HIPAA Compliance

Last updated: May 27, 2026. An overview of the safeguards CareWave applies to protected health information, and the responsibilities each party carries.

This page describes the program WAVE TECHNOLOGIES LLC (the "Company") maintains to protect Protected Health Information ("PHI") that Customer transmits, receives, creates, or maintains through the CareWave platform (the "Service"). It is informational only. The parties' binding obligations with respect to PHI are set forth in an executed Business Associate Agreement ("BAA"). Capitalized terms used but not defined here have the meanings given in the BAA or in the Terms of Service.

The Company has designed its program in alignment with the requirements of the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, "HIPAA"), and the implementing regulations at 45 CFR Parts 160 and 164. The Company is not certified by the U.S. Department of Health and Human Services ("HHS"); HHS does not certify any entity as "HIPAA compliant."

1. CareWave's Role under HIPAA

When a Customer that is a Covered Entity (or a Business Associate acting on behalf of a Covered Entity) uses the Service to create, receive, maintain, or transmit PHI, the Company acts as a Business Associate within the meaning of 45 CFR 160.103. In that capacity, the Company will use and disclose PHI only as permitted by the BAA, by the HIPAA Privacy Rule, and by other applicable law.

The Service is not designed for use by, and the Company does not market the Service to, individuals seeking healthcare for themselves. End Users access the Service in their professional capacity as employees or contractors of a Customer.

2. Key Definitions

The following terms have the meanings assigned at 45 CFR 160.103 unless otherwise indicated:

  • Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI.
  • Business Associate means a person who, on behalf of a Covered Entity, performs functions or activities involving the use or disclosure of PHI.
  • Covered Entity means a health plan, a health-care clearinghouse, or a health-care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.
  • ePHI means PHI that is transmitted by or maintained in electronic media.
  • PHI means individually identifiable health information transmitted or maintained in any form or medium, excluding information in education or employment records and information regarding persons deceased more than 50 years.
  • Security Incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
  • Subcontractor means a person to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such Business Associate.
  • Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Business Associate, is under the direct control of such Business Associate.

3. Administrative Safeguards (45 CFR 164.308)

3.1 Security Management Process

The Company maintains a written security management process that addresses risk analysis, risk management, a sanction policy for workforce members who fail to comply with security policies, and periodic information-system activity review.

3.2 Assigned Security Responsibility

The Company has designated a Security Officer responsible for the development and implementation of the policies and procedures required by the HIPAA Security Rule. Contact the Security Officer at hello@carewave.us.

3.3 Workforce Security

The Company implements procedures to authorize and supervise workforce members who work with ePHI, screens workforce members prior to granting access, and terminates access promptly upon role change or separation.

3.4 Information Access Management

Access to ePHI is granted on a least-privilege basis. The Company maintains documented procedures for authorizing, establishing, and modifying access to systems that contain ePHI.

3.5 Security Awareness and Training

All workforce members receive security awareness training at hire and at least annually thereafter. Workforce members in engineering, support, and operations roles with PHI access receive role-specific training. The Company maintains training records.

3.6 Security Incident Procedures

The Company maintains documented procedures for identifying, responding to, mitigating, documenting, and reporting Security Incidents.

3.7 Contingency Plan

The Company maintains a contingency plan addressing data backup, disaster recovery, emergency mode operation, periodic testing and revision, and applications and data criticality analysis.

3.8 Evaluation

The Company performs periodic technical and non-technical evaluations of its safeguards in response to environmental or operational changes affecting the security of ePHI.

3.9 Business Associate Contracts

The Company will enter into a written BAA with each Customer prior to using or disclosing PHI on the Customer's behalf, and into written agreements containing the required Business Associate provisions with each Subcontractor that creates, receives, maintains, or transmits PHI on the Company's behalf.

4. Physical Safeguards (45 CFR 164.310)

4.1 Facility Access Controls

The Service is hosted in data centers operated by cloud infrastructure providers that publish SOC 2 reports addressing physical security. The Company does not operate its own data centers. The Company will, on request and subject to NDA, identify its primary cloud infrastructure providers.

4.2 Workstation Use and Workstation Security

The Company maintains workstation use and security policies that specify the functions to be performed on workstations that may access ePHI, the manner in which those functions are performed, and the physical attributes of the surroundings of those workstations.

4.3 Device and Media Controls

The Company maintains procedures addressing the disposal and reuse of electronic media that contain ePHI, accountability for hardware and electronic media movements, and the creation of retrievable, exact copies of ePHI before equipment is moved.

5. Technical Safeguards (45 CFR 164.312)

5.1 Access Control

The Service requires unique user identification, supports role-based access, enforces automatic session timeout, supports optional multi-factor authentication, and encrypts ePHI at rest.

5.2 Audit Controls

The Service generates audit logs of access to and modification of records that may contain ePHI. Logs are retained consistent with the Company's record-retention schedule and are reviewed periodically.

5.3 Integrity

The Company implements measures designed to prevent improper alteration or destruction of ePHI, including checksums, transactional database controls, and immutable audit logs for high-sensitivity events.

5.4 Person or Entity Authentication

The Service authenticates users via bearer-token authentication tied to a verified email or phone identifier. Optional secondary factors include time-based one-time passwords (TOTP) and device biometrics.

5.5 Transmission Security

All transmissions of ePHI between End User devices and the Service occur over TLS 1.2 or higher. The Service rejects connections that do not satisfy minimum cryptographic requirements.

6. Organizational Requirements (45 CFR 164.314)

The Company executes a BAA with each Customer before using or disclosing PHI on the Customer's behalf and flows down the required Business Associate provisions to its Subcontractors. See the Business Associate Agreement page for the process to execute a BAA with the Company.

7. Policies, Procedures, and Documentation (45 CFR 164.316)

The Company maintains its HIPAA Security Rule policies and procedures in writing, retains them for at least six (6) years from the date of their creation or the date when they were last in effect, whichever is later, and reviews and updates them as needed in response to environmental or operational changes.

8. Breach Notification (45 CFR 164.410)

The Company will, without unreasonable delay and in no case later than sixty (60) calendar days after discovery of a Breach, notify the affected Customer of any Breach of unsecured PHI. The notification will include, to the extent then known: a description of what happened; the types of PHI involved; the steps Customer should consider; the steps the Company is taking to investigate, mitigate, and prevent recurrence; and a Company contact for further information.

The Company will reasonably cooperate with the Customer's Breach risk assessment and any notification obligations the Customer owes under 45 CFR 164.404 and 164.406 or under applicable state law.

To report a suspected Breach or Security Incident, contact hello@carewave.us.

9. Workforce Training

All workforce members complete HIPAA privacy and security training at hire and at least annually thereafter. Engineers, support staff, and other workforce members with potential access to PHI receive additional role-specific training. The Company maintains documentation of training completions and applies its sanction policy in the event of non-compliance.

10. Customer Obligations

The Company's ability to operate as a HIPAA-aligned Business Associate depends on Customer fulfilling its own obligations as a Covered Entity or upstream Business Associate. Customer is responsible for:

  • maintaining a Notice of Privacy Practices and providing it to individuals as required by 45 CFR 164.520;
  • obtaining any required authorizations under 45 CFR 164.508 before disclosing PHI to the Company for uses or disclosures not otherwise permitted by the Privacy Rule;
  • applying the minimum-necessary standard when transmitting PHI through the Service;
  • managing individuals' rights of access, amendment, accounting of disclosures, restriction, and confidential communications under 45 CFR 164.522 through 164.528;
  • configuring Authorized User access in the Service so that workforce members access only the PHI necessary for their roles;
  • deactivating Authorized User accounts promptly upon role change or workforce member separation;
  • executing a BAA with the Company prior to transmitting any PHI through the Service; and
  • complying with any state-law requirements that are more stringent than HIPAA, including notification, recordkeeping, or consent obligations.

11. Reporting

Customer may report a suspected Breach, Security Incident, or other HIPAA-related concern to hello@carewave.us. Workforce members may report concerns anonymously through the same channel without retaliation, consistent with the Company's sanction and non-retaliation policies.

Contact Us

If You have any questions about this HIPAA Compliance overview or about the Company's safeguards, You can contact us by email at hello@carewave.us.