HIPAA and Security
Security and compliance notes for Qarelog beta evaluation.
No Unsupported Claim
Qarelog is built with security-minded workflows, but this page is not a certification or legal determination of HIPAA compliance.
Controlled Launch Guidance
Use real client data only after the organization has approved the launch, configured required safeguards, and completed its own compliance review.
HIPAA and BAA
US clinics should not use Qarelog for protected health information unless a HIPAA business associate agreement and required safeguards are in place.
Access Controls
The platform separates therapist, caregiver, manager, and super-admin access. Caregiver sharing requires caregiver assignment, therapist approval, and caregiver-facing report content.
AI Reports
AI output is assistive and remains draft or internal until a therapist reviews and approves caregiver-facing content. Unreviewed AI output should not be shared with caregivers.
Security Practices
Current controls include Firebase authentication, App Check support, revocation checking, audit logging, report sharing policy checks, guarded session drafts, caregiver-safe summaries, and role-specific access.
Ghana Data Protection
Organizations operating in Ghana should review controller/processor roles, lawful basis, retention, access requests, breach handling, and cross-border transfer obligations.
Incident Process
Suspected security or privacy incidents should be escalated immediately to the organization administrator and Qarelog support.