This Privacy Policy explains how LEMR Systems ("LEMR Systems," "we," "us," or "our") collects, uses, discloses, and safeguards information in connection with our websites, applications, and related offerings (collectively, the "Services"). This draft is provided for convenience and does not constitute legal advice. You should consult legal counsel to tailor the policy to your specific operations and regulatory obligations (including HIPAA, HITECH, and applicable state privacy laws).
1) Scope & Roles
- Scope. This Policy applies to information processed by or on behalf of LEMR Systems through the Services, including our EMR platform used by home health agencies and their workforce members.
- HIPAA Roles. For customers that are Covered Entities or Business Associates (as those terms are defined by HIPAA and HITECH), LEMR Systems typically acts as a Business Associate when providing EMR and related services that involve Protected Health Information (PHI). We will execute a Business Associate Agreement (BAA) with such customers. Where we process information outside HIPAA’s scope (e.g., marketing site analytics, product feedback unrelated to PHI), we act as an independent controller/business of that non-PHI data.
- Notice of Privacy Practices (NPP). LEMR Systems is not a health care provider and does not issue an NPP to patients. Covered Entities are responsible for their own NPPs. We support Covered Entities in meeting their HIPAA obligations under the BAA.
2) Definitions (Plain-English Summaries)
- PHI: Individually identifiable health information relating to a person’s health, care, or payment for care, as defined by HIPAA (in any form—electronic, paper, oral) when handled by a Covered Entity or its Business Associate.
- Personal Information / Personal Data (PI/PD): Information that identifies or can reasonably be linked with an individual (e.g., account contact data, device identifiers). Non-PHI personal information may be subject to state (e.g., CCPA/CPRA) or international (e.g., GDPR/UK GDPR) laws.
- De-identified Data: Data that does not identify an individual and cannot reasonably be used to do so. For PHI, de-identification must comply with HIPAA (e.g., Safe Harbor or Expert Determination methods). De-identified data is not PHI.
- Aggregated Data: Data combined to report trends or statistics without identifying individuals.
3) Information We Collect
We collect information in the following categories. The exact data elements depend on how the Services are configured by the customer and on applicable law.
A) Account & Contact Data (Non-PHI)
- Examples: name, business email, phone, agency/organization, role, billing and admin contacts, credentials (hashed), and preferences.
- Sources: you, your employer/agency, or your administrator; limited third-party verification (e.g., domain whitelisting).
B) Customer Workforce & Configuration Data (Non-PHI)
- Examples: user provisioning data, role-based access settings, audit configuration, SSO identifiers, roster information supplied by the customer.
C) PHI Processed in the EMR (PHI)
- Examples: patient demographics, visit notes, assessments, vitals, medications, diagnoses, care plans, scheduling, ordering/referrals, payor/billing metadata, and other records entered into the EMR by or on behalf of the customer.
- Note: PHI is processed only to provide the Services and as permitted by the applicable BAA and customer instructions. We do not use PHI for advertising, profiling, independent research, or sale.
D) Support & Communications Data
- Examples: support tickets, emails, chat transcripts, attachments, call recordings. Please do not include PHI in support tickets unless necessary. If PHI is shared, we handle it as PHI under the BAA.
E) Usage, Telemetry & Device Data (Non-PHI)
- Examples: IP address, device/OS/browser info, app version, pages/screens viewed, time stamps, feature interactions, performance metrics, crash logs. We configure telemetry to avoid ingesting PHI and apply controls (e.g., field redaction) to minimize accidental capture.
F) Cookies & Similar Technologies (Non-PHI)
- Examples: strictly necessary cookies for session management, security, and load balancing. On marketing sites we may use analytics. We do not use PHI for advertising. You may manage non-essential cookies where applicable.
G) De-identified & Aggregated Data
- We may de-identify PHI in accordance with HIPAA (Safe Harbor or Expert Determination) and use or disclose the resulting data for lawful purposes (e.g., service improvement, reliability insights), consistent with the BAA and applicable law.
4) How We Use Information
- Provide & Maintain the Services. Account creation, authentication/SSO, role-based access, patient record management, scheduling, e-prescribing interfaces or exports, audit logging, data backups and recovery.
- Operate on Customer Instructions. For PHI, we act under the customer’s direction and the BAA, including to host, transmit, or process PHI for treatment, payment, and health care operations.
- Support & Communications. Responding to tickets, training, onboarding, and change management.
- Security & Compliance. Monitoring for abuse or anomalies, detecting and preventing fraud, maintaining audit trails, complying with law enforcement requests (subject to legal process and limits).
- Improve & Develop. Enhancing usability, performance, reliability, and features. We do not use PHI for product advertising or unrelated profiling. Where analytics are used, we strive to rely on de-identified or non-PHI data.
5) HIPAA & HITECH Commitments (When Acting as Business Associate)
- Permitted Uses/Disclosures. We use and disclose PHI only as permitted by the BAA, HIPAA/HITECH, and customer instructions, including for treatment, payment, and health care operations; to manage and secure the Services; and as required by law.
- Minimum Necessary. We access PHI only to the minimum extent necessary to perform our obligations.
- Safeguards. We implement administrative, technical, and physical safeguards appropriate to the nature of PHI:
  - Administrative: policies, workforce training and confidentiality obligations; access approvals and reviews; vendor risk management; risk analysis and management; incident response.
  - Technical: encryption in transit and at rest; network segmentation; key management; strong authentication (e.g., MFA support); role-based access control (RBAC) and least privilege; audit logging and monitoring; vulnerability and patch management; secure software development practices.
  - Physical: facility access controls; environmental and hardware protections; secure media handling and destruction.
- Subcontractors. We require any subcontractor that creates, receives, maintains, or transmits PHI on our behalf to agree in writing to substantially similar obligations (i.e., a downstream BAA) and to implement appropriate safeguards.
- Access, Amendment & Accounting. We assist the customer, upon request, in responding to patient rights requests under HIPAA (access, amendment, accounting of disclosures) to the extent the PHI is maintained by us.
- Breach & Security Incident Reporting. We will report to the customer without unreasonable delay and within timelines required by law and the BAA any breach of unsecured PHI or security incident of which we become aware, and will cooperate in investigation and notifications.
- Government Access. We make our internal practices, books, and records relating to PHI available to the Secretary of HHS as required by law.
- Return/Destruction. Upon termination/expiration of Services, we will return or securely destroy PHI in accordance with customer instructions, the BAA, and legal retention requirements (where return or destruction is feasible).
6) Legal Bases for Processing (EU/EEA/UK where applicable)
Where data protection laws (e.g., GDPR/UK GDPR) apply to non-PHI personal data, we rely on one or more of the following legal bases: contract performance, legitimate interests (e.g., to secure and improve the Services), consent (where required, e.g., non-essential cookies), and legal obligation. For PHI under HIPAA, our processing is governed by the BAA and HIPAA/HITECH, not by consent under GDPR.
7) Sharing & Disclosures
We do not sell PHI and do not use PHI for targeted advertising.
- Service Providers / Subprocessors. Hosting, database, monitoring, email delivery, customer support, and similar vendors under contracts that require confidentiality, security safeguards, and (when handling PHI) BAAs. We maintain a current list of subprocessors, available upon request or on a public page.
- Customer & Authorized Users. PHI and other records are available to the customer’s authorized users consistent with RBAC settings and audit controls.
- Legal, Safety & Compliance. To comply with law, regulation, legal process, or governmental requests; to protect the rights, property, or safety of LEMR Systems, our customers, or the public; to enforce agreements; or to detect and prevent fraud, security, or technical issues.
- Business Transfers. In the event of a merger, acquisition, reorganization, or asset sale, information may be transferred subject to continuing obligations consistent with this Policy and the BAA for PHI.
California (CCPA/CPRA) and similar state laws: we do not “sell” or “share” PHI. For non-PHI personal information, we do not sell or share your personal information for cross-context behavioral advertising in the EMR. Limited marketing-site analytics may constitute “sharing” under CPRA; where applicable, we provide controls to opt out.
8) Security Overview
- Encryption in transit and at rest; key management.
- Strong identity and access management; RBAC; support for SSO and MFA.
- Network and application firewalls; intrusion detection and monitoring.
- Secure SDLC, code review, dependency scanning, and vulnerability management.
- Continuous logging, alerting, and audit trails for administrative and PHI-relevant actions.
- Backups, redundancy, and disaster recovery/business continuity planning.
- Workforce screening, training, and confidentiality obligations.
No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we continuously improve our controls and practices.
9) Data Retention
- PHI. We retain PHI only as directed by the customer and as required to provide the Services, comply with law, and meet the BAA. Retention schedules may vary by jurisdiction and customer policy. Upon request and subject to feasibility and law, we will return or delete PHI.
- Account & Operational Data (non-PHI). We retain such data for as long as necessary to provide the Services, for legitimate business needs (e.g., security, fraud prevention), and to comply with legal obligations. We may retain de-identified/aggregated data for analytics and service improvement.
10) Your Rights & Choices
Your rights depend on your role and location:
- Patients / Individuals (PHI). Requests regarding PHI (access, amendment, restrictions, accounting of disclosures) should be directed to the Covered Entity (your provider/agency). We assist the Covered Entity as required by HIPAA and the BAA.
- Account Users & Site Visitors (Non-PHI). Depending on your jurisdiction, you may have rights to access, correct, delete, object to or restrict processing, and portability of your personal information. To exercise rights, contact us at privacy@lemrsystems.com. We may need to verify your identity or refer you to your organization.
- California Residents. You may have rights to know, access, correct, and delete personal information, and to opt out of “sales”/“sharing” of personal information (not applicable to PHI). We honor opt-out signals where required.
- EEA/UK Residents. Where GDPR/UK GDPR applies, you may have rights to access, rectification, erasure, restriction, portability, and objection. You may also withdraw consent where consent is relied upon for processing.
11) Children’s Privacy
The Services are not directed to children under 13 (or under 16 in the EEA/UK where applicable). We do not knowingly collect personal information directly from children. Agencies are responsible for ensuring lawful collection and entry of PHI for minors under their care.
12) International Data Transfers
We may transfer, store, and process information in countries other than where it was collected. Where required, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) and additional measures. For PHI, transfers and hosting locations are governed by the BAA and customer agreements.
13) State-Specific Disclosures (U.S.)
Depending on your state, additional rights and disclosures may apply (e.g., CA, CO, CT, UT, VA). We will comply with applicable state health privacy and consumer privacy laws in addition to HIPAA/HITECH. In the event of conflict, we comply with the law that affords greater protection.
14) Changes to This Policy
We may update this Policy to reflect changes to our practices or legal requirements. If we make material changes, we will post the updated Policy and adjust the effective date above. Where required by law, we will provide additional notice or obtain consent.
15) Contact Us
Mailing address and additional contact options are available upon request or in your customer agreement.
16) Additional HIPAA Addendum (Summary of BAA-Aligned Commitments)
- Permitted Uses/Disclosures: as necessary to provide the Services; for proper management and administration; to fulfill legal obligations; and as otherwise authorized by the BAA.
- Minimum Necessary & Access Controls: least-privilege access, workforce training, periodic access reviews.
- Safeguards: administrative, technical, and physical controls appropriate to the size and nature of PHI processed.
- Subcontractors: written agreements requiring HIPAA-compliant safeguards and restrictions.
- Reporting: prompt notice of security incidents and breaches of unsecured PHI to the customer; cooperation with investigation and mitigation.
- Patient Rights Support: assistance with access, amendment, and accounting requests received via the customer.
- HHS Access: cooperation and access as required by HIPAA.
- Return/Destruction: upon termination, return or destroy PHI where feasible; if not feasible, extend protections.
- Records & Audit: maintain documentation necessary to demonstrate compliance as required by law.
17) Important Disclaimers
- No Legal Advice. This Policy is informational and does not constitute legal advice. Your organization’s obligations under HIPAA/HITECH, 42 C.F.R. Part 2 (if applicable), state laws, and other regulations may require additional terms or notices.
- Customer Responsibilities. Customers are responsible for obtaining necessary authorizations/consents, configuring RBAC and audit settings, training workforce members, avoiding unnecessary PHI in support tickets, and ensuring data entered into the EMR is accurate and lawfully collected.
© 2025 LEMR Systems. All rights reserved.