Compliance & Security

HIPAA hygiene by default. Conservative claims, real controls.

17 permission groups, 51 distinct permissions, 10 default role templates. RBAC enforced at view dispatch — before any PHI is loaded. Tenant scoping enforced everywhere via a single helper. Audit trail of every CRUD, login, and export.

Role-based access control

Permissions enforced at view dispatch — before PHI is loaded.

Most platforms gate UI elements but leave the underlying URL accessible. Carelytics's RolePermissionMixin runs the perm check in dispatch() — if a user without the right perm types the URL, they get a 403 before any database query touches PHI.

17 permission groups · 51 perms

Clients, Scheduling, Authorizations, Billing, Reconciliation, Payroll, Users & Settings, Reports, Intake, Clinical, EVV, HR, Compliance, Documents, Help Tickets, Audit, Tools.

10 default role templates

Agency Admin · Manager · Scheduler · Biller · Skilled Nurse · Therapist · Clinical Manager/QA · Payroll/HR · Intake/Admissions · Office Staff/Read-Only.

Scope perms, not just verb perms

clients.view_assigned_only narrows the queryset for clinicians and aides — they only see clients they're assigned to. Defense in depth, not just UI gating.

Tenant scoping helper

visible_clients(user, tenant) is the canonical replacement for Client.objects.all(). Used in every list view, dropdown, autocomplete, and dashboard count.

Action-implies-read

Holding evv.checkin auto-grants evv.view — you can't perform the action without seeing the surface to navigate to it. Never the reverse.

Field-staff dashboard

Caregivers see a separate dashboard — no revenue numbers, no agency-wide KPIs. Routed automatically by clients.view_assigned_only.
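The four controls above (the perm check in dispatch(), visible_clients() as the tenant-scoping helper, clients.view_assigned_only narrowing, and action-implies-read) fit together as follows. This is an added, dependency-free illustration, not Carelytics code: the User, Client and Request classes and the CLIENTS table are constructed stand-ins for the Django objects the real app uses, and the IMPLIED_BY_ACTION mapping is an assumption beyond the single evv.checkin example on the page.

```python
# Added example, not Carelytics code: a minimal model of RBAC enforced at view
# dispatch, tenant scoping through one helper, and action-implies-read.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Stand-in for the 403 the real view returns before any PHI query runs."""


# Action-implies-read: an action perm grants the view perm for its surface,
# never the reverse. Only evv.checkin -> evv.view is from the page; the rest is assumed.
IMPLIED_BY_ACTION = {
    "evv.checkin": "evv.view",
    "clients.edit": "clients.view",
}


def effective_perms(granted):
    """Expand the perms a user holds with the view perms their action perms imply."""
    perms = set(granted)
    for action, view in IMPLIED_BY_ACTION.items():
        if action in perms:
            perms.add(view)
    return perms


@dataclass
class User:
    id: int
    tenant_id: int
    perms: set = field(default_factory=set)


@dataclass
class Client:
    id: int
    tenant_id: int
    assigned_user_ids: set = field(default_factory=set)


# Constructed in-memory table standing in for Client.objects.
CLIENTS = [
    Client(1, tenant_id=10, assigned_user_ids={100}),
    Client(2, tenant_id=10, assigned_user_ids={101}),
    Client(3, tenant_id=20, assigned_user_ids={100}),  # other tenant: never visible to tenant 10
]


def visible_clients(user, tenant_id, clients=CLIENTS):
    """Canonical replacement for Client.objects.all(): tenant filter first,
    then assigned-only narrowing for users holding clients.view_assigned_only."""
    scoped = [c for c in clients if c.tenant_id == tenant_id]
    if "clients.view_assigned_only" in effective_perms(user.perms):
        scoped = [c for c in scoped if user.id in c.assigned_user_ids]
    return scoped


@dataclass
class Request:
    user: User
    tenant_id: int


class RolePermissionMixin:
    required_perm = None

    def dispatch(self, request):
        # The check runs before get(): a user lacking the perm never reaches a query.
        if self.required_perm not in effective_perms(request.user.perms):
            raise PermissionDenied(self.required_perm)
        return self.get(request)


class ClientListView(RolePermissionMixin):
    required_perm = "clients.view"

    def get(self, request):
        # Only reached after the perm check passed; still tenant-scoped by the helper.
        return visible_clients(request.user, request.tenant_id)


def list_client_ids(user, tenant_id):
    """Run the view for a user and return the client ids it would render."""
    return [c.id for c in ClientListView().dispatch(Request(user, tenant_id))]


def is_denied(user, tenant_id):
    """True when the view rejects the user at dispatch, before any client lookup."""
    try:
        list_client_ids(user, tenant_id)
    except PermissionDenied:
        return True
    return False
```

The point of the structure is ordering: the view never calls visible_clients() for a user who failed the perm check, and even a user who passes it cannot reach a client from another tenant, because the helper filters by tenant before it applies any role-specific narrowing.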

Modern authentication

Passkeys, trusted devices, and offline drafts that stay encrypted.

Most home health platforms still ask clinicians to type a TOTP code on every login. We treat the second factor as a problem to solve at the device level — not a hoop the user re-jumps every shift.

WebAuthn / passkeys

Touch ID, Face ID, Windows Hello, hardware keys — all supported via WebAuthn. Once enrolled, login is one biometric tap. No SMS codes, no authenticator app to lose with the phone.

Trusted device for the second factor

After the first successful MFA on a device, that device is trusted for a configurable window. The clinician's phone stops re-prompting between shifts — but a new browser or a stolen session still pays the full MFA cost.

Email recovery — built in

Lost authenticator? Self-service email recovery code with a 15-minute TTL, single-use, rate-limited. Plus tenant-admin and super-admin reset paths — all audit-logged with the reason.
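One way to implement a self-service recovery code with the properties listed above (15-minute TTL, single-use, rate-limited). This is an added example, not Carelytics code: the in-memory store, the clock parameter, the attempt and re-issue limits and the pepper constant are constructed stand-ins for the database, real time and server configuration; only a keyed hash of the code is kept at rest.

```python
# Added example, not Carelytics code: issue and verify an email recovery code
# with a 15-minute TTL, single use, and limits on both re-issue and attempts.
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # from the page
MAX_ATTEMPTS = 5             # assumed: failed verifications allowed per issued code
MIN_ISSUE_INTERVAL = 60      # assumed: seconds between two codes for the same user
_PEPPER = b"constructed-server-secret"  # stand-in for a secret loaded from settings

_codes = {}  # user_id -> record; stands in for a database table


def _digest(code):
    """Keyed hash so a leaked table does not reveal live codes."""
    return hmac.new(_PEPPER, code.encode(), hashlib.sha256).hexdigest()


def issue_recovery_code(user_id, now=None):
    """Return the plaintext code to email, or None if one was issued too recently.
    Only the hash and issue time are stored."""
    now = time.time() if now is None else now
    rec = _codes.get(user_id)
    if rec and now - rec["issued_at"] < MIN_ISSUE_INTERVAL:
        return None  # rate limited on issue
    code = secrets.token_hex(4).upper()  # 8 hex chars, sent by email, never stored
    _codes[user_id] = {"digest": _digest(code), "issued_at": now, "attempts": 0, "used": False}
    return code


def verify_recovery_code(user_id, code, now=None):
    """True exactly once, for an unused, unexpired code within the attempt budget."""
    now = time.time() if now is None else now
    rec = _codes.get(user_id)
    if rec is None or rec["used"]:
        return False
    if now - rec["issued_at"] > CODE_TTL_SECONDS:
        return False  # expired: the record stays dead until a new code is issued
    if rec["attempts"] >= MAX_ATTEMPTS:
        return False  # attempt budget spent; the user must request a fresh code
    rec["attempts"] += 1
    if not hmac.compare_digest(rec["digest"], _digest(code)):
        return False
    rec["used"] = True  # single-use: burn it on success
    return True
```

Every decision (wrong code, expired, budget spent, already used) returns the same False, so the response does not tell a caller which condition failed; the audit-logged reset path the page describes would record the reason server-side instead.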

Encrypted offline chart drafts

Clinical drafts saved while offline are encrypted in the browser with WebCrypto — AES-GCM with a per-device key. The PHI never sits in localStorage in the clear, even on a device that's been lost.

Mandatory 2FA on every fresh session

TOTP enrollment is required for every user account. The middleware forces enrollment on first login and verification on every fresh session. No opt-out — not even for the agency owner.

Auth-only lock screens

The MFA verify, password reset, and email recovery pages render with no sidebar, no nav, no chrome. A half-locked-out session can't peek at navigation, KPIs, or client lists.

Audit trail

Every CRUD. Every login. Every export. With diffs.

Every significant action logs to ActivityLog with user, IP, before/after diffs, and entity type. Queryable per entity, per user, per action, per date range. Available to users with the audit.view_activity perm.

  • Client / Authorization / Visit / OASIS / SN Note / Therapy Note / Claim / Payment / Help Ticket / User
  • Status transitions (Draft → Signed → Locked) logged with actor and timestamp
  • Login / logout / failed login captured via allauth signals
  • OASIS CMS exports logged with file name and assessment count
  • Field-level diffs on every UPDATE — what changed, what it was, what it became
Screenshot (app.carelytic.ai/audit/?entity_type=visit): Activity audit log — every CRUD + login + export with user, IP, timestamp, and field-level diff
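The field-level diff and the per-entity, per-user, per-action query described above can be sketched as follows. This is an added example, not Carelytics code: the ACTIVITY_LOG list and the sample visit rows are constructed stand-ins for the ActivityLog table, and the action vocabulary and entry fields are assumptions consistent with the page.

```python
# Added example, not Carelytics code: compute a before/after field diff for an
# UPDATE, record it with actor, IP and entity type, and query the log back.
from dataclasses import dataclass
from datetime import datetime, timezone

ACTIVITY_LOG = []  # stand-in for the ActivityLog table


def field_diff(before, after):
    """Return {field: (old, new)} for every field whose value changed."""
    changed = {}
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old != new:
            changed[name] = (old, new)
    return changed


@dataclass
class ActivityLogEntry:
    actor_id: int
    ip: str
    action: str        # assumed vocabulary: create | update | delete | login | export
    entity_type: str   # e.g. "visit", "claim", "user"
    entity_id: int
    diff: dict         # {} for actions that carry no field changes
    at: datetime


def log_update(actor_id, ip, entity_type, entity_id, before, after):
    """Record an UPDATE only when something actually changed; return the entry or None."""
    diff = field_diff(before, after)
    if not diff:
        return None
    entry = ActivityLogEntry(actor_id, ip, "update", entity_type, entity_id,
                             diff, datetime.now(timezone.utc))
    ACTIVITY_LOG.append(entry)
    return entry


def log_event(actor_id, ip, action, entity_type, entity_id):
    """Record a non-diff action such as a login or an export."""
    entry = ActivityLogEntry(actor_id, ip, action, entity_type, entity_id,
                             {}, datetime.now(timezone.utc))
    ACTIVITY_LOG.append(entry)
    return entry


def query_log(entity_type=None, actor_id=None, action=None):
    """Filter like the audit page's query parameters; None means no filter."""
    return [e for e in ACTIVITY_LOG
            if (entity_type is None or e.entity_type == entity_type)
            and (actor_id is None or e.actor_id == actor_id)
            and (action is None or e.action == action)]


# Constructed sample: a visit note moving from Draft to Signed, then an export.
log_update(actor_id=7, ip="203.0.113.5", entity_type="visit", entity_id=42,
           before={"status": "Draft", "minutes": 45},
           after={"status": "Signed", "minutes": 45})
log_event(actor_id=7, ip="203.0.113.5", action="export", entity_type="oasis", entity_id=0)
```

Diffing only the changed fields keeps the entry small, but the status transition still carries both the old and the new value, which is what lets the audit page answer "who signed this and what did it say before" without re-reading the document history.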

Required, not optional

The defaults most platforms make optional.

Three things that competitors leave to per-tenant toggles or off-platform workflows. Carelytics ships them on by default, in the platform, audit-logged.

Mandatory TOTP 2FA — every user, every session

Every Carelytics user enrolls TOTP and verifies on every fresh session. No per-tenant opt-out, no admin override. Three audit-logged recovery paths: email self-recovery, tenant admin reset, super admin reset.

In-platform HETS attestation

The CMS HETS Trading Partner Agreement is signed inside Carelytics — Settings → Compliance → HETS Attestation. Captures signer name, title, IP, timestamp, exact agreement text + version. Immutable audit log. Required by the CMS 2026-05-11 deadline for Medicare FFS eligibility.

Audit-logged support access

When a CSM views your tenant for support, a sticky red banner appears across every page and every action is logged with session id, reason, and duration. You can see the full impersonation history in your audit log. Standard B2B SaaS pattern (Stripe, Linear, Intercom) — but most home health vendors don't disclose how their support team accesses your data.

HIPAA hygiene

Defaults that don't ask the agency to opt in to safety.

Email-only authentication

No usernames. allauth-backed. Branded password reset and email-change flows with confirmation links. Every login goes through the mandatory TOTP 2FA gate above.

Lock-on-sign across forms

Signed clinical documents are read-only everywhere. No backdoor edit URLs. No "open the locked form, change a field, hope no one notices."

Form Registry preview lockdown

Agency admins can review forms in preview mode without altering data. Submit and sign actions are CSS+JS-disabled. Single-source-of-truth lockdown — works for every form automatically.

Outbound email log

Every email Carelytics sends — invites, password resets, HETS reminders, onboarding nudges — is logged with delivery status. Support can answer "did you receive the X email?" without guessing.

Sentry events scrubbed of PHI

PHI URL prefix scrubber blanks request bodies on clinical surfaces. User dict stripped to id + role. Cookies and auth headers redacted everywhere. Browser session replay only on staging until BAA is signed.
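The scrubbing rules above can be expressed as a single hook over the Sentry event dict, in the shape sentry_sdk's before_send callback takes. This is an added example, not Carelytics code: the PHI URL prefixes, the header list and the sample event are constructed, and the real app's prefix list is not on the page.

```python
# Added example, not Carelytics code: a before_send-style scrubber that blanks
# request bodies on PHI surfaces, strips the user dict to id + role, and redacts
# cookies and auth headers on every event.
from urllib.parse import urlparse

PHI_URL_PREFIXES = ("/clients/", "/clinical/", "/oasis/", "/visits/")  # assumed paths
SENSITIVE_HEADERS = {"authorization", "cookie", "x-csrftoken"}         # assumed list
REDACTED = "[Filtered]"


def scrub_event(event, hint=None):
    """Mutate and return the event; signature matches sentry_sdk's before_send."""
    request = event.get("request")
    if request:
        path = urlparse(request.get("url", "")).path
        if path.startswith(PHI_URL_PREFIXES):
            request["data"] = REDACTED          # blank the body on clinical surfaces
        request.pop("cookies", None)            # cookies go everywhere, never just PHI paths
        headers = request.get("headers") or {}
        for name in list(headers):
            if name.lower() in SENSITIVE_HEADERS:
                headers[name] = REDACTED
    user = event.get("user")
    if user:
        # Keep only what support needs to correlate: id and role, no email or name.
        event["user"] = {k: user[k] for k in ("id", "role") if k in user}
    return event


def sample_event(path="/clients/42/notes/"):
    """Constructed Sentry-shaped event for a request on the given path."""
    return {
        "request": {
            "url": "https://app.example.invalid" + path,
            "method": "POST",
            "data": {"note": "constructed clinical text"},
            "cookies": {"sessionid": "constructed"},
            "headers": {
                "Authorization": "Bearer constructed",
                "Cookie": "sessionid=constructed",
                "User-Agent": "constructed-agent",
            },
        },
        "user": {"id": 7, "role": "nurse", "email": "nurse@example.invalid"},
    }
```

The hook is registered with sentry_sdk.init(before_send=scrub_event); keeping the body blanking keyed on a URL prefix list means a newly added clinical route is protected as soon as it lives under one of the listed prefixes, while the cookie, header and user rules apply regardless of path.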

Browser replay masking

When replay is enabled, maskAllText: true + blockAllMedia: true. No fetch/XHR bodies in the replay timeline. No chart screenshots in error sessions.

What we don't claim

Conservative on certifications. Honest about status.

SOC 2: Not yet certified. We follow SOC 2 Type II controls (RBAC, audit log, encrypted data at rest, encryption in transit, change management) but do not claim a clean SOC 2 audit until we've finished one.
HIPAA BAA: Available with Enterprise tier. We can sign earlier on a case-by-case basis with Professional. Our Sentry browser session replay is staging-only until we have a signed BAA with Sentry.
Multi-state expansion: Single-state per tenant is the model today. Multi-state expansion within a single tenant is a roadmap item, not shipped.
Native mobile apps: Carelytics is responsive web — iPad, phone, desktop all tested. Native iOS/Android apps are a roadmap item, not shipped.