HIPAA & Compliance
CareSpend is designed to operate without relying on Protected Health Information (PHI), and supports HIPAA‑compatible deployments when an organization requires them.
Our Commitment
By default, CareSpend does not store or require any Protected Health Information (PHI). Most organizations use CareSpend simply to assign budgets, approve expenses, and track transactions — all without touching sensitive medical data.
However, we recognize that some organizations want to link transactions to records in EHR or ERP systems, which may involve PHI. For these cases, CareSpend includes technical and administrative safeguards that support HIPAA compliance.
Key Protections in Place
- Minimal Data By Default: No PHI is required for CareSpend to function.
- Encryption Everywhere: All data is encrypted in transit (TLS 1.2+) and at rest.
- Access Controls: Role‑based permissions ensure users only see what they need.
- Audit Trails: Every transaction and approval is logged for accountability.
- Custom Integrations: For ERP/EHR integrations, we work directly with your compliance and IT teams so that the integration stays aligned with HIPAA requirements.
Partnering on Compliance
We believe compliance is a shared responsibility. For organizations that require HIPAA coverage, CareSpend can be deployed in a HIPAA‑compatible mode, and we work with your compliance, security, and IT teams to support a compliant implementation on your side.