Compliance & Security
Healthcare-grade compliance, built into every engagement.
CareWorx operates as a healthcare growth partner — which means HIPAA, SOC 2-aligned controls, and California-specific privacy law aren't add-ons. They're the floor.
Posture at a glance
Six pillars of our compliance program
The controls below apply to every CareWorx engagement, regardless of size — from a single landing page to a full growth system.
HIPAA-aligned operations
Every workflow that could touch PHI is reviewed, scoped, and documented before it ships — from intake forms to analytics tags.
SOC 2-aligned controls
Our internal controls map to the SOC 2 Trust Services Criteria: security, availability, confidentiality, and processing integrity.
Encryption everywhere
TLS 1.2+ in transit and AES-256 at rest across the systems we operate and the vendors we recommend.
Least-privilege access
Role-based access, SSO/MFA on every production system, and quarterly access reviews for every team member and contractor.
Auditability by default
Admin actions, deployments, and data access are logged and retained so we can answer 'who, what, when' on demand.
Incident response
Documented IR runbook with defined severities, on-call rotation, and a 72-hour client notification commitment for confirmed PHI incidents.
Data handling
How we treat PHI and member data
The standards below govern every system we operate and every vendor we put in front of a client.
Data minimization
We only collect the PHI and PII strictly required to deliver the engagement — and we document the lawful basis for each field.
US-based infrastructure
Production workloads run in US regions on HIPAA-eligible cloud services. No PHI is processed outside the United States.
BAAs with every subprocessor
Business Associate Agreements are in place with every vendor that could create, receive, maintain, or transmit PHI on our behalf.
Documented retention & disposal
Defined retention schedules with secure, verifiable destruction at end of life — including backups and analytics exports.
Workforce training
Mandatory HIPAA Privacy & Security training at onboarding and annually thereafter, tracked per team member.
Continuous monitoring
Vulnerability scanning, dependency monitoring, and uptime/error telemetry on every system we operate.
Frameworks & standards
What we align to
We map our internal controls to recognized healthcare, security, and privacy frameworks so our work plugs cleanly into your existing compliance program.
- HIPAA Privacy, Security & Breach Notification RulesAligned
- SOC 2 Trust Services CriteriaAligned controls
- NIST Cybersecurity Framework (CSF 2.0)Mapped
- California Consumer Privacy Act (CCPA / CPRA)Compliant
- 42 CFR Part 2 (SUD records)Honored where applicable
- WCAG 2.1 AA accessibilityStandard for shipped sites
Alignment statements describe the design of our control environment. CareWorx is not a covered entity; we operate as a business associate to our clients under HIPAA.
FAQ
Common compliance questions
The questions procurement, privacy, and security teams ask us most often.
Need our full compliance package?
We'll share our security overview, subprocessor list, BAA template, and a current SOC 2-aligned controls summary under NDA.




