Privacy Policy
Last updated: March 2026
CareSignals is committed to protecting the privacy and security of patient health information (PHI) and personal data. This Privacy Policy describes how we collect, use, store, and protect information when you use our platform.
CareSignals is HIPAA-compliant and designed from the ground up to secure sensitive patient feedback data used by home health agencies.
What Data We Collect
Patient Information
- Patient name
- Phone number (for SMS survey delivery)
- Survey responses (star ratings and written comments)
- Timestamps of survey completion
Clinician Information
- Clinician name and role
- Agency affiliation
- Survey performance metrics
Agency Leadership Information
- Name, email, and phone number
- Agency name and location
- Dashboard access logs and report downloads
How We Protect Your Data
Encryption in Transit & at Rest
All patient health information is encrypted using AES-256-GCM per-tenant encryption. Each agency has its own encryption key, ensuring that even our engineers cannot read patient data without proper authorization.
Secure Data Storage
Data is stored in Supabase with Row Level Security (RLS) enforced at the database level. Users can only access records they are authorized to view based on their role and agency affiliation.
No PHI in URLs
Patient survey links use secure, randomly generated 128-character hexadecimal tokens. Patient identifiable information is never exposed in URLs, preventing data leakage through browser history, server logs, or referrer headers.
Access Controls
Role-based access controls (RBAC) ensure that clinicians only see their own feedback, agency leaders see aggregate data for their organization, and administrators have appropriate oversight capabilities.
Audit Logging
All access to patient data is logged immutably. These logs are retained for compliance verification and can be provided to auditors upon request.
SMS Surveys & Patient Consent
CareSignals delivers patient surveys via SMS through Twilio, our SMS service provider. Surveys are only sent to patients who have consented to receive them.
Consent Management: Agencies must obtain explicit consent from patients before sending surveys. Consent status is documented in the agency's records and within CareSignals.
Opt-Out: Patients can opt out of SMS surveys at any time by replying STOP to any survey message. They will not receive further surveys after opting out, and the agency is notified of the opt-out status.
Data Handling: Twilio acts as a Business Associate. SMS message delivery logs are retained in accordance with HIPAA requirements but do not contain survey response data.
Data Retention
CareSignals retains patient survey data, clinician feedback, and agency reports for 7 years from the date of collection, in accordance with HIPAA requirements and CMS documentation standards.
After 7 years, all patient-identifiable data is securely deleted using cryptographic erasure and permanent deletion from our database backups. Aggregated, de-identified data may be retained indefinitely for benchmarking and product improvement purposes.
Third-Party Services
CareSignals uses the following third-party services to operate the platform:
- Supabase: Database and authentication infrastructure
- Twilio: SMS delivery (Business Associate Agreement in place)
- Vercel: Application hosting
All third-party providers have signed Business Associate Agreements and are contractually obligated to protect PHI according to HIPAA standards.
Your Responsibilities
As an agency user of CareSignals, you are responsible for:
- Obtaining proper patient consent before enrolling them in surveys
- Keeping your account credentials secure and not sharing login information
- Complying with HIPAA regulations in your use of patient feedback data
- Notifying CareSignals immediately of any unauthorized access or suspected data breach
- Using the platform only for authorized business purposes
Questions or Concerns?
If you have questions about this Privacy Policy, believe your data has been compromised, or wish to exercise your HIPAA rights, please contact us:
CareSignals Privacy Team
info@caresignals.org
We aim to respond to all privacy inquiries within 48 business hours. For urgent data breach notifications, please call immediately.
Changes to This Policy
CareSignals may update this Privacy Policy from time to time. We will notify you of material changes via email and update the "Last updated" date at the top of this page. Your continued use of the platform after updates constitutes your acceptance of the revised policy.