Compliance & Security
Built for the compliance you actually have to meet.
Compliance is not an add-on. It's the workflow. Scope of Appointment, Permission to Contact, disclaimers, and audit-ready records are captured in line with the work you're already doing.
Scope of Appointment (SOA)
CMS-aligned template, e-signed by the client at intake, valid for 12 months, and stored as an immutable record you can produce on demand.
Permission to Contact (PTC)
Captured with timestamp and signature before any contact, and tied to the client's verified identity.
Privacy-policy acknowledgment
Versioned. When the policy changes, the version the client agreed to is preserved with the original timestamp.
Required marketing disclaimers
Included by default on client-facing communications — without you having to remember to add them.
HIPAA-compliant handling
Encryption in transit and at rest, role-based access, and agency isolation (one agency can never see another agency's clients).
Immutable audit log
Key actions are logged immutably — who did what, when, on which client — for the time windows that compliance reviews typically care about.
CMS-sourced data
Verified database of doctors, hospitals, pharmacies, medications, and plans built from official datasets and refreshed on schedule.
Compliance FAQ
Common compliance questions.
Yes. SOA is captured with the elements CMS requires, e-signed at intake, valid for 12 months, and stored as an immutable record.
ClientKeep is HIPAA compliant: encryption in transit and at rest, role-based access, and agency isolation. Compliance is a shared responsibility — your agency's HIPAA program covers how your team uses it.
Yes. The audit log captures key actions immutably and is queryable per client and date range.
From official CMS-published datasets, refreshed on schedule.
Your data remains accessible during the grace period after cancellation; you can export records before it's removed.