HIPAA Compliance — Colabr8
🛡 HIPAA Compliant

Your clients' data is safe
with Colabr8.

We take HIPAA compliance seriously — not as a checkbox, but as a core part of how we build and operate our platform.

AWS HIPAA-eligible infrastructure
Encrypted at rest and in transit
BAA available for every agency
Role-based access controls
🛡
BAA Included
We sign a Business Associate Agreement with every agency before any client data is stored.
🔒
Encrypted Data
All data is encrypted in transit (TLS) and encrypted at rest on AWS infrastructure.
☁️
AWS Hosting
Hosted on HIPAA-eligible AWS services — the same infrastructure trusted by major US health systems.
📊
Audit Logging
Every access to protected health information is logged with user, timestamp, and action.
How we protect your clients' information
These are not marketing promises — they are the technical and operational controls we have in place today.
☁️
HIPAA-eligible AWS infrastructure
Colabr8 is hosted on Amazon Web Services using HIPAA-eligible services including RDS (database), S3 (file storage), and EC2 (servers). AWS has signed a HIPAA Business Associate Addendum with us, covering all PHI stored and processed on their infrastructure.
🔒
Encryption in transit and at rest
All data transmitted between your devices and Colabr8 is encrypted using TLS 1.2+. All protected health information stored in our database is encrypted at rest. File attachments — including wound care photos and clinical documents — are stored in encrypted S3 buckets.
✍️
Business Associate Agreement (BAA)
We sign a BAA with every home care agency before any protected health information enters the platform. The BAA defines our obligations as your Business Associate under HIPAA, including how we handle, protect, and — if required — report any breach of PHI.
👥
Role-based access controls
Access to client health information is strictly controlled by role. Care workers see only the clients assigned to them. Coordinators have broader access. Administrators control all permissions. No user can access data outside their defined role.
📊
Full audit logging
Every access to protected health information is recorded — who accessed it, what they did, and when. Audit logs are tamper-resistant and retained for the period required by HIPAA. Coordinators can request an audit report at any time.
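How a role-scoped access check and a tamper-evident audit trail fit together, as an added example. This is illustration code, not Colabr8's implementation: the three roles follow the description above, but the agency-scoping rule, the HMAC-chained log (each entry's tag covers its content plus the previous tag, so any edit or deletion breaks every later tag), the `LOG_KEY` value and all user and client identifiers are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical key held only by the logging service. In production it would
# live in a secrets manager or KMS, never in source. Constructed for this example.
LOG_KEY = b"example-only-log-signing-key"

# Which actions each role may perform (assumed set, for illustration).
ROLE_ACTIONS = {
    "care_worker": {"view", "add_note"},
    "coordinator": {"view", "add_note", "assign"},
    "admin": {"view", "add_note", "assign", "manage_users"},
}

# Constructed sample data: which agency each client record belongs to.
AGENCY_OF_CLIENT = {"client-17": "agency-A", "client-42": "agency-A", "client-99": "agency-B"}


def authorized(user, client_id, action):
    """True only if the user's role allows the action on this client record."""
    role = user["role"]
    if action not in ROLE_ACTIONS.get(role, set()):
        return False
    if role == "care_worker":
        # Care workers see only the clients assigned to them.
        return client_id in user["assigned_clients"]
    # Coordinators and admins have broader access, but only within their own agency.
    return user["agency"] == AGENCY_OF_CLIENT.get(client_id)


class AuditLog:
    """Append-only log. Each entry carries an HMAC over its content and the
    previous entry's tag, so modifying, reordering or deleting any entry
    invalidates every tag after it. Verification needs the key."""

    def __init__(self, key):
        self._key = key
        self.entries = []

    def _tag(self, entry, prev_tag):
        body = json.dumps(entry, sort_keys=True).encode() + prev_tag.encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, user_id, client_id, action, allowed, when=None):
        # Record who, what, when, and whether the attempt was allowed.
        entry = {
            "seq": len(self.entries),
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user_id,
            "client": client_id,
            "action": action,
            "allowed": allowed,
        }
        prev_tag = self.entries[-1]["tag"] if self.entries else "0" * 64
        entry["tag"] = self._tag(entry, prev_tag)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first bad entry, or None if the chain is intact."""
        prev_tag = "0" * 64
        for i, stored in enumerate(self.entries):
            content = {k: v for k, v in stored.items() if k != "tag"}
            if stored["seq"] != i or not hmac.compare_digest(self._tag(content, prev_tag), stored["tag"]):
                return i
            prev_tag = stored["tag"]
        return None


def access(log, user, client_id, action):
    """Enforce the role check, then record the attempt whether or not it was allowed."""
    ok = authorized(user, client_id, action)
    log.append(user["id"], client_id, action, ok)
    return ok


def demo():
    """Run a few constructed accesses, then tamper with a denied entry."""
    log = AuditLog(LOG_KEY)
    worker = {"id": "u-worker", "role": "care_worker", "agency": "agency-A", "assigned_clients": {"client-17"}}
    coord = {"id": "u-coord", "role": "coordinator", "agency": "agency-A", "assigned_clients": set()}
    results = [
        access(log, worker, "client-17", "view"),    # assigned client: allowed
        access(log, worker, "client-42", "view"),    # not assigned: denied
        access(log, coord, "client-42", "view"),     # same agency: allowed
        access(log, coord, "client-99", "view"),     # other agency: denied
        access(log, worker, "client-17", "assign"),  # action outside role: denied
    ]
    intact_before = log.verify()          # None: chain is intact
    log.entries[1]["allowed"] = True      # simulate someone rewriting a denial
    return results, intact_before, log.verify()


if __name__ == "__main__":
    print(demo())
```

Denied attempts are logged as well as successful ones; a sudden run of denials from one account is exactly what an investigation wants to see. Keeping the HMAC key out of the application database means someone with database write access can alter rows but cannot recompute valid tags.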
🎓
Staff training and policies
All Colabr8 team members who have access to the platform or client data complete HIPAA training and sign our internal HIPAA policy. We maintain written security policies, a breach notification procedure, and a designated HIPAA privacy officer.
🔔
Breach notification
In the unlikely event of a security incident involving PHI, we follow a documented breach notification procedure. We will notify affected agencies without unreasonable delay and in no case later than 60 calendar days after discovery, as the HIPAA Breach Notification Rule requires. The 60-day figure is the legal outer limit, not a target.
📱
Secure mobile application
The Colabr8 mobile app for care workers does not store PHI locally on the device. All data is transmitted securely to our encrypted servers. The app requires authentication on every session and supports multi-factor authentication.
Ready to sign before you go live
Every agency that stores client health information in Colabr8 receives a signed BAA before their account goes live. No exceptions.
✍️
What is a BAA and why does it matter?
Under HIPAA, any vendor that handles Protected Health Information (PHI) on behalf of a covered entity — like a home care agency — is called a Business Associate. The law requires a signed Business Associate Agreement between you and every vendor that touches your clients' health data.

Colabr8 is your Business Associate. We provide a standard BAA as part of our onboarding process. It is reviewed, signed, and countersigned before your first client record is entered into the platform. You keep a copy. We keep a copy. Done.
Request a BAA →
Shared responsibilities
✓ Colabr8's responsibilities
Maintain HIPAA-eligible AWS infrastructure
Encrypt all PHI in transit and at rest
Maintain audit logs of all PHI access
Sign BAA with every agency
Train all staff with PHI access
Notify you of any breach within required timeframes
Maintain written security and privacy policies
✓ Your agency's responsibilities
Use strong unique passwords for all accounts
Enable multi-factor authentication
Only grant access to staff who need it
Remove access immediately when staff leave
Do not share login credentials
Train your staff on HIPAA requirements
Report any suspected breach to Colabr8 promptly
HIPAA questions we hear from agencies
Is Colabr8 HIPAA certified?
There is no official HIPAA certification body — HIPAA certification does not exist as a formal credential. What matters is having the right technical and administrative controls in place, documented policies, and a signed BAA. Colabr8 has all of these. If a vendor is selling you a "HIPAA certification badge" they are selling you marketing, not compliance.
Can I get a signed BAA before signing up?
Yes. We provide a BAA as part of our onboarding process. If you need to review it before committing, contact us and we will send it to you. We will not put real client data in your account until the BAA is signed by both parties.
Where is our data stored?
All data is stored on AWS infrastructure in the United States. We do not transfer PHI outside of the US. The specific AWS services used — RDS, S3, EC2 — are all HIPAA-eligible services covered by the AWS Business Associate Addendum.
What happens if there is a data breach?
We have a documented breach notification procedure. If we discover a breach involving your clients' PHI, we will notify you without unreasonable delay and no later than 60 calendar days after discovery, the outer limit set by the HIPAA Breach Notification Rule. We will provide a full incident report covering what happened, what data was affected, which individuals were affected to the extent we can identify them, and what steps we have taken to contain it.
Does the mobile app store client data on the device?
No. The Colabr8 mobile app does not cache or store PHI locally on care workers' devices. All data is transmitted securely to our encrypted servers in real time. If a device is lost or stolen, no client health information is stored on it; an administrator should still remove that user's access promptly so the device cannot be used to sign in.
Can we see who has accessed our clients' records?
Yes. Colabr8 maintains full audit logs of all PHI access. Coordinators can request an audit report showing every user who accessed a client record, what they viewed or changed, and when. This is available for compliance reviews and any internal investigations.
Do you share our data with third parties?
No. We do not sell, share, or disclose your clients' health information to any third party for any purpose other than providing the Colabr8 service. The only exception is if required by law or as part of a documented breach notification. Our sub-processors (such as AWS) are all covered by their own BAAs with us.

Ready to get started?

Book a demo and we'll walk you through Colabr8, answer your compliance questions, and send you a BAA to review — no commitment required.

Book a demo →
Questions about HIPAA compliance? Email us at hello@colabr8.io