Compliance posture

HIPAA at every layer. With receipts.

Every cloud vendor in careib.io's stack carries an active BAA. Every configuration is documented. The Security Advisor in Supabase, the Workspace admin console, the Vercel project security settings, and our internal monitoring all align — drift is detected, not ignored. Below is the full stack with vendor-by-vendor specifics.

The BAA chain

careib.io operates as a Business Associate to your agency (the Covered Entity, or upstream Business Associate). We sign a BAA with you, and we maintain BAAs with each downstream vendor that touches PHI. If any link fails, we don't claim compliance.

Plaud.ai
SOC 2 Type 2 + HIPAA certified — independently audited as of April 2025. Third-party verification covers the audio capture, upload, and parsing chain. BAA executed by careib.io with Plaud directly.
Certified
Supabase
Team plan + HIPAA add-on + BAA. Each careib.io patient gets a dedicated Supabase project (no shared multi-tenant database). Required configurations: Row Level Security on every PHI table, SSL enforcement, MFA on admin accounts, Point-in-Time Recovery enabled, IP-restricted database access. Supabase Security Advisor monitors continuously.
BAA active
Google Workspace
Business Plus + BAA for transcript ingestion. BAA accepted in the Workspace Admin console by a super-admin. Mandatory 2-Step Verification, no POP/IMAP, Gmail Confidential Mode for PHI in transit. Workspace Vault retains messages per the agency's clinical-record retention policy.
Patient-side note: consumer @gmail.com accounts are NOT HIPAA-eligible. careib.io provisions Workspace accounts as part of agency onboarding.
BAA active
Vercel
Pro plan + BAA for hosting the marketing site, the agency dashboard, and the ingestion service endpoints. PHI is never written to the application server — only proxied to the patient's Supabase via signed JWT.
BAA active
Email provider
HIPAA-eligible transactional email with BAA, used to deliver the 7 PM clinical report. Encryption in transit (TLS), encryption at rest, retention aligned to clinical-record requirements.
BAA active
Video storage
HIPAA-eligible object storage with BAA for DOT archive. Retention follows clinical-record retention rules (typically 7+ years; configurable per agency policy). Access restricted to authorized clinical reviewers; every access logged.
BAA active
Customer organization
BAA between careib.io and your agency, executed before the first patient is onboarded. Your agency is the Covered Entity (or upstream Business Associate). careib.io is the downstream Business Associate. We don't deliver healthcare; we provide the technology stack your licensed agency uses.
Per-customer

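The Supabase entry above lists "Row Level Security on every PHI table" as a required configuration, and the page opens by saying drift is detected rather than ignored. Below is an added example, in the Postgres dialect Supabase runs, of what that looks like in practice: a PHI table locked down with deny-by-default RLS, the minimum policies a clinician role needs, and a query a reviewer can run to find any public table where RLS has been left off. This is illustrative code written for this page, not careib.io's schema or Supabase's own tooling; the table names (`clinical_notes`, `care_team`) and columns are hypothetical. The `auth.uid()` helper and the `authenticated` role are the ones Supabase provisions in every project.

```sql
-- Added example, not careib.io's schema: a PHI table with RLS in Supabase Postgres.
-- Table and column names are hypothetical.

create table if not exists public.clinical_notes (
  id          uuid primary key default gen_random_uuid(),
  patient_id  uuid not null,
  author_id   uuid not null,              -- auth.users.id of the clinician who wrote it
  body        text not null,
  created_at  timestamptz not null default now()
);

-- Hypothetical assignment table: which clinicians may see which patients.
create table if not exists public.care_team (
  patient_id   uuid not null,
  clinician_id uuid not null,
  primary key (patient_id, clinician_id)
);

-- 1. Enable RLS and FORCE it, so even the table owner cannot bypass it.
--    With RLS on and no policies, anon/authenticated see zero rows (deny by default).
alter table public.clinical_notes enable row level security;
alter table public.clinical_notes force row level security;
alter table public.care_team      enable row level security;
alter table public.care_team      force row level security;

-- 2. A clinician may read their own assignment rows. This policy is required:
--    subqueries inside another table's policy run as the calling user, so
--    without it the EXISTS check below would always be false.
create policy "clinician sees own assignments"
  on public.care_team
  for select
  to authenticated
  using (clinician_id = (select auth.uid()));

-- 3. A clinician may read notes only for patients they are assigned to.
create policy "clinician reads assigned patients' notes"
  on public.clinical_notes
  for select
  to authenticated
  using (
    exists (
      select 1
      from public.care_team ct
      where ct.patient_id  = clinical_notes.patient_id
        and ct.clinician_id = (select auth.uid())
    )
  );

-- 4. A clinician may insert a note only as themselves, and only for an assigned patient.
create policy "clinician inserts notes as self for assigned patients"
  on public.clinical_notes
  for insert
  to authenticated
  with check (
    author_id = (select auth.uid())
    and exists (
      select 1
      from public.care_team ct
      where ct.patient_id  = clinical_notes.patient_id
        and ct.clinician_id = (select auth.uid())
    )
  );

-- No UPDATE or DELETE policy is created on purpose: from the API the table is
-- append-only, and corrections are recorded as new rows. Any write that is not
-- covered by a policy is rejected.

-- 5. Drift check a reviewer can run during a deployment review: every ordinary
--    table in the public schema that does NOT have RLS enabled is a finding.
--    An empty result set is the expected state.
select n.nspname as schema_name,
       c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity
order by c.relname;
```

The `(select auth.uid())` form, rather than a bare `auth.uid()`, lets the planner evaluate the caller's id once per statement instead of once per row, which matters on large PHI tables. The final query is the same class of check the Supabase Security Advisor reports on; running it from a scheduled job gives an independent signal that a table added later has not silently shipped without RLS.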
Patient consent

Two-party consent, informed and re-affirmed.

Audio recording and DOT video capture create real consent obligations. careib.io's onboarding workflow handles them explicitly.

  • Audio recording consent at activation, signed by the patient (and any caregiver who may appear in conversation).
  • Two-party consent state coverage — California, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, Washington, etc. Onboarding identifies the state and applies the correct consent flow.
  • DOT video consent separately, with mount-position guidance to ensure only the patient and explicitly consenting caregivers can be in frame.
  • Annual re-affirmation required to continue.
  • One-tap opt-out at any time, without losing access to non-recording features.

Licensure posture

Your agency holds the license. We provide the stack.

careib.io does not deliver home health services. It provides the technology that licensed home health agencies, hospice organizations, and provider practices use to document their care. This distinction matters legally and operationally.

  • The agency holds state home-health licensure (or hospice / palliative / SNF licensure as applicable).
  • The agency's clinicians make clinical decisions; careib.io surfaces evidence.
  • careib.io is a vendor, not a provider, and its terms reflect that posture.
  • If you're not yet a licensed provider organization, we can refer you to partners who can host the license while you build.

Founder credentials

careib.io is built by Nick Mackenzie, MD — a physician who founded Monterey Medical Solutions Inc and ran it for 43 years (1982–2025) serving hospital clients and signing dozens of BAAs across the entire HIPAA era. The compliance posture above is informed by direct, extended experience with hospital purchasing, audit response, and the operational realities of running a healthcare-IT vendor that hospitals trust.

Compliance theater — claims that don't survive contact with an auditor — does not pass our internal sniff test. If a claim is on this page, we can produce the contract, the configuration, or the audit document that supports it.

Want to see the BAAs and configurations directly?

Agency customers can request a deployment review covering each vendor's BAA, our internal configuration baseline, and our audit-response procedures — before onboarding the first patient.

Request a review