HIPAA Compliance: 13/13 active

  • HTTPS/TLS
  • 15-Min Timeout
  • DB Encryption
  • S3 Encryption
  • RBAC
  • Audit Logging
  • OAuth
  • Rate Limiting
  • No Hardcoded Secrets
  • Health Monitoring
  • Auto-Recovery
  • DB Backups
  • Connection Retry

HIPAA Compliance & Privacy

WeCare is committed to protecting the privacy and security of health information. Here's how we safeguard your data.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets national standards for protecting sensitive patient health information. It requires organizations that handle Protected Health Information (PHI) to implement physical, technical, and administrative safeguards.

Because WeCare handles healthcare-related delivery data, we follow HIPAA guidelines to ensure every piece of information is handled responsibly.

How We Protect Your Data

  • Encryption in transit — all connections use HTTPS/TLS
  • Encryption at rest — files stored in AWS S3 are encrypted server-side
  • Session timeouts — sessions expire after 15 minutes of inactivity
  • Role-based access control — users only see what their role permits
  • Activity logging — all data changes are tracked for accountability
  • Secure authentication — Google OAuth with JWT-based sessions

Our Technology

The WeCare Driver Portal is built with industry-standard tools chosen for security and reliability:

  • Next.js — server-rendered React framework with built-in security headers
  • PostgreSQL — enterprise-grade database with row-level access controls
  • AWS S3 — encrypted cloud storage for attachments and files
  • Google OAuth — secure sign-in without storing passwords
  • HTTPS / TLS — all data encrypted in transit between your browser and our servers

Your Rights Under HIPAA

As an individual whose information may be handled by WeCare, you have the right to:

  • Access — request a copy of the data we hold about you
  • Amendment — ask us to correct inaccurate information
  • Restriction — request limits on how your data is used or shared
  • Accounting — obtain a record of certain disclosures of your information
  • Complaint — file a complaint with us or the U.S. Department of Health & Human Services if you believe your rights have been violated

Data We Collect

We only collect information necessary to operate the delivery management system. This includes:

  • User profiles — name, email, role, and profile photo
  • Delivery records — addresses, dates, statuses, and notes
  • Expense logs — amounts, categories, and receipt attachments
  • Activity logs — who changed what and when, for audit purposes

We do not store direct Protected Health Information (PHI) beyond what is strictly necessary for delivery coordination.

Who Has Access

Access is strictly controlled by role:

Admin

Full system access — manage users, view all deliveries and expenses, configure integrations, and access activity logs.

Case Manager

View and edit all deliveries, assign and reassign drivers, and access activity logs. Cannot manage users or integrations.

Driver

View and manage only their own deliveries and expenses. No access to other users' data.

System Resilience

Our production infrastructure includes multiple layers of protection to ensure data safety and uptime:

  • Health Monitoring — automated checks every 2 minutes with auto-restart on failure
  • Auto-Recovery — PM2 process manager automatically restarts the app on crashes or memory issues
  • Database Backups — automated daily backups to encrypted S3 storage with 30-day retention
  • Connection Retry — database queries automatically retry with backoff on transient connection failures

Last Backup

Apr 12, 2026, 8:00 PM

Last Incident

Mar 24, 2026, 1:54 PM

Recent System Events (72h)

  • Apr 12, 2026, 8:00 PM [info] Backup complete: wecare_drive_2026-04-13_0300.sql.gz (528K)
  • Apr 12, 2026, 8:00 AM [info] Backup complete: wecare_drive_2026-04-12_1500.sql.gz (528K)
  • Apr 11, 2026, 8:00 PM [info] Backup complete: wecare_drive_2026-04-12_0300.sql.gz (528K)
  • Apr 11, 2026, 8:00 AM [info] Backup complete: wecare_drive_2026-04-11_1500.sql.gz (528K)
  • Apr 10, 2026, 8:00 PM [info] Backup complete: wecare_drive_2026-04-11_0300.sql.gz (528K)
  • Apr 10, 2026, 8:00 AM [info] Backup complete: wecare_drive_2026-04-10_1500.sql.gz (524K)

Questions or Concerns?

If you have questions about our privacy practices or believe your rights have been violated, please contact our Privacy Officer:

(925) 462-5600

DriveApp V 3.0 · Built Apr 1, 2026, 5:12 PM
HIPAA Compliant