHI-scrubbing function before transmission, and Sentry receives only scrubbed diagnostic signals, not PHI.
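The paragraph above states that error-telemetry payloads pass through an automated PHI-scrubbing function before they reach a provider that is not a Business Associate. The following Python is an added illustration of how such a scrubber can be structured; it is not CareTraceAI's scrubber, and the allowlisted key names, the regular expressions and the sample event are constructed for the example. The design point it shows is that the primary control is a structural allowlist (only known-diagnostic fields survive; request bodies, local variables and user context are dropped wholesale), with pattern-based redaction of the few free-text fields as defense in depth rather than as the main safeguard.

```python
"""Allowlist-based telemetry scrubber for error events (added example, not CareTraceAI's code)."""
import re
from typing import Any, Dict

# Keys whose values are diagnostic structure and are kept (recursively for containers).
SAFE_KEYS = {
    "event_id", "timestamp", "level", "logger", "release", "environment", "platform",
    "exception", "values", "type", "module", "stacktrace", "frames",
    "filename", "function", "lineno",
}
# Free-text keys that are kept only after pattern-based redaction.
TEXT_KEYS = {"message", "value", "formatted"}

# Constructed patterns for common direct identifiers; order matters only where patterns overlap.
PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[ssn]"),
    (re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"), "[phone]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[date]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[email]"),
    (re.compile(r"\bMRN\W*[\w-]+", re.IGNORECASE), "[mrn]"),
]

REMOVED = "[removed]"


def redact_text(text: str) -> str:
    """Replace identifier-like substrings in free text."""
    for pattern, label in PATTERNS:
        text = pattern.sub(label, text)
    return text


def scrub(obj: Any) -> Any:
    """Keep allowlisted structure, redact free text, replace everything else."""
    if isinstance(obj, dict):
        out: Dict[str, Any] = {}
        for key, value in obj.items():
            if key in SAFE_KEYS:
                out[key] = scrub(value)
            elif key in TEXT_KEYS and isinstance(value, str):
                out[key] = redact_text(value)
            else:
                out[key] = REMOVED          # request bodies, locals, user, extra, breadcrumbs, ...
        return out
    if isinstance(obj, list):
        return [scrub(item) for item in obj]
    return obj                              # scalar under an allowlisted key


def scrub_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Entry point a before-send hook would call on an error event."""
    return scrub(event)


# Constructed sample event shaped like a generic error-tracker payload. Every
# identifier in it is fictitious.
SAMPLE_EVENT = {
    "event_id": "demo-0001",
    "level": "error",
    "logger": "notes.structuring",
    "message": "Failed to structure note for MRN 4471-22 (dob 03/14/1942), contact 555-123-4567",
    "exception": {
        "values": [{
            "type": "ValueError",
            "value": "resident John Doe: transcript too short",
            "stacktrace": {"frames": [{
                "filename": "notes/structure.py",
                "function": "build_note",
                "lineno": 88,
                "vars": {"transcript": "resident reports pain in left knee since Tuesday"},
            }]},
        }],
    },
    "request": {"data": {"transcript": "resident reports pain in left knee since Tuesday"}},
    "user": {"id": "user-17", "email": "nurse@example.test"},
    "extra": {"facility_id": "fac-001"},
}


if __name__ == "__main__":
    import json
    print(json.dumps(scrub_event(SAMPLE_EVENT), indent=2))
```

Run against the sample, the scrubber drops the request body, frame locals, user context and extras outright, and reduces the message to "Failed to structure note for [mrn] (dob [date]), contact [phone]". Note what it does not catch: the name in the exception value survives, because names are not reliably matchable by pattern. That is the reason the allowlist, not the regex list, carries the control, and the reason exception messages in a PHI-handling service should use fixed templates rather than interpolating record content.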
CareTraceAI will provide subscribing facilities with advance notice of at least thirty (30) days where practicable, and otherwise as soon as reasonably practicable, of any material change to the sub-processors that process PHI, so that each facility has an opportunity to object under its BAA.
The authoritative and continuously maintained source for CareTraceAI’s sub-processor list is Section 4 of the CareTraceAI Privacy Policy. In the event of any inconsistency between this page and the Privacy Policy with respect to sub-processors, the Privacy Policy controls.
7. Data residency and AI training use
All PHI processed by CareTraceAI is stored and processed in the United States. The managed PostgreSQL database is hosted by Neon on AWS infrastructure in a United States region; audio object storage, identity, key management, and large-language-model processing run on AWS services in United States regions under executed BAA; application compute runs on Fly.io in United States regions; and audio transcription runs on AssemblyAI in United States regions under executed BAA.
CareTraceAI does not use PHI to train, fine-tune, or improve any artificial-intelligence model. Per AWS’s Bedrock Service Terms, customer content submitted to the AWS Bedrock API is not used by AWS to train its foundation models; per AssemblyAI’s BAA and data-use terms in effect, CareTraceAI customer audio submitted to AssemblyAI is not used by AssemblyAI to train its foundation models. CareTraceAI relies on those representations and its executed BAAs. Any future use of data for model improvement will occur only (i) after de-identification in accordance with 45 CFR § 164.514(b), or (ii) pursuant to a valid individual authorization under 45 CFR § 164.508 obtained by the covered entity, and in each case as expressly permitted by the executed BAA.
8. Minimum Necessary and retention
Consistent with 45 CFR § 164.502(b) and the minimum-necessary standard, CareTraceAI limits its uses and disclosures of PHI to the amount reasonably necessary to provide the Service. Retention periods are set to the minimum reasonably required for the Service’s operation, subject to overriding obligations in the BAA:
- Audio recordings: retained for up to ninety (90) calendar days to permit quality verification and re-processing, then permanently deleted.
- Structured clinical notes: retained for the duration of the service agreement plus three (3) additional years, consistent with California Title 22 RCFE record-retention requirements (22 CCR § 87506(b)); SNF retention periods under 22 CCR § 72543 may be longer and are set in the BAA.
- Account data: deleted within thirty (30) days of account deletion; backups containing account data follow a ninety (90) day post-deletion retention window before secure destruction. Facility-level data follows the retention described in Section 5 of the Privacy Policy.
- Written policies, procedures, and required security-rule documentation: retained for a minimum of six (6) years from the date of creation or the date when last in effect, whichever is later (45 CFR § 164.316(b)(2)(i)).
These retention defaults are operational choices. They are not minima required by the HIPAA Rules and may be adjusted in the BAA to meet a covered entity’s specific retention obligations.
9. Breach notification
CareTraceAI follows the Business Associate breach-notification obligations set out in 45 CFR § 164.410. Upon discovery of a Breach of Unsecured PHI as those terms are defined in 45 CFR § 164.402, CareTraceAI will notify each affected covered entity without unreasonable delay and in no case later than sixty (60) calendar days after discovery, consistent with § 164.410(b).
A Breach is treated as discovered by CareTraceAI on the first day on which the Breach is known to CareTraceAI, or, by exercising reasonable diligence, would have been known to any employee, officer, or agent of CareTraceAI, other than the individual committing the Breach (§ 164.410(a)(2)).
To the extent then known, and supplemented as the investigation develops, CareTraceAI will provide the covered entity with the information required by § 164.410(c), which includes (i) the identification of each individual whose Unsecured PHI was, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach, and (ii) any other information the covered entity is required to include in its notification to individuals under § 164.404(c) that is then available to CareTraceAI.
CareTraceAI will cooperate in good faith with each affected covered entity’s own notification duties under 45 CFR §§ 164.404 and 164.406. Notice is delivered to the facility’s designated HIPAA contact by email and, where appropriate, by written correspondence to the facility administrator. Suspected Breaches should be reported to security@caretrace.ai.
10. Security incidents
CareTraceAI maintains a separate process for reporting Security Incidents, as that term is defined in 45 CFR § 164.304 and as a Business Associate is required to report them under § 164.314(a)(2)(i)(C). A Security Incident is an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system.
The large majority of Security Incidents are routine and unsuccessful, for example, network pings, port scans, blocked authentication attempts, or denied access to protected resources. CareTraceAI handles these in aggregate through its monitoring, logging, and alerting systems; they are not individually reported to covered entities. Security Incidents that are successful, that involve PHI, or that are reasonably likely to have involved PHI are escalated, investigated, and, where they meet the statutory threshold of a Breach of Unsecured PHI at § 164.402, reported under the Breach Notification section above.
Questions or reports related to Security Incidents may be directed to security@caretrace.ai.
11. Certifications
As of the effective date of this page, CareTraceAI is pre-pilot and does not currently hold a SOC 2 Type 1 or Type 2 report, a HITRUST CSF certification, or an ISO/IEC 27001 certification. As noted in Section 3, no regulator issues a HIPAA certification to software vendors; any certification statement CareTraceAI makes in the future will specify the framework, the scope, the period covered, the auditor, and the product surface subject to the report.
CareTraceAI’s current roadmap contemplates pursuing a SOC 2 Type 1 engagement prior to general availability, with a Type 2 report following in ordinary course. CareTraceAI will not claim a certification it does not hold and will not imply a certification that is not yet issued. Facilities evaluating CareTraceAI during the pilot period are welcome to request a written description of CareTraceAI’s security controls at security@caretrace.ai.
12. Shared responsibility
HIPAA compliance is a shared responsibility between CareTraceAI, its sub-processors, and each covered-entity facility that uses the Service. CareTraceAI is responsible for the safeguards and commitments described on this page with respect to the Service as CareTraceAI operates it. Each subscribing facility remains responsible for: configuring CareTraceAI consistent with its own HIPAA obligations; provisioning, supervising, and de-provisioning its workforce’s access; obtaining any patient or resident authorizations or consents required by the facility’s own Notice of Privacy Practices and by state law; issuing its Notice of Privacy Practices and Resident Bill of Rights; implementing its own administrative, physical, and technical safeguards at the facility; and fulfilling its direct breach-notification duties to individuals, the Secretary of Health and Human Services, and, where applicable, the media (45 CFR §§ 164.404, 164.406, 164.408). CareTraceAI does not assume or replace any of these facility obligations.
CareTraceAI also handles “medical information” as defined by the California Confidentiality of Medical Information Act (Cal. Civ. Code §§ 56 et seq.) (“CMIA”) and maintains its safeguards to meet CMIA’s requirements applicable to businesses that offer software or hardware to providers of health care (Cal. Civ. Code § 56.06). Nothing on this page waives or modifies any CMIA-specific obligation, right, or defense. California statutory damages and civil remedies for unauthorized disclosure of medical information are set out at Cal. Civ. Code § 56.36.
13. Governing law, jurisdiction, and order of precedence
CareTraceAI is a Delaware corporation with principal operations in California. Questions of governing law, jurisdiction, venue, limitation of liability, indemnification, and dispute resolution relating to the Service are addressed in the CareTraceAI Terms of Service and the BAA, and are not modified by this page. Governing law for the Terms of Service is the State of California, with venue in Los Angeles County.
In the event of any conflict among (a) this page, (b) the CareTraceAI Privacy Policy, (c) the CareTraceAI Terms of Service, and (d) an executed BAA between CareTraceAI and a covered entity, the following order of precedence applies with respect to the treatment of PHI: BAA first, Terms of Service second, Privacy Policy third, this page last.
14. Changes to this page
CareTraceAI may update this page from time to time to reflect changes in its controls, its sub-processors, applicable law, or its certification posture. Material changes affecting the treatment of PHI will be communicated to facility administrators in accordance with the BAA, and in any event at least thirty (30) days in advance where practicable. The effective date at the top of this page reflects the most recent revision.
15. Contact
The CareTraceAI Compliance Team can be reached as follows:
- Security, incidents, and BAA requests: security@caretrace.ai
- Privacy requests and data-subject rights: privacy@caretrace.ai
- Legal inquiries: legal@caretrace.ai
- General support: support@caretrace.ai
Regulatory citations
This page cites, and was drafted in alignment with, the following authorities:
- 45 CFR § 160.103, Definitions (Business Associate; subcontractor)
- 45 CFR § 164.304, Definitions (Security Incident)
- 45 CFR § 164.306(a)–(b), Security standards; flexibility of approach
- 45 CFR § 164.308, Administrative safeguards
- 45 CFR § 164.310, Physical safeguards
- 45 CFR § 164.312, Technical safeguards
- 45 CFR § 164.314(a), Organizational requirements; BA contracts
- 45 CFR § 164.316, Policies, procedures, and documentation requirements
- 45 CFR § 164.402, Definitions (Breach; Unsecured PHI)
- 45 CFR § 164.404, Notification to individuals (covered-entity duty)
- 45 CFR § 164.406, Notification to the media (covered-entity duty)
- 45 CFR § 164.408, Notification to the Secretary (covered-entity duty)
- 45 CFR § 164.410, Notification by a Business Associate
- 45 CFR § 164.502(b), Minimum necessary
- 45 CFR § 164.502(e), Disclosures to Business Associates; subcontractors
- 45 CFR § 164.504(e), Business Associate contracts
- 45 CFR § 164.520, Notice of Privacy Practices (covered-entity duty; not applicable to CareTraceAI)
- 42 CFR § 483.10, Resident rights in skilled nursing facilities
- 22 CCR §§ 87468, 87468.1, 87468.2, Personal rights of California RCFE residents