Legal

Audit and Reporting

Last updated: May 27, 2026. The audit logging, reporting, and Customer audit rights available on the CareWave platform.

This page describes the audit logging, reporting capabilities, and audit rights that WAVE TECHNOLOGIES LLC (the "Company") makes available through the CareWave platform (the "Service"). The artifacts described below are intended to support Customer's internal compliance program, payer audit responses, and regulator inquiries. They do not substitute for Customer's own record-keeping obligations under HIPAA, state home-care licensure rules, or other applicable law.

1. Audit Logging

The Service maintains audit logs of, at a minimum:

  • authentication events (successful logins, failed logins, multi-factor challenges, password and PIN changes);
  • access to records that may contain PHI, by user, timestamp, and record identifier;
  • administrative actions, including user provisioning, role changes, permission grants, and Account configuration changes;
  • shift-lifecycle events, including clock-in and clock-out with timestamp and location;
  • messaging events, including thread creation and message delivery;
  • document upload, view, replacement, and deletion events; and
  • administrative or support actions performed by the Company's workforce on the Customer's Account.

Audit logs are written to append-only, tamper-evident storage that is segregated from primary application storage, and are retained for at least the six years that 45 CFR 164.316(b)(2) requires for Security Rule documentation. The specific retention period is stated in the executed Business Associate Agreement and can be extended for enterprise Customers by Order Form request.

2. Customer Access to Audit Logs

Customer administrators may export audit logs through the Service's reporting interface for the rolling retention window applicable to their plan. For older records, Customer may request an export by writing to hello@carewave.us with the date range and event categories required. The Company will provide the export in a machine-readable format, normally within ten (10) business days of receiving a complete request.

3. Standard Reports

The Service generates standard reports that Customer may use for internal management and external compliance, including:

  • shift schedules, completed shifts, and missed-shift reports;
  • billable-hour and payroll-hour summaries (the Service is not a payroll system; Customer is responsible for pay calculations);
  • EVV-aligned exports describing visit data per state requirements;
  • credential expiration and training-hour reports;
  • clinical or service-documentation reports, including sanitization and quality-assurance review reports where applicable;
  • incident reports submitted through the Service; and
  • communication summaries.

4. Periodic Internal Reviews

The Company performs periodic internal security and operational reviews to evaluate the effectiveness of its safeguards, identify deficiencies, and track remediation. The Company will, on request and subject to non-disclosure, provide a summary attestation of its most recent internal review, including the in-scope systems, the categories of controls reviewed, and the status of any open remediation items.

5. Customer-Initiated Audits

For enterprise Customers that have executed an Order Form providing for audit rights, the Company will accept reasonable audit requests subject to the following conditions:

  • the Customer provides at least thirty (30) days' prior written notice;
  • the audit is conducted during normal business hours and in a manner that does not unreasonably interfere with the Company's operations;
  • the audit is conducted no more frequently than once per calendar year, unless required by law, regulator, or in response to a confirmed material Breach involving Customer's PHI;
  • the audit is conducted at the Customer's expense and is subject to a written non-disclosure agreement between the parties;
  • the audit is limited to systems, controls, and records relevant to the Service provided to Customer and to the Company's obligations under the BAA; and
  • the audit excludes the Company's privileged or attorney-client communications, multi-tenant data attributable to other Customers, and trade secrets unrelated to the Customer's use of the Service.

In lieu of on-site audits, the Company will respond to industry-standard security questionnaires (for example, Shared Assessments SIG, CSA CAIQ, or HECVAT) within a reasonable period.

6. Regulator Cooperation

The Company will cooperate in good faith with inquiries from the U.S. Department of Health and Human Services (including its Office for Civil Rights), state attorneys general, state home-care licensure boards, and other regulators with authority over the Service or over Customer's operations. Where the law permits, the Company will notify the affected Customer before responding to a regulator inquiry directed at the Customer's data.

7. Breach Reporting

The Company's Breach and Security Incident reporting obligations are described in detail on the HIPAA Compliance page and in the executed BAA. In summary, the Company will notify the affected Customer of a Breach of unsecured PHI without unreasonable delay and in no case later than sixty (60) calendar days after discovery, as 45 CFR 164.410 requires of a business associate. Customer is responsible for notifying affected individuals, the media where applicable, and the Secretary of HHS under 45 CFR 164.404, 164.406, and 164.408, and for any notifications required by applicable state law, with the Company's reasonable cooperation.

8. Subprocessor Reviews

The Company performs risk-based reviews of Subprocessors that handle Customer data prior to engagement and at least annually thereafter. Where a Subprocessor handles PHI, the Company will execute a written agreement containing the required Business Associate provisions. The current Subprocessor list, including the category of service and the jurisdictions in which each Subprocessor operates, is available to Customer on request under non-disclosure.

9. Records Retention

The Company retains records as follows:

  • HIPAA-Governed Records. Policies, procedures, training records, risk analyses, and other records required by the HIPAA Security Rule are retained for at least six (6) years from the date of creation or the date when last in effect, whichever is later, consistent with 45 CFR 164.316(b)(2).
  • Application Data. Customer Content is retained per the executed BAA and Order Form. Default retention windows are described in the Privacy Policy; enterprise Customers may agree to longer or shorter retention in an Order Form.
  • Audit Logs. Audit logs are retained for at least six (6) years, with longer retention available on Order Form request.
  • Financial Records. Records relating to Subscription Fees, invoices, and payment history are retained for the period required by applicable tax and financial-reporting law.

On termination of the underlying services relationship, the Company will return or destroy Customer Content in accordance with the executed BAA and the Terms of Service.

Contact Us

To request an audit-log export, a security questionnaire response, or a summary attestation of the Company's internal compliance reviews, contact us by email at hello@carewave.us.