Security & HIPAA at LEMR

HIPAA-Aligned by Design

LEMR is built to support agencies' obligations under the HIPAA Privacy, Security, and Breach Notification Rules. Administrative, physical, and technical safeguards are reflected throughout the platform — role-based access, audit logging, automatic session controls, encryption, and a documented breach-notification procedure available to every agency.

Access Control & Authentication

Access to patient data is governed by role. Clinical roles — RN, LPN, PT, PTA, OT, COTA, SLP, SLPA, MSW, CNA, and HHA — along with Manager and Administrator roles, each receive only the permissions their job requires. Scope of practice is enforced in software: a clinician cannot sign documentation outside their discipline.

• Individual named accounts — no shared logins — so every action is attributable.
• Automatic logout after a period of inactivity on every device.
• On mobile, the app locks and requires re-authentication after a short period in the background.
• Optional Face ID / Touch ID sign-in, backed by the device's secure hardware.

Tenant Isolation

LEMR is multi-tenant, and isolation between agencies is enforced at three independent layers: server-side security rules that run on the infrastructure provider and cannot be bypassed by a client; server-side writers that stamp every record with its owning agency; and client queries scoped to the signed-in user's agency. No layer is trusted alone.

Infrastructure

LEMR runs on Google Cloud Platform, including managed application hosting, the Firestore database, and Firebase authentication and storage. These services provide physical data-center security, redundancy, and encryption, and are covered by Google Cloud's Business Associate Agreement for HIPAA-eligible services.

Artificial Intelligence & PHI

LEMR's AI-assisted features — patient summaries, schedule drafting, and diagnosis-based patient education — run on Google Cloud's Vertex AI, which is HIPAA-eligible under Google Cloud's Business Associate Agreement. Patient data processed by these features is not used to train third-party foundation models.

Availability & Continuity

Agency data is stored on managed, redundant cloud infrastructure. For planned or unplanned downtime, LEMR can generate an offline downtime package — PDF copies of patient charts, schedules, staff records, and blank forms — so care and documentation continue even when systems are unavailable. The mobile apps also support offline use in homes with poor connectivity.

Breach Notification

LEMR maintains a documented breach-notification procedure consistent with the HIPAA Breach Notification Rule. In the event of a security incident affecting protected health information, affected agencies are notified without unreasonable delay so that they can meet their own notification obligations.

Your Responsibilities as a Covered Entity

Security is shared. LEMR secures the platform; your agency is responsible for managing user accounts, assigning appropriate roles, deactivating departed staff promptly, securing the devices your team uses, and training your workforce on privacy practices. Our onboarding team will help you configure these controls correctly.

Data Handling Transparency

LEMR collects only the information needed to deliver the service: patient clinical and demographic records entered by your staff, agency and staff account information, visit location data captured for visit verification, and standard technical and usage logs. LEMR does not sell personal information and does not use third-party advertising trackers. A full description is in our Privacy Policy, and account and data deletion is described on our Account & Data Deletion page.