Acceptable Use Policy
Effective Date: January 1, 2025 · Last Updated: April 28, 2026
Who This Policy Applies To
This Acceptable Use Policy ("AUP") applies to every Customer, administrator, clinician, biller, caregiver, and any other individual who accesses the Carelytics platform ("you" or "User"). Use of the platform constitutes acceptance of this AUP. Carelytics is a HIPAA Business Associate processing Protected Health Information (PHI) — including clinical notes, OASIS assessments, EVV records, billing data, and payroll — on behalf of home health agencies. Violations may result in account suspension, termination, and mandatory breach reporting under 45 CFR §164.410.
1. Account Security and Credential Management
You are responsible for maintaining the security of your account. You agree to:
- Keep credentials confidential. Never share your username, password, or session token with anyone — including colleagues, supervisors, or IT staff. Shared logins are prohibited: they defeat the unique user identification the HIPAA Security Rule requires (45 CFR §164.312(a)(2)(i)) and make audit log entries unattributable to a single person. If emergency delegation is needed, contact hi@carelytic.ai to establish proper role-based access.
- Use a strong, unique password. Passwords must be at least 10 characters and must not be reused from other services. Use a password manager if needed.
- Lock your device whenever you step away from a workstation with an active Carelytics session. Leaving PHI visible on an unattended screen is a security incident that must be reported under Section 5.
- Log out completely at the end of every session on shared or public devices. Do not rely on automatic session timeout alone.
- Report compromised credentials immediately to your agency administrator and to hi@carelytic.ai. Delay in reporting a compromised credential that leads to unauthorized PHI access may trigger mandatory breach notification obligations for your agency.
- Use only authorized devices. Access Carelytics only from devices that are password-protected, running up-to-date security patches, and approved by your agency. Avoid public computers, unmanaged personal devices, or kiosks.
2. Permitted Uses of the Platform
Carelytics may be used exclusively for:
- Clinical documentation, care planning, and OASIS assessments for patients under your agency's care
- Scheduling and Electronic Visit Verification (EVV) for authorized visits
- Billing, claims submission, and payment reconciliation for services actually rendered
- Payroll processing and HR management for agency staff
- Authorized administrative and compliance functions within your role's permissions
Access to PHI is governed by the minimum necessary standard (45 CFR §164.514(d)). You may only access patient records that are directly relevant to your assigned role and job responsibilities. Curiosity, convenience, or personal interest are not valid reasons to access a patient record.
3. Prohibited Activities
The following are strictly prohibited and may result in immediate termination of access, civil liability, and referral to law enforcement or federal regulators:
3.1 PHI and Privacy Violations
- Accessing, viewing, copying, or disclosing PHI for any purpose outside your job responsibilities
- Sharing PHI with unauthorized parties, including family members, friends, or other agencies
- Downloading or exporting PHI to personal devices, personal email, or unauthorized cloud storage
- Taking photographs or screenshots of PHI-containing screens with personal devices
- Accessing records of patients who are not assigned to you without a documented care reason
- Accessing your own health records or those of family members through the platform (unless you are an enrolled patient of the agency)
3.2 Billing and Fraud Prohibitions
- Submitting false or fraudulent claims to Medicare, Medicaid, or any payer for services not rendered, upcoded services, or services that do not meet coverage requirements. This constitutes healthcare fraud under 18 U.S.C. §1347, a federal crime, and creates civil liability under the False Claims Act (31 U.S.C. §3729), which imposes an inflation-adjusted civil penalty for each false claim plus treble damages.
- Fabricating, altering, or backdating clinical documentation to support claims for services not performed
- Using the EVV system to record false check-in/check-out times or GPS locations
- Creating visit records for patients not seen or for time periods not worked
- Splitting or bundling claims in a manner that misrepresents the services provided
- Documenting patient conditions, diagnoses, or functional status inaccurately to qualify for higher reimbursement levels
3.3 System and Security Violations
- Attempting to access systems, data, or features beyond those authorized for your role
- Attempting to access another tenant's data or any patient outside your agency
- Reverse engineering, decompiling, or attempting to extract the platform's source code or algorithms
- Introducing viruses, malware, ransomware, or any malicious code into the platform
- Conducting vulnerability scanning, penetration testing, or automated crawling without prior written authorization from Carelytics
- Circumventing or disabling any security control, audit log, or access restriction
- Using automated tools, bots, or scripts to interact with the platform in a manner not provided by the official interface
- Accessing the platform via credentials belonging to another user, even with that user's permission
3.4 General Prohibitions
- Using the platform to harass, threaten, or harm any person
- Using the platform for personal commercial purposes or competitive intelligence gathering
- Sublicensing, reselling, or providing access to the platform to unauthorized third parties
- Misrepresenting your identity, credentials, or role when using the platform
4. AI Features — Responsible Use
Carelytics includes AI-assisted features including SOAP note drafting, care plan generation, and clinical assessment assistance. When using AI features, you agree to:
- Review all AI-generated content before saving or signing. AI outputs are drafts and starting points — never final clinical documentation. You, as the licensed clinician, are solely responsible for the accuracy, completeness, and clinical appropriateness of all documentation you sign or submit.
- Never submit AI-generated content unreviewed as a clinical record, claim justification, or OASIS assessment. Signing documentation you have not reviewed may constitute fraud if it inaccurately represents patient status or services rendered.
- Do not input PHI into any external AI tool (ChatGPT, Google Gemini, etc.) in connection with patient care delivered through Carelytics. Only use the AI features built into the Carelytics platform, which are HIPAA-compliant and covered by your agency's BAA.
- Report inaccurate AI outputs that could affect patient safety or clinical decisions to hi@carelytic.ai.
5. Incident Reporting Obligations
Users must report suspected security incidents or PHI breaches immediately — not after investigation, not at the end of the day. Delay in reporting can convert an otherwise manageable security event into a notifiable HIPAA breach with OCR reporting obligations.
You must report immediately if you:
- Lose a device that had an active Carelytics session or stored any patient data
- Suspect your account credentials have been compromised
- Discover that PHI was sent to an unauthorized recipient (wrong fax, wrong email, etc.)
- Notice unusual account activity, unfamiliar logins, or data you did not access or enter
- Receive a phishing email that appears to target your Carelytics credentials
- Observe any colleague accessing records without a legitimate care reason
Report incidents to your agency's Privacy Officer AND to Carelytics at hi@carelytic.ai. Under the HIPAA Breach Notification Rule (45 CFR §164.410), a Business Associate must notify the Covered Entity of a breach without unreasonable delay and in no case later than 60 calendar days after discovery. Your prompt report enables Carelytics to meet this obligation.
6. Network and Device Security
- Avoid public Wi-Fi when accessing PHI. If you must use a public network, use a VPN provided or approved by your agency. Untrusted networks expose your device to rogue access points, traffic interception, and captive-portal pages that imitate login screens to harvest credentials.
- Keep software up to date. Use devices with current operating system patches and active antivirus protection. Unpatched devices are a leading cause of healthcare data breaches.
- Enable full-disk encryption on any device used to access Carelytics, especially laptops and mobile devices. Encryption of ePHI is an addressable implementation specification under the HIPAA Security Rule (45 CFR §164.312(a)(2)(iv)); this AUP requires it on every portable device, and an encrypted lost device is far less likely to constitute a notifiable breach.
- Do not install unauthorized software on agency-managed devices. Unknown software may contain keyloggers or credential-harvesting tools.
7. Monitoring and Enforcement
Carelytics maintains comprehensive audit logs of all platform activity, including every login, record access, data modification, export, and administrative action. These logs are retained and available to your agency's administrators and, where required by law, to regulators.
By using the platform, you consent to this monitoring. You have no expectation of privacy with respect to your platform activity. Audit logs may be reviewed in connection with suspected policy violations, HIPAA investigations, fraud audits, or legal proceedings.
Violations of this AUP may result in:
- Immediate suspension or permanent termination of platform access
- Referral to your agency's Privacy Officer and HR department
- Mandatory breach reporting to the HHS Office for Civil Rights if PHI was accessed or disclosed inappropriately
- Civil liability to affected patients under applicable state privacy laws
- Federal criminal prosecution for healthcare fraud (18 U.S.C. §1347), identity theft (18 U.S.C. §1028), or computer fraud (18 U.S.C. §1030)
8. Agency Administrator Responsibilities
Agency administrators have elevated responsibilities under this AUP:
- Assign each user the minimum permissions necessary for their role — do not grant blanket access
- Deactivate user accounts within 24 hours of an employee's termination or role change
- Conduct periodic access reviews to ensure current staff have appropriate permissions
- Ensure all users under your account have read and agreed to this AUP before granting access
- Maintain your own list of authorized users and immediately report any unauthorized accounts
- Ensure your agency has a signed BAA with Carelytics on file before any PHI is stored in the platform
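The access-review obligations above (minimum permissions, deactivation within 24 hours, periodic reviews, and a maintained list of authorized users) can be checked mechanically by reconciling an HR roster against a platform user export. The following is an added illustration, not Carelytics tooling; the field names, role names, permission names, and sample records are all assumptions constructed for the example.

```python
"""Access-review reconciliation for an agency administrator (added illustration).

Compares an HR roster with a platform user export and flags the conditions
Section 8 of the AUP makes administrators responsible for. The schema
(field names, roles, permission names) is an assumption, not the platform's.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DEACTIVATION_WINDOW = timedelta(hours=24)  # "within 24 hours" from Section 8

# Assumed least-privilege baseline per role; anything beyond it is flagged.
ROLE_BASELINE = {
    "administrator": {"user_admin", "audit_log", "compliance"},
    "clinician": {"clinical_notes", "oasis", "evv"},
    "biller": {"billing", "claims"},
    "caregiver": {"evv"},
}


@dataclass(frozen=True)
class Finding:
    user_id: str
    code: str
    detail: str


def review_access(roster, platform_users, now):
    """Return a list of Findings; an empty list means the export matches HR."""
    roster_by_id = {r["user_id"]: r for r in roster}
    findings = []
    for u in platform_users:
        uid = u["user_id"]
        hr = roster_by_id.get(uid)
        if hr is None:
            # Account exists on the platform but HR has no record of the person.
            findings.append(Finding(uid, "UNAUTHORIZED_ACCOUNT",
                                    "platform account with no HR roster entry"))
            continue
        if hr["status"] == "terminated":
            if u["active"]:
                elapsed = now - hr["terminated_at"]
                if elapsed > DEACTIVATION_WINDOW:
                    findings.append(Finding(uid, "OVERDUE_DEACTIVATION",
                                            f"terminated {elapsed} ago, still active"))
                else:
                    findings.append(Finding(uid, "PENDING_DEACTIVATION",
                                            f"terminated {elapsed} ago, deactivate now"))
            continue  # role/permission checks are moot for departed staff
        if hr["role"] != u["role"]:
            # Role changes also require re-provisioning under Section 8.
            findings.append(Finding(uid, "ROLE_MISMATCH",
                                    f"HR role {hr['role']!r}, platform role {u['role']!r}"))
        excess = set(u["permissions"]) - ROLE_BASELINE.get(u["role"], set())
        if excess:
            findings.append(Finding(uid, "EXCESS_PERMISSIONS",
                                    f"beyond {u['role']} baseline: {sorted(excess)}"))
    return findings


# Constructed sample data (not a real roster or export).
UTC = timezone.utc
NOW = datetime(2026, 4, 28, 12, 0, tzinfo=UTC)
SAMPLE_ROSTER = [
    {"user_id": "u-101", "role": "clinician", "status": "active", "terminated_at": None},
    {"user_id": "u-102", "role": "biller", "status": "terminated",
     "terminated_at": datetime(2026, 4, 25, 9, 0, tzinfo=UTC)},
    {"user_id": "u-103", "role": "caregiver", "status": "terminated",
     "terminated_at": datetime(2026, 4, 28, 2, 0, tzinfo=UTC)},
    {"user_id": "u-104", "role": "caregiver", "status": "active", "terminated_at": None},
    {"user_id": "u-105", "role": "clinician", "status": "active", "terminated_at": None},
]
SAMPLE_EXPORT = [
    {"user_id": "u-101", "role": "clinician", "active": True,
     "permissions": ["clinical_notes", "oasis", "evv"]},
    {"user_id": "u-102", "role": "biller", "active": True, "permissions": ["billing", "claims"]},
    {"user_id": "u-103", "role": "caregiver", "active": True, "permissions": ["evv"]},
    {"user_id": "u-104", "role": "clinician", "active": True,
     "permissions": ["clinical_notes", "oasis", "evv"]},
    {"user_id": "u-105", "role": "clinician", "active": True,
     "permissions": ["clinical_notes", "oasis", "evv", "payroll"]},
    {"user_id": "u-999", "role": "administrator", "active": True,
     "permissions": ["user_admin", "audit_log"]},
]


def run_sample():
    """Run the review over the constructed sample data."""
    return review_access(SAMPLE_ROSTER, SAMPLE_EXPORT, NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user_id}  {f.code:<22} {f.detail}")
```

Run against a real export, the OVERDUE_DEACTIVATION and UNAUTHORIZED_ACCOUNT findings are the ones to act on the same day; ROLE_MISMATCH and EXCESS_PERMISSIONS are the items a periodic access review exists to catch.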
9. Updates to This Policy
Carelytics may update this AUP at any time to reflect changes in law, security practices, or platform features. Material changes will be communicated to agency administrators via email at least 30 days before taking effect. Continued use of the platform after the effective date constitutes acceptance of the revised policy.