This page describes how the CareWave platform (the "Service"), operated by WAVE TECHNOLOGIES LLC (the "Company"), interacts with federal and state regulations applicable to home-care operations. It is informational only and does not constitute legal advice. Customer is responsible for its own compliance with all applicable laws and should consult counsel about its specific obligations.
1. HIPAA and HITECH
When Customer transmits Protected Health Information through the Service, the Company acts as a Business Associate within the meaning of HIPAA. The Company maintains the safeguards described on the HIPAA Compliance page and executes a Business Associate Agreement with each Customer that transmits PHI through the Service. Customer remains responsible for its own obligations as a Covered Entity or upstream Business Associate, including the Notice of Privacy Practices, minimum-necessary determinations, and individual rights under the HIPAA Privacy Rule.
2. State Home-Care Regulations
Home-care operations are regulated primarily at the state level. State requirements vary widely and may cover, without limitation:
- agency licensure and ownership disclosures;
- caregiver registries and credential verification;
- minimum training hours and continuing education;
- criminal background-check screening and re-screening cadences;
- plan-of-care documentation and supervisory visits;
- incident reporting to state regulators;
- complaint-handling procedures; and
- infection-control and abuse-prevention training.
The Service offers workflows that support these requirements, including credential tracking with expiration reminders, training-hour logging, document upload for licensure and certification artifacts, location-verified visits, and configurable supervisor sign-off. Customer remains the responsible party for satisfying its state's licensure, registry, and reporting obligations, and the Company makes no warranty that the Service's features alone are sufficient to satisfy any particular state-law requirement.
3. Electronic Visit Verification (21st Century Cures Act)
Section 12006 of the 21st Century Cures Act requires states to implement Electronic Visit Verification ("EVV") for Medicaid-funded personal-care and home-health services. EVV data elements typically include the type of service performed, the individual receiving the service, the date of the service, the location of the service delivery, the individual providing the service, and the time the service begins and ends.
The Service captures location-verified clock-in and clock-out events with timestamps and supports recording of service type and recipient. Customers may use the Service's EVV-aligned exports to satisfy reporting obligations to their state's EVV aggregator. Customer is responsible for selecting an EVV aggregator authorized by its state, configuring the Service accordingly, transmitting EVV data to the aggregator, and correcting EVV records where required.
4. Wage and Hour Compliance
Caregivers are typically employees covered by the Fair Labor Standards Act ("FLSA") and by state wage-and-hour laws. The Service records clock-in, clock-out, and break events that Customer may use as timekeeping records. Customer is responsible for calculating wages, overtime, sleep-time deductions where permitted, travel-time compensation, and any other pay categories required by federal or state law, and for retaining timekeeping records for the periods required by applicable law (generally, three (3) years under the FLSA).
The Service is not a payroll system and does not transmit pay to caregivers. Customer is responsible for selecting and operating its own payroll provider.
5. Background Checks and Caregiver Registries
Most states require home-care agencies to conduct criminal background checks on caregivers prior to providing services and to check caregivers against one or more registries (for example, state abuse and neglect registries, nurse-aide registries, and the federal OIG List of Excluded Individuals/Entities and System for Award Management). The Service supports document upload, expiration tracking, and role-based access controls that Customer may use to manage these obligations. See the User Verification page for more detail on the verification workflows the Service supports.
6. State Privacy Laws
The Company supports Customer's compliance with state privacy laws applicable to the personal information processed through the Service. Notable laws include:
- California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA). The Company does not sell or share personal information for cross-context behavioral advertising. To exercise rights of access, correction, deletion, or limitation of use of sensitive personal information, contact hello@carewave.us.
- Washington My Health My Data Act. The Company processes consumer health data only as necessary to provide the Service and as permitted by law, applies reasonable security practices, and does not sell consumer health data.
- New York SHIELD Act. The Company maintains reasonable administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of private information.
- Texas Data Privacy and Security Act, Virginia CDPA, Colorado Privacy Act, Connecticut Data Privacy Act, and similar state laws. The Company acts as a processor or service provider on behalf of Customer for personal information governed by these laws and processes such information only as instructed by Customer or as required by law.
Customer is the controller or business with respect to personal information of End Users and clients submitted to the Service and is responsible for providing required notices, honoring consumer rights, and meeting any opt-out or consent requirements specific to its industry and jurisdiction.
7. International Use
The Service is intended for use by organizations based in the United States. The Company does not target the Service to residents of the European Union, the United Kingdom, Switzerland, or other jurisdictions outside the United States. The Company is not currently registered with any non-U.S. data protection authority. Customer is responsible for assessing its own cross-border transfer obligations to the extent it processes personal information of non-U.S. residents through the Service.
8. Accessibility
The Company designs the Service with accessibility in mind and aligns its work with the Web Content Accessibility Guidelines (WCAG) 2.1, Level AA. The Company does not yet provide a third-party VPAT (Voluntary Product Accessibility Template), and acknowledges that gaps exist. Accessibility feedback may be sent to hello@carewave.us; the Company prioritizes accessibility issues that affect End Users with disabilities.
9. Children
The Service is not directed to individuals under the age of sixteen (16). The Company does not knowingly collect personal information from individuals under sixteen through marketing channels. The Service may, in the ordinary course, process personal information of pediatric clients of Customer's home-care operations where Customer is authorized to provide such services; in that case, the Customer is responsible for parental or guardian authorization where required by law.
10. Allocation of Responsibility
Compliance with regulations applicable to home-care operations is a shared responsibility. As a general matter:
- The Company is responsible for the security and availability of the Service, for maintaining its program as a Business Associate, and for honoring its commitments in the Terms of Service, Privacy Policy, and BAA.
- The Customer is responsible for its licensure, registry compliance, employment-law compliance, EVV transmission, payroll, individual-rights handling, and for ensuring that its use of the Service complies with all laws applicable to its business.
Contact Us
For regulatory or compliance questions, including requests for additional documentation, contact us by email at hello@carewave.us.