Company: CareTraceAI, Inc.
Contact: compliance@caretrace.ai
Classification: Confidential — Internal and Regulatory Use
1. Introduction and Scope
1.1 Purpose
This Legal Compliance Document establishes the regulatory framework, policies, and procedures governing the operation of CareTraceAI, an AI-powered voice documentation platform for nurses and caregivers in assisted living facilities. This document serves as the authoritative reference for all compliance obligations applicable to CareTraceAI’s products, services, and operations.
1.2 Product Description
CareTraceAI is a mobile application (React Native) with a planned Chrome browser extension for Electronic Health Record (EHR) integration. The platform enables nurses and caregivers to dictate patient notes verbally, which are then transcribed using AI-powered speech recognition (OpenAI Whisper) and structured into clinical documentation using large language models (Anthropic Claude). Target EHR integrations include PointClickCare and MatrixCare.
1.3 Regulatory Environment
CareTraceAI operates within the following regulatory landscape:
- Federal: Health Insurance Portability and Accountability Act (HIPAA), including the Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164), the Security Rule (45 CFR Part 160 and Subparts A and C of Part 164), and the Breach Notification Rule (45 CFR Part 160 and Subparts A and D of Part 164).
- State: California Code of Regulations, Title 22, Division 6 (Residential Care Facilities for the Elderly); California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA); Confidentiality of Medical Information Act (CMIA), California Civil Code Section 56 et seq.; California Data Breach Notification Law, California Civil Code Section 1798.82.
- Industry: National Institute of Standards and Technology (NIST) Cybersecurity Framework; HITRUST Common Security Framework (as applicable).
1.4 Definitions
- PHI (Protected Health Information): Individually identifiable health information transmitted or maintained in any form or medium, as defined under 45 CFR Section 160.103.
- ePHI (Electronic Protected Health Information): PHI that is transmitted or maintained in electronic media.
- Covered Entity: A health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form, including RCFE facilities using CareTraceAI.
- Business Associate: A person or organization that performs functions or activities on behalf of, or provides certain services to, a Covered Entity involving the use or disclosure of PHI. CareTraceAI operates as a Business Associate.
- RCFE (Residential Care Facility for the Elderly): A facility licensed by California’s Community Care Licensing Division (CCLD) to provide care and supervision to elderly residents.
- Subprocessor: A third-party service provider engaged by CareTraceAI that processes PHI on CareTraceAI’s behalf (e.g., OpenAI, Anthropic, Supabase).
2. HIPAA Compliance
2.1 CareTraceAI’s Role as a Business Associate
2.1.1 Business Associate Designation
CareTraceAI functions as a Business Associate under HIPAA when it creates, receives, maintains, or transmits PHI on behalf of Covered Entities (RCFE facilities and their associated health care providers). This designation arises because CareTraceAI processes voice recordings containing patient health information, transcribes and structures clinical documentation, stores structured clinical notes in its database, and transmits documentation to or from EHR systems.
2.1.2 Scope of Business Associate Obligations
As a Business Associate, CareTraceAI shall comply with all applicable provisions of the HIPAA Privacy Rule and Security Rule, limit uses and disclosures of PHI to those permitted or required by contract or law, implement appropriate safeguards to prevent unauthorized use or disclosure of PHI, report any unauthorized use, disclosure, or security incident to the Covered Entity, ensure that any subcontractors or agents that access PHI agree to the same restrictions, and make PHI available to individuals and the Secretary of the U.S. Department of Health and Human Services (HHS) as required.
2.2 Business Associate Agreement (BAA)
2.2.1 BAA Availability
CareTraceAI shall execute a Business Associate Agreement with every Covered Entity customer prior to the processing of any PHI. The BAA shall be available upon request and must be fully executed before the facility begins using the CareTraceAI platform.
2.2.2 BAA Requirements
Each BAA shall include the following provisions:
- (a) Description of the permitted and required uses and disclosures of PHI by CareTraceAI.
- (b) A prohibition against CareTraceAI using or disclosing PHI other than as permitted or required by the BAA or as required by law.
- (c) A requirement that CareTraceAI use appropriate safeguards to prevent unauthorized use or disclosure of PHI.
- (d) A requirement that CareTraceAI report to the Covered Entity any use or disclosure of PHI not provided for by the BAA, including breaches of unsecured PHI.
- (e) A requirement that CareTraceAI ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of CareTraceAI agree to the same restrictions and conditions as apply to CareTraceAI under the BAA.
- (f) A requirement that CareTraceAI make PHI available to the Covered Entity to fulfill individual access rights under 45 CFR Section 164.524.
- (g) A requirement that CareTraceAI make PHI available for amendment under 45 CFR Section 164.526.
- (h) A requirement that CareTraceAI make available the information required to provide an accounting of disclosures under 45 CFR Section 164.528.
- (i) A requirement that CareTraceAI make its internal practices, books, and records relating to PHI available to the Secretary of HHS for determining compliance.
- (j) Upon termination, CareTraceAI shall return or destroy all PHI, if feasible. If return or destruction is not feasible, protections shall be extended to the information and further uses and disclosures shall be limited to those purposes that make return or destruction infeasible.
- (k) Authorization for termination of the BAA if CareTraceAI violates a material term of the agreement.
2.2.3 BAA Maintenance
CareTraceAI shall maintain a registry of all executed BAAs, review each BAA at least annually, update BAAs as needed to reflect changes in law, services, or subprocessor arrangements, and retain copies of all BAAs for a minimum of six (6) years from the date of termination.
2.3 Administrative Safeguards
2.3.1 Security Management Process
CareTraceAI shall conduct a comprehensive risk analysis at least annually, or whenever significant changes occur to the platform, to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Risk assessments shall follow NIST SP 800-30 methodology and address all electronic systems that create, receive, maintain, or transmit ePHI.
2.3.2 Risk Management
Based on the results of each risk analysis, CareTraceAI shall implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. Risk mitigation plans shall be documented, assigned to responsible parties, and tracked to completion.
2.3.3 Sanction Policy
CareTraceAI shall apply appropriate sanctions against workforce members who fail to comply with this compliance document or any related security policies and procedures. Sanctions shall be proportionate to the severity of the violation and may include verbal warning, written reprimand, suspension, termination, or referral for legal action.
2.3.4 Information System Activity Review
CareTraceAI shall implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Reviews shall occur no less frequently than monthly, with critical system logs reviewed in real time or near-real time using automated monitoring.
2.3.5 Workforce Training
All CareTraceAI workforce members shall receive HIPAA privacy and security training within thirty (30) days of hire, annual refresher training on HIPAA requirements and CareTraceAI’s security policies, additional training when material changes occur to policies or procedures, and role-specific training appropriate to the workforce member’s access to PHI. Training completion shall be documented and records maintained for a minimum of six (6) years.
2.3.6 Access Management
CareTraceAI shall implement role-based access controls following the principle of least privilege. Access management procedures shall include formal authorization and approval processes for granting access to ePHI, unique user identification for each workforce member with system access, periodic review of access rights (no less than quarterly), prompt modification or revocation of access upon change in role or termination of employment, and emergency access procedures for situations requiring immediate access to ePHI.
2.3.7 Security Officer Designation
CareTraceAI shall designate a Security Officer responsible for the development and implementation of HIPAA Security Rule policies and procedures. The Security Officer shall report directly to executive leadership, have authority to implement and enforce security measures, maintain current knowledge of HIPAA requirements and industry best practices, and coordinate with the Privacy Officer on matters involving both privacy and security. The Security Officer’s identity and contact information shall be documented and communicated to all workforce members.
2.3.8 Privacy Officer Designation
CareTraceAI shall designate a Privacy Officer responsible for the development and implementation of HIPAA Privacy Rule policies and procedures. The Privacy Officer may be the same individual as the Security Officer, provided the individual has adequate resources and expertise to fulfill both roles.
2.3.9 Incident Response
CareTraceAI shall maintain a formal Security Incident Response Plan that includes procedures for identifying, containing, and mitigating security incidents, roles and responsibilities of incident response team members, communication protocols (internal and external), evidence preservation procedures, post-incident analysis and remediation, and documentation and reporting requirements. The Incident Response Plan shall be tested at least annually through tabletop exercises or simulated incidents.
2.4 Physical Safeguards
2.4.1 Facility Access Controls
CareTraceAI’s physical offices and any data processing locations shall implement facility security plans, access control and validation procedures, maintenance records for physical security systems, and visitor logs and escort procedures.
2.4.2 Device and Media Controls
CareTraceAI shall maintain policies governing the receipt, removal, movement, and disposal of hardware and electronic media containing ePHI. These policies shall address hardware inventory and tracking, secure disposal or sanitization of media containing ePHI (following NIST SP 800-88 guidelines), data backup procedures before moving equipment, and accountability records for hardware and media movements.
2.4.3 Workstation Use Policies
CareTraceAI shall establish policies specifying the proper functions to be performed at workstations and the manner in which those functions shall be performed. Workstation use policies shall address physical attributes of the surrounding environment (screen visibility, access restrictions), automatic screen lock after a period of inactivity (maximum fifteen (15) minutes), prohibition of PHI storage on local workstation drives unless encrypted, and secure configuration standards for all workstations.
2.4.4 Mobile Device Security (Applicable to End Users)
Given that CareTraceAI is a mobile application, the following mobile device security requirements shall be communicated to Covered Entity customers for implementation by their workforce:
- (a) Device passcode or biometric authentication shall be enabled.
- (b) Full device encryption shall be enabled.
- (c) Remote wipe capability shall be available and configured.
- (d) The CareTraceAI application shall require authentication upon each launch.
- (e) Voice recordings shall not be stored in plaintext on the device. Recordings shall be encrypted at rest and purged from the device after successful upload and processing.
- (f) Screen capture and screen recording shall be disabled within the CareTraceAI application where technically feasible.
2.5 Technical Safeguards
2.5.1 Access Controls
CareTraceAI shall implement the following technical access controls:
- (a) Unique User Identification: Each user shall be assigned a unique identifier for tracking user activity within the system.
- (b) Emergency Access Procedure: Documented procedures shall be established for obtaining access to ePHI during an emergency.
- (c) Automatic Logoff: Sessions shall terminate automatically after a period of inactivity not to exceed fifteen (15) minutes.
- (d) Encryption and Decryption: All ePHI shall be encrypted at rest and in transit using industry-standard cryptographic algorithms.
2.5.2 Encryption Standards
CareTraceAI shall employ the following encryption standards:
- (a) Data in Transit: TLS 1.2 or higher for all network communications. TLS 1.3 shall be preferred where supported.
- (b) Data at Rest: AES-256 encryption for all stored ePHI, including database records, backups, and temporary files.
- (c) Voice Recordings: Voice recordings containing PHI shall be encrypted on the device before transmission, encrypted during transmission via TLS, encrypted at rest during processing, and securely deleted after transcription is complete and verified.
- (d) Key Management: Encryption keys shall be generated, stored, rotated, and retired according to documented key management procedures aligned with NIST SP 800-57.
2.5.3 Audit Controls
CareTraceAI shall implement hardware, software, and procedural mechanisms to record and examine activity in information systems that contain or use ePHI. Audit logs shall capture the following at a minimum: user identification, type of event (access, modification, deletion, transmission), date and time of the event, the component of the system affected, and the outcome of the event (success or failure). Audit logs shall be protected against tampering, stored securely for a minimum of six (6) years, and reviewed regularly per Section 2.3.4.
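As an added illustration (not CareTraceAI’s own code), the following Python sketches an append-only audit record that carries exactly the five minimum fields listed above and chains each entry to its predecessor with SHA-256, so the tamper-protection requirement can be verified rather than assumed; it also tallies failed events per user as a starting point for the Section 2.3.4 review. User and component names are placeholders and the sample events are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Added illustration, not CareTraceAI's own code. Component names and the
# sample events in build_sample_log() are constructed placeholders.

EVENT_TYPES = {"access", "modification", "deletion", "transmission"}
OUTCOMES = {"success", "failure"}
GENESIS_HASH = "0" * 64  # chain anchor for the very first entry
RECORD_FIELDS = ("user_id", "event_type", "timestamp", "component", "outcome")


@dataclass(frozen=True)
class AuditEvent:
    user_id: str      # unique user identification (Section 2.5.1(a))
    event_type: str   # access, modification, deletion or transmission
    timestamp: str    # ISO 8601 date and time of the event, UTC
    component: str    # component of the system affected
    outcome: str      # success or failure
    prev_hash: str    # entry_hash of the preceding entry (the chain link)
    entry_hash: str   # SHA-256 over this entry's fields plus prev_hash


def _entry_hash(fields: Dict[str, str], prev_hash: str) -> str:
    # Canonical JSON so identical fields always produce the same digest.
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((canonical + prev_hash).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only, hash-chained log carrying the five minimum audit fields."""

    def __init__(self) -> None:
        self._entries: List[AuditEvent] = []

    def record(self, user_id: str, event_type: str, component: str,
               outcome: str, timestamp: Optional[str] = None) -> AuditEvent:
        if event_type not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {event_type!r}")
        if outcome not in OUTCOMES:
            raise ValueError(f"outcome must be success or failure: {outcome!r}")
        ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
        fields = {"user_id": user_id, "event_type": event_type, "timestamp": ts,
                  "component": component, "outcome": outcome}
        prev = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        entry = AuditEvent(**fields, prev_hash=prev,
                           entry_hash=_entry_hash(fields, prev))
        self._entries.append(entry)
        return entry

    def entries(self) -> List[AuditEvent]:
        return list(self._entries)


def verify_chain(entries: List[AuditEvent]) -> Optional[int]:
    """Return None if every link checks out, otherwise the index of the first
    entry whose content or link no longer matches the recorded hashes."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        fields = {k: getattr(e, k) for k in RECORD_FIELDS}
        if e.prev_hash != prev or e.entry_hash != _entry_hash(fields, prev):
            return i
        prev = e.entry_hash
    return None


def failures_by_user(entries: List[AuditEvent]) -> Dict[str, int]:
    """Per-user count of failed events for the periodic activity review."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e.outcome == "failure":
            counts[e.user_id] = counts.get(e.user_id, 0) + 1
    return counts


def tampered_copy(entries: List[AuditEvent], index: int, **changes) -> List[AuditEvent]:
    """Simulate an after-the-fact edit of one stored entry (demo only)."""
    copy = list(entries)
    copy[index] = replace(copy[index], **changes)
    return copy


def build_sample_log() -> AuditLog:
    """Constructed sample activity; user and component names are placeholders."""
    log = AuditLog()
    log.record("nurse_017", "access", "clinical_notes", "success", "2025-03-01T14:02:11+00:00")
    log.record("nurse_017", "modification", "clinical_notes", "success", "2025-03-01T14:05:40+00:00")
    log.record("admin_02", "access", "resident_records", "failure", "2025-03-01T14:07:03+00:00")
    log.record("admin_02", "access", "resident_records", "failure", "2025-03-01T14:07:21+00:00")
    log.record("nurse_017", "transmission", "ehr_export", "success", "2025-03-01T14:10:00+00:00")
    return log


if __name__ == "__main__":
    sample = build_sample_log().entries()
    print("intact chain ->", verify_chain(sample))                   # None
    edited = tampered_copy(sample, 1, user_id="nurse_099")
    print("edited entry detected at index", verify_chain(edited))    # 1
    removed = sample[:1] + sample[2:]
    print("deleted entry detected at index", verify_chain(removed))  # 1
    print("failed events per user:", failures_by_user(sample))       # {'admin_02': 2}
```

The chain only detects alteration of entries already written; protecting the most recent hash (for example by anchoring it in a separate store) is what stops an attacker from quietly rewriting the tail.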
2.5.4 Integrity Controls
CareTraceAI shall implement policies and procedures to protect ePHI from improper alteration or destruction. Integrity controls shall include mechanisms to authenticate ePHI and confirm that it has not been altered or destroyed in an unauthorized manner, input validation on all data entry points, database integrity checks, and version control for all clinical documentation modifications, preserving a complete audit trail of all changes.
2.5.5 Transmission Security
CareTraceAI shall implement technical security measures to guard against unauthorized access to ePHI being transmitted over an electronic communications network. Transmission security shall include end-to-end encryption for all PHI transmissions, certificate-based authentication for API communications, integrity verification (hashing and checksums) for transmitted data, and secure API endpoints with rate limiting, input validation, and authentication.
2.5.6 Authentication
CareTraceAI shall implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. Authentication mechanisms shall include multi-factor authentication (MFA) for all administrative access, strong password requirements (minimum twelve (12) characters, complexity requirements), token-based authentication for API access, and session management controls including secure session tokens and session expiration.
2.6 PHI Handling Procedures
2.6.1 Minimum Necessary Standard
CareTraceAI shall apply the HIPAA minimum necessary standard to all uses, disclosures, and requests for PHI. Specifically, CareTraceAI shall identify the workforce members or classes of workforce members who need access to PHI, limit the PHI accessed to the minimum necessary for the intended purpose, ensure that AI processing components receive only the minimum data necessary for transcription and structuring, and implement role-based access controls that restrict PHI access based on job function.
2.6.2 Permitted Uses and Disclosures
CareTraceAI shall use and disclose PHI only as follows:
- (a) As necessary to perform services under the BAA (transcription, structuring, documentation).
- (b) For the proper management and administration of CareTraceAI, provided that disclosures are required by law or the Covered Entity provides reasonable assurances that the information will be held confidentially.
- (c) To provide data aggregation services as permitted by the BAA.
- (d) As required by law.
- (e) As otherwise permitted under the HIPAA Privacy Rule.
2.6.3 De-Identification
When PHI is used for purposes that do not require individually identifiable information (e.g., quality assurance, AI model performance monitoring, aggregate analytics), CareTraceAI shall de-identify data in accordance with 45 CFR Section 164.514. De-identification shall follow the Safe Harbor method (removal of eighteen (18) specified identifiers) or the Expert Determination method (statistical or scientific assessment). De-identified data shall be maintained separately from identifiable data and shall not be re-identified except as permitted by law.
2.6.4 PHI Disposal
CareTraceAI shall implement procedures for the secure disposal of PHI, including electronic media sanitization in accordance with NIST SP 800-88, secure deletion of voice recordings after transcription and verification, database record purging in accordance with the data retention schedule (Section 5.5), and documentation of all disposal activities. PHI shall not be disposed of in a manner that could reasonably allow it to be recovered or reconstructed.
2.7 Breach Notification Procedures
2.7.1 Breach Definition
A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless CareTraceAI demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following four factors:
- (a) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
- (b) The unauthorized person who used the PHI or to whom the disclosure was made.
- (c) Whether the PHI was actually acquired or viewed.
- (d) The extent to which the risk to the PHI has been mitigated.
2.7.2 Breach Discovery
A breach is considered discovered as of the first day on which the breach is known to CareTraceAI or, by exercising reasonable diligence, would have been known to CareTraceAI. CareTraceAI shall implement monitoring systems and procedures to detect potential breaches in a timely manner.
2.7.3 Investigation
Upon discovery of a potential breach, CareTraceAI shall immediately initiate an investigation, document the investigation process and findings, conduct the four-factor risk assessment described in Section 2.7.1, preserve all evidence related to the breach, and determine the scope of the breach (number of individuals affected, types of PHI involved).
2.7.4 Notification Timelines
CareTraceAI shall adhere to the following notification timelines:
- (a) HIPAA Requirement (Notification to Covered Entity): CareTraceAI shall notify the affected Covered Entity without unreasonable delay and in no event later than sixty (60) calendar days from the date the breach is discovered.
- (b) California Requirement (Cal. Civ. Code Section 1798.82): Where the breach also triggers California’s data breach notification law, CareTraceAI shall provide notification to affected California residents in the most expedient time possible and without unreasonable delay; California law does not specify a fixed number of days.
- (c) Internal Escalation: CareTraceAI shall escalate all suspected breaches to the Security Officer and Privacy Officer within twenty-four (24) hours of discovery.
- (d) Contractual Obligations: Where a BAA requires notification in a shorter timeframe than sixty (60) days, CareTraceAI shall comply with the more stringent contractual requirement.
2.7.5 Notification Content
Breach notifications to Covered Entities shall include, to the extent possible, a description of the nature of the breach including the types of PHI involved, identification of each individual whose PHI has been or is reasonably believed to have been accessed or acquired, the date of the breach and the date of discovery, a description of CareTraceAI’s investigation and response, a description of mitigation efforts undertaken, and contact information for CareTraceAI’s Privacy Officer.
2.7.6 Documentation
CareTraceAI shall maintain documentation of all breach investigations, risk assessments, and notifications for a minimum of six (6) years. This documentation shall include the substance of the breach notification, evidence of delivery of notification, and records of any remediation efforts.
2.8 Subcontractor and Subprocessor Compliance
2.8.1 Subprocessor Identification
As of the effective date of this document, CareTraceAI utilizes the following subprocessors that may create, receive, maintain, or transmit PHI:
- OpenAI: Speech-to-text transcription (Whisper API) — processes voice recordings containing PHI.
- Anthropic: Natural language processing and clinical note structuring (Claude API) — processes transcribed text containing PHI.
- Supabase: Database hosting and backend services — stores structured clinical documentation containing PHI.
2.8.2 Subprocessor BAA Requirements
CareTraceAI shall execute a Business Associate Agreement (or equivalent subcontractor agreement compliant with 45 CFR Section 164.314(a)(2)) with each subprocessor that creates, receives, maintains, or transmits PHI on CareTraceAI’s behalf. Specifically:
- (a) OpenAI: CareTraceAI shall maintain a BAA with OpenAI that covers the Whisper API’s processing of voice recordings. CareTraceAI shall confirm that OpenAI does not retain audio data beyond what is necessary for processing and that OpenAI does not use PHI for model training.
- (b) Anthropic: CareTraceAI shall maintain a BAA with Anthropic that covers the Claude API’s processing of transcribed clinical text. CareTraceAI shall confirm that Anthropic does not retain input data beyond what is necessary for processing and that Anthropic does not use PHI for model training.
- (c) Supabase: CareTraceAI shall maintain a BAA with Supabase that covers the hosting and storage of structured clinical documentation containing PHI.
2.8.3 Subprocessor Due Diligence
Prior to engaging any new subprocessor that will access PHI, CareTraceAI shall conduct a security and privacy assessment of the subprocessor, verify the subprocessor’s HIPAA compliance posture (e.g., SOC 2 Type II reports, HITRUST certification, or equivalent), execute a BAA, document the assessment and approval, and notify affected Covered Entities of the new subprocessor as required by applicable BAAs.
2.8.4 Subprocessor Monitoring
CareTraceAI shall monitor each subprocessor’s compliance on an ongoing basis by reviewing updated SOC reports or equivalent certifications at least annually, reassessing subprocessor risk as part of the annual risk analysis, maintaining records of subprocessor compliance documentation, and promptly addressing any identified deficiencies.
2.8.5 Zero Data Retention Policy for AI Subprocessors
CareTraceAI shall contractually require and technically verify that OpenAI and Anthropic operate under zero data retention policies for PHI processed through their APIs. This means that voice recordings sent to OpenAI Whisper shall not be stored by OpenAI after transcription is complete, text data sent to Anthropic Claude shall not be stored by Anthropic after processing is complete, and neither OpenAI nor Anthropic shall use PHI transmitted by CareTraceAI for the purpose of training, improving, or developing their AI models.
3. California State Compliance
3.1 Title 22 — California Code of Regulations (RCFE Documentation Requirements)
3.1.1 Applicability
CareTraceAI is designed to support compliance with the documentation requirements set forth in Title 22, Division 6, Chapter 8 of the California Code of Regulations, which governs Residential Care Facilities for the Elderly (RCFEs) licensed by the California Department of Social Services, Community Care Licensing Division (CCLD).
3.1.2 Documentation Requirements Supported
CareTraceAI shall facilitate compliance with the following Title 22 documentation requirements:
- (a) Resident Records (Section 87468): CareTraceAI shall enable the creation and maintenance of individual resident records that include health-related documentation as required by regulation.
- (b) Incident Reports (Section 87468.1): CareTraceAI shall support the documentation of unusual incidents and injuries.
- (c) Medication Records (Section 87465): CareTraceAI shall support the documentation of medication administration and observations related to medication effects.
- (d) Care and Supervision Documentation (Section 87464): CareTraceAI shall support the documentation of care and supervision provided to residents, including activities of daily living (ADL) assistance.
3.1.3 Record Retention
In accordance with Title 22, Section 87468, CareTraceAI shall retain resident documentation for a minimum of three (3) years following a resident’s discharge from the facility. CareTraceAI shall support longer retention periods where required by individual BAAs or other applicable law. Where a Covered Entity terminates its agreement with CareTraceAI, CareTraceAI shall return or destroy all PHI in accordance with the BAA, or if neither return nor destruction is feasible, shall continue to protect the information and limit further uses and disclosures.
3.1.4 Record Accessibility
CareTraceAI shall ensure that documentation is available for inspection by authorized representatives of the Community Care Licensing Division during business hours. Documentation shall be producible in printed or electronic format as requested. CareTraceAI shall support the export of records in standard formats suitable for regulatory inspection.
3.1.5 Documentation Integrity
All clinical documentation generated through CareTraceAI shall include the identity of the caregiver or nurse who authored the note, the date and time the note was created, the date and time the note was reviewed and finalized, indication that the note was generated with AI assistance (see Section 4.1), and a complete audit trail of all modifications.
3.2 CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)
3.2.1 Applicability
The CCPA, as amended by the CPRA, applies to CareTraceAI to the extent that CareTraceAI collects, uses, or discloses personal information of California residents in its capacity as a business. However, the CCPA contains an exemption for protected health information collected by a Covered Entity or Business Associate governed by HIPAA (Cal. Civ. Code Section 1798.145(c)(1)).
3.2.2 Scope of CCPA/CPRA Obligations
CareTraceAI’s CCPA/CPRA obligations primarily apply to personal information that is not PHI governed by HIPAA, including employee personal information, website visitor data, marketing and sales prospect data, and facility administrator account information not constituting PHI.
3.2.3 Consumer Rights
For personal information subject to the CCPA/CPRA, CareTraceAI shall honor the following consumer rights:
- (a) Right to Know: Consumers may request disclosure of the categories and specific pieces of personal information collected, the categories of sources, the business or commercial purpose for collection, and the categories of third parties with whom personal information is shared.
- (b) Right to Delete: Consumers may request deletion of personal information, subject to applicable exceptions.
- (c) Right to Correct: Consumers may request correction of inaccurate personal information.
- (d) Right to Opt-Out of Sale/Sharing: Consumers may opt out of the sale or sharing of their personal information. CareTraceAI does not sell personal information.
- (e) Right to Limit Use of Sensitive Personal Information: Consumers may limit the use and disclosure of sensitive personal information to specified purposes.
- (f) Right to Non-Discrimination: CareTraceAI shall not discriminate against consumers for exercising their CCPA/CPRA rights.
3.2.4 Privacy Notice
CareTraceAI shall maintain a publicly accessible privacy notice that complies with CCPA/CPRA requirements, including disclosure of the categories of personal information collected, the purposes for which personal information is collected and used, the categories of third parties with whom personal information is shared, and information about consumer rights and how to exercise them.
3.2.5 Data Processing Agreements
Where CareTraceAI acts as a “service provider” under the CCPA/CPRA, the applicable contract shall include CCPA/CPRA-compliant data processing terms prohibiting the retention, use, or disclosure of personal information for any purpose other than performing services specified in the agreement.
3.3 CMIA (Confidentiality of Medical Information Act)
3.3.1 Applicability
The Confidentiality of Medical Information Act (California Civil Code Section 56 et seq.) applies to CareTraceAI as a provider of software and services that receive and process medical information of California residents. Under the CMIA, CareTraceAI may be classified as a “provider of health care” (to the extent it maintains medical information) or, more likely, as a recipient of medical information from providers of health care.
3.3.2 Prohibitions
Under the CMIA, CareTraceAI shall not disclose medical information regarding a patient without first obtaining a valid written authorization from the patient or as otherwise permitted by law. CareTraceAI shall not use medical information for purposes not authorized by the patient or permitted under the CMIA. CareTraceAI shall not share, sell, or otherwise use medical information for marketing purposes without explicit authorization.
3.3.3 Patient Authorization
Where required by the CMIA, patient authorization for the disclosure of medical information shall include the specific uses and limitations on the use of medical information, the name or functions of the persons authorized to make the disclosure, the name or functions of the persons authorized to receive the disclosure, the specific information to be disclosed, the date or event upon which the authorization expires, and the patient’s signature and date.
3.3.4 Penalties
Violations of the CMIA may result in civil penalties including compensatory damages, punitive damages of up to three thousand dollars ($3,000), attorneys’ fees of up to one thousand dollars ($1,000), and costs of litigation. Willful violations may result in additional administrative fines of up to twenty-five thousand dollars ($25,000) per violation under Cal. Civ. Code Section 56.36. CareTraceAI shall implement controls and training to prevent CMIA violations.
3.3.5 CMIA and HIPAA Interplay
Where both the CMIA and HIPAA apply, CareTraceAI shall comply with the more restrictive of the two requirements. In general, the CMIA imposes stricter requirements regarding patient authorization for disclosure, while HIPAA provides a more comprehensive framework for security safeguards.
3.4 California Data Breach Notification Law (Civil Code Section 1798.82)
3.4.1 Notification Obligations
In the event of a breach of the security of the system involving personal information of a California resident, CareTraceAI shall provide notification to the affected individual in the most expedient time possible and without unreasonable delay. If the breach affects more than five hundred (500) California residents, CareTraceAI shall also submit an electronic copy of the breach notification to the California Attorney General.
3.4.2 Personal Information Defined
For purposes of Section 1798.82, “personal information” includes an individual’s first name or first initial and last name in combination with any one or more of the following, when the name or data element is not encrypted or redacted: Social Security number, driver’s license or California identification card number, account number or credit or debit card number in combination with any required security code, medical information, health insurance information, unique biometric data, and information collected through automated license plate recognition.
3.4.3 Notification Content
Breach notifications under California law shall include the name and contact information of CareTraceAI, a list of the types of personal information that were or are reasonably believed to have been the subject of the breach, the date of the breach (if known) and the date of discovery, a general description of the breach incident, the toll-free telephone numbers and addresses of the major credit reporting agencies (if applicable), and a statement advising the individual to review account statements and credit reports.
3.4.4 Coordination with HIPAA Breach Notification
Where a breach involves both PHI subject to HIPAA and personal information subject to California Civil Code Section 1798.82, Care Trace shall coordinate breach notification efforts to ensure compliance with both sets of requirements, adhering to the more stringent timeline in each case.
3.5 California Electronic Signature Laws
3.5.1 Uniform Electronic Transactions Act (UETA)
CareTraceAI shall comply with California’s adoption of the Uniform Electronic Transactions Act (Cal. Civ. Code Section 1633.1 et seq.) for all electronic transactions, including the execution of BAAs, user agreements, and electronic attestations.
3.5.2 Electronic Signatures for Clinical Documentation
Where a nurse or caregiver electronically signs or attests to the accuracy of a clinical note generated through CareTraceAI, the electronic signature shall be attributable to the signer, reflect the intent of the signer to sign the document, be associated with the specific document being signed, and create a non-repudiable record of the signature event including the signer’s identity, timestamp, and the document version signed.
3.5.3 Consent to Electronic Transactions
CareTraceAI shall obtain affirmative consent from users to conduct transactions electronically, including clear disclosure that the user is agreeing to use electronic records and signatures, information on how to withdraw consent, information on how to obtain paper copies, and notification of any hardware or software requirements.
4. AI and Technology Compliance
4.1 AI Transparency Requirements
4.1.1 Disclosure of AI-Generated Content
CareTraceAI shall ensure that all clinical documentation generated through the platform clearly indicates that it was produced with AI assistance. Specifically:
- (a) Each structured clinical note shall include a visible indicator that the note was generated using AI-powered transcription and structuring.
- (b) The indicator shall state, at minimum: “This note was generated with AI assistance (speech-to-text transcription and AI-powered structuring) and has been reviewed and approved by [caregiver name].”
- (c) The AI disclosure shall be included in all exports, printouts, and transmissions of the documentation.
- (d) The AI disclosure shall not be removable or editable by end users.
4.1.2 Transparency to Facilities
CareTraceAI shall provide facility administrators with clear documentation explaining how AI is used in the documentation process, what AI models are employed (OpenAI Whisper for transcription, Anthropic Claude for structuring), the limitations and potential inaccuracies of AI-generated content, the human review requirements (Section 4.3), and how to report concerns about AI-generated content.
4.1.3 Transparency to Patients and Residents
Where required by facility policy or applicable law, CareTraceAI shall support disclosure to patients and residents that their care documentation may be generated with AI assistance. CareTraceAI shall provide template disclosure language that facilities can incorporate into their admission agreements and patient notice materials.
4.2 AI Bias Monitoring and Mitigation
4.2.1 Bias Risk Assessment
CareTraceAI shall conduct periodic assessments of potential bias in AI-generated documentation, including:
- (a) Transcription Bias: Assessment of whether the speech-to-text system (OpenAI Whisper) performs equitably across different accents, dialects, languages, and speech patterns of caregivers.
- (b) Structuring Bias: Assessment of whether the clinical note structuring system (Anthropic Claude) produces consistent quality across different patient demographics, medical conditions, and documentation styles.
- (c) Outcome Bias: Assessment of whether AI-generated documentation introduces systematic differences in the characterization of care provided to different patient populations.
4.2.2 Bias Monitoring Program
CareTraceAI shall implement an ongoing bias monitoring program that includes regular sampling and review of AI-generated documentation for accuracy and consistency, comparative analysis of AI output quality across demographic groups (where data is available in de-identified or aggregate form), tracking and investigation of user-reported concerns regarding bias, and documentation of bias monitoring activities, findings, and remediation actions.
4.2.3 Bias Mitigation
Where bias is identified, CareTraceAI shall promptly investigate the root cause, implement corrective measures (which may include prompt engineering adjustments, model selection changes, or pre/post-processing filters), verify the effectiveness of corrective measures, and document the bias finding and remediation in the quality assurance record.
4.3 Human-in-the-Loop Requirement
4.3.1 Mandatory Human Review
CareTraceAI shall enforce a mandatory human-in-the-loop requirement for all AI-generated clinical documentation. No AI-generated note shall be saved, finalized, or transmitted to an EHR system without first being reviewed and affirmatively approved by the authoring nurse or caregiver.
4.3.2 Review Process
The human review process shall include the following steps:
- (a) After AI processing, the structured note shall be presented to the authoring caregiver for review.
- (b) The caregiver shall have the ability to edit, correct, add to, or delete any portion of the AI-generated content.
- (c) The caregiver shall affirmatively confirm the accuracy and completeness of the note before it is saved.
- (d) The system shall record the identity of the reviewing caregiver, the timestamp of the review, and any modifications made during review.
- (e) Notes that are not reviewed and approved within a configurable time period shall be flagged for follow-up and shall not be automatically finalized.
4.3.3 Prohibition on Unreviewed Documentation
CareTraceAI shall not provide any mode, feature, or configuration option that allows AI-generated clinical documentation to bypass human review. Auto-save of draft notes is permitted, but finalization and submission to EHR systems shall always require affirmative human action.
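The following is an added illustration of the Section 4.3 human-in-the-loop control together with the Section 4.1.1 non-removable AI disclosure; it is example code written for this document, not CareTraceAI's own implementation, and the class name, field names and the disclosure placement are assumptions.

```python
"""Example enforcement of Sections 4.1.1 and 4.3 (assumed design, not the product's code):
a note can be edited freely while in draft, may only be exported or sent to an EHR after
an affirmative approval that records reviewer, time and changes, and the AI disclosure is
appended by the system from the review record so end users cannot edit or remove it."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from difflib import unified_diff
from typing import Optional

# Disclosure wording required by Section 4.1.1(b); the name is filled in at approval.
AI_DISCLOSURE_TEMPLATE = (
    "This note was generated with AI assistance (speech-to-text transcription "
    "and AI-powered structuring) and has been reviewed and approved by {name}."
)

# Lifecycle states. Only FINALIZED notes may be rendered for export or EHR transmission.
DRAFT, FLAGGED, FINALIZED = "draft", "flagged", "finalized"


class ReviewRequired(Exception):
    """Raised when code tries to export or transmit a note that was never approved."""


@dataclass
class ClinicalNote:
    note_id: str
    ai_output: str                 # structured text as returned by the structuring model
    created_at: datetime
    model_versions: dict           # per-note model metadata (Section 4.5.3), e.g. {"structuring": "..."}
    state: str = DRAFT
    body: str = field(init=False)
    review: Optional[dict] = None  # reviewer identity, timestamp and diff (Section 4.3.2(d))

    def __post_init__(self) -> None:
        self.body = self.ai_output  # caregiver edits start from the AI draft (4.3.2(a))

    def edit(self, new_body: str) -> None:
        """4.3.2(b): the caregiver may change, add to or delete any AI-generated content."""
        if self.state == FINALIZED:
            raise ValueError("finalized notes are immutable; record changes as an addendum")
        self.body = new_body

    def approve(self, reviewer_id: str, reviewer_name: str, now: datetime) -> None:
        """4.3.2(c)-(d): affirmative approval that records who approved, when, and what changed."""
        if self.state == FINALIZED:
            raise ValueError("note already finalized")
        diff = list(unified_diff(self.ai_output.splitlines(), self.body.splitlines(),
                                 "ai_output", "approved", lineterm=""))
        self.review = {
            "reviewer_id": reviewer_id,
            "reviewer_name": reviewer_name,
            "reviewed_at": now.isoformat(),
            "modified": bool(diff),
            "diff": diff,
        }
        self.state = FINALIZED

    def render(self) -> str:
        """Export view (4.1.1(c)-(d)): the disclosure is generated from the review record,
        never from user-editable text, and no unreviewed note can be rendered at all."""
        if self.state != FINALIZED or self.review is None:
            raise ReviewRequired(f"note {self.note_id} has not been reviewed and approved")
        return self.body + "\n\n" + AI_DISCLOSURE_TEMPLATE.format(name=self.review["reviewer_name"])


def flag_stale_drafts(notes, now: datetime, max_age: timedelta):
    """4.3.2(e): drafts older than the configured window are flagged for follow-up.
    They are never auto-finalized; approval still requires a caregiver action."""
    flagged = []
    for note in notes:
        if note.state == DRAFT and now - note.created_at > max_age:
            note.state = FLAGGED
            flagged.append(note.note_id)
    return flagged


def transmit_to_ehr(note: ClinicalNote) -> dict:
    """4.3.3: the only path toward an EHR goes through render(), which enforces review.
    Returns the payload that would be handed to the EHR integration (assumed shape)."""
    return {
        "note_id": note.note_id,
        "content": note.render(),
        "reviewed_by": note.review["reviewer_id"],
        "model_versions": note.model_versions,
    }
```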
4.4 Accuracy Monitoring and Quality Assurance
4.4.1 Transcription Accuracy
CareTraceAI shall monitor the accuracy of AI transcription (OpenAI Whisper) through periodic sampling and review of transcription output against original audio, tracking of user correction rates (frequency and nature of edits made during human review), investigation of patterns in transcription errors (e.g., specific medical terminology, accents, environmental noise), and documentation of accuracy metrics and trends.
4.4.2 Structuring Accuracy
CareTraceAI shall monitor the accuracy of AI clinical note structuring (Anthropic Claude) through periodic review of structured output for clinical accuracy and completeness, tracking of user modification rates during human review, verification that structured notes capture the essential clinical information from the transcription, and assessment of whether structured notes comply with facility documentation standards.
4.4.3 Quality Assurance Reviews
CareTraceAI shall conduct quality assurance reviews of AI output at least quarterly. Reviews shall assess overall accuracy rates and trends, identify recurring errors or deficiencies, evaluate the effectiveness of any corrective actions taken, and produce a written quality assurance report with findings and recommendations.
4.4.4 Error Reporting
CareTraceAI shall provide users with a mechanism to report errors or concerns about AI-generated content. All reports shall be logged, investigated, and responded to within a reasonable timeframe. Patterns of errors shall trigger a formal review under Section 4.4.3.
4.5 Model Versioning and Change Management
4.5.1 AI Model Inventory
CareTraceAI shall maintain a current inventory of all AI models used in production, including model name and provider, model version, purpose and function within CareTraceAI, date of initial deployment, date of most recent update, and known limitations or risks.
4.5.2 Change Management Process
Before deploying any change to an AI model or AI-related processing logic, CareTraceAI shall follow a formal change management process that includes impact assessment (potential effects on transcription accuracy, structuring quality, bias, and compliance), testing in a non-production environment using representative data (de-identified or synthetic), comparison of output quality between current and proposed model versions, approval by the designated technical lead and compliance officer, documentation of the change including rationale, testing results, and approval, and a rollback plan in the event the change produces unacceptable results.
4.5.3 Version Tracking
CareTraceAI shall record the AI model version used to process each clinical note. This information shall be stored as metadata associated with the note and shall be available for audit and quality assurance purposes.
4.5.4 Vendor Model Updates
When OpenAI or Anthropic releases updates to their models (Whisper, Claude), CareTraceAI shall evaluate the update for potential impact on accuracy, bias, and compliance before deploying the updated model in production. CareTraceAI shall not automatically adopt vendor model updates without internal review.
5. Data Governance
5.1 Data Classification
5.1.1 Classification Categories
CareTraceAI shall classify all data according to the following categories:
- PHI (Protected Health Information): Patient names, diagnoses, medications, care notes, voice recordings. Full HIPAA safeguards; encryption at rest and in transit; access restricted to authorized personnel; BAA required for third-party access.
- PII (Personally Identifiable Information): Caregiver names, email addresses, facility administrator contact information (not constituting PHI). Encryption at rest and in transit; access restricted to authorized personnel; CCPA/CPRA compliance.
- De-Identified: Data that has been de-identified per 45 CFR Section 164.514 (e.g., aggregate usage statistics, de-identified quality metrics). No PHI handling requirements; must not be re-identified; maintain documentation of de-identification method.
- Aggregate: Statistical or summary data that cannot identify individuals (e.g., system performance metrics, total note counts, average processing times). No PHI handling requirements; may be used for business analytics and reporting.
- Confidential Business: Proprietary business information (e.g., source code, business plans, financial records, internal policies). Access restricted on a need-to-know basis; standard business confidentiality protections.
- Public: Information intended for public dissemination (e.g., marketing materials, public website content, published documentation). No access restrictions.
5.1.2 Classification Responsibilities
The data owner (the business function that generates or collects the data) is responsible for classifying data at the time of creation or collection. The Security Officer shall review data classifications as part of the annual risk assessment.
5.2 Data Flow Mapping
5.2.1 Clinical Documentation Data Flow
The following describes the data flow for clinical documentation processing:
Step 1 — Voice Capture (Mobile Device): The nurse or caregiver records a verbal patient note using the CareTraceAI mobile application. The voice recording is captured on the device, encrypted locally, and stored temporarily in the application’s secure storage.
Step 2 — Transmission to CareTraceAI API: The encrypted voice recording is transmitted from the mobile device to CareTraceAI’s API server over TLS 1.2 or higher. The API server authenticates the request using token-based authentication.
Step 3 — Transcription (OpenAI Whisper): The CareTraceAI API transmits the voice recording to the OpenAI Whisper API for speech-to-text transcription. The transmission occurs over an encrypted connection. OpenAI processes the audio and returns a text transcription. Under the BAA with OpenAI, the audio is not retained by OpenAI after processing.
Step 4 — Clinical Structuring (Anthropic Claude): The transcribed text is transmitted to the Anthropic Claude API for clinical note structuring. The transmission occurs over an encrypted connection. Anthropic processes the text and returns a structured clinical note. Under the BAA with Anthropic, the text is not retained by Anthropic after processing.
Step 5 — Storage (Supabase): The structured clinical note is stored in CareTraceAI’s Supabase database, encrypted at rest using AES-256. Access to stored data is governed by role-based access controls.
Step 6 — Human Review (Mobile Device): The structured note is transmitted back to the mobile device over TLS for review by the authoring caregiver. The caregiver reviews, edits if necessary, and approves the note.
Step 7 — Finalization and EHR Integration (Future): Upon approval, the finalized note is marked as complete in the database. In the future, the Chrome extension will transmit the note to the facility’s EHR system (PointClickCare or MatrixCare) via secure API integration.
5.2.2 Data Flow Diagram Maintenance
CareTraceAI shall maintain current data flow diagrams that are updated whenever material changes are made to the system architecture, data processing activities, or third-party integrations. Data flow diagrams shall be reviewed at least annually as part of the risk assessment process.
5.3 Data Residency
5.3.1 United States Processing and Storage
All PHI processed and stored by CareTraceAI shall reside within the United States. Specifically:
- (a) CareTraceAI’s API servers shall be hosted in United States data centers.
- (b) Supabase database instances shall be configured to use United States regions only.
- (c) API calls to OpenAI and Anthropic shall be routed to United States endpoints.
- (d) No PHI shall be transferred to, processed in, or stored in any location outside the United States.
5.3.2 Subprocessor Data Residency
CareTraceAI shall contractually require each subprocessor to process and store PHI exclusively within the United States. Compliance with this requirement shall be verified as part of the subprocessor due diligence and monitoring process described in Sections 2.8.3 and 2.8.4.
5.3.3 Prohibition on Offshore Access
No CareTraceAI workforce member or contractor located outside the United States shall have access to unencrypted PHI. If CareTraceAI engages offshore personnel for non-PHI functions (e.g., general software development), technical controls shall prevent those personnel from accessing PHI.
5.4 Data Retention Schedule
5.4.1 Retention Periods
- Clinical documentation (PHI): Minimum three (3) years following resident discharge from the facility (Title 22, Section 87468; individual BAAs may require longer retention).
- Voice recordings: Deleted within seventy-two (72) hours of successful transcription and verification (CareTraceAI internal policy; minimum necessary principle).
- Audit logs: Minimum six (6) years (HIPAA Security Rule, 45 CFR Section 164.530(j)).
- BAAs and compliance documentation: Minimum six (6) years from date of termination or expiration (HIPAA, 45 CFR Section 164.530(j)).
- Employee training records: Minimum six (6) years (HIPAA, 45 CFR Section 164.530(j)).
- Breach investigation records: Minimum six (6) years (HIPAA, 45 CFR Section 164.530(j)).
- CCPA/CPRA request records: Minimum twenty-four (24) months (CCPA/CPRA regulations).
- De-identified and aggregate data: No mandatory retention period; retained as needed for business purposes.
5.4.2 Retention Enforcement
CareTraceAI shall implement automated processes to enforce retention schedules, including automated deletion of voice recordings after the specified retention period and regular review (at least quarterly) of data stores to identify records eligible for disposal.
5.5 Data Disposal Procedures
5.5.1 Electronic Data Disposal
When PHI or PII reaches the end of its retention period or disposal is otherwise required (e.g., BAA termination), CareTraceAI shall dispose of the data using methods that render it unrecoverable:
- (a) Database Records: Secure deletion using cryptographic erasure or overwrite methods.
- (b) Voice Recordings: Secure deletion from all storage locations, including device storage, API server temporary storage, and any backup systems.
- (c) Backup Media: Destruction or sanitization of backup media containing PHI in accordance with NIST SP 800-88.
- (d) Log Files: Redaction or secure deletion of PHI from log files upon expiration of the log retention period.
5.5.2 Disposal Documentation
All data disposal activities shall be documented, including the date of disposal, the type and category of data disposed, the method of disposal, the identity of the person who performed or verified disposal, and confirmation that the disposal was completed successfully.
5.5.3 Third-Party Disposal
When a subprocessor is required to dispose of PHI (e.g., upon termination of the subprocessor agreement), CareTraceAI shall obtain written certification from the subprocessor that disposal has been completed in accordance with applicable requirements.
5.6 Third-Party Data Processing Agreements
5.6.1 Agreement Requirements
CareTraceAI shall execute written data processing agreements with all third parties that process personal information or PHI on behalf of CareTraceAI. These agreements shall specify the nature, purpose, and duration of the processing, the types of data processed, the obligations of the processor, the rights of the controller (Care Trace), subprocessing restrictions and approval requirements, data return and deletion obligations upon termination, audit rights, breach notification requirements, and data residency requirements.
5.6.2 Agreement Registry
CareTraceAI shall maintain a registry of all third-party data processing agreements, including the parties, effective dates, data types covered, and renewal or termination dates. The registry shall be reviewed at least annually.
6. Regulatory Reporting
6.1 State Licensing Inspection Readiness (Community Care Licensing Division)
6.1.1 Inspection Support
CareTraceAI shall be prepared to support Covered Entity customers during inspections by the California Department of Social Services, Community Care Licensing Division (CCLD). Specifically, CareTraceAI shall maintain the ability to produce clinical documentation records in printed or electronic format upon request, provide documentation demonstrating the integrity and authenticity of records generated through the platform (including audit trails and AI disclosure indicators), and make technical support available to facilities during inspections to assist with record retrieval and export.
6.1.2 Documentation Format
Records produced for CCLD inspection shall be in a clear, readable format, include all required elements (author, date, time, content, AI disclosure, review attestation), and be organized in a manner consistent with Title 22 requirements.
6.1.3 Inspection Response Time
CareTraceAI shall respond to facility requests for documentation production in support of a CCLD inspection within four (4) business hours during normal business hours (Monday through Friday, 8:00 AM to 6:00 PM Pacific Time) and within eight (8) business hours outside normal business hours.
6.2 Incident Reporting Obligations
6.2.1 Security Incident Reporting
CareTraceAI shall report security incidents as follows:
- (a) To Covered Entities: All security incidents involving PHI shall be reported to the affected Covered Entity in accordance with the BAA and HIPAA requirements (see Section 2.7).
- (b) To HHS: Breaches affecting five hundred (500) or more individuals shall be reported to the Secretary of HHS without unreasonable delay and in no event later than sixty (60) calendar days from discovery, via the HHS Breach Reporting Tool. Breaches affecting fewer than five hundred (500) individuals shall be reported to HHS annually within sixty (60) days of the end of the calendar year in which the breach was discovered.
- (c) To California Attorney General: Breaches affecting more than five hundred (500) California residents shall be reported to the California Attorney General simultaneously with individual notification.
- (d) To Affected Individuals: Where CareTraceAI is responsible for providing individual notification (as opposed to the Covered Entity), notification shall be provided in accordance with Section 2.7.4.
6.2.2 Operational Incident Reporting
CareTraceAI shall report operational incidents (system outages, data integrity issues, AI malfunction) to affected Covered Entities as follows:
- (a) Critical incidents (system unavailability, data loss, AI generating clinically unsafe output): Notification within two (2) hours of discovery.
- (b) Major incidents (degraded performance, intermittent errors, delayed processing): Notification within twenty-four (24) hours of discovery.
- (c) Minor incidents (cosmetic issues, non-material errors): Notification in the next regular status update or within five (5) business days.
6.3 Audit Trail Requirements
6.3.1 Audit Trail Scope
CareTraceAI shall maintain comprehensive audit trails that capture user authentication events (login, logout, failed attempts), all access to PHI (view, create, modify, delete, export, transmit), administrative actions (user provisioning, access changes, configuration changes), system events (backups, restores, updates, errors), AI processing events (model version, processing timestamps, confidence scores where available), and clinical documentation lifecycle events (creation, review, approval, modification, export).
6.3.2 Audit Trail Integrity
Audit trails shall be protected against tampering through write-once storage mechanisms or equivalent protections, access restrictions (audit logs shall be modifiable only by automated systems, not by individual users), integrity verification (hashing or digital signatures), and regular backup to a separate, secure location.
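As an added illustration of the integrity controls named in 6.3.2 (not CareTraceAI's own code), the following hash-chained, HMAC-protected audit trail detects edited, deleted or reordered entries on verification; the key handling, event fields and the external "head" record are assumptions.

```python
"""Example tamper-evident audit trail for Section 6.3.2 (assumed design, not the product's code).
Each entry links to the previous entry's MAC and carries an HMAC-SHA256 over its own contents,
so modification, deletion or reordering breaks verification. The latest MAC ("head") should be
copied to the separate backup location so that silent truncation of the tail is also detected."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # link value for the first entry


def _canonical(event: dict) -> bytes:
    # Deterministic serialisation so verify() hashes exactly the bytes that were signed.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    """Append-only store. There is deliberately no update or delete method, mirroring the
    rule that audit logs are modifiable only by automated systems, not individual users."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key  # held by the logging service only (assumed key management)
        self._entries: List[dict] = []

    def append(self, actor: str, action: str, resource: str, **details) -> dict:
        prev = self._entries[-1]["mac"] if self._entries else GENESIS
        event = {
            "seq": len(self._entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,            # user or system principal
            "action": action,          # e.g. view/create/modify/delete/export per 6.3.1
            "resource": resource,      # e.g. "note/<id>"
            "details": details,
            "prev": prev,              # chain link to the previous entry
        }
        mac = hmac.new(self._key, _canonical(event), hashlib.sha256).hexdigest()
        entry = {**event, "mac": mac}
        self._entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest MAC; record this externally (e.g. with the 6.3.2 backup) to detect truncation."""
        return self._entries[-1]["mac"] if self._entries else GENESIS

    def entries(self) -> List[dict]:
        return [dict(e) for e in self._entries]  # copies, so callers cannot alter the live log


def verify(entries: List[dict], signing_key: bytes,
           expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, index_of_first_bad_entry). Checks sequence numbers, chain links and MACs;
    with expected_head it also detects removal of entries from the end of the log."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        event = {k: v for k, v in entry.items() if k != "mac"}
        expected = hmac.new(signing_key, _canonical(event), hashlib.sha256).hexdigest()
        if (event.get("seq") != i or event.get("prev") != prev
                or not hmac.compare_digest(expected, str(entry.get("mac", "")))):
            return False, i
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)  # chain is internally consistent but shorter than recorded
    return True, None
```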
6.3.3 Audit Trail Availability
Audit trail records shall be available for review by authorized Care Trace personnel (Security Officer, Privacy Officer, Compliance Officer), authorized representatives of Covered Entities (as specified in BAAs), and the Secretary of HHS (as required by HIPAA). Audit trail records shall be retained for a minimum of six (6) years.
6.4 Record-Keeping Obligations
6.4.1 HIPAA Record-Keeping
In accordance with 45 CFR Section 164.530(j), CareTraceAI shall maintain the following records for a minimum of six (6) years from the date of creation or the date when the record was last in effect, whichever is later:
- (a) All policies and procedures required by the HIPAA Privacy and Security Rules.
- (b) All communications, actions, activities, or designations required to be documented under the HIPAA Privacy and Security Rules.
- (c) Business Associate Agreements.
- (d) Risk assessments and risk management plans.
- (e) Training records.
- (f) Incident and breach investigation records.
- (g) Audit trail records.
6.4.2 State Record-Keeping
CareTraceAI shall maintain records as required by California state law, including CCPA/CPRA request records (twenty-four (24) months), data breach notification records (five (5) years), and employment records as required by California labor law.
7. Compliance Program
7.1 Compliance Officer Designation
7.1.1 Appointment
CareTraceAI shall designate a Compliance Officer who shall have overall responsibility for the compliance program described in this document. The Compliance Officer may be the same individual as the Privacy Officer and/or Security Officer designated under Sections 2.3.7 and 2.3.8, provided the individual has adequate resources, expertise, and authority to fulfill all roles.
7.1.2 Responsibilities
The Compliance Officer shall be responsible for overseeing and monitoring the implementation of the compliance program, developing and updating compliance policies and procedures, conducting or overseeing compliance risk assessments, coordinating compliance training and education, investigating compliance concerns and complaints, reporting compliance matters to executive leadership and the board of directors (or equivalent governing body), serving as the primary point of contact for regulatory agencies on compliance matters, and maintaining current knowledge of applicable laws, regulations, and industry standards.
7.1.3 Authority
The Compliance Officer shall have the authority to access all information and personnel necessary to perform compliance functions, engage outside legal counsel or consultants as needed, require corrective action to address compliance deficiencies, and escalate compliance matters directly to executive leadership or the board.
7.1.4 Contact Information
The Compliance Officer may be reached at: compliance@caretrace.ai.
7.2 Regular Risk Assessments
7.2.1 Comprehensive Risk Assessment
CareTraceAI shall conduct a comprehensive risk assessment at least annually. The risk assessment shall cover HIPAA Security Rule risk analysis requirements (identifying threats and vulnerabilities to ePHI), privacy risk assessment (identifying risks to the privacy of PHI under the HIPAA Privacy Rule, CMIA, and CCPA/CPRA), AI risk assessment (identifying risks related to AI accuracy, bias, and transparency), operational risk assessment (identifying risks to system availability, data integrity, and business continuity), and third-party risk assessment (evaluating risks associated with subprocessors and other third parties).
7.2.2 Triggered Risk Assessments
In addition to the annual comprehensive assessment, CareTraceAI shall conduct targeted risk assessments when significant changes occur to the platform or its architecture, new subprocessors are engaged, new regulatory requirements take effect, a security incident or breach occurs, or material changes occur in the threat landscape.
7.2.3 Risk Assessment Documentation
Each risk assessment shall be documented, including the scope of the assessment, the methodology used, the threats and vulnerabilities identified, the risk level assigned to each finding, the recommended mitigation measures, the responsible parties and timelines for implementation, and executive approval of the risk assessment and mitigation plan.
7.3 Staff Training Requirements
7.3.1 Training Program
CareTraceAI shall maintain a comprehensive training program covering the following topics:
- HIPAA Privacy and Security Awareness: All workforce members; upon hire and annually.
- HIPAA for Developers: Engineering team; upon hire and annually.
- CMIA and California Privacy Law: All workforce members; upon hire and annually.
- Security Incident Response: Incident response team; upon hire and semi-annually.
- AI Ethics and Bias Awareness: Engineering and product teams; upon hire and annually.
- Data Handling and Classification: All workforce members with data access; upon hire and annually.
- Role-Specific Compliance Training: As determined by job function; upon hire and as needed.
- Phishing and Social Engineering Awareness: All workforce members; quarterly.
7.3.2 Training for Covered Entity Users
CareTraceAI shall provide or make available training materials for Covered Entity customers on the proper use of the CareTraceAI application, including human review requirements for AI-generated documentation, mobile device security best practices, incident reporting procedures, and HIPAA considerations specific to voice-based documentation tools.
7.3.3 Training Documentation
All training activities shall be documented, including the date of training, the topics covered, the trainer’s identity, the attendees’ names and signatures (or electronic attestations), and the training materials used. Training records shall be retained for a minimum of six (6) years.
7.4 Policy Review Schedule
7.4.1 Annual Review
All compliance policies and procedures, including this Legal Compliance Document, shall be reviewed at least annually to ensure continued accuracy and effectiveness. The annual review shall assess whether policies remain aligned with current laws and regulations, identify any gaps or deficiencies, evaluate whether policies are being followed in practice, and recommend updates as needed.
7.4.2 Triggered Reviews
In addition to the annual review, policies shall be reviewed and updated as needed when new laws or regulations take effect, significant regulatory guidance is issued, a security incident or breach reveals policy deficiencies, material changes occur to Care Trace’s products, services, or operations, or audit or assessment findings indicate a need for policy changes.
7.4.3 Review Documentation
Each policy review shall be documented, including the reviewer(s), the date of review, the findings, any changes made, and approval by the Compliance Officer and executive leadership.
7.4.4 Version Control
All compliance policies and procedures shall be maintained under version control. Each version shall include the version number, effective date, summary of changes from the prior version, and approval by the Compliance Officer.
7.5 Complaint and Reporting Procedures
7.5.1 Reporting Channels
CareTraceAI shall maintain the following channels for reporting compliance concerns:
- (a) Email: compliance@caretrace.ai
- (b) Internal Reporting: Workforce members may report concerns directly to the Compliance Officer, their supervisor, or any member of executive leadership.
- (c) Anonymous Reporting: CareTraceAI shall establish an anonymous reporting mechanism (e.g., a web-based reporting form or third-party hotline) that allows workforce members and external parties to report compliance concerns without identification.
7.5.2 Non-Retaliation Policy
CareTraceAI shall not retaliate against any individual who in good faith reports a compliance concern, participates in a compliance investigation, or refuses to participate in conduct that the individual reasonably believes is unlawful. This non-retaliation policy shall be communicated to all workforce members and included in training materials.
7.5.3 Complaint Investigation
All compliance complaints shall be promptly investigated. The investigation process shall include acknowledgment of the complaint within three (3) business days, assignment of an investigator (the Compliance Officer or designee), investigation conducted with appropriate confidentiality, documentation of the investigation findings, corrective action as warranted, and communication of the outcome to the complainant (unless the complaint was anonymous or disclosure would compromise the investigation).
7.5.4 Regulatory Complaints
If CareTraceAI receives a complaint from a regulatory agency (HHS Office for Civil Rights, California Attorney General, CCLD, or other), the Compliance Officer shall be notified immediately, and the complaint shall be addressed in accordance with applicable regulatory procedures and timelines.
7.5.5 Complaint Log
CareTraceAI shall maintain a log of all compliance complaints, including the date received, the nature of the complaint, the investigation status, the findings, and any corrective action taken. The complaint log shall be reviewed by the Compliance Officer at least quarterly and reported to executive leadership.
8. Document Control
8.1 Document Information
- Document Title: CareTraceAI Legal Compliance Document
- Document Version: 1.0
- Effective Date: April 9, 2026
- Document Owner: Compliance Officer
- Classification: Confidential — Internal and Regulatory Use
- Contact: compliance@caretrace.ai
8.2 Revision History
- Version 1.0 — April 9, 2026 — Care Trace Compliance — Initial version.
8.3 Approval
This document has been reviewed and approved by the CareTraceAI Compliance Officer and executive leadership. It shall remain in effect until superseded by a subsequent version.
8.4 Distribution
This document shall be distributed to all CareTraceAI workforce members, made available to Covered Entity customers upon request, and made available to regulatory agencies as required by law.
CareTraceAI, Inc.
compliance@caretrace.ai
This document is confidential and intended for internal and regulatory use. Unauthorized distribution is prohibited.