Compliance & Security

HIPAA hygiene by default. Conservative claims, real controls.

17 permission groups, 51 distinct permissions, 10 default role templates. RBAC enforced at view dispatch — before any PHI is loaded. Tenant scoping enforced everywhere via a single helper. Audit trail of every CRUD, login, and export.

Role-based access control

Permissions enforced at view dispatch — before PHI is loaded.

Most platforms gate UI elements but leave the underlying URL accessible. Carelytics's RolePermissionMixin runs the perm check in dispatch() — if a user without the right perm types the URL, they get a 403 before any database query touches PHI.

17 permission groups · 51 perms

Clients, Scheduling, Authorizations, Billing, Reconciliation, Payroll, Users & Settings, Reports, Intake, Clinical, EVV, HR, Compliance, Documents, Help Tickets, Audit, Tools.

10 default role templates

Agency Admin · Manager · Scheduler · Biller · Skilled Nurse · Therapist · Clinical Manager/QA · Payroll/HR · Intake/Admissions · Office Staff/Read-Only.

Scope perms, not just verb perms

clients.view_assigned_only narrows the queryset for clinicians and aides — they only see clients they're assigned to. Defense in depth, not just UI gating.

Tenant scoping helper

visible_clients(user, tenant) is the canonical replacement for Client.objects.all(). Used in every list view, dropdown, autocomplete, and dashboard count.

Action-implies-read

Holding evv.checkin auto-grants evv.view — you can't perform the action without seeing the surface to navigate to it. Never the reverse.
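The RBAC pattern described above (gate at dispatch, tenant-scoped helper, assigned-only scope perm, action-implies-read), as an added illustration that is not Carelytics code; it is framework-free so it runs anywhere, and the perm names, `IMPLIES` map and sample clients are constructed for the example.

```python
# Added illustration of the RBAC pattern described above; not Carelytics code and
# framework-free so it runs anywhere. A "view" is a plain callable, dispatch() is
# the gate that runs before it, and visible_clients() is the tenant-scoping helper.
from dataclasses import dataclass, field

# Action perms that imply a read perm (the page's example: evv.checkin -> evv.view).
# The reverse is never added: holding evv.view does not grant evv.checkin.
IMPLIES = {"evv.checkin": "evv.view", "clients.change": "clients.view"}

def effective_perms(granted: set) -> set:
    """Granted perms plus the read perms they imply."""
    return set(granted) | {IMPLIES[p] for p in granted if p in IMPLIES}

@dataclass
class User:
    username: str
    tenant: str
    perms: set = field(default_factory=set)
    assigned: set = field(default_factory=set)   # client ids this user is assigned to

class Forbidden(Exception):
    """Stand-in for the HTTP 403 returned at dispatch."""

# Constructed sample data: three clients across two tenants.
CLIENTS = [("c1", "agencyA"), ("c2", "agencyA"), ("c3", "agencyB")]

def visible_clients(user: User, tenant: str) -> list:
    """Canonical replacement for 'all clients': tenant-scoped, then narrowed to
    assigned clients when the user holds the assigned-only scope perm."""
    if tenant != user.tenant:          # a user never reads across tenants
        return []
    rows = [cid for cid, t in CLIENTS if t == tenant]
    if "clients.view_assigned_only" in effective_perms(user.perms):
        rows = [cid for cid in rows if cid in user.assigned]
    return rows

def is_allowed(user: User, required: str) -> bool:
    return required in effective_perms(user.perms)

def dispatch(user: User, required: str, view):
    """Permission gate at dispatch time: on a miss the view body, and therefore
    every query inside it, never runs."""
    if not is_allowed(user, required):
        raise Forbidden(f"{user.username} lacks {required}")
    return view(user)

def client_list_view(user: User) -> list:
    """A list view that only ever reads through the scoping helper."""
    return visible_clients(user, user.tenant)
```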

Field-staff dashboard

Caregivers see a separate dashboard — no revenue numbers, no agency-wide KPIs. Routed automatically by clients.view_assigned_only.

Audit trail

Every CRUD. Every login. Every export. With diffs.

Every significant action logs to ActivityLog with user, IP, before/after diffs, and entity type. Queryable per entity, per user, per action, per date range. Available to users with the audit.view_activity perm.

  • Client / Authorization / Visit / OASIS / SN Note / Therapy Note / Claim / Payment / Help Ticket / User
  • Status transitions (Draft → Signed → Locked) logged with actor and timestamp
  • Login / logout / failed login captured via allauth signals
  • OASIS CMS exports logged with file name and assessment count
  • Field-level diffs on every UPDATE — what changed, what it was, what it became
[Screenshot: app.carelytics.com/audit/?entity_type=visit, the Audit activity log filtered to one Visit with a status-change history, showing diffs. Each row: timestamp, user, action, entity, before → after diff for changed fields.]

Required, not optional

The defaults most platforms make optional.

Three things that competitors leave to per-tenant toggles or off-platform workflows. Carelytics ships them on by default, in the platform, audit-logged.

Mandatory TOTP 2FA — every user, every session

Every Carelytics user enrolls TOTP and verifies on every fresh session. No per-tenant opt-out, no admin override. Three audit-logged recovery paths: email self-recovery, tenant admin reset, super admin reset.

In-platform HETS attestation

The CMS HETS Trading Partner Agreement is signed inside Carelytics — Settings → Compliance → HETS Attestation. Captures signer name, title, IP, timestamp, exact agreement text + version. Immutable audit log. Required by the CMS 2026-05-11 deadline for Medicare FFS eligibility.

Audit-logged support access

When a CSM views your tenant for support, a sticky red banner appears across every page and every action is logged with session id, reason, and duration. You can see the full impersonation history in your audit log. Standard B2B SaaS pattern (Stripe, Linear, Intercom) — but most home health vendors don't disclose how their support team accesses your data.

HIPAA hygiene

Defaults that don't ask the agency to opt in to safety.

Email-only authentication

No usernames. allauth-backed. Branded password reset and email-change flows with confirmation links. Every login goes through the mandatory TOTP 2FA gate above.

Lock-on-sign across forms

Signed clinical documents are read-only everywhere. No backdoor edit URLs. No "open the locked form, change a field, hope no one notices."
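One update path that serves both the audit-trail passage above (field-level before/after diffs, status transitions logged with actor) and lock-on-sign, as an added example that is not Carelytics's ActivityLog or form code; the entity fields, state names beyond Draft/Signed/Locked and sample values are constructed.

```python
# Added example serving the audit-trail and lock-on-sign passages; not
# Carelytics's ActivityLog or form code. One update path that (a) refuses data
# edits once a document is Signed or Locked, (b) allows only Draft -> Signed ->
# Locked, and (c) logs a field-level before/after diff with actor, IP and entity.
from dataclasses import dataclass, field
from datetime import datetime, timezone

TRANSITIONS = {"Draft": "Signed", "Signed": "Locked"}   # state -> allowed next state

@dataclass
class ActivityEntry:
    at: datetime
    user: str
    ip: str
    action: str          # "update" or "status_change"
    entity_type: str
    entity_id: str
    diff: dict = field(default_factory=dict)   # field -> (before, after)

LOG: list = []   # in-memory stand-in for the ActivityLog table

class Locked(Exception):
    """A signed or locked document received a data edit."""

def is_editable(doc: dict) -> bool:
    return doc["status"] == "Draft"

def field_diff(before: dict, after: dict) -> dict:
    """Only the fields whose value changed, each as (before, after)."""
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after)) if before.get(k) != after.get(k)}

def update_document(user: str, ip: str, entity_type: str, doc: dict, changes: dict) -> ActivityEntry:
    """Apply `changes` to `doc` (a dict with 'id' and 'status'), log the diff, return the entry."""
    before = dict(doc)
    new_status = changes.get("status", doc["status"])
    if any(k != "status" for k in changes) and not is_editable(doc):
        raise Locked(f"{entity_type} {doc['id']} is {doc['status']}; no edits after signing")
    if new_status != doc["status"] and TRANSITIONS.get(doc["status"]) != new_status:
        raise ValueError(f"{doc['status']} -> {new_status} is not an allowed transition")
    doc.update(changes)
    action = "status_change" if new_status != before["status"] else "update"
    entry = ActivityEntry(datetime.now(timezone.utc), user, ip, action,
                          entity_type, str(doc["id"]), field_diff(before, doc))
    LOG.append(entry)
    return entry

def activity(entity_type=None, user=None, action=None) -> list:
    """The /audit/ query surface: filter by entity type, user and/or action."""
    return [e for e in LOG if (entity_type is None or e.entity_type == entity_type)
            and (user is None or e.user == user) and (action is None or e.action == action)]
```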

Form Registry preview lockdown

Agency admins can review forms in preview mode without altering data. Submit and sign actions are CSS+JS-disabled. Single-source-of-truth lockdown — works for every form automatically.

Outbound email log

Every email Carelytics sends — invites, password resets, HETS reminders, onboarding nudges — is logged with delivery status. Support can answer "did you receive the X email?" without guessing.

Sentry events scrubbed of PHI

A PHI URL-prefix scrubber blanks request bodies on events raised from clinical surfaces. The user dict is stripped to id + role. Cookies and auth headers are redacted on every event. Browser session replay runs only on staging until a BAA is signed.
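The three scrubbing rules above as a Sentry `before_send`-style hook over an event dict, added here as an example that is not Carelytics's scrubber; the PHI URL prefixes, the header list and the `role` key on the user dict are assumptions.

```python
# Added example, not Carelytics's scrubber: a Sentry before_send-style hook that
# applies the rules above to an event dict. The PHI URL prefixes and the "role"
# key on the user dict are assumptions for the illustration.
import copy
from urllib.parse import urlsplit

PHI_URL_PREFIXES = ("/clients/", "/clinical/", "/oasis/", "/visits/")   # assumed clinical surfaces
SENSITIVE_HEADERS = {"authorization", "cookie", "x-csrftoken"}
BLANKED = "[blanked: PHI surface]"

def scrub_event(event: dict, hint=None) -> dict:
    """Return a copy of `event` that is safe to ship; the original is left untouched."""
    ev = copy.deepcopy(event)
    if "request" in ev:
        req = ev["request"] or {}
        # Rule 1: on clinical surfaces the request body never leaves the box.
        if urlsplit(req.get("url", "")).path.startswith(PHI_URL_PREFIXES):
            req["data"] = BLANKED
        # Rule 2: cookies and auth headers are redacted on every event, not only PHI routes.
        if "cookies" in req:
            req["cookies"] = "[redacted]"
        req["headers"] = {k: ("[redacted]" if k.lower() in SENSITIVE_HEADERS else v)
                          for k, v in (req.get("headers") or {}).items()}
        ev["request"] = req
    # Rule 3: the user dict is stripped to id + role (no email, username, ip_address).
    user = ev.get("user")
    if user:
        ev["user"] = {k: user[k] for k in ("id", "role") if k in user}
    return ev
```

Registered as `sentry_sdk.init(before_send=scrub_event, ...)`, the hook runs on every event before transport.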

Browser replay masking

When replay is enabled, it runs with maskAllText: true and blockAllMedia: true. No fetch/XHR bodies appear in the replay timeline, and no chart screenshots appear in error sessions.

What we don't claim

Conservative on certifications. Honest about status.

SOC 2: Not yet certified. We follow SOC 2 Type II controls (RBAC, audit log, encrypted data at rest, encryption in transit, change management) but do not claim a clean SOC 2 audit until we've finished one.
HIPAA BAA: Available with Enterprise tier. We can sign earlier on a case-by-case basis with Professional. Our Sentry browser session replay is staging-only until we have a signed BAA with Sentry.
Multi-state expansion: Single-state per tenant is the model today. Multi-state expansion within a single tenant is a roadmap item, not shipped.
Native mobile apps: Carelytics is responsive web — iPad, phone, desktop all tested. Native iOS/Android apps are a roadmap item, not shipped.