Trust & Compliance

Our Commitment to Privacy & Compliance

KR App is built to meet HIPAA technical safeguard requirements and California state health-data privacy law. This page explains what our platform does, what data we handle, and how we protect the individuals we serve.

Kindful Restoration Inc. — Last updated March 2026

🔒 HIPAA Technical Safeguards
📋 Audit Logging on All PHI Access
🔐 Encrypted in Transit (TLS / HSTS)
👤 Microsoft SSO — No Shared Passwords
⏳ 15-Minute Auto-Logoff
🏫 US-Based Infrastructure

💻  About the Platform & Application Modules

KR App is a clinical workflow platform operated by Kindful Restoration Inc. to support care coordination for Medi-Cal members enrolled in CalAIM programs including Enhanced Care Management (ECM) and Community Supports. The platform is used exclusively by authorized Kindful Restoration staff. Members do not log in directly; staff access records on members’ behalf during care planning, enrollment, and service delivery.

Application Modules

IHSP — Individualized Housing Support Plan

AI-assisted creation and management of housing support plans required for Medi-Cal ECM and CalAIM. Captures member needs, goals, and service coordination details.

PHI: Name, DOB, Medi-Cal ID, ICD-10 codes, housing needs

CHW — Plan of Care

Community Health Worker plans of care documenting interventions, goals, and progress for members enrolled in CHW services under Medi-Cal.

PHI: Name, DOB, Medi-Cal ID, clinical notes, diagnoses

ECM — Enhanced Care Management

Case management records for high-complexity Medi-Cal members. Tracks contact history, care team assignments, and care coordination notes.

PHI: Name, DOB, Medi-Cal ID, care notes, contact history

Intake — Member Onboarding

Two-step digital enrollment collecting demographic and insurance information and creating the member record in the internal CRM.

PHI: Name, DOB, address, Medi-Cal ID, insurance, phone

Comms — Communications Hub

HIPAA-aware SMS and voice communication with members via Twilio. All messages are logged and linked to member records. Staff-only access.

PHI: Phone numbers, message content, call records

Docs — Document Envelopes

Digital form completion and e-signature collection for 14 clinical document types. Generates signed PDF output with QR-code audit trail.

PHI: Signatures, clinical form data, member identity

CRM — Member Directory

Internal member management replacing third-party CRM tools. All member data stays within Kindful Restoration’s infrastructure.

PHI: Name, DOB, address, Medi-Cal ID, contact details

⚖  HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations at 45 CFR Parts 160 and 164 require covered entities and their business associates to implement administrative, physical, and technical safeguards to protect Protected Health Information (PHI). The following describes how KR App implements the HIPAA Security Rule Technical Safeguards.

Access Controls §164.312(a)

  • Unique user identification — All access is through Microsoft Entra ID (Azure AD) single sign-on. Each user has a unique organizational identity; shared accounts are not permitted.
  • Automatic logoff — Sessions expire after 15 minutes of inactivity, with a 5-minute on-screen warning before expiry.
  • Emergency access (break-glass) — An administrator break-glass mechanism provides emergency access when SSO is unavailable. All break-glass events are logged to the audit trail with timestamp, email, and IP address. Token comparison uses constant-time verification to prevent timing attacks.
  • Session security — Session cookies are Secure (HTTPS-only), HttpOnly (inaccessible to JavaScript), and SameSite=Lax to mitigate cross-site request forgery at the cookie layer.
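The break-glass item above, sketched as an added example; this is not Kindful Restoration's code. The function name, event names, and the choice to store only a SHA-256 digest of a high-entropy token are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone


def token_digest(token: str) -> bytes:
    """SHA-256 of the token. Assumes a long random token, not a human password."""
    return hashlib.sha256(token.encode("utf-8")).digest()


def verify_break_glass(presented: str, expected_digest: bytes,
                       email: str, ip: str, audit_log: list) -> bool:
    """Check a break-glass token and record the attempt, success or failure."""
    # Hashing first gives both operands the same length, so the comparison
    # time reveals neither the token length nor how many bytes matched.
    ok = hmac.compare_digest(token_digest(presented), expected_digest)
    # Failures are logged as well as successes; the token itself never is.
    audit_log.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "event": "break_glass_success" if ok else "break_glass_failure",
        "email": email,
        "ip": ip,
    })
    return ok


# Constructed sample values, for illustration only.
SAMPLE_TOKEN = "constructed-sample-token-7f3a9c"
SAMPLE_DIGEST = token_digest(SAMPLE_TOKEN)

if __name__ == "__main__":
    log = []
    verify_break_glass(SAMPLE_TOKEN, SAMPLE_DIGEST, "admin@example.org", "203.0.113.10", log)
    verify_break_glass("wrong-token", SAMPLE_DIGEST, "admin@example.org", "203.0.113.10", log)
    for entry in log:
        print(entry)
```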

Audit Controls §164.312(b)

  • Comprehensive audit logging — All PHI-touching events are written to a dedicated audit database. Log entries include timestamp, user identity, IP address, event type, and the affected record ID.
  • Authentication events — Login, logout, and break-glass events are individually logged with full context.
  • Communication events — Every SMS sent or received and every voice session start and end is logged and linked to the relevant member record.
  • Audit log viewer — Authorized administrators can search, filter, and export the complete audit trail at any time through the platform’s built-in audit log viewer.

Integrity & Transmission Security §164.312(c)(d)(e)

  • Encryption in transit — All traffic is served over HTTPS only. HTTP Strict Transport Security (HSTS) is enforced with a one-year max-age and includeSubDomains in production, preventing protocol downgrade attacks.
  • No PHI caching — Every response is served with Cache-Control: no-store, preventing PHI from being stored in browser caches or intermediate proxies.
  • No PHI in error messages — Application errors return generic, user-friendly messages only. Technical details are logged server-side and never returned to the browser.
  • CSRF protection — All state-changing requests (POST, PUT, PATCH, DELETE) require a cryptographically random CSRF token (Flask-WTF). Tokens are scoped per-session and validated server-side on every request.

Security Headers

Every response from the platform includes the following HTTP security headers:

  • X-Frame-Options: DENY — prevents clickjacking via iframe embedding
  • X-Content-Type-Options: nosniff — prevents MIME-type sniffing attacks
  • Referrer-Policy: no-referrer — prevents URL leakage across navigation
  • Permissions-Policy — disables geolocation, microphone, and camera browser APIs
  • Strict-Transport-Security — enforces HTTPS for one year in production
  • Cache-Control: no-store — prevents PHI caching on all responses
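A check that a captured response matches the header list above and the session-cookie flags stated under Access Controls, as an added example; it is not part of the platform's code. The function name, the sample response, and the `feature=()` Permissions-Policy syntax are assumptions, since the page does not show the header values in full.

```python
import re

ONE_YEAR = 31536000  # seconds; the page states a one-year HSTS max-age

def audit_response(headers):
    """Return findings for one response given as a list of (name, value) pairs."""
    h, cookies, findings = {}, [], []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)  # Set-Cookie may repeat, so keep every one
        else:
            h[name.lower()] = value.strip()
    for name, want in (("x-frame-options", "deny"),
                       ("x-content-type-options", "nosniff"),
                       ("referrer-policy", "no-referrer")):
        if h.get(name, "").lower() != want:
            findings.append(f"{name}: expected {want}")
    if "no-store" not in [d.strip().lower() for d in h.get("cache-control", "").split(",")]:
        findings.append("cache-control: no-store missing")

    hsts = [p.strip().lower() for p in h.get("strict-transport-security", "").split(";")]
    age = next((re.fullmatch(r"max-age=(\d+)", p) for p in hsts if p.startswith("max-age")), None)
    if not age or int(age.group(1)) < ONE_YEAR:
        findings.append("strict-transport-security: max-age missing or under one year")
    if "includesubdomains" not in hsts:
        findings.append("strict-transport-security: includeSubDomains missing")

    # Assumed syntax: an empty allowlist, e.g. geolocation=(), disables a feature.
    policy = h.get("permissions-policy", "").replace(" ", "").lower().split(",")
    for feature in ("geolocation", "microphone", "camera"):
        if f"{feature}=()" not in policy:
            findings.append(f"permissions-policy: {feature} not disabled")

    for cookie in cookies:
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        for want in ("secure", "httponly", "samesite=lax"):
            if want not in attrs:
                findings.append(f"set-cookie {cookie.split('=')[0]}: {want} missing")
    return findings

# Constructed sample response with two deliberate gaps (short HSTS, no HttpOnly).
WEAK = [("X-Frame-Options", "DENY"), ("X-Content-Type-Options", "nosniff"),
        ("Referrer-Policy", "no-referrer"), ("Cache-Control", "no-store"),
        ("Strict-Transport-Security", "max-age=86400; includeSubDomains"),
        ("Permissions-Policy", "geolocation=(), microphone=(), camera=()"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; SameSite=Lax")]

if __name__ == "__main__":
    print("\n".join(audit_response(WEAK)))
```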

🔒  Data Security Practices

Infrastructure

  • Hosted in the United States — Application servers and databases are hosted on DigitalOcean infrastructure in US data centers. No PHI is transferred outside the United States.
  • Database encryption at rest — PostgreSQL databases are encrypted at rest by DigitalOcean. Database credentials are unique per application module and are never exposed to end-users.
  • Least-privilege database access — Each application module connects to its own dedicated database with credentials scoped to only the tables it requires.
  • Secret management — All secrets (API keys, database passwords, OAuth client secrets) are stored as environment variables. No credentials exist in source code or version control history.

Application Security

  • SQL injection prevention — All database queries use SQLAlchemy’s parameterized query interface. Direct string interpolation into SQL statements is not used anywhere in the codebase.
  • Input validation — User-supplied data is validated and sanitized server-side before processing or storage.
  • Dependency pinning — Python dependencies are pinned to specific versions and reviewed for known vulnerabilities prior to every deployment.
  • Automated security scanning — An automated security agent runs on every code change, reviewing for OWASP Top 10 vulnerabilities, HIPAA-relevant patterns, SQL injection, XSS, insecure session handling, and hardcoded credentials.

Monitoring & Incident Response

  • Error tracking — Application errors are captured automatically with full context, reviewed by the engineering team, and tracked to resolution in the platform’s internal error log.
  • Anomaly monitoring — PHI access events in the audit log are monitored for unusual patterns by authorized administrators.
  • Breach notification capability — In the event of a suspected breach of unsecured PHI, affected individuals and the U.S. Department of Health and Human Services will be notified within the timeframes required under the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).

📄  Data Practices — What We Collect and How We Use It

Categories of Protected Health Information (PHI)

KR App processes the following categories of PHI in connection with Medi-Cal care coordination:

  • Demographics: full name, date of birth, mailing address, phone number
  • Insurance identifiers: Medi-Cal ID / CIN (Client Identification Number)
  • Clinical information: ICD-10 diagnosis codes, care plan narratives, housing needs assessments, social determinants of health data
  • Communications: SMS message content and voice call records when conducted through the Comms module
  • Signatures: electronic signatures on clinical documents and forms

Purpose and Minimum Necessary Standard

PHI is used solely for treatment, care coordination, and healthcare operations on behalf of Kindful Restoration’s Medi-Cal program participants. We apply the HIPAA minimum necessary standard: staff members access only the PHI required for their specific role and the specific task at hand.

AI-Assisted Processing

The IHSP and CHW modules use a large language model (OpenAI GPT-4o) to assist clinical staff in drafting care plan narratives. Member PHI submitted to the AI model is used solely to generate the requested clinical content. A Business Associate Agreement (BAA) governing this processing is maintained with OpenAI, and OpenAI does not use submitted data to train its public models. All AI-generated content is reviewed and approved by a clinical staff member before being saved or acted upon.

Data Retention

Member records and associated clinical documents are retained for a minimum of seven (7) years from the date of creation, consistent with California Health & Safety Code requirements and HIPAA standards. Audit log records are retained for the same period. Records are securely deleted after the applicable retention period expires using methods that render the data unrecoverable.

No Sale or Marketing Use

Kindful Restoration does not sell, rent, share, or monetize member PHI in any form. PHI is never used for advertising, data brokerage, or any purpose unrelated to the direct care and operational support of the individuals to whom it belongs.

🇺🇸  California Privacy Rights

California Confidentiality of Medical Information Act (CMIA)

In addition to HIPAA, Kindful Restoration complies with the California Confidentiality of Medical Information Act (Cal. Civ. Code §§ 56–56.37). The CMIA provides additional protections for California residents, including heightened confidentiality requirements for mental health, substance use disorder, reproductive health, and certain other categories of sensitive health information that go beyond HIPAA’s baseline protections.

California Consumer Privacy Act (CCPA / CPRA)

To the extent the CCPA applies to our operations, Kindful Restoration honors its requirements. Information collected and maintained in connection with HIPAA-covered healthcare operations is generally exempt from CCPA under the medical information exemption (Cal. Civ. Code § 1798.145(c)). Individuals who believe they have CCPA rights not covered by the HIPAA exemption may contact our Privacy Officer.

State Breach Notification

In the event of a breach involving California residents’ personal or medical information, Kindful Restoration will provide notification as required by the California data breach notification statute (Cal. Civ. Code § 1798.82) and the CMIA (§ 56.36), in addition to the federal HIPAA Breach Notification Rule requirements.

CalAIM Program Requirements

As a provider participating in California’s CalAIM initiative, Kindful Restoration adheres to the data-sharing and care coordination requirements established by the California Department of Health Care Services (DHCS) for Enhanced Care Management (ECM) and Community Supports programs. These requirements govern how member data is shared with managed care plans and other authorized parties in the member’s care team.

🤝  Business Associates & Third-Party Services

Under HIPAA, vendors that access, process, or transmit PHI on behalf of a covered entity must execute a Business Associate Agreement (BAA). The following third-party services are used by KR App in connection with PHI:

Current Technology Partners

  • DigitalOcean — Managed PostgreSQL database hosting for all member and clinical data. All infrastructure is US-based.
  • Microsoft (Azure AD / Entra ID) — Identity provider for staff single sign-on. Employee identity data is processed through Microsoft’s systems for authentication.
  • OpenAI — Large language model API used for AI-assisted care plan narrative generation in the IHSP and CHW modules. Member PHI is submitted only for care plan drafting; a BAA is maintained with OpenAI.
  • Twilio — SMS and voice communications platform. Message content and phone numbers are processed through Twilio’s infrastructure when staff communicate with members. A BAA is maintained with Twilio.
  • Amazon SES — Transactional email delivery for document envelopes and member notifications. Covered under the AWS BAA.

BAA Maintenance

All Business Associate Agreements are reviewed and renewed at least annually. If a BAA cannot be executed or maintained with a vendor that processes PHI, that vendor’s service is discontinued for any use involving member health information.

👤  Individual Rights Under HIPAA

As a HIPAA-covered entity, Kindful Restoration recognizes and upholds the following individual rights regarding Protected Health Information:

Right of Access §164.524

You have the right to inspect and obtain a copy of your PHI held by Kindful Restoration, including records created and maintained in KR App. Requests must be submitted in writing to the Privacy Officer. We will respond within 30 days (or 60 days with notice of extension if additional time is needed).

Right to Amend §164.526

You have the right to request amendment of your PHI if you believe it is inaccurate or incomplete. Kindful Restoration may deny a request if the information is already accurate and complete, or was not created by this organization.

Right to an Accounting of Disclosures §164.528

You have the right to receive an accounting of disclosures of your PHI made by Kindful Restoration, except for disclosures made for treatment, payment, or healthcare operations. Requests cover disclosures made within the past six years.

Right to Request Restrictions §164.522

You have the right to request restrictions on certain uses and disclosures of your PHI. Kindful Restoration is not required to agree to all restriction requests, except where you have paid out-of-pocket in full for a specific service and request that information not be disclosed to your health plan.

Right to Confidential Communications §164.522(b)

You have the right to request that we communicate with you about health matters in a specific way or at a specific location (for example, contacting you only at a particular phone number). We will accommodate all reasonable requests.

How to Exercise Your Rights

To exercise any of the rights above, contact the Privacy Officer in writing using the contact information in the section below. All requests are acknowledged within five (5) business days.

📚  Regulatory Frameworks & Standards

KR App is designed and operated with reference to the following frameworks and regulations:

  • HIPAA Security Rule (45 CFR Part 164, Subpart C) — Technical safeguards: access control, audit controls, integrity, and transmission security.
  • HIPAA Privacy Rule (45 CFR Part 164, Subpart E) — Minimum necessary standard, individual rights, uses and disclosures of PHI.
  • HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) — Notification requirements in the event of a breach of unsecured PHI.
  • California CMIA (Cal. Civ. Code §§ 56–56.37) — California medical information confidentiality requirements, stricter than HIPAA in several areas.
  • CalAIM / Medi-Cal — California Department of Health Care Services requirements for ECM and CHW program data handling and care coordination.
  • OWASP Top 10 — Web application security best practices applied during development and reviewed via automated scanning on every code change.
  • NIST SP 800-66 — Implementing the HIPAA Security Rule: used as a reference guide for our security program design.

📧  Contact the Privacy Officer

For compliance inquiries, privacy rights requests, or to report a suspected privacy violation, contact Kindful Restoration’s designated Privacy Officer:

Danni Matocinos
Privacy Officer — Kindful Restoration Inc.

Mailing address:
Kindful Restoration Inc.
7344 Magnolia Ave., Suite 110
Riverside, CA 92504

Phone: (951) 404-0856

If you believe your privacy rights have been violated, you also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr/privacy or by calling 1-800-368-1019. Filing a complaint will not result in any retaliation by Kindful Restoration.