Security & Compliance
Your patient data security is our highest priority. We maintain the most stringent security standards and compliance certifications in the healthcare industry.
10DLC Registration Status
A2P SMS Campaign Compliance Summary
Opt-in form screenshots and consent workflow are publicly accessible (no login required) at caremetric.ai/security#sms-opt-in-forms. Full SMS compliance documentation at caremetric.ai/sms-compliance.
Comprehensive Security Framework
Administrative Safeguards: Comprehensive security management processes, workforce training and management, information access management, security awareness training, and contingency planning.
Physical Safeguards: Facility access controls, workstation security policies, device and media controls with secure disposal procedures.
Technical Safeguards: Access controls with unique user identification, emergency access procedures, encryption and decryption mechanisms, audit controls, integrity controls, and transmission security.
Business Associate Agreements (BAA) provided to all customers at no additional cost.
Regular HIPAA compliance audits conducted by third-party security firms.
Breach notification procedures in place per HIPAA requirements (45 CFR 164.408).
10DLC SMS Campaign Registration
Complete A2P 10DLC campaign registration details for The Campaign Registry (TCR). Brand: CareMetric AI · TCR ID: C0ZURTX · Carrier: Twilio
TCR / Twilio Reviewer Notice — Campaign Re-Submission Reference
Opt-in form screenshots are publicly accessible (no login required) at https://caremetric.ai/security#sms-opt-in-forms. This URL is referenced in both the Campaign Description and the Opt-In Workflow fields submitted to Twilio. Full SMS compliance documentation is at https://caremetric.ai/sms-compliance.
Fields highlighted in amber have been updated to address the CTA and Opt-In rejection. Submit the exact text from those fields into the Twilio campaign edit form.
Matches the registered 10DLC brand and outbound message sender identity.
No marketing or promotional messages are sent.
This exact disclosure appears on every opt-in flow.
No public link shorteners or unrelated third-party destinations are used.
Below are the actual opt-in forms showing the phone number field and the full SMS opt-in language as displayed to patients. The forms meet all 10DLC requirements: standalone unchecked checkbox, full disclosure language, brand name, use cases, frequency, data rates, STOP/HELP keywords, consent-not-required statement, and no-third-party-sharing clause with privacy policy link.
Opt-In Form — Digital Consent (Patient Registration)
The following shows the exact SMS consent form presented to patients during registration in the CareMetric AI EHR system. The form is accessible during staff-assisted patient registration and through the patient self-registration portal.
SMS Consent for Practice Notifications
I agree to receive transactional healthcare text messages from CareMetric AI, including appointment reminders, confirmations, assessment requests, and care follow-ups. Message frequency varies. Message and data rates may apply. Reply HELP for help or STOP to opt out. Consent is not a condition of receiving care. We do not share mobile opt-in data with third parties for marketing or promotional purposes.
Labeled "Mobile Phone Number (for SMS notifications)" — clearly identifies purpose
Brand name, use cases, frequency, data rates, STOP/HELP, privacy/sharing clause, privacy policy link
Checkbox is unchecked by default, standalone, and not required for registration
Opt-In Form — Patient Self-Registration Portal
When patients register through the self-service patient portal, the same SMS consent form is presented during the intake process. The consent checkbox and full disclosure language are identical to the staff-assisted registration form.
I agree to receive SMS text message notifications (optional)
I agree to receive transactional healthcare text messages from CareMetric AI, including appointment reminders, confirmations, assessment requests, and care follow-ups. Message frequency varies. Message and data rates may apply. Reply HELP for help or STOP to opt out. Consent is not a condition of receiving care. We do not share mobile opt-in data with third parties for marketing or promotional purposes.
This checkbox is optional. You may complete registration without enabling SMS notifications. You can update this preference at any time in your patient portal settings.
Note: The patient portal registration is a multi-step form. The SMS consent appears on its own dedicated step (Communication Preferences) and is never combined with medical consent, privacy acknowledgments, or terms of service checkboxes.
The following is the script, reproduced exactly, that staff read verbatim to patients during in-office verbal consent collection. It includes all required disclosures under 10DLC and TCPA requirements. After the patient verbally agrees, a confirmation SMS is sent reiterating the key terms.
Exact Script Read to Patients:
Script includes all required disclosures:
TCPA & HIPAA Compliance Summary
Express written consent is captured before any non-exempt SMS communication is sent.
Patients can opt in through digital registration, patient portal self-service, verbal in-office consent, or keyword opt-in.
Every opt-in path discloses message purpose, variable frequency, data rates, HELP/STOP instructions, and that consent is not a condition of care.
STOP-family keywords are processed immediately and suppress future messaging automatically.
HELP responses include support contact information and opt-out instructions.
No protected health information is included in SMS body content.
Mobile opt-in data is never sold, rented, or shared with third parties for marketing or promotional use.
Consent events are logged with method, timestamp, staff or patient identity, and disclosure text presented.
Security & Compliance FAQ
Do you sign Business Associate Agreements (BAA)?
Yes, we provide HIPAA-compliant Business Associate Agreements to all customers at no additional cost. The BAA is available immediately upon account creation and can be electronically signed through your admin dashboard.
Where is my data stored?
All data is stored in HIPAA-compliant AWS data centers in the United States. We offer data residency options for customers with specific regional requirements. Your data is encrypted both at rest and in transit, with automatic backups stored in geographically distributed locations.
How long do you retain audit logs?
We retain comprehensive audit logs for a minimum of 7 years to exceed HIPAA requirements and support legal discovery if needed. All audit logs are tamper-proof and can be exported by authorized administrators at any time.
Can we conduct our own security assessment?
Yes, enterprise customers can conduct security assessments through our customer security portal. We provide comprehensive security documentation, SOC 2 reports, penetration test results, and can facilitate customer-initiated penetration testing with prior coordination.
What happens in case of a data breach?
We have a comprehensive incident response plan that includes immediate containment, forensic investigation, customer notification within 24 hours, and compliance with all federal and state breach notification requirements. Our incident response team conducts regular drills and is available 24/7/365.
How do you handle SMS messaging compliance?
All SMS messaging is fully compliant with TCPA regulations and A2P 10DLC requirements. Our campaign is registered with The Campaign Registry (TCR) — Brand ID: C0ZURTX — through our carrier (Twilio) under the Healthcare and Life Sciences vertical. We only send messages to patients who have provided explicit consent through one of four documented methods: digital opt-in via staff-assisted EHR registration, digital opt-in via the patient self-service portal, verbal in-office consent using a standardized script, or keyword opt-in (texting START or YES).
All consent forms include complete required disclosures: brand name, message use cases, frequency, data rates, STOP/HELP keywords, no-third-party-sharing clause, and a statement that consent is not required for care. Patients can opt out instantly by replying STOP. All consent events are logged with full audit trails. No protected health information is included in SMS message content. Complete documentation including opt-in form screenshots and the verbal consent script is publicly accessible at caremetric.ai/sms-compliance.