Mira
Español

Call us directly

801-341-9304

Platform · Compliance

Mira™ Compliance.

42 CFR 418.58 QAPI reports, PHI audit trails, breach notification workflows, BAA-gated AI. Compliance built in, not bolted on.

Compliance infrastructure that surveyors and auditors can verify.

Hospice compliance is not a checkbox exercise. 42 CFR 418.58 requires a functioning Quality Assessment and Performance Improvement program with six distinct elements — not a report that checks a box. HIPAA requires that each covered entity can produce a complete access log for any PHI record on demand. The 60-day breach notification clock under 45 CFR 164.412 starts from the date the organization discovers the incident, not when it is fully investigated.

Mira™ is built to satisfy these requirements with evidence, not assurances. The PHI audit trail records every access event: user identity, patient record accessed, timestamp, and IP address. The QAPI module tracks all six required elements and produces a quarterly export formatted for the survey binder. The breach workflow starts the 60-day notification countdown the moment an incident is logged. These are not features to configure — they are on and producing records from the first patient admission.

AI features carry additional compliance weight in a healthcare context. Every AI call in Mira™ is gated by a signed Business Associate Agreement with the provider. Each organization's AI features are off by default; an administrator enables them per organization. Every AI call is logged with the feature invoked, the prompt length, the latency, and the opt-in status at the time of the call. The prompt body and the model response are never stored in the audit log.

Compliance areas covered

  • PHI access audit trail — every chart access logged with user, timestamp, IP
  • 42 CFR 418.58 QAPI — 6-element tracking with quarterly survey-binder export
  • Breach notification — 60-day countdown starts on incident logging (45 CFR 164.412)
  • BAA + per-org AI opt-in — BAA in place with every AI provider; default off per org
  • SOC2 Type II — audit in progress; target completion 2026 Q4

What compliance officers ask for

  • "Show me every access to this patient's record in the last 90 days" — queryable in seconds
  • "We need our QAPI report for the survey binder" — quarterly export available on demand
  • "When was this breach discovered and when was the clock started?" — logged at incident creation
  • "Which AI features are active for which organizations?" — admin dashboard with per-org status
  • "Are your AI providers covered under BAAs?" — yes; executed agreements available under NDA
  • "What is your SOC2 status?" — Type II audit in progress; Type I completed; report available under NDA
01 — PHI access audit trail

Every chart access logged. Queryable by patient, user, date range, or IP.

HIPAA's Access Report requirement under 45 CFR 164.528 allows patients to request an accounting of disclosures. The Mira™ audit trail goes further: it logs every access to a patient record by any authenticated user — not only disclosures to third parties, but every internal chart view, documentation entry, and record export. Each event captures the user identity (name and system ID), the patient record accessed, the action taken, the timestamp (UTC), and the originating IP address.

The audit log is immutable. Records cannot be modified or deleted through the application interface. Queries are available to compliance officers through the admin panel — filter by patient, by user, by date range, or by any combination. Exports are available in CSV format for use in investigation reports, surveyor requests, or legal discovery.

The AI audit log is a separate, co-located stream. Every AI feature invocation is logged alongside the standard PHI access events: feature name, prompt length, latency, opt-in status, and the patient and org IDs involved. The prompt body and model response are never logged — only the metadata needed for compliance verification.

  • Logs every chart access — not only third-party disclosures — with user, timestamp, IP
  • Immutable records: no modification or deletion through the application interface
  • Queryable by patient, user, date range, IP, or any combination; CSV export available
  • AI audit events co-located: feature, prompt length, latency — never prompt body or response
PHI audit trail — filtered query view
compliance screenshot: phi-audit-trail Mira product screenshot with numbered annotations. 1 2
  1. 1 Every chart access logged with user, timestamp, IP.
  2. 2 Filter by patient, user, or date range.
QAPI dashboard — 6-element tracking and quarterly export
compliance screenshot: qapi-six-element Mira product screenshot with numbered annotations. 1 2
  1. 1 All 6 QAPI elements tracked: structure, process, outcomes, performance, indicators, projects.
  2. 2 Quarterly export ready for the survey binder.
02 — 42 CFR 418.58 QAPI reporting

All six required QAPI elements tracked. Quarterly export ready for the survey binder.

42 CFR 418.58 requires hospice programs to maintain a QAPI program that addresses six specific elements: organizational structure, process, patient outcomes, performance indicators, performance improvement projects, and governing body oversight. Surveyors review these elements against documentation evidence — a narrative description of the program is not sufficient.

The Mira™ QAPI module tracks each of the six elements with discrete data: structure is recorded through the program charter and team composition; process is documented through the workflow tracking built into the clinical module; outcomes are drawn from the patient data already in the system; performance indicators are configured by the compliance team and tracked over rolling 90-day windows; performance improvement projects have defined start dates, goals, measurement criteria, and closure status; governing body oversight is documented through meeting records and sign-off events.

The quarterly export compiles all six elements into a structured report formatted for the survey binder. The same data is available for CMS Conditions of Participation self-assessment. The report is generated on demand — no manual compilation required.

  • 6 elements per 42 CFR 418.58: structure, process, outcomes, performance indicators, PI projects, governing body
  • Performance indicators tracked over rolling 90-day windows with configurable thresholds
  • PI projects tracked with start date, goal, measurement criteria, and closure status
  • Quarterly export formatted for survey binder; available on demand; no manual compilation
03 — Breach notification workflow

60-day notification countdown starts on incident logging. Not on investigation close.

Under 45 CFR 164.412, a covered entity must provide breach notification to affected individuals no later than 60 calendar days after the date of discovery of the breach — not 60 days after the investigation is complete, not 60 days after legal review, not 60 days after the breach is confirmed. The clock starts at discovery. Organizations that treat the 60-day window as beginning at the end of their investigation process are misreading the regulation and accepting avoidable enforcement risk.

The Mira™ breach workflow starts the clock when an incident is created in the system. The discovery date is recorded at creation and cannot be backdated. The 60-day deadline appears on the incident record, on the breach queue, and in the daily compliance digest for any open incident approaching the 30-, 45-, and 60-day marks. The workflow tracks the required notification elements: affected individuals, affected PHI categories, the nature of the incident, steps taken, and the date individual notification was sent.

  • Discovery date recorded at incident creation — cannot be backdated
  • 60-day deadline calculated per 45 CFR 164.412 and surfaced on the incident record and queue
  • Escalation alerts at 30, 45, and 60 days for all open incidents
  • Tracks required notification elements: affected individuals, PHI categories, incident nature, steps taken, send date
Breach notification — incident creation with 60-day countdown
compliance screenshot: breach-workflow Mira product screenshot with numbered annotations. 1
  1. 1 60-day notification countdown starts on incident logging.
BAA + AI opt-in — per-provider BAA status and per-org feature toggles
compliance screenshot: baa-opt-in Mira product screenshot with numbered annotations. 1
  1. 1 BAAs signed with every AI provider. Status per provider visible to admins.
04 — BAA + per-org AI opt-in

BAA executed with every AI provider before any data flows. All AI features off by default.

A Business Associate Agreement must be in place with any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity or business associate — including AI providers when their models process patient data as part of the service. Mira™ has executed BAAs with each AI provider in use before any PHI-adjacent data was processed through those providers. Copies of executed agreements are available to customers under NDA.

The per-org opt-in is not a compliance gesture — it is the architecture. Every Mira™ organization starts with all AI features disabled at the infrastructure level. An administrator must affirmatively enable each feature for their organization. The default-off state means a new organization does not accidentally begin processing data through AI providers before their compliance team has reviewed the feature and the associated BAA.

The admin dashboard shows BAA status per provider — executed, pending review, or expired — and the opt-in status of each AI feature per organization. Both are visible to compliance officers without requiring a support ticket or a call with Mira™'s team.

  • BAA executed with each AI provider before any PHI-adjacent data was processed; copies available under NDA
  • All AI features disabled by default at the infrastructure level — not just in the UI
  • Admin enables each AI feature per organization; the decision and the enablement date are audit-logged
  • Admin dashboard: BAA status per provider (executed/pending/expired) and opt-in status per org
05 — SOC2 status + roadmap

SOC2 Type II audit in progress. Target completion 2026 Q4.

SOC2 Type I evaluates whether controls exist and are designed appropriately at a point in time. SOC2 Type II evaluates whether those controls operated effectively over a defined period — typically six to twelve months. Mira™'s Type I audit is complete. The Type II observation period is running. The Type II report is targeted for completion in 2026 Q4.

The controls under audit span the five Trust Service Criteria relevant to a healthcare SaaS platform: Security (CC6, CC7, CC8, CC9), Availability (A1), Confidentiality (C1), Processing Integrity (PI1), and Privacy (P1–P8). The audit is conducted by an accredited CPA firm under AICPA attestation standards. Mira™ does not self-certify SOC2 compliance.

Current control documentation — including the security policy, access control procedures, incident response procedures, and vendor management framework — is available to prospective customers under a mutual NDA. The SOC2 status page in the admin panel shows the current audit phase and the projected Type II completion date so compliance teams can track progress without a support request.

  • SOC2 Type I complete; Type II observation period running; Type II report targeted 2026 Q4
  • Five Trust Service Criteria: Security, Availability, Confidentiality, Processing Integrity, Privacy
  • Conducted by accredited CPA firm under AICPA attestation standards — not self-certified
  • Current control documentation available under mutual NDA; admin panel shows live audit phase
SOC2 status — current audit phase and projected completion
compliance screenshot: soc2-status Mira product screenshot with numbered annotations. 1
  1. 1 SOC2 Type II audit in progress. Target completion 2026 Q4.

Walk through the compliance workflow in 60 seconds.

Admin dashboard → PHI audit query → QAPI export → BAA + AI opt-in → breach notification → AI audit log. Six steps.

Step 1 of 6: Admin dashboard
Step 1: Admin dashboard
Mira product screenshot with numbered hotspots explaining features.
Step 1 of 6~8s

Admin dashboard

Compliance hub: audit log, QAPI, breach queue, BAA status.

    Ready to review Mira™'s compliance evidence with your compliance officer?

    We support NDA-gated reviews of our SOC2 controls, BAA agreements, and audit log architecture. Bring your compliance officer or your external auditor. 30 minutes, no sales pitch.