Kalvri Care
HIPAA posture

How Kalvri thinks about HIPAA.

Last updated: May 24, 2026.

Preview placeholder — not legal advice.
This page describes the security and HIPAA-aligned commitments we design to. It is not the production Notice of Privacy Practices, and will be replaced by counsel-reviewed text before Kalvri collects real protected health information.

1. What this means

In v1, Kalvri Care is a coordination platform — not a covered entity under HIPAA. We do not dispense, prescribe, or render medical decisions. The pharmacy remains the dispenser; the prescriber remains the prescriber. Kalvri helps your family coordinate the errands and follow-through around the care plan they already have.

Even though Kalvri is not a covered entity, we build the system to a HIPAA-aligned standard from day one — because we hold information adjacent to your family’s health, and you deserve a platform that takes that seriously.

2. PHI-adjacent data we touch

We hold a narrow slice of health-adjacent information: medication names you choose to surface on a task, pharmacy names and locations, refill dates, and a short message history between caregivers and helpers about specific pickups.

Diagnoses, clinical notes, insurance information, and lab results are out of scope for the v1 product — we don’t ask for them, don’t store them by default, and don’t expose UI affordances that invite them.

When PHI-adjacent data is stored, it is protected with encryption at rest and in transit, with field-level encryption on the most sensitive identifiers and least-privilege access across every internal system.

3. Business Associate Agreement posture

Kalvri will sign Business Associate Agreements with every subprocessor that touches patient information before any real protected health information is collected. The preview build does not collect real PHI, so no BAA is yet in force.

Before any clinical partner (a discharge program, a pharmacy integration, a payer pilot) is connected to a real patient record, Kalvri will sign and maintain a BAA with that partner and update this page to list the categories of subprocessors under BAA.

4. Helper minimum-necessary information

Helpers are not staff; they are people your family invites by name. The platform enforces a minimum-necessary information standard for every helper interaction:

  • Always exposed: patient first name, relationship to the caregiver, and the task fields the caregiver chose to surface.
  • Conditionally exposed (caregiver decides per task): date of birth if the pharmacy might ask, partial address before Accept and full address only after, pharmacy details.
  • Never exposed by default: the full medication vault, diagnoses, allergies, insurance details, payment information. A caregiver can grant any of these for a specific task with a clear consent prompt — never silently.

Scopes are enforced server-side, not just by hiding UI. A tampered or forwarded link cannot reveal information outside its scope.
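The scope model above, as an added illustration that is not Kalvri's code: a helper link is bound to one task and one helper by a server-side signature, and the fields a helper receives are chosen on the server from the caregiver's per-task grants and the helper's accept state, so a tampered or forwarded link cannot widen its own scope. Field names, the task structure and the sample record are assumptions constructed for the example.

```python
"""Server-side minimum-necessary filtering for a helper task link (added example)."""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets

# Field tiers, following the three bullets above (field names are assumptions).
ALWAYS = {"patient_first_name", "relationship", "task_fields"}
CONDITIONAL = {"date_of_birth", "pharmacy"}  # caregiver decides per task
ADDRESS_PARTIAL, ADDRESS_FULL = "address_partial", "address_full"
NEVER_BY_DEFAULT = {"medication_vault", "diagnoses", "allergies", "insurance", "payment"}


@dataclass
class Task:
    task_id: str
    record: dict
    grants: set                              # per-task grants the caregiver consented to
    accepted_by: set = field(default_factory=set)


# Constructed key for the example; a deployment would use a managed key.
SERVER_KEY = secrets.token_bytes(32)


def mint_link_token(task_id: str, helper_id: str) -> str:
    """Bind a link to exactly one task and one helper with an HMAC tag."""
    payload = f"{task_id}:{helper_id}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def parse_link_token(token: str):
    """Return (task_id, helper_id) only if the tag verifies; None for any tampering."""
    try:
        payload_hex, tag = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    task_id, helper_id = payload.decode().split(":", 1)
    return task_id, helper_id


def helper_view(task: Task, helper_id: str) -> dict:
    """Build the helper's view on the server; nothing outside the scope is ever sent."""
    out = {k: task.record[k] for k in ALWAYS if k in task.record}
    for k in CONDITIONAL:                     # only what the caregiver chose per task
        if k in task.grants and k in task.record:
            out[k] = task.record[k]
    # Partial address before Accept, full address only after.
    key = ADDRESS_FULL if helper_id in task.accepted_by else ADDRESS_PARTIAL
    out["address"] = task.record.get(key)
    for k in NEVER_BY_DEFAULT:                # requires an explicit, consented grant
        if k in task.grants and k in task.record:
            out[k] = task.record[k]
    return out


def grant_sensitive(task: Task, field_name: str, consent_confirmed: bool) -> None:
    """Grant a never-by-default field for this task only, never silently."""
    if field_name not in NEVER_BY_DEFAULT:
        raise ValueError("not a sensitive field")
    if not consent_confirmed:
        raise PermissionError("explicit caregiver consent required")
    task.grants.add(field_name)


def resolve_helper_request(tasks: dict, token: str):
    """Entry point a link handler would call: verify, look up, filter."""
    parsed = parse_link_token(token)
    if parsed is None:
        return None
    task_id, helper_id = parsed
    task = tasks.get(task_id)
    return None if task is None else helper_view(task, helper_id)


def make_sample_task() -> Task:
    """Constructed sample task; the caregiver surfaced the pharmacy but nothing sensitive."""
    return Task(
        task_id="t1",
        record={
            "patient_first_name": "Ana",
            "relationship": "mother",
            "task_fields": {"what": "refill pickup", "when": "Friday"},
            "date_of_birth": "1951-03-09",
            "pharmacy": "Corner Pharmacy, 12 Main St",
            ADDRESS_PARTIAL: "Main St area",
            ADDRESS_FULL: "14 Main St, Apt 2",
            "medication_vault": ["(sample entry)"],
            "insurance": "(sample plan)",
        },
        grants={"pharmacy"},
    )
```

The point of the design is that `helper_view` is the only path that produces helper-facing data; hiding a field in the client is never what protects it, and a link whose payload is edited to name another task fails signature verification before any lookup happens.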

5. Audit log

Every read and write on patient data is logged with the actor (caregiver, family member, helper, admin, or system), the action, the target record, a timestamp, and — where applicable — the reason. Caregivers can view their own family’s audit log from Settings. Founder and admin actions on a family’s data appear in the family’s audit log, not just an internal one.

6. Soft-delete and 30-day purge

When you delete a record, the platform performs a soft-delete: the record is marked inactive immediately and hidden from everyone, including admins. A hard purge runs after 30 days. During the 30-day window, an account owner can recover the record by contacting support. After purge, the data is irretrievable.

Account-level deletion follows the same posture: account suspended immediately, hard-purged after 30 days, with the option to recover during the window.
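Sections 5 and 6 together, as an added example that is not Kalvri's code: a small in-memory record store that writes an audit entry (actor, role, action, target, timestamp, reason) for every read and write, makes a deleted record invisible to every role immediately, allows support-assisted recovery inside the 30-day window, and hard-purges after it. The class and field names and the injected clock are assumptions made so the example runs offline.

```python
"""Audit-logged record store with soft-delete and 30-day purge (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PURGE_AFTER = timedelta(days=30)


@dataclass
class AuditEntry:
    actor_id: str
    actor_role: str          # caregiver | family | helper | admin | system
    action: str              # write | read | delete | recover | purge
    target: str              # record id
    at: datetime
    family_id: str
    reason: Optional[str] = None


@dataclass
class Record:
    record_id: str
    family_id: str
    data: dict
    deleted_at: Optional[datetime] = None


class FakeClock:
    """Controllable clock so the 30-day window can be exercised in a test."""
    def __init__(self, now: datetime):
        self.now = now

    def advance(self, delta: timedelta) -> None:
        self.now += delta

    def __call__(self) -> datetime:
        return self.now


class RecordStore:
    def __init__(self, clock):
        self._clock = clock
        self._records: dict = {}
        self._audit: list = []          # retained even after the record itself is purged

    def _log(self, actor, role, action, target, family_id, reason=None):
        self._audit.append(AuditEntry(actor, role, action, target, self._clock(), family_id, reason))

    def write(self, actor, role, record: Record) -> None:
        self._records[record.record_id] = record
        self._log(actor, role, "write", record.record_id, record.family_id)

    def read(self, actor, role, record_id, reason=None):
        rec = self._records.get(record_id)
        if rec is None or rec.deleted_at is not None:
            return None                 # soft-deleted: hidden from everyone, admins included
        self._log(actor, role, "read", record_id, rec.family_id, reason)
        return rec.data

    def delete(self, actor, role, record_id) -> bool:
        rec = self._records.get(record_id)
        if rec is None or rec.deleted_at is not None:
            return False
        rec.deleted_at = self._clock()  # soft-delete: mark inactive, keep for the window
        self._log(actor, role, "delete", record_id, rec.family_id)
        return True

    def recover(self, actor, role, record_id, reason) -> bool:
        """Support-assisted recovery; refused once the window has elapsed."""
        rec = self._records.get(record_id)
        if rec is None or rec.deleted_at is None:
            return False
        if self._clock() - rec.deleted_at >= PURGE_AFTER:
            return False
        rec.deleted_at = None
        self._log(actor, role, "recover", record_id, rec.family_id, reason)
        return True

    def purge_expired(self) -> list:
        """Hard purge, run by the system; returns the ids removed."""
        now = self._clock()
        expired = [rid for rid, r in self._records.items()
                   if r.deleted_at is not None and now - r.deleted_at >= PURGE_AFTER]
        for rid in expired:
            family_id = self._records.pop(rid).family_id
            self._log("system", "system", "purge", rid, family_id, "30-day retention elapsed")
        return expired

    def family_audit_log(self, family_id) -> list:
        """What a caregiver sees from Settings: every actor, admin actions included."""
        return [e for e in self._audit if e.family_id == family_id]
```

Two choices worth noting: the audit log is a separate list that outlives the record, so a purge leaves a trace even though the data itself is gone; and admin or support actions are written to the same family-scoped log the caregiver reads, matching the commitment that founder and admin actions appear in the family's own audit log.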

7. Breach notification

If Kalvri determines that an incident has resulted in unauthorized access to identifiable patient information, we will notify affected account owners by email and in-app within the time frame required by applicable law — and, where required, notify regulators. The notice will include what we know about what happened, what information was involved, what steps we took, and what steps you can take.

This commitment will be reflected formally in the production Notice of Privacy Practices.

8. Contact

Reach the team at privacy@kalvri.care. For full data-handling details, see the Privacy notice.