Families

Caregiver Portal

The Caregiver Portal is Coralia's separate login surface for parents and legal guardians of children in Applied Behavior Analysis (ABA) therapy. Caregivers electronically sign the agency's consent documents and see a plain-language attendance history for their own child — never clinical notes, billing codes, staff screens, or other families' data.

The problem in real agencies

An ABA agency runs on signed paper: consent to treat, the Notice of Privacy Practices under the Health Insurance Portability and Accountability Act (HIPAA), financial responsibility, releases of information. Those pages get signed in a lobby at intake, scanned, and filed. At payer-audit time, someone discovers a required consent was never signed, or the signed version no longer matches the current template — and nobody can prove what text the caregiver actually saw. Chasing a signature after the fact is slow; defending one without a record is worse.

Families also want visibility, and agencies face two bad options. Give parents nothing, and updates travel by phone calls and emails carrying protected health information (PHI) over channels the agency cannot audit. Give parents a login bolted onto the staff system, and the family view is one permissions bug away from exposing other children's records, clinical notes, or staff identities. Neither option survives contact with a payer audit or a privacy complaint.

Then there is the billing chase. A caregiver's attestation that a visit actually happened is part of what makes a session defensible to a payer, and collecting it on paper at the door — or days later by phone — leaves gaps an auditor will find. Agencies need caregiver signatures captured at the point of care, tied to the exact visit facts, and provable months later without digging through filing cabinets.

How it works in Coralia

  1. 1

    Staff invite; the caregiver accepts once

    A staff member with the client-edit permission opens the client profile and clicks 'Invite to portal' on the caregiver's card; the caregiver needs an email on file. The invitation is tokenized, expires in 7 days, and re-inviting while one is pending resends the same token instead of minting a duplicate. The email itself is deliberately PHI-free. Accepting provisions everything in one transaction: a parent account with a strong password, the agency membership, and the link to the child. Staff watch live status throughout — never invited, invite pending with a resend option, or active.

  2. 2

    A separate surface, isolated both ways

    The portal is its own application shell — it never renders staff dashboard chrome. A parent account is a distinct user type with no staff profile and no staff role-based access control (RBAC) permissions; its only authority is an explicit per-child link. Middleware isolates both directions: a parent token on any staff route redirects to the portal, a staff token on the portal redirects to the dashboard, and the same scope checks guard every application programming interface (API) call. Each parent request is double-gated — authenticated parent account, then an active link to that specific child — and fails closed.

  3. 3

    Consent signing that produces a legal record

    The portal home lists each child with an honest consent badge: consents still to sign, all signed, or nothing to sign right now. Each document shows required or optional, its status, and its signed-on date; 'Review & sign' opens the full legal text under a fixed attestation. Signatures can be typed or drawn. Every signature snapshots the exact title, version, and body signed, with a SHA-256 content hash, IP address, and user agent — an append-only record with the parent as signer. Draft templates are unsignable everywhere: the portal shows 'Not ready' and the server independently rejects the attempt.

  4. 4

    Attendance in plain language, nothing clinical

    Each child's page shows a read-only 'Recent visits' list: the 20 most recent approved sessions with date, duration in minutes, service type, and location. Current Procedural Terminology (CPT) codes are translated — nine procedure codes map to four plain labels (Assessment, Therapy session, Group therapy, Caregiver training), and five location types render as 'In clinic', 'At home', 'At school', 'In the community', or 'Telehealth'. Session notes, goal data, measurements, and staff identity never appear. Dates are formatted server-side by the visit's stored calendar day, so every caregiver sees the same calendar day regardless of their device clock.

  5. 5

    Caregiver visit verification at the point of care

    No portal login is needed for the caregiver visit verification: at the end of a session, the caregiver signs it on the staff member's device, attesting that the visit occurred. The verification mechanics — the content hash, date validation, and the claim gate — are documented on the Electronic Visit Verification (EVV) page.

  6. 6

    Agency-controlled templates, opt-in access, full audit trail

    Consent templates are per-agency data: title, legal body, required versus optional, signer role (caregiver or guardian), and sort order — the portal's signing queue and pending-count badges derive entirely from them. Six templates seed each new agency (three required, three optional) and start as drafts, unsignable until an admin finalizes the agency's official text. Nothing is exposed without an accepted invitation, and deactivating a caregiver's membership locks the portal immediately. Every action — invite, resend, acceptance, consent signature, visit verification — writes a dedicated event to an audit log built for HIPAA compliance, and caregiver signatures refresh the corresponding staff consent, session, and billing views.

The specifics

  • The entire parent-facing surface is two portal pages and four application programming interface (API) endpoints — small enough to review line by line.

  • Invitations are tokenized, expire in 7 days, and re-inviting resends the same pending token instead of minting a duplicate.

  • Nine Current Procedural Terminology (CPT) codes map to four plain labels: Assessment, Therapy session, Group therapy, and Caregiver training.

  • Five location types render in plain words: In clinic, At home, At school, In the community, and Telehealth.

  • Six consent templates seed every agency — three required, three optional — each editable per agency with its own version and draft flag.

  • Every consent signature stores a SHA-256 hash of the exact text signed, plus the attestation version, IP address, and user agent.

  • Signatures can be typed or drawn; a drawn signature must be a PNG under 1 MB, kept behind an authentication-gated proxy — the raw storage URL never leaves the server.

  • Parents see each child's 20 most recent approved sessions — date, duration, service, location — and never notes, goals, measurements, or staff identity.

  • Five parent auth failure codes and two middleware scope codes keep the parent and staff surfaces separated, failing closed on every request.

  • A treatment session note needs three signatures — rendering provider, supervising analyst, and caregiver — before it is billable (assessment observations follow a single-signature path); the caregiver's is captured at point of care.

Integrations

Transactional email for invitations — the message is deliberately PHI-free, so no protected health information transits the email vendor · Audit log built for HIPAA compliance — dedicated events for invite, resend, acceptance, consent signature, and visit verification · File storage for drawn signature images — the raw URL never leaves the server; images are served only through an authentication-gated proxy · Staff changefeed — a caregiver's portal consent signature refreshes staff consent views, and a point-of-care visit verification refreshes staff session and billing views

Access control

Parent accounts carry no staff role-based access control (RBAC) permissions; their access is structural — parent account type, active agency membership, and an active per-child link, all re-checked on every request and failing closed. On the staff side, sending or resending a portal invitation requires the client-edit permission, and capturing the point-of-care visit verification requires the session-edit permission.

Frequently asked questions

Can parents see session notes or clinical data in the portal?

No. Parents see a read-only attendance list — date, duration in minutes, plain-language service type and location — for each child's 20 most recent approved sessions. Session notes, goal data, measurements, CPT codes, and staff identity never appear in the portal's data contracts, and middleware blocks a parent account from every staff route and staff API.

How do caregivers sign consent documents electronically?

Staff send an invitation from the client profile; the caregiver accepts a tokenized link that expires in 7 days and sets a strong password. In the portal, they open each document's full legal text and sign — typed or drawn — under a fixed attestation statement. The record snapshots the exact text and version signed, with a SHA-256 content hash, IP address, and user agent.

Is the invitation email safe to send over regular email?

The invitation email is deliberately free of protected health information — no caregiver name, no agency name, no care-relationship wording — because transactional email can transit a vendor without a business associate agreement (BAA). Details render only behind the authenticated accept link. If the address already belongs to an existing account, the invitation is refused rather than silently linked.

What is the caregiver visit verification?

The caregiver visit verification is the point-of-care record that a visit occurred: at the end of a session, staff hand their device to the caregiver, who attests to the date, time, and duration — never the clinical note content. It is the third of three signatures — rendering provider, supervising analyst, caregiver — that a treatment session note needs before it can be billed (assessment observations follow a single-signature path). No portal login is required.

How does an agency control or shut off portal access?

Access is opt-in from the start: nothing is exposed until staff send an invitation and the caregiver accepts it. To shut it off, deactivate the caregiver's membership — every portal request re-verifies an active parent account, an active membership, and an active link to the specific child, and fails closed the moment any of those is missing.