Minnesota DHS & MHCP Compliance Platform
Built for the complexity of Minnesota DHS compliance.
A purpose-built platform for 245D HCBS and Home Care providers. Automate document generation, electronic signatures, staff records, and expiration tracking — with HIPAA security and a full audit trail built into every layer.
Minnesota DHS compliance is complex.
Most providers are managing it in spreadsheets.
245D HCBS and Home Care providers face overlapping documentation requirements, strict PHI handling rules, and renewal deadlines that don't wait. Manual tracking creates gaps — and in a regulated environment, gaps become citations.
Certifications lapse without warning
Automated scanning alerts your team before every deadline, not after.
Clients face friction getting documents signed
A link is all they need. No account, no app, no delays.
PHI is scattered across email and unencrypted files
Every PHI field double-encrypted, every access audit-logged.
Who It's For
Built specifically for two provider types regulated by the Minnesota Department of Human Services.
Minnesota Statute 245D
245D HCBS Providers
Home and Community Based Services providers delivering waiver services. Kloud Compliance manages the full documentation lifecycle for staff, clients, and supervisors operating under 245D requirements.
- Staff background study ID tracking (NETStudy 2.0)
- Client rights and maltreatment documentation
- Individual service plan and support documents
- Incident documentation and annual review tracking
MN Rules Chapter 4668
Home Care Agencies
Licensed Home Care and Temporary Home Care agencies providing services in client residences. Tracks aide competency, supervision compliance, and license renewal across the full agency roster.
- Aide competency and orientation documentation
- Supervised hour verification records
- Service agreement and disclosure management
- License renewal timeline and alert tracking
Capabilities
Purpose-built for Minnesota DHS requirements — not a generic document tool adapted for healthcare.
Every capability the compliance lifecycle requires.
Document Generation
Generate compliance PDFs from configurable Handlebars templates. Variable schemas, conditional sections, and multi-party signature blocks are all handled automatically — no manual document assembly.
Electronic Signatures
Clients sign via a token-gated link — no account required. Every signing event captures the full E-SIGN Act evidence record: explicit consent, timestamp, IP address, user-agent, and a SHA-256 document hash locked at the moment of signing.
Staff Record Management
Centralize employee onboarding documents, NETStudy 2.0 background study IDs, and certification expiration dates. All PHI fields are encrypted with AES-256-GCM at the application layer before being written to the database.
Client & Representative Management
Maintain service recipient records alongside guardians and POA contacts. Track Medicaid IDs, electronic consent status, and PHI-encrypted personal information across multiple service locations.
Expiration Scanning
An automated background process continuously monitors staff certifications and document expiration dates. Email alerts are sent proactively before deadlines — not after a lapse has already occurred.
Immutable Audit Log
Every data mutation produces an append-only audit entry with field-level diffs. The log is written via an INSERT-only database role the application cannot circumvent, and is retained for the HIPAA-minimum 6-year period.
Security
HIPAA compliance is not a feature checklist. Every architectural decision was made with regulatory requirements as a constraint.
HIPAA-grade security, structural by design.
PHI Encryption
AES-256-GCM at the application layer + KMS-encrypted RDS at rest. Two independent encryption layers on every PHI field.
E-SIGN Act & MN UETA
Explicit consent capture, document hash at time of signing, IP and user-agent logging, tamper detection post-signature.
Role-Based Access
9 roles across platform and company levels. Tenant isolation enforced at every database query — data cannot leak between organizations.
Audit Retention
INSERT-only database role. Field-level diffs on every write. Automatic S3 GLACIER transition after 7 years.
TLS on Every Path
CloudFront → ACM termination. Encrypted transit between ALB, ECS, RDS, and ElastiCache. No plaintext data paths.
Document Access
PHI documents served only via 10-minute pre-signed S3 URLs. Block public access enforced. Zero direct bucket exposure.
Secrets Management
All credentials stored in AWS Secrets Manager and injected at runtime. No secrets in environment files or container images.
CI/CD Security
GitHub OIDC federation — no static AWS credentials. Prisma migrations run as isolated ECS tasks inside the VPC before each deploy.
How It Works
No lengthy implementation. No professional services engagement. Most organizations are operational within a week.
From onboarding to fully compliant operations.
Configure your organization
Select your provider type, add service locations, and set your compliance profile. The requirements engine uses this configuration to determine which documents apply to each staff member and client — automatically.
Generate and distribute documents
Add staff and clients to the platform. Applicable documents are identified, generated as PDFs, and distributed for signature in one workflow. Clients receive a signing link — nothing else required on their end.
Track, sign, and stay ahead of deadlines
Monitor completion status in real time. The expiration scanner runs continuously in the background, alerting your compliance team before any certification or document deadline is reached.
FAQ
Common questions from compliance administrators and agency operators.
Does this cover both 245D HCBS and Home Care agencies?
Yes. The platform supports both provider types under Minnesota DHS regulation. During onboarding you select your provider type — 245D HCBS under Minnesota Statute 245D, or Home Care under MN Rules Chapter 4668 — and the requirements engine applies the correct document obligations automatically. Organizations operating under both license types can configure a combined compliance profile.
Do clients need to create an account to sign documents?
No. Signing links are token-gated with a 72-hour expiry. The client clicks the link and signs directly from any device — no login, no download, no friction. The platform captures the full E-SIGN Act evidence record in the background: explicit consent acknowledgment, consent timestamp, IP address, user-agent string, and a SHA-256 hash of the document at the exact moment of signing.
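The signing flow described in this answer, as an added example in Node.js; it is not the platform's own code. The function names, the record layout, storing only a hash of the token, and single-use redemption are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const LINK_TTL_MS = 72 * 60 * 60 * 1000; // 72-hour expiry stated in the FAQ
const sha256 = (data) => crypto.createHash('sha256').update(data).digest('hex');

// Issue a signing link token. Assumption: only the token's hash is stored,
// so reading the table does not yield a usable link.
function issueSigningToken(documentId, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('base64url');
  const row = { documentId, tokenHash: sha256(token), expiresAt: now + LINK_TTL_MS, usedAt: null };
  return { token, row };
}

// Redeem the token and build the evidence record at the moment of signing.
function sign(row, presentedToken, pdfBytes, req, now = Date.now()) {
  const presented = Buffer.from(sha256(presentedToken), 'hex');
  const stored = Buffer.from(row.tokenHash, 'hex');
  if (!crypto.timingSafeEqual(presented, stored)) throw new Error('invalid token');
  if (now > row.expiresAt) throw new Error('link expired');
  if (row.usedAt !== null) throw new Error('link already used'); // assumption: single use
  if (req.consentAccepted !== true) throw new Error('explicit consent required');
  row.usedAt = now;
  return Object.freeze({
    documentId: row.documentId,
    consentAccepted: true,
    consentTimestamp: new Date(now).toISOString(),
    ipAddress: req.ip,
    userAgent: req.userAgent,
    documentSha256: sha256(pdfBytes), // hash of the exact bytes that were signed
  });
}

// Tamper detection after signing: recompute the hash and compare with the record.
function isUnmodified(evidence, pdfBytes) {
  const recorded = Buffer.from(evidence.documentSha256, 'hex');
  const current = Buffer.from(sha256(pdfBytes), 'hex');
  return crypto.timingSafeEqual(recorded, current);
}
```

The hash only proves the stored PDF matches what was signed if the evidence record itself cannot be rewritten, which is the job of the append-only audit log described under Capabilities.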
How is PHI protected?
PHI fields are encrypted with AES-256-GCM at the application layer before being written to the database. The database itself is encrypted at rest using AWS KMS with customer-managed keys. This creates two independent encryption layers. PHI never appears in application logs, email notifications, or audit entries — only encrypted ciphertext is ever stored or transmitted. Document access is restricted to 10-minute pre-signed S3 URLs with no direct bucket exposure.
How long does implementation take?
Most organizations are fully operational within a week. There is no professional services engagement required. The onboarding wizard guides you through provider configuration, service location setup, template selection, and team invitations. The platform runs on AWS infrastructure defined in Terraform — if you are deploying to your own account, your engineering team can be up and running in a day.
Can the platform be deployed to our own AWS account?
Yes. The full infrastructure is defined in Terraform modules covering VPC, ECS Fargate services, RDS PostgreSQL, ElastiCache Redis, S3 buckets, and CloudFront. Deploying to your own account gives you complete data sovereignty, direct control over KMS keys, and the ability to execute a Business Associate Agreement with AWS independently.
What happens when a certification is about to expire?
The expiration scanner is an automated background job that runs continuously and checks for upcoming staff certification and document expiration dates. It sends proactive email alerts to the configured compliance contacts before any deadline — not reactively after a lapse. Alert timing and recipients are configurable per document type.
Get in Touch
Schedule a demo for your organization.
We'll walk through the platform with your specific provider type, document types, and compliance requirements in mind. A Business Associate Agreement is available upon request.
Request a Demo
Email us directly to schedule a personalized walkthrough. We typically respond within one business day.
Prefer a call? Mention it in your email and we'll send a calendar link.
Get Started
Your compliance operations deserve infrastructure, not spreadsheets.
Built for the regulatory environment Minnesota providers operate in. HIPAA-compliant from the ground up, operational within a week.