CareWorx Healthcare Solutions

Compliance & Security

Healthcare-grade compliance, built into every engagement.

CareWorx operates as a healthcare growth partner — which means HIPAA, SOC 2-aligned controls, and California-specific privacy law aren't add-ons. They're the floor.

Posture at a glance

Six pillars of our compliance program

The controls below apply to every CareWorx engagement, regardless of size — from a single landing page to a full growth system.

HIPAA-aligned operations

Every workflow that could touch PHI is reviewed, scoped, and documented before it ships — from intake forms to analytics tags.

SOC 2-aligned controls

Our internal controls map to the SOC 2 Trust Services Criteria: security, availability, confidentiality, and processing integrity.

Encryption everywhere

TLS 1.2+ in transit and AES-256 at rest across the systems we operate and the vendors we recommend.

Least-privilege access

Role-based access, SSO/MFA on every production system, and quarterly access reviews for every team member and contractor.

Auditability by default

Admin actions, deployments, and data access are logged and retained so we can answer 'who, what, when' on demand.

Incident response

Documented IR runbook with defined severities, on-call rotation, and a 72-hour client notification commitment for confirmed PHI incidents.

Data handling

How we treat PHI and member data

The standards below govern every system we operate and every vendor we put in front of a client.

Data minimization

We only collect the PHI and PII strictly required to deliver the engagement — and we document the lawful basis for each field.

US-based infrastructure

Production workloads run in US regions on HIPAA-eligible cloud services. No PHI is processed outside the United States.

BAAs with every subprocessor

Business Associate Agreements are in place with every vendor that could create, receive, maintain, or transmit PHI on our behalf.

Documented retention & disposal

Defined retention schedules with secure, verifiable destruction at end of life — including backups and analytics exports.

Workforce training

Mandatory HIPAA Privacy & Security training at onboarding and annually thereafter, tracked per team member.

Continuous monitoring

Vulnerability scanning, dependency monitoring, and uptime/error telemetry on every system we operate.

Frameworks & standards

What we align to

We map our internal controls to recognized healthcare, security, and privacy frameworks so our work plugs cleanly into your existing compliance program.

  • HIPAA Privacy, Security & Breach Notification Rules
    Aligned
  • SOC 2 Trust Services Criteria
    Aligned controls
  • NIST Cybersecurity Framework (CSF 2.0)
    Mapped
  • California Consumer Privacy Act (CCPA / CPRA)
    Compliant
  • 42 CFR Part 2 (SUD records)
    Honored where applicable
  • WCAG 2.1 AA accessibility
    Standard for shipped sites

Alignment statements describe the design of our control environment. CareWorx is not a covered entity; we operate as a business associate to our clients under HIPAA.

FAQ

Common compliance questions

The questions procurement, privacy, and security teams ask us most often.

Need our full compliance package?

We'll share our security overview, subprocessor list, BAA template, and a current SOC 2-aligned controls summary under NDA.