HIPAA & Data Security

We work with third-party vendors to provide our Digital Family Room and client services. We take your privacy and security seriously.

Secure and private home care documentation practices
HIPAA Compliant

How We Protect Your Information

Colorado CareAssist follows industry-standard security practices to protect client data across every touchpoint — from your first call to ongoing care coordination.

HIPAA-Covered Entity

Colorado CareAssist is a HIPAA-covered entity. We comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. We maintain administrative, physical, and technical safeguards to protect all protected health information (PHI) in our care.

Business Associate Agreements

We have signed Business Associate Agreements (BAAs) with all vendors that handle PHI. Our current BAA inventory: Google Cloud/Workspace (covers Vertex AI, Drive, and Gmail), WellSky (EHR), RingCentral (HIPAA BAA; HITRUST certified and SOC 2 attested), Retell AI (HIPAA-compliant voice agents), and EBizCharge (payment processing). A sample BAA is available in our downloads section.

Encryption

All data in transit is protected by TLS 1.3, served through Cloudflare. Data at rest is encrypted with AES-256: the database host uses FileVault full-disk encryption, and all backups are GPG-encrypted before offsite storage in Google Drive. Client portal data uses additional field-level encryption for sensitive financial information, so those fields stay encrypted inside the database rather than relying on disk encryption alone.
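As an added illustration of what field-level encryption of financial fields involves (example code written for this page, not Colorado CareAssist's portal implementation): AES-256-GCM with the record id and field name bound as associated data, so a ciphertext copied into another client's record or another column fails to decrypt instead of silently revealing the wrong value. The key, field names and sample records are assumptions; a real deployment loads the key from a secrets manager.

```python
"""Field-level encryption for sensitive financial fields (added example)."""
import json
import os
from base64 import b64decode, b64encode

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumption: in production the 256-bit key is loaded from a secrets manager,
# never stored beside the data. It is generated fresh for this demonstration.
FIELD_KEY = os.urandom(32)

# Assumed schema: fields that must never reach the database in plaintext.
SENSITIVE_FIELDS = ("bank_account", "routing_number")


def _aad(record_id: str, field: str) -> bytes:
    # Associated data is authenticated but not encrypted. Binding the record
    # id and field name means a ciphertext moved to another record or column
    # fails the GCM tag check instead of decrypting.
    return f"{record_id}:{field}".encode()


def encrypt_field(key: bytes, record_id: str, field: str, value: str) -> str:
    nonce = os.urandom(12)  # 96-bit nonce, fresh for every encryption
    ct = AESGCM(key).encrypt(nonce, value.encode(), _aad(record_id, field))
    # Version prefix leaves room for key or algorithm rotation later.
    return "v1:" + b64encode(nonce + ct).decode()


def decrypt_field(key: bytes, record_id: str, field: str, blob: str) -> str:
    version, _, data = blob.partition(":")
    if version != "v1":
        raise ValueError(f"unknown ciphertext version {version!r}")
    raw = b64decode(data)
    nonce, ct = raw[:12], raw[12:]
    # Raises InvalidTag if the ciphertext, nonce or AAD were altered.
    return AESGCM(key).decrypt(nonce, ct, _aad(record_id, field)).decode()


def protect_record(key: bytes, record: dict) -> dict:
    """Encrypt the sensitive fields of a record before it is written."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if out.get(field) is not None:
            out[field] = encrypt_field(key, record["id"], field, str(out[field]))
    return out


def reveal_record(key: bytes, stored: dict) -> dict:
    """Decrypt the sensitive fields of a record read from storage."""
    out = dict(stored)
    for field in SENSITIVE_FIELDS:
        if out.get(field) is not None:
            out[field] = decrypt_field(key, stored["id"], field, out[field])
    return out


def ciphertext_is_bound(key: bytes) -> bool:
    """True if a ciphertext swapped between two clients' records is rejected."""
    a = protect_record(key, {"id": "client-001", "bank_account": "000111222"})
    b = protect_record(key, {"id": "client-002", "bank_account": "999888777"})
    b["bank_account"] = a["bank_account"]  # attacker copies the column value across rows
    try:
        reveal_record(key, b)
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample record, not real client data.
    rec = {"id": "client-001", "name": "Sample Client", "bank_account": "000111222"}
    stored = protect_record(FIELD_KEY, rec)
    print(json.dumps(stored, indent=2))
    print("round trip ok:", reveal_record(FIELD_KEY, stored) == rec)
    print("swap rejected:", ciphertext_is_bound(FIELD_KEY))
```

The non-sensitive fields remain searchable plaintext; only the listed fields are wrapped, which is what "additional field-level encryption for sensitive financial information" implies in practice.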

Access Controls

We enforce role-based access controls across all systems. Staff access is restricted to the minimum necessary for their role. All PHI access is logged to an audit trail with user identity, timestamp, and resource accessed. Multi-factor authentication is required for administrative access. Session tokens expire after 24 hours and are invalidated on logout.

Audit Logging

All access to PHI is logged in our audit system. This includes: who accessed what data and when, all changes to client records (with full before/after snapshots), all document views and downloads, login attempts (successful and failed), and all data exports. Audit logs are retained for a minimum of 7 years.
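An added example of how an audit trail with before/after snapshots can be made tamper-evident (illustrative code, not the company's own audit system): each entry carries an HMAC over the previous entry's hash and its own event, so editing or deleting a past entry breaks the chain when it is verified. Actor names, resource paths and the chain key are constructed for the demonstration.

```python
"""Tamper-evident audit trail with before/after snapshots (added example)."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import Optional, Tuple

# Assumption: the chain key is held in a secrets manager and is not readable by
# the application account that writes PHI, so a compromised app cannot re-sign
# history. Generated here for the demonstration.
CHAIN_KEY = secrets.token_bytes(32)
GENESIS = "0" * 64


def _canon(obj) -> bytes:
    # Deterministic encoding: the same event must always hash the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _link(key: bytes, prev_hash: str, event: dict) -> str:
    return hmac.new(key, prev_hash.encode() + _canon(event), hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries = []  # append-only list of chained entries

    def record(self, actor: str, action: str, resource: str,
               before: Optional[dict] = None, after: Optional[dict] = None,
               ts: Optional[datetime] = None) -> dict:
        event = {
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,        # who
            "action": action,      # view, update, download, export, login ...
            "resource": resource,  # what, e.g. client/42/assessment
            "before": before,      # full snapshot before the change (None for reads)
            "after": after,        # full snapshot after the change
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "event": event, "prev": prev,
                 "hash": _link(self._key, prev, event)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = _link(self._key, prev, e["event"])
            if e["prev"] != prev or not hmac.compare_digest(e["hash"], expected):
                return False, i
            prev = e["hash"]
        return True, None

    def diff(self, seq: int) -> dict:
        """Fields changed by an update entry: {field: (before, after)}."""
        ev = self.entries[seq]["event"]
        before, after = ev["before"] or {}, ev["after"] or {}
        return {k: (before.get(k), after.get(k))
                for k in sorted(set(before) | set(after))
                if before.get(k) != after.get(k)}


def tamper_is_detected() -> bool:
    """Constructed scenario: an insider edits a past entry to hide a download."""
    log = AuditLog(CHAIN_KEY)
    log.record("nurse.a", "view", "client/42/assessment")
    log.record("admin.b", "update", "client/42/contact",
               before={"phone": "303-555-0100"}, after={"phone": "303-555-0199"})
    log.record("nurse.a", "download", "client/42/care-plan.pdf")
    if log.verify() != (True, None):
        return False
    log.entries[2]["event"]["actor"] = "nobody"  # rewrite history
    return log.verify() == (False, 2)


if __name__ == "__main__":
    print("tampering detected:", tamper_is_detected())
```

Because each hash covers the previous one, deleting an entry is caught the same way as editing one: the next entry's `prev` no longer matches. Periodically anchoring the latest hash somewhere the application cannot write (an external log or a WORM bucket) is what turns this from tamper-evident into tamper-resistant over a 7-year retention window.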

Data Retention & Disposal

Client records and PHI are retained for a minimum of 7 years as required by Colorado law and HIPAA. We have automated retention policies: assessment/MV/IR records 7 years, operational logs 90 days to 2 years, Gigi conversation transcripts 7 days. Data exceeding retention periods is automatically purged. We follow secure disposal practices for all PHI.

Portal Security

Our client and employee portals use Google OAuth 2.0 authentication with domain restriction. Client portal access is scoped per client, so users can only see their own data. The employee portal uses time-limited signed URLs for intake forms. All portal pages are served over HTTPS with HSTS enabled. We do not use Google Analytics on authenticated portal pages.
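An added example covering two mechanisms named on this page: the 24-hour session tokens that are invalidated on logout (Access Controls) and the time-limited signed URLs for intake forms (Portal Security). This is illustrative code, not the portals' own implementation; the token format, key handling and revocation store are assumptions. Both checks verify the HMAC in constant time before reading any claim, and the URL signature covers the path and the sorted query so a link cannot be retargeted to another client or endpoint.

```python
"""Expiring HMAC session tokens with logout revocation, and time-limited
signed intake URLs (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: both keys come from a secrets manager; generated here for the demo.
SESSION_KEY = secrets.token_bytes(32)
URL_KEY = secrets.token_bytes(32)       # separate key: a URL signature is not a session
SESSION_TTL = 24 * 60 * 60              # 24 hours, matching the stated policy


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, msg: bytes) -> str:
    return _b64e(hmac.new(key, msg, hashlib.sha256).digest())


def _same(a: str, b: str) -> bool:
    # Constant-time comparison that tolerates non-ASCII attacker input.
    return hmac.compare_digest(a.encode(), b.encode())


# ---- sessions: expire after SESSION_TTL, revoked on logout -----------------
_revoked = {}  # jti -> exp; assumed to be a shared store (e.g. Redis) in production


def issue_session(user_id: str, now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "iat": now, "exp": now + SESSION_TTL,
              "jti": secrets.token_urlsafe(16)}   # unique id so logout can revoke it
    body = _b64e(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _mac(SESSION_KEY, body.encode())


def verify_session(token: str, now: Optional[int] = None) -> Optional[dict]:
    now = int(time.time()) if now is None else now
    body, _, sig = token.partition(".")
    # Check the MAC before trusting any claim in the body.
    if not sig or not _same(sig, _mac(SESSION_KEY, body.encode())):
        return None
    claims = json.loads(_b64d(body))
    if now >= claims["exp"] or claims["jti"] in _revoked:
        return None
    return claims


def logout(token: str, now: Optional[int] = None) -> None:
    claims = verify_session(token, now)
    if claims:
        _revoked[claims["jti"]] = claims["exp"]  # entry can be dropped once exp passes


# ---- time-limited signed URLs for intake forms ----------------------------
def _url_mac(path: str, params: dict) -> str:
    # Sign the path and the sorted query so the signature cannot be reused on a
    # different endpoint or with a different client id or expiry.
    return _mac(URL_KEY, (path + "?" + urlencode(sorted(params.items()))).encode())


def sign_intake_url(base_url: str, client_id: str, ttl: int,
                    now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    parts = urlsplit(base_url)
    params = dict(parse_qsl(parts.query))
    params.update({"client": client_id, "exp": str(now + ttl)})
    params["sig"] = _url_mac(parts.path, params)
    return urlunsplit(parts._replace(query=urlencode(sorted(params.items()))))


def verify_intake_url(url: str, now: Optional[int] = None) -> Optional[str]:
    """Return the client id the URL is scoped to, or None if forged or expired."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    sig = params.pop("sig", "")
    if not _same(sig, _url_mac(parts.path, params)):
        return None
    if now >= int(params.get("exp", "0")):
        return None
    return params["client"]


if __name__ == "__main__":
    tok = issue_session("employee-7")
    print("session valid:", verify_session(tok) is not None)
    logout(tok)
    print("after logout:", verify_session(tok))
    url = sign_intake_url("https://portal.example/intake?form=admission", "client-42", ttl=900)
    print(url)
    print("url maps to:", verify_intake_url(url))
```

Revocation is the part a stateless token cannot do on its own: without the `jti` lookup, a token presented after logout would still verify until the 24-hour expiry, so the revocation set has to be shared by every instance that accepts sessions.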

AI Voice Agent (Gigi)

Our AI assistant Gigi processes voice calls and messages. All voice calls are handled through Retell AI (HIPAA BAA signed). The AI brain runs on Google Vertex AI (covered under Google Cloud BAA). Gigi's conversation transcripts are retained for 7 days and then automatically purged. The AI has access controls that verify caller identity before sharing any client information.

Requests & Incident Reporting

To request a BAA, access your PHI, request amendments, receive an accounting of disclosures, or report a security concern, email [email protected] and include the term “Security/Compliance Request” in the subject line. We respond to all HIPAA requests within 30 days as required by law.

Have a Security or Compliance Question?

Our team is available to assist with BAA requests, access log inquiries, and any security concerns. We respond to all compliance requests within one business day.

[email protected]

Include “Security/Compliance Request” in the subject line for fastest routing.

Take the Next Step

Questions About Your Privacy?

Speak directly with our team about data handling, BAA requirements, or any security concerns. We are here to help.