Care moments, privately shared
KinLoop is a secure family engagement app for tech-light assisted living caregivers and administrators. It turns everyday care into private, one-tap photo and voice-to-text updates, with automatic digests to approved families, ending phone tag and cutting inbound calls 60% while saving 45 minutes per shift. Auto-blur hides non-consenting faces, speeding handoffs and protecting dignity and compliance.
Subscribe to get amazing product ideas like this one delivered daily to your inbox!
Explore this AI-generated product idea in detail. Each aspect has been thoughtfully created to inspire your next venture.
Detailed profiles of the target users who would benefit most from this product.
Key capabilities that make this product valuable to its target users.
Auto-assigns the correct role and unit on tap by combining badge identity with the day’s schedule and device location. Prevents permission mistakes for floaters, eliminates manual selection, and ensures the right access every shift without extra taps.
Integrate NFC/badge tap and camera barcode scan to capture a staff badge ID and securely map it to a KinLoop staff profile, with encrypted storage, tokenized identifiers, offline caching, and MDM-compatible configuration, ensuring reliable identification on shared, tech-light devices with minimal user effort.
Synchronize the day’s schedule and assignments from facility scheduling systems (e.g., Kronos/UKG, PointClickCare) on a near–real-time cadence, normalize data to KinLoop roles and units, resolve conflicts for floaters and split shifts, and cache results for resiliency, ensuring correct role/unit mapping even during vendor outages.
Determine the current unit/wing using privacy-preserving location signals (Bluetooth beacons, Wi‑Fi SSID mapping, and optional QR/NFC room beacons) with graceful degradation and offline fallback, avoiding continuous tracking while enabling precise, low-power, on-premise unit detection.
Implement a deterministic rules engine that fuses badge identity, schedule data, and current location to auto-assign a time-bounded role and unit, re-evaluates on state changes (location shift, schedule update, session timeout), and applies precedence policies to prevent permission mistakes without requiring extra taps.
Provide a frictionless, accessible screen that displays detected role and unit immediately after badge read, with a single-tap confirm, a guarded optional override flow requiring a reason, clear timers for session duration, and haptic/visual feedback optimized for tech-light use and shared devices.
Capture an append-only audit trail of every assignment decision and override, including inputs (badge ID token, schedule version, location signal), rule outcomes, timestamps, device ID, and user attribution, with secure retention, export (CSV/JSON), and admin search to meet HIPAA and facility compliance requirements.
Offer an admin console to configure rule precedence, unit/role catalogs, allowed override conditions, after-hours access windows, and temporary break-glass permissions with approval workflows and notifications, enabling governance while accommodating real-world staffing changes.
Instantly swaps the active user on a shared device with a new badge tap, parking any drafts and restoring the next user’s context. Stops stray logins during shift handoffs and keeps rounds moving with zero password friction.
Enable instant user switching on shared devices via NFC badge tap. The app listens for a badge-present event, validates the badge against a secure directory, and swaps the active session with no password entry. On recognition, it gracefully terminates the prior session (revoking tokens, clearing in-memory data, and sanitizing UI state) and activates the next user’s profile. Supports common NFC badge standards and provides configurable fallbacks (QR scan or PIN) when NFC is unavailable. Integrates with MDM for provisioning badge mappings and keys. Benefits include eliminating password friction at handoffs, reducing stray logins, and accelerating rounds while maintaining security and compliance.
Automatically park any in-progress notes, photos, or voice-to-text transcriptions under the outgoing user’s drafts when a switch occurs, ensuring no work is lost and no data leaks between users. Drafts are time-stamped, resident-linked, and visible only to their author. The handoff process is atomic and resilient to app closures or low connectivity, with clear UI cues indicating that the prior user’s drafts were saved. This preserves continuity, reduces rework, and prevents cross-user exposure of sensitive content.
On successful tap-in, restore the incoming user’s last working context, including resident filters, unit assignments, camera mode, and open task lists. Provide a prominent Resume Last Task action that jumps directly to the next assigned resident or the user’s last draft. Integrates with assignments and scheduling services to preload context and reduce navigation. This shortens time-to-first-action and keeps rounds moving efficiently.
Apply a configurable idle timeout that auto-locks the app and requires a badge tap to re-enter. Optionally use device sensors (e.g., accelerometer/proximity) to trigger immediate lock when the device is put down or pocketed. Admins can set policy by facility or unit. This prevents unattended access and stray logins during shift handoffs, maintaining privacy and compliance without adding password friction.
Allow TapSwitch to function without network connectivity by using a cached, time-bounded allowlist for badge verification and encrypting minimal session metadata with device keys. Queue audit logs and state changes for reliable, ordered sync when the network returns. Draft parking and context restore must work offline with conflict detection on reconnection. This ensures uninterrupted rounds in low-connectivity environments while preserving security and data integrity.
Capture immutable logs for every switch event, including anonymized user identifiers, device ID, timestamps, location (if permitted), trigger source (tap, timeout, manual), prior session duration, and count of drafts parked. Provide an admin console with filters, exports, retention policies, and anomaly alerts (e.g., rapid repeated switches). Logs exclude PHI and support compliance reviews and operational insights without compromising privacy.
Set measurable performance targets for TapSwitch: 95th percentile time from badge tap to ready state ≤ 800 ms and 99th percentile ≤ 1.2 s. Implement lightweight session teardown, preloading of user context, and lazy-loading of non-critical components. Instrument telemetry and alerting for SLA breaches, and surface in admin reports. This ensures the experience remains instant under real-world load, preserving adoption and operational gains.
One-tap “lost badge” lockdown from admin console with immediate revoke, alerts on attempted use, and a time-limited PIN/QR fallback. Reduces downtime and risk when badges go missing while preserving compliance for urgent access.
Provide a single-action control in the KinLoop admin console to mark a staff badge as "Lost" and instantly revoke its access across KinLoop sessions and connected access systems. The control should capture reason codes, the reporting source, timestamp, and affected staff member, then display a confirmation with the expected revocation window. The lockdown action must be resilient (idempotent), create a visible banner on the staff profile, and notify designated stakeholders (e.g., shift lead, security) within the app. This capability minimizes risk and downtime in assisted living environments by reducing the steps required to secure accounts and physical access when badges go missing.
Ensure badge revocation propagates within seconds to all relevant surfaces: KinLoop mobile/web sessions (force logout, token invalidation), API clients, and configured access control integrations. Support webhook- and polling-based connectors with retry/backoff, dead-letter queues, and out-of-order handling to guarantee eventual consistency. Display propagation status per integration (e.g., "Revoked at Door A: 12s") and alert if SLA is exceeded. Provide a fallback manual "Resend Revoke" action. This requirement guarantees that a lockdown effectively removes access everywhere, aligning with compliance and safety expectations.
Generate immediate alerts when a revoked badge is presented at a door, terminal, or within KinLoop authentication. Alerts should include time, location/device, staff identity, and outcome, and support push, SMS, and email with role-based routing and quiet hours. Implement intelligent throttling and aggregation to prevent alert storms (e.g., summarize multiple attempts within a time window). Provide acknowledgement and escalation workflows with audit of who responded and when. This equips teams to respond quickly to misuse while keeping noise manageable for on-call staff.
Offer a secure fallback that generates a time-bound, scope-limited PIN and QR code tied to the affected staff member for emergency access when a badge is lost. Admins can configure duration, access scope (areas/features), and optional 2FA. Deliver credentials via secure in-app message or out-of-band channels with verification. Clearly display countdown timers and automatic expiry, and log every issuance and use. This preserves urgent access for care continuity while maintaining compliance and traceability.
Restrict the ability to initiate lockdowns and issue emergency credentials to specific roles (e.g., Facility Admin, Security Officer) with site-level policy controls. Support optional dual-approval for permanent deactivation or extended emergency access, capture justification notes, and enforce minimum/maximum fallback durations. Provide an audit-visible approver trail and deny reasons. This ensures BadgeGuard actions are controlled, transparent, and aligned with organizational governance.
Record a tamper-evident audit trail for all BadgeGuard events: lockdown initiation, propagation results, attempted uses, fallback issuance/usage, approvals, and reversals. Provide searchable filters (staff, time range, site, action), export to CSV/PDF, and scheduled reports for regulators and internal reviews. Support retention policies and integrity checks with hashed log chains. This delivers the evidence needed for incident reviews and regulatory compliance in assisted living settings.
Offer a guided workflow to transition a badge through states (Lost → Found → Re-activated or Replaced → Destroyed), ensuring only one active credential per staff member. Automate notifications to HR/operations, schedule replacement issuance, and require confirmation of physical destruction or return. Prevent reactivation if risk conditions persist (e.g., repeated misuse attempts). This closes the loop after a lockdown, reducing administrative overhead and preventing credential sprawl.
Lets staff tap to sign in even when Wi‑Fi drops by securely caching recent badge credentials and role/unit mappings for a short window. Work continues uninterrupted in dead zones; all activity syncs and audits automatically once online.
Securely cache a minimal set of recently validated staff badge credentials and associated role/unit mappings for a short, configurable window (e.g., 15–60 minutes). Store only non-PII identifiers and permission scopes using hardware-backed encryption and OS keystore, with per-device keys and periodic key rotation. Enforce strict TTL expiry, immediate purge on logout/policy change/device compromise signals, and eviction when cache limits are reached. Ensure offline validation uses hashed tokens and does not allow privilege elevation beyond the last known scope. Provide safeguards against replay and stale cache use while preserving rapid, one-tap performance.
Implement a seamless offline sign-in pathway that automatically activates when connectivity is unavailable, allowing staff to authenticate with a single badge tap against the secure cache. Present clear offline state indicators, validate against cached tokens and role/unit scope, and unlock only capabilities permitted in offline mode. Support optional device biometric/PIN as a second factor per policy. Ensure sub-300ms tap-to-auth performance on supported devices and graceful fallback messaging if cache is missing or expired.
Maintain a last-known-good snapshot of each user’s role(s) and unit assignments tied to their cached credentials, restricting offline access strictly to those scopes. Handle multiple roles with a clear default selection and visible scope indicator. Invalidate or narrow the snapshot on reconnection if roles change or are revoked, and prevent cross-unit access while offline. Update snapshots opportunistically whenever online authentication succeeds to keep caches fresh.
Queue all offline sign-ins and subsequent care activities (e.g., photo/note metadata, voice-to-text entries, audit events) in an ordered, durable local event store with UUIDs, monotonic timestamps, and idempotency keys. On reconnection, perform automatic batched synchronization with exponential backoff, checksums, and resume support. Validate server-side permissions at sync time, resolve conflicts (e.g., revoked users) with clear error reporting, preserve per-resident event ordering, and mark items as synced with secure, policy-based local retention and purge.
Provide console-level controls to configure offline cache TTL, maximum cached users, allowed offline features, and requirements for second-factor prompts. Support policy scoping per facility/unit and versioned distribution to devices. Enable remote wipe of offline caches for lost/stolen devices, temporary emergency offline overrides with auto-expiry, alerting on offline sign-ins, and reporting on cache usage and sync health. The app enforces the last-known policy and records the policy version used for each offline session.
Implement device integrity checks (root/jailbreak/debug detection), hardware-backed key storage, anti-tamper defenses, and auto-purge after repeated failed attempts. Use hash-chained, append-only local audit logs with secure timestamps (monotonic clock with NTP reconciliation) to mitigate clock drift. Cache a recent revocation list and apply replay protections to prevent reuse of expired or revoked credentials. Minimize stored data to least necessary, and ensure controls align with privacy and regulatory needs.
Provide clear offline/online banners, a visible countdown to cache expiry, and scoped access chips showing the active role/unit. Offer friendly guidance when caches are stale or policies prohibit offline use. Include a diagnostics panel for support showing policy version, cache status, pending queue size, last sync attempt, and exportable redacted logs. Ensure accessibility, localization, and haptic feedback. Target responsive interactions and low battery impact while offline.
Creates a tamper-evident log of every tap event—who, when, where, and which device—with anomaly flags for suspicious patterns (e.g., one badge on two devices). Speeds HIPAA-style audits and gives Privacy Stewards clear, exportable evidence.
Implement an append-only, cryptographically chained ledger that records every caregiver tap with immutable metadata (caregiver badge ID, user role, device ID, app version, timestamp, geofence location, event type, consent snapshot ID, network state). Each event includes a previous-hash reference and a digital signature to detect edits or deletions. Support offline capture to an encrypted local queue with sequence numbers and verify integrity on sync. Store only PHI-minimized references (tokenized resident IDs) and provide server-side verification endpoints for chain validation across devices and facilities.
Create a rules engine that continuously evaluates the event stream to detect suspicious patterns such as one badge used on two devices concurrently, impossible travel between distant geofences, abnormal tap velocity, activity by deactivated users, after-hours access, device clock drift, and hash-chain gaps. Generate risk-ranked alerts with clear rationales, link to impacted events, and support routing to Privacy Stewards via in-app notifications and email. Allow rule tuning per facility and suppression/whitelisting with expiry for known exceptions.
Provide a role-gated web/mobile console to search, filter, and visualize tap events by time range, caregiver, device, facility, location geofence, event type, and anomaly status. Display hash-chain integrity indicators, event detail drill-down, and related media/consent references without exposing PHI. Enable annotations, assignment, and resolution workflow for anomalies with full history. Include saved views, export shortcuts, and performance-optimized pagination to handle large datasets.
Enable secure export of selected events and anomaly investigations as a tamper-evident bundle containing machine-readable JSON, optional CSV, and a human-readable PDF summary. Sign the package with a tenant-scoped private key and include chain hashes, checksums, export metadata (time, requester, scope), and verification instructions with a public-key signature. Deliver via expiring, access-logged links and record export actions in the ledger to preserve chain of custody.
Enhance trust in timestamps and locations by enforcing periodic NTP sync with monotonic clock fallback, drift detection, and capture of timezone/offset. Validate presence within facility geofences using multi-signal checks (GPS, Wi‑Fi/BLE) and detect spoofing or low-confidence readings. Attach integrity and confidence scores to events and auto-flag out-of-policy captures for review.
Implement per-tenant retention policies (e.g., 7-year WORM) with encryption in transit and at rest, least-privilege RBAC for audit features, granular scoping by facility and role, and comprehensive audit-of-audit logs for views, searches, and exports. Support legal holds to suspend deletions, and enforce data minimization by storing tokenized resident identifiers and consent snapshot references rather than PHI content.
Requires two distinct badge taps for sensitive actions like consent overrides or role escalation. Builds in a simple, compliant co‑sign process that prevents errors and protects resident dignity without adding passwords.
Require two distinct NFC badge taps from separate authenticated users to authorize sensitive actions such as consent overrides, role escalation, and PHI-related updates. Enforce uniqueness (the same badge cannot fulfill both taps) and a configurable time window (e.g., 90 seconds) between taps. Lock the pending action until the second tap is received and both users’ roles are validated against KinLoop’s directory. Operate tap-only without introducing passwords or PINs. Ensure the flow works on caregiver Android devices with built-in NFC, validates device trust status, and gracefully handles cancellations or timeouts without committing the action.
Provide a configurable policy engine that defines when DuoTap is required based on action type, resident consent state, user role, shift, location, and time-of-day. Allow administrators to manage rules per facility and program with versioning and staged rollout. Support defaults that require DuoTap for consent overrides and role escalations while allowing exceptions for routine updates. For emergencies, permit the action to proceed as “pending co-sign” with constrained distribution until a second tap is captured within a policy-defined SLA. Surface rule rationale in-app to improve transparency and training.
Enable DuoTap to function without network connectivity by capturing both badge tap events locally, signing them with a device key, and queuing them for server validation. Execute the local action as pending and block any outbound family distribution or record changes that depend on the approval until the backend confirms both identities and policy compliance. Provide clear offline and sync states, automatic retry, and conflict resolution if user status or policy changed while offline.
Record every DuoTap event in an append-only audit trail including action type, resident identifier (pseudonymized where required), initiator and co-signer IDs and roles, timestamps, device ID, location (if enabled), policy version, and outcome. Chain log entries with tamper-evident hashing, enforce retention policies, and support redaction rules for privacy. Provide filtered search, on-screen review, and export to CSV/PDF and webhook/SIEM destinations. Generate alerts for anomalies such as repeated timeouts, attempted self co-sign, or high-frequency overrides on a resident.
Deliver a clear, low-friction UI that guides users through first and second taps with large touch targets, progress states, haptic and audio cues, and concise microcopy. Indicate required co-signer role, remaining time, and cancel options. Ensure WCAG-compliant color contrast, screen reader labels, and multilingual strings. Minimize cognitive load so the flow completes in under 20 seconds in typical conditions and operates reliably with gloves and common device cases.
Support common healthcare badge technologies (ISO 14443 Type A/B, MIFARE DESFire EV1/EV2, and compatible mobile credentials where available) via device NFC. Map badge tokens to KinLoop users through directory sync with the facility’s IAM/HR system, including role and status changes, and enforce local caching with short TTL and revocation checks. Encrypt badge identifiers at rest and in transit, avoid storing raw card secrets, and attest device integrity via MDM where available. Provide admin tools for test reads, enrollment, and lost/stolen badge workflows.
Define deterministic outcomes for missing second taps, invalid badges, or expired windows: cancel and roll back the action, log the attempt, and notify the initiator. For pending co-sign scenarios (offline or emergency), create actionable tasks for qualified supervisors, escalate based on SLA, and pause any dependent content distribution until co-sign completes. Offer configurable time windows, SLAs, and notification channels (in-app, SMS, email) while maintaining passwordless operation; allow supervisor master-badge resolution where permitted by policy.
Proactively tracks consent expirations and grace windows, surfacing color‑coded status right on the resident list and at capture. Sends smart reminders to families for renewal via SMS/email before lapses, and offers one‑tap outreach from the app. If a consent nears or reaches expiry, KinLoop warns or auto‑pauses posting for that resident until renewed, preventing last‑minute blocks, audit risk, and awkward follow‑ups.
Implement a resident-centric consent object with fields for consent type, effective date, expiry date, grace window, status (Active, Expiring Soon, Grace, Expired, Paused), authorized contacts, communication channels (SMS/email), facility policy references, and audit metadata (who/when/how consent was captured). Provide APIs and background jobs to synchronize with external EHR/roster sources and CSV import, resolve duplicates, and handle timezone-aware dates. The model must support multi-facility configurations, per-facility policy overrides, and historical versioning so changes are non-destructive and auditable. Encrypt sensitive data at rest and in transit, restrict access by role, and expose a read-optimized cache for fast UI lookups.
Display real-time, color-coded consent status for each resident on the resident list and at the media capture screen. Use distinct labels and icons for Active, Expiring Soon, Grace, Expired, and Paused with WCAG AA-compliant contrast and text alternatives. Provide quick tooltips that show expiry date, grace end, and renewal path. Ensure badges update instantly from the cache, work offline with last-known state, and reconcile on reconnect. Respect role permissions so caregivers see actionable warnings while admins see configuration links.
Create a scheduling service that sends renewal reminders to authorized contacts via SMS and email at configurable intervals (e.g., 30/14/7/3/1 days before expiry) with escalation into grace and post-expiry follow-ups. Support quiet hours, time zone alignment, throttling, and per-contact opt-out. Use message templates with facility branding and localized content, including secure renewal links and status context. Track delivery, opens, and clicks; retry on transient failures; and log all events to the consent audit trail. Allow admins to configure cadence and channels per facility and per consent type.
Provide a mobile-first web flow launched from reminder links where the recipient verifies identity via one-time code (SMS/email), reviews facility-specific consent text, selects resident relationship, and completes an e-signature with timestamp and IP capture. Generate a tamper-evident PDF of the consent, store it securely, and update the consent record atomically on success. Support accessibility, localization, and device-agnostic rendering. Handle partial completions with resumable sessions, and fail-safe to keep posting paused if verification is not completed. Include consent text versioning and legal hold retention settings.
Enforce posting rules based on consent state: warn at capture when consent is Expiring Soon or in Grace, and automatically block posting to families when Expired or Paused. Provide clear reasons, next steps, and a one-tap path to initiate outreach or view status details. Allow admins to define narrowly scoped overrides with justification and automatic expiry. Queue drafts locally when blocked and auto-release after renewal. Ensure behavior is consistent across photo, voice-to-text updates, and digests, while still applying auto-blur to non-consenting faces for unrelated residents.
Enable caregivers and admins to initiate pre-filled SMS, email, or phone outreach to the correct authorized contact directly from the resident’s status panel. Validate contact channels (deliverability checks, number format, and opt-in status) and suggest alternatives if a channel is invalid. Log outreach attempts, outcomes, and notes to the consent audit trail. Provide templates for quick messages and integrate with the reminder engine to avoid duplicate pings. Respect privacy permissions and show only the minimum necessary contact details.
Deliver a dashboard summarizing consent coverage, upcoming expirations, items in grace, and expired consents by facility and wing. Include filters, search, and CSV export. Provide detailed resident views with full consent history, reminder events, outreach logs, and signed document access. Offer configurable policies (expiry period, grace length, reminder cadence, templates) with change tracking and role-based access. Expose audit logs for regulator-ready reports, including who changed what and when. Include SLAs and health checks for reminder delivery and link uptime.
Prebuilt, customizable consent templates define what’s allowed (photo, audio, group events), where (room, dining, outings), and for whom (approved family vs. broader sharing), with effective dates and exceptions. Onboarding Guides can apply templates in one tap for new admissions, while Privacy Stewards fine‑tune per resident. Consistent scopes reduce set‑up time, eliminate ambiguity at capture, and standardize compliance across shifts.
Provide a centralized library of prebuilt, customizable consent scope templates that define permitted media types (photo, audio, video), locations (room, dining, outings), audiences (approved family vs. broader sharing), and group scenarios (one-on-one vs. group events). Support CRUD operations, template tagging, facility-level defaults, and ownership with a lightweight approval workflow to publish/unpublish templates. Include safeguards to prevent deletion of in-use templates and display dependency counts. Ship with KinLoop-recommended starter templates while allowing organizations to clone and adapt them, ensuring standardization across shifts and sites. This forms the foundation for consistent, rapid setup and reduces ambiguity at content capture.
Enable Onboarding Guides to apply a selected consent scope template to a new resident in a single action during admission setup. Auto-map template rules into the resident’s consent record, prefill effective dates from admission, and present a confirmation summary before saving. Provide inline validation for missing prerequisites (e.g., lack of family contacts) and post-apply prompts to invite or confirm approved family recipients. This reduces onboarding time, minimizes errors, and ensures residents begin with a compliant, consistent scope from day one.
Allow Privacy Stewards to fine-tune template-derived consents at the resident level with clear visibility of what differs from the base template. Provide a diff view that highlights overrides, a reversible toggle to revert to template defaults, and field-level exception notes (e.g., permit photos in room but not in dining). Maintain a link to the originating template so future template updates can be previewed for impact and selectively merged. This balances standardization with individualized dignity and preference needs without losing traceability.
Support time-bound consent with effective start/end dates, temporary blackout periods (e.g., during a clinical event), and scheduled changes (e.g., broaden sharing at 30 days post-admission). Provide proactive alerts to stewards and admins before expirations, along with quick actions to renew, adjust, or sunset scopes. At runtime, enforce the active ruleset based on the current timestamp and any overlapping exceptions, ensuring capture decisions remain accurate without manual checks.
Integrate scope rules directly into the caregiver capture flow to validate media type, location, and audience before posting. Provide real-time indicators of allowed actions, soft warnings for review-required scenarios, and hard blocks for prohibited captures, with contextual guidance and suggested alternatives. Automatically invoke KinLoop’s auto-blur for non-consenting faces in group photos, and restrict distribution to only approved recipients. This eliminates ambiguity at the point of capture, reduces compliance risk, and maintains caregiver speed with one-tap clarity.
Record an immutable audit trail for template creation, edits, approvals, applications to residents, overrides, and runtime enforcement decisions. Capture who, what, when, and why (including exception notes) and provide version history with the ability to view past states and regenerate compliance reports. Offer export options (CSV/PDF) and filters by resident, unit, user, template, and time window to streamline compliance reviews and incident investigations. This establishes defensible compliance documentation and speeds responses to regulatory or family inquiries.
Provide tools to apply or update templates across cohorts based on filters such as unit, care level, admission date, or existing scope attributes. Include an impact preview with conflict detection (e.g., residents with critical overrides) and safe rollout options: staged deployment, rollback, and change summaries to stakeholders. This reduces manual work when policies change, enables rapid standardization after audits, and keeps resident-level customizations intact where designated.
Securely links resident faces to their consent records so auto‑recognition at capture can cross‑check who appears. If a non‑consenting resident is detected, KinLoop auto‑blurs or blocks the post based on policy; if all are cleared, it speeds posting with a green light. Snapshot Aides stay compliant without manual lookups, and Privacy Stewards gain confidence that every image respects the right scopes.
Create an admin workflow to enroll residents’ faces and link them to authoritative consent records. Support multi-angle image capture/import, generation of face embeddings, duplicate detection, and versioned linkage to consent scopes (media types, audience groups, purpose, locations, time windows, expiration). Provide change history, validation, and bulk import from EHR/roster systems. Handle updates for appearance changes (e.g., hair, glasses) and record approvals, ensuring the registry stays accurate and audit-ready.
Deliver low-latency, on-device detection and identification of faces during camera preview and capture, matching against the FaceLink registry without requiring network connectivity. Support multiple faces per frame, tunable confidence thresholds per facility, and graceful fallback to server validation when available. Optimize for entry-level Android/iOS hardware, robust to masks/hats/angles, and expose structured results (ids, confidence, bounding boxes) to downstream policy evaluation.
Implement a policy engine that cross-checks detected identities against consent scopes and context (content type, location, unit, caregiver role, time constraints) to output a decision per capture: allow (green), allow with redaction (yellow), or block (red). Ensure deterministic rule precedence, explainable outcomes with human-readable reasons, and configuration at facility and resident levels. Provide APIs for the capture UI and logging to consume decision details in real time.
Automatically apply irreversible redaction (blur or mosaic) to non-consenting or unknown faces prior to storage or distribution. Maintain accurate face boundary tracking, support multiple faces, preserve primary subject clarity, and generate instant previews. Process entirely on-device when possible; if server-side is used, send only necessary pixels over TLS and discard originals post-processing per policy. Provide manual review queue and override controls for stewards when policy permits.
Provide a simple capture UI with color-coded status (green=all cleared, yellow=redaction applied, red=blocked) and face counts. Offer tap-through details showing which residents were recognized and why, with guidance to reframe or step aside. Include haptics and accessible cues, work offline, and disable the shutter on hard blocks. Ensure minimal cognitive load to keep Snapshot Aides fast and compliant.
Capture immutable logs of detections, policy inputs, decisions, redactions, and user actions with timestamps and device identifiers. Provide a steward dashboard to search/filter by resident, date, unit, decision type, and export reports for audits. Surface alerts for repeated blocks or recognition failures, and support role-based access controls to protect sensitive data.
On consent updates or revocations, propagate new scopes to the policy engine and scan existing media to identify impacted items. Perform automated remediation (blur, unshare, or remove) per policy, notify affected recipient groups, and provide stewards with a review/approve workflow. Run as resilient background jobs with progress tracking, error retries, and SLA targets for completion.
Collects and stores legally binding, multi‑language e‑signatures from authorized contacts in seconds—on device, via SMS/email, or lobby kiosk. Captures signer role (e.g., POA/guardian), ID photo, and timestamp; supports scanning/uploading paper forms for instant digitization. Consents activate immediately once signed, shrinking paper chases, expediting move‑ins, and keeping all proof centralized in the Vault.
Enable staff to request, collect, and track legally binding signatures via in‑app capture, SMS/email links, or lobby kiosk. Provide a frictionless one‑tap flow with typed/drawn signatures, initials, checkboxes, and date fields optimized for touch. Generate secure, expiring links with OTP/magic‑code verification, handle resend/revoke, and show real‑time status in the resident’s record. Support offline capture on staff devices with encrypted local storage and automatic sync when online. Capture technical metadata (timestamp, IP, user agent, optional geolocation/device ID) and enforce session timeouts and rate limits. Integrate with KinLoop Contacts and the resident profile to prefill signer details and ensure channel selection fits the contact’s preferences. Provide robust error handling and fallback to the paper digitization workflow when needed.
Add optional identity verification to the signing flow by capturing a signer selfie (with liveness check) and scanning a government ID (driver’s license/passport). Automatically extract and compare name/DOB from the ID to the invited signer, flag mismatches, and allow documented manual override with reason codes. Store verification artifacts and a redacted preview in the Vault with clear retention rules. Display a confidence score and verification status to staff while minimizing friction for known/previously verified signers. Ensure consent is obtained for capturing biometric/ID data, and make the flow usable on personal devices and the lobby kiosk. Fail securely with clear guidance for in‑person verification steps when checks cannot be completed.
Capture the signer’s legal role (e.g., POA, guardian, health care proxy) during the invite and signing process, validate it against the resident’s authorized contacts, and require proof documents where applicable. Configure which roles are permitted to execute each consent/form type, and block signing until required role evidence is on file. Support multi‑signer workflows (e.g., co‑guardians), delegated authority, and countersignature by facility representative. Persist role metadata with the signature and expose it in the audit trail. Automatically map signed consents to the resident’s consent matrix and update role assignments when documentation is approved.
Allow staff to scan or upload paper forms and convert them into clean, e‑signable documents. Perform image enhancement (de‑skew, crop, glare/contrast correction) and OCR to detect common fields (signature, initials, date, checkboxes, text). Provide a human‑in‑the‑loop editor to confirm or draw fields, set required/optional rules, and save as reusable templates with merge fields tied to KinLoop resident data. Support multi‑page documents, template versioning, and a QR/barcode stamp to route returned paper to the correct resident/form. Generate accessible, fillable PDF/A outputs and retain the original scan alongside the templated version in the Vault.
On successful signature, immediately update resident consent flags and trigger KinLoop policy hooks (e.g., enable/disable sharing types, adjust auto‑blur behavior, restrict media categories). Support granular consent scopes (photo, video, audio, messaging, release of information), effective and expiration dates, and scheduled re‑consent. Emit events/webhooks for downstream systems (EHR/CRM) and move‑in checklists. Block posting/sharing actions if required consents are not active and surface clear guidance to staff. Notify relevant caregivers and display consent status prominently in the resident header and activity composer.
Store all signed documents, templates, verification artifacts, and proofs in the KinLoop Vault with encryption at rest and in transit, tenant‑scoped keys, and tamper‑evident hashing. Generate a certificate of completion including signer identity data, role, timestamps, IP/user agent, document checksum, and any verification outcomes. Provide role‑based access controls, legal hold/retention policies, exportable audit bundles, and full‑text search. Implement backups and disaster recovery objectives, and expose immutable event logs to support ESIGN/UETA/eIDAS‑aligned evidence requirements and healthcare privacy obligations. Allow administrators to configure data residency and retention per region/policy.
Offer a fully localized signing experience and document output across supported languages, selectable per recipient and available on kiosk. Manage translations for UI, email/SMS invites, legal boilerplate, and template content with version control and reviewer workflows. Support RTL scripts, appropriate fonts, date/number formats, and accessibility features (read‑aloud prompts, large touch targets). Generate language‑specific PDFs with correct hyphenation and reading order. Allow jurisdiction‑specific clauses and language variants to be tied to facility location and resident jurisdiction, with sensible fallbacks when a language or clause is unavailable.
One‑tap legal hold suspends media sharing for a resident, unit, or whole community after an incident or family request. Requires DuoTap to initiate or lift, logs reason and timeframe, and notifies staff at capture with clear guidance. Prevents accidental posts during sensitive periods while preserving a clean audit trail and protecting resident dignity and organizational risk.
Require two distinct authorized staff to initiate or lift an Incident Freeze, capturing both identities, roles, timestamps, and authentication method. Enforce role-based permissions and optional step-up verification for high-risk scopes. Mandate structured reason selection and a timeframe before activation; block activation if inputs are incomplete. Support offline initiation via signed, time-bounded tokens with deferred server validation. Log every attempt (success/failure) with tamper-evident event chaining to preserve audit integrity. Provide clear success/failure states with retry and escalation paths, and ensure the hold immediately propagates to all capture and sharing workflows without impacting normal capture performance.
Enable holds to be targeted at the resident, unit, or community scope with immediate propagation to all related entities and media pipelines. Apply additive enforcement: if any applicable scope is frozen, sharing is blocked. Resolve scope changes dynamically (e.g., room transfers, admissions/discharges) and ensure the correct enforcement follows the resident and unit membership in real time. Block inclusion of frozen subjects in digests, feeds, or outbound shares while allowing secure local capture/storage. Provide admins with a preview of impacted users and content before activation and a summary of coverage after activation.
Present clear, persistent in-app banners and interstitials at capture and upload time indicating an active hold, with disabled share/post actions and contextual guidance on permitted actions. Allow capture to proceed safely (e.g., photos, voice-to-text) while routing outputs to drafts or private storage until the hold is lifted. Provide consistent UX across camera, gallery upload, and voice update flows; support multilingual copy and WCAG AA accessibility. Preserve existing auto-blur behavior for non-consenting faces while ensuring no external sharing pathways are available under a hold.
Require a structured reason code, optional free-text notes, and a start/end timeframe when placing a hold. Default to server-sourced timestamps to prevent device clock manipulation. Support indefinite holds and scheduled auto-expiry, with pre-expiry review prompts. Maintain an immutable, exportable audit trail recording reason, timeframe, placements, lifts, modifications, and all user identities involved, with cryptographic chaining for tamper evidence. Provide filtered audit views and CSV/JSON export for compliance reviews.
Deliver targeted notifications to impacted staff and managers when a hold is placed, updated, nearing expiry, or lifted. Support in-app, push, and email channels with deduplication, quiet-hour rules, and read receipts. Provide escalation paths to on-call roles if acknowledgements are not received within defined SLAs. Include a concise summary of scope, reason, and do/don’t guidance with links to policy and the incident record. Do not notify families by default; allow admin-configurable external communications policies where required.
Enforce holds even when devices are offline by distributing signed policy snapshots with short TTLs and grace windows. Block all share/post operations locally under an active or recently-expired-but-unvalidated hold and queue permissible actions for later sync. Reconcile conflicts on reconnect using server authority and capture all attempted violations in telemetry and audit logs. Mitigate clock drift and attempted time tampering by relying on monotonic counters and server times for policy decisions.
Provide an admin dashboard to create, view, search, filter, and bulk-manage holds by scope, status, reason, and timeframe. Include detail pages with full audit history, affected entities, and quick actions (extend, narrow scope, lift via DuoTap). Expose secure RBAC-protected APIs and webhooks for integration with incident management systems, including events for placed, updated, and lifted holds. Support SSO groups for authorization, rate limiting, and export of hold and audit data for external archival.
Every post carries a verifiable consent snapshot—hash, timestamp, signer, and scope—so auditors can see exactly which authorization was active at capture. Tap through to an exportable, tamper‑evident PDF for external review. This eliminates back‑and‑forth during audits, reduces legal exposure, and reassures families and administrators that updates are consistently authorized.
Capture a consent snapshot at the moment of media creation, packaging the active consent doc ID/version, signer identity, resident ID, scope (distribution, media types, purposes), caregiver ID, device ID, and capture context into a canonical JSON object. Compute a SHA-256 hash of this payload and assign a unique Proof Seal ID. Persist the snapshot and hash server-side with transport over TLS 1.2+ and at-rest encryption. Integrate seamlessly into the existing one-tap post flow with <150ms added latency and transparent UX. Expose the Proof Seal ID and short hash in the post header and store a reference on the post record to guarantee later verification and traceability.
Apply an authoritative, tamper-resistant timestamp to each Proof Seal using a server-controlled time source with NTP synchronization and drift monitoring. Optionally obtain an RFC 3161-compliant TSA token when connectivity permits; otherwise record a server-signed timestamp and reconcile TSA tokens asynchronously. Embed timezone and UTC offset, and store evidence of time source health. Surface drift alerts to ops if variance exceeds a configurable threshold (e.g., >2s). The timestamp becomes part of the signed payload and is immutable after sealing.
Validate and bind the signer’s identity to the resident’s active consent record prior to sealing. Enforce scope rules (media type allowed, distribution channels, purposes, expiration, and facility-specific restrictions). Support multiple signers with precedence and quorum rules (e.g., any-of, all-of). Block sealing when consent is expired or out-of-scope and present actionable guidance to caregivers. Provide APIs and admin UI to manage signers, scope templates, and consent document versions, ensuring the correct authorization is always applied at capture.
Require every post to reference a single immutable Proof Seal ID before it can be published. Store seals and linkage in an append-only ledger with versioned updates; edits to a post create a new version referencing the original seal or a new seal if new media is captured. Prevent deletion or alteration of sealed data; instead, permit redactions via additive records with reason codes. Provide a verification endpoint that recalculates the hash from stored payloads to confirm integrity and surfaces discrepancies for investigation.
Generate an exportable, tamper-evident PDF containing the consent snapshot (signer, scope, doc/version), post metadata, SHA-256 hash, and trusted timestamp. Digitally sign the PDF (e.g., ECDSA P-256) and embed a QR code/URL that points to a verification endpoint returning the snapshot and signature for independent validation. Include a visual seal, checksum, and watermark to discourage alteration. Support batch export by date range/resident and store export events in an access log for auditability.
Provide role-based access (admin/auditor) to view Proof Seal details from any post, including signer, scope, timestamp evidence, and hash verification results. Enable filters and bulk export across residents and time ranges. Log all access and exports with user, time, and scope for compliance. Integrate with existing admin web console and SSO, honoring least-privilege and PII minimization (e.g., mask non-essential identifiers). Offer a guided audit mode that assembles the required documents and seals for common audit requests.
Preserve historical integrity by locking each post to the consent snapshot that was active at capture while clearly indicating any subsequent revocations or scope changes. Display visual flags on affected posts, prevent further distribution if newly out-of-scope, and generate admin notifications. Provide reports summarizing posts captured near consent changes and tools to annotate remediation actions. Do not mutate past seals; record revocations as new append-only events linked to the original seal.
Auto-calls out what changed since the last period—new vitals tags, mood or activity shifts, incident notes, and family acknowledgments—right at the top of each card. Color-coded arrows and “New Since Last Shift” badges reduce scan time so Shift Relay Leads can brief faster with fewer misses.
Compute per-resident deltas across vitals tags, mood/activity changes, incident notes, and family acknowledgments relative to the last defined period. Ingests structured data from photo posts and voice-to-text notes, supports late/backdated entries, and re-computes deltas on new events or configuration changes. Anchors comparisons to a stored baseline snapshot for each resident and period, with a fallback to the last 24 hours if no baseline exists. Provides idempotent APIs for the mobile app to fetch current deltas, includes reason codes for each highlight (what changed and why), and handles multi-tenant facilities with distinct shift schedules. Meets performance targets of under 200 ms per resident (p95) for delta generation, with retries and eventual consistency guarantees. Emits metrics and logs for observability and auditability.
Allow administrators to define the "last period" via configurable shift templates (start/end times, overlaps, and grace windows), including holiday overrides and timezone handling. Persist a baseline snapshot at shift start or end (configurable) for each resident, and use it to anchor delta calculations. Support retroactive period corrections and backfills if shifts were missed or edited. Provide a settings UI and secure APIs, with audited changes and versioned configurations. Default to safe presets for facilities that do not configure shifts. Ensure all downstream delta computations reflow when period definitions or baselines change.
Render at the top of each resident card a compact, color-coded summary of changes with arrows, counts, and a "New Since Last Shift" badge. Group highlights by category (Vitals, Mood, Activity, Incidents, Family) with tappable chips to expand details and navigate to the source update. Use an accessible, color-blind–safe palette and WCAG AA contrast, support large text and RTL locales, and minimize motion with subtle animations (<200 ms) and haptics (optional). Optimize for low-end Android devices: first meaningful paint under 500 ms with cached highlights and skeleton loading. Localize all labels, show timestamps relative to the period, and degrade gracefully when data is stale or offline. Integrate with existing card layout without breaking current interactions.
Introduce configurable thresholds and rules to reduce alert fatigue: suppress minor variations within clinically normal ranges, deduplicate repeated tags, and consolidate multiple small updates into a single highlight. Provide facility-level defaults with the option to override per resident or tag. Include a whitelist of critical events/tags that are never suppressed. Allow supervisors to mark highlights as "not significant" to improve heuristics and generate feedback metrics. Expose suppressed-count indicators and maintain an audit trail of suppression decisions. Validate rules with test cases and monitor precision/recall of surfaced highlights.
Ensure Delta Highlights respect role-based access controls, resident consents, and privacy constraints. Hide or redact sensitive details based on user role (e.g., caregiver vs. admin) and consent status, and never reveal information about non-consenting co-residents. Align with existing auto-blur and redaction subsystems, displaying placeholders like "Hidden due to permissions" when necessary. Enforce data minimization in highlight payloads, encrypt data in transit and at rest, and log access for HIPAA-grade auditing. Recompute highlights when consent or role mappings change to prevent stale exposures.
Capture and display new family acknowledgments since the last period, including reads, reactions, and replies across email digests and the family app. De-duplicate events across channels, attribute acknowledgments to specific family members, and show timestamps with tap-through to the original update. Implement idempotent event ingestion with offline queueing on device and reliable webhook processing from the digest service. Maintain a searchable audit trail for compliance and follow-up, and handle late acknowledgments by updating current deltas without double-counting.
Provide a guided "Briefing Mode" that sequences through residents’ Delta Highlights in a carousel, supports gesture/keyboard navigation, and allows marking residents as briefed. Show progress indicators, estimated time to complete, and quick actions to add a handoff note or flag items for follow-up. Resume from the last position if interrupted, handle new incoming deltas mid-briefing, and sync completion metrics to the shift checklist. Work offline with queued state sync and maintain consistent ordering across devices when possible.
Ranks Snapshot Cards by urgency using signals like missed routine tags, unacknowledged family updates, incident holds, and upcoming appointments. Provides a suggested handoff order and ETA per resident, helping supervisors focus high-impact reviews first and trimming minutes off every briefing.
Compute an urgency score for each resident’s Snapshot Card by ingesting signals such as missed routine tags, unacknowledged family updates beyond a configurable time window, open incident holds, and upcoming appointments within set lead times. Normalize and weight signals to produce a single ranked score with deterministic tie-breaking, and expose the contributing factors for transparency. The engine runs event-driven recalculations on new signals and on schedule-based checks, persists scores with timestamps, and degrades gracefully if certain inputs are unavailable. Integrates with KinLoop’s Snapshot data model and audit logs to surface "why this is prioritized" badges. Benefits include directing supervisors to the highest-impact reviews first, reducing briefing time, and cutting inbound calls by ensuring timely follow-ups.
Keep the Priority Queue current by pushing score and order updates to clients within a target of ≤5 seconds after relevant signal changes. Implement lightweight push via WebSockets (with HTTP long-poll fallback) and client-side throttling/debouncing to avoid jitter. Display "Last updated" and optimistic UI when actions (acknowledge/snooze/escalate) occur. Provide offline resilience with cached last-known order and conflict resolution upon reconnect. Integrates with KinLoop’s notification and data layers to ensure supervisors on web and mobile see the same queue state. Benefits include preventing action on stale priorities and accelerating briefings in fast-changing shifts.
Present a ranked, scannable queue that lists residents with their urgency score, top contributing signals (as badges), suggested ETA per card, and an aggregate handoff time. Provide filters by unit, shift, and role; quick search; accessibility-compliant contrast and touch targets; and one-tap navigation into the Snapshot Card. Include a sticky header summarizing counts by urgency band and allow collapsing non-urgent items. Integrates with existing KinLoop briefing views to replace manual sorting and supports brief, high-signal readouts for tech-light caregivers. Benefits include trimmed briefing minutes and clearer, justification-backed prioritization.
Provide an admin console to tune signal weights, thresholds, and time windows per facility or unit, with preset templates (e.g., Memory Care, Skilled Nursing) and safe defaults. Include a preview mode that shows how proposed changes would re-rank current residents, effective-dating, rollback, and a full audit trail of configuration changes. Enforce role-based access and validation (e.g., caps on extreme weights) to prevent misconfiguration. Integrates with the scoring engine via a versioned policy service. Benefits include alignment with local policies, clinical priorities, and regulatory requirements without code changes.
Estimate the time to review each Snapshot Card based on heuristic features (e.g., number of media items, voice-to-text length, presence of incident holds, upcoming appointment proximity, historical review durations by role). Show per-card ETAs and a total estimated handoff time, with caps, floors, and clear confidence indicators. Learn from actual completion times to improve estimates over time while preserving privacy (aggregate, de-identified telemetry). Provide sensible fallbacks if insufficient history exists. Integrates with the UI to guide scheduling and pacing during briefings. Benefits include more predictable handoffs and reduced overrun risk.
Enable supervisors to mark items as Acknowledged (removes from active queue and logs reviewer), Snooze (temporarily lowers priority for a set duration with required reason), or Escalate (routes to designated clinical/admin roles and triggers notifications). Actions immediately re-score affected residents, update the UI, and write to the audit log and digest pipeline when appropriate. Support undo within a short window and concurrency-safe handling for multiple reviewers. Integrates with KinLoop’s activity stream and family digest schedules to keep stakeholders aligned. Benefits include visible progress, fewer follow-up calls, and faster resolution of critical items.
Ensure the Priority Queue respects consent, privacy, and dignity requirements: honor auto-blur on media, suppress non-consenting faces from badges and previews, exclude PHI from visible signal text, and enforce role-based visibility for sensitive signals (e.g., incident holds). Provide an auditable trail of score changes with their contributing factors and configuration versions. Support data retention policies and export for compliance reviews. Integrates with KinLoop’s existing consent model and security controls (RBAC, encrypted storage). Benefits include regulatory alignment and trust with residents and families while maintaining operational effectiveness.
Adapts each card to who’s viewing it: Snapshot Aides get quick-tag buttons and capture prompts, Shift Relay Leads see approvals and team notes, and Privacy Stewards see consent scope badges and audit flags. Cuts noise, surfaces the right actions, and keeps sensitive details limited to the right roles.
Implements a configuration-driven rendering engine that adapts each card’s layout, components, and actions to the viewer’s role (Snapshot Aide, Shift Relay Lead, Privacy Steward, Administrator) and permissions. Uses JSON/YAML templates with server-provided policies to determine visible fields, action buttons, and badges. Supports cross-platform delivery (iOS/Android) with a shared schema, fallbacks when a role template is missing, and feature flag gating for gradual rollout. Enforces policy evaluation on-device and server-side for integrity, and gracefully degrades offline. Integrates with existing card data model, media capture, and auto-blur pipeline to ensure consistent behavior across roles.
Provides one-tap contextual tags (e.g., Hydration, Mobility Assist, Mood) and voice-to-text capture prompts optimized for rapid documentation during care tasks. Includes configurable tag sets by facility, smart defaults per resident care plan, haptic feedback on save, offline queuing with conflict resolution, and instant linkage to photos with auto-blur applied. Ensures entries map to digest categories and are time-stamped with minimal input. Adds lightweight error states and retry logic to maintain speed while preserving data integrity.
Surfaces an approvals queue and inline team notes directly on cards for Shift Relay Leads. Allows batch approve/return for edit, quick edits to captions/tags, @mentions with notifications, and escalation flags for RN review. Displays provenance (author, timestamp, device) and pre-send visibility summary (which families will receive). Enforces role-based edit rights and records an audit trail of changes. Integrates with digest scheduling to prioritize items blocking outbound summaries.
Displays consent scope badges (e.g., Photo: Allowed; Voice: Restricted; Family A only) and real-time audit flags (missing consent, conflicting tags, unblurred by exception) for Privacy Stewards and authorized roles. Provides in-card links to resident consent profiles, resolution actions (request consent update, mask additional faces), and rationale capture for overrides with justification. Ensures badges reflect the current policy cache and update on sync. Integrates with compliance export and logs all privacy-relevant actions for review.
Enforces fine-grained RBAC/ABAC so that sensitive fields, media, and actions are visible only to authorized roles. Implements server-validated policy checks with signed tokens, field-level redaction in API responses, and on-device guards to prevent UI exposure. Includes secure fallbacks (e.g., blurred media thumbnails, redacted captions) and denies actions gracefully with clear messaging. Provides comprehensive audit logging of access decisions, unit/contract tests for policy rules, and performance-conscious caching with automatic invalidation on role or consent changes.
Delivers an admin console to manage per-role card templates, action ordering, labels, and prompts with versioning and staged rollout by facility. Supports remote config updates, safe rollback, and feature flags for A/B testing card variants. Collects privacy-preserving telemetry on card interaction rates, time-to-complete, approval turnaround, and error trends to guide optimization. Exposes dashboards and exports, and integrates with alerting when regressions or compliance anomalies appear.
One-tap toggle produces a family-safe version of a card that automatically omits staff-only sections (internal notes, room numbers) and respects consent scopes and incident freezes. Enables confident print/share without manual redaction, protecting dignity while keeping families informed.
Adds a prominent, accessible toggle on each care card to instantly generate a family-safe version that hides staff-only sections and sensitive details. The toggle state is persisted per card and obeys site-level defaults and unit policies. When activated, ShareSafe produces a derived view optimized for quick sharing or printing without manual redaction, ensuring consistent compliance while minimizing caregiver effort. The control is available in compose, review, and history views, supports offline use with on-device processing, and clearly labels the card as ShareSafe in the UI.
Implements a rules-driven engine that applies resident consent scopes, incident holds, and privacy policies to automatically omit or transform sensitive content. The engine removes staff-only notes, room numbers, internal tags, and non-consenting faces via auto-blur, and suppresses mentions of other residents lacking consent. It handles text, images, and attachments, performs on-device where possible, and falls back to secure server processing when needed. Outputs include a sanitized payload plus a machine-readable map of redactions to drive UI previews and audits.
Extends the data model and composer to explicitly tag fields as staff-only or family-visible, enabling deterministic filtering during ShareSafe generation. Introduces schema flags for room number, internal notes, staff comments, and operational metadata, with migrations and backward compatibility for existing cards. The composer enforces correct field placement with clear labels and guardrails, reducing the risk of accidental disclosure and simplifying the redaction logic.
Integrates incident and investigation states into the ShareSafe pipeline to automatically block sharing or exporting of cards and media under a freeze. Displays non-revealing explanations and guidance to staff, logs attempted shares, and provides admin-only override paths with justification. The enforcement applies uniformly across in-app sharing, print/export, and digests, preventing premature disclosure while preserving evidence and compliance.
Generates printable and shareable outputs (PDF/JPEG) from the ShareSafe view with all sensitive content removed, non-consenting faces blurred, and metadata scrubbed. Adds optional watermarking, ShareSafe badge, timestamp, and resident initials while excluding PHI like room numbers. Integrates with AirPrint and native share sheets, ensures no EXIF geolocation or hidden layers persist, and maintains consistent layout for quick handoffs to families.
Captures immutable audit events for ShareSafe actions, including toggle activations, redaction outcomes, exports, and blocked attempts due to freezes or consent. Provides admin controls to set unit-level defaults (e.g., ShareSafe on by default), enforce mandatory ShareSafe for specified content types, and review usage analytics. Exposes secure log export for compliance review with retention and access controls aligned to organizational policies.
Adds a side-by-side preview that highlights exactly what will be hidden or transformed in ShareSafe mode, with inline reason tags (e.g., consent, staff-only, incident). Caregivers can quickly verify and, when permitted, adjust content placement before sharing. The preview uses the redaction map from the engine, improves caregiver confidence, reduces errors, and shortens handoff time.
Generates a concise, natural voice recap of the card for huddles or quick reviews, so teams can keep eyes up while listening. Also attaches to family digests when appropriate, improving accessibility for tech-light relatives and reducing after-hours clarification calls.
Service that converts each care card into a concise spoken recap using domain-tuned summarization followed by natural text-to-speech. Inputs include card title, voice-to-text note, tags (mood, vitals), and follow-ups; excludes fields marked internal-only. Target duration 15–45 seconds with a consistent structure (resident, shift highlights, next steps). Real-time for short cards; background for longer ones. Outputs encrypted audio file, waveform data for scrubber, and a transcript. Provides graceful fallback to reading the raw note if summarization fails, ensuring reliability and hands-free reviews.
In-app audio player optimized for care huddles with play/pause, skip, and speed controls (0.75x, 1x, 1.25x, 1.5x), waveform scrubber, and a queue to play multiple cards by resident or shift. Supports Bluetooth headset buttons and large tap targets for gloved use. Works offline by caching the latest briefs per unit and syncs when connectivity returns. Provides captions via transcript toggle for noisy environments. Integrates with the existing card list and huddle view for seamless workflows.
Rule engine to attach audio briefs to family digests when consent and preferences permit. Evaluates resident consent flags, sensitivity labels, and per-family settings; enforces duration limits (≤60s) and adds transcript/alt text for screen readers. Converts audio to a lightweight format and delivers via secure links with expiry and download limits. Integrates with existing digest scheduling and channels (email, SMS link, app inbox) while respecting quiet hours and local time zones.
Automatic and manual selection of language and voice based on listener preferences, device locale, and facility defaults. Launch support for US English and US Spanish with warm, natural voices; includes a pronunciation dictionary for resident names and medications, and SSML prosody for vitals, dates, and times. Allows per-facility default voice and per-brief override, with consistent application across huddles and digests. Falls back gracefully to English if a target language is unavailable.
Automated content filtering and redaction to remove non-consenting names, staff identifiers, room numbers, and other PHI per facility policy before synthesis. Mirrors photo auto-blur consent logic to avoid mentioning non-consenting residents; replaces with neutral phrasing when needed. Ensures internal-only sections are never voiced. All processing uses encrypted transport and no data retention by third-party TTS providers. Generates a verifiable hash linking source text to produced audio and logs redaction decisions for audit.
Asynchronous job queue triggers audio generation on card save/edit with debouncing to prevent churn. Exposes generation states (Processing, Ready, Failed) on cards, retries with exponential backoff, and caches the latest audio per card with invalidation on edits. Edge-caches audio for low-latency playback and sets SLOs (P95 generation <10s, start playback <1s on Wi‑Fi). Provides on-device TTS fallback when network is unavailable to maintain continuity in huddles.
Facility-level controls to enable/disable Audio Brief, set default voices/languages, configure digest attachment policy, and define audio retention. Metrics dashboard tracks generation success rates, latency, listen-through for huddles and digests, opt-in/opt-out counts, and common error types. Exportable audit logs record who generated/listened, redactions applied, and delivery outcomes with timestamps and card IDs. Threshold-based alerts notify admins when error rates or latency exceed targets. Integrates with existing roles and reporting.
Every printed or shared card includes a time-limited, permission-aware QR/link that opens the resident’s timeline for approved viewers. Speeds drill-down during rounds, logs access for audits, and removes the need to hunt through menus on shared devices.
Issue signed, time-limited deeplink tokens scoped to a specific resident and viewer role that open directly to the resident’s timeline. Server-side validation enforces expiration, revocation, and role-based permissions, including read-only for families and write-enabled for authenticated staff. Tokens are bound to organization policies (TTL, single-use vs reusable, geofence) and honor existing consent/auto-blur settings to prevent PHI leakage. Includes key rotation, error states for expired/denied access, and deterministic redirect to app or web based on platform.
Generate high-contrast, error-corrected QR codes that embed the secure deeplink and are printed on resident cards and shareable materials. Codes are uniquely bound to a resident (and optionally location or unit) with support for re-issuance, revocation, and short-link fallbacks. The generator provides branded templates, printer-friendly layouts, and versioning so administrators can batch print, reprint, and invalidate cards without manual steps. All codes resolve through the KinLoop routing service to ensure policy enforcement and auditability.
Record every QR/link access attempt with timestamp, resident ID, viewer identity or device fingerprint, outcome (success/denied/expired), and source metadata (app version, IP, location if permitted). Provide an admin console to search, filter, and export logs by resident, unit, user, or time range, with retention aligned to compliance policies. Include anomaly detection signals (e.g., repeated failed scans, unusual geolocation) and alert hooks to downstream incident workflows. All events are immutable and mapped to existing KinLoop audit schemas for unified reporting.
Expose organization-level and unit-level controls for link behavior, including default and maximum TTL, allowed roles, single-use vs reusable tokens, rate limits, optional geofencing, and whether family access is permitted. Provide per-resident override and a one-click "Revoke all active links" action. Policies are enforced at token issuance and validation, surfaced in the admin UI and via API, and logged for change history. Sensible defaults are applied to new facilities to minimize setup while meeting security baselines.
Resolve each deeplink into the correct experience based on platform, session state, and role: on shared facility devices, open the resident timeline in the signed-in staff app with write permissions; for families, route to a read-only web or app view after lightweight authentication. Present clear states for expired/denied links with a renewal or help path, and never display PHI until authorization completes. Defer to installed app via universal/app links with responsive fallback to web, and preserve the resident context through login flows to avoid re-navigation.
Optimize QR scanning and link resolution for low-connectivity environments by minimizing payload size, retrying with exponential backoff, and queuing unresolved scans for background completion when connectivity returns. Provide clear, non-PHI placeholders while awaiting validation and prevent cached data from being displayed without authorization. Cache the resident directory index for faster resolution on authenticated staff devices, while ensuring tokens are always validated server-side before revealing content.
Secure, friction-light caller verification that binds each resident’s line to an authorized contact via PIN, with optional caller‑ID recognition and one‑time codes delivered by SMS or voice for landlines. Attempts and resets are logged for audits, giving families easy access without an app while protecting privacy and reducing staff time spent on identity checks.
Provide staff-initiated or self-service enrollment that binds an authorized contact to a resident’s phone line with a unique numeric PIN. Admins trigger enrollment from the KinLoop console; contacts validate identity via SMS link or automated call before creating a 4–8 digit PIN. Store only salted, memory-hard hashes with KMS-managed salts; associate one or more phone numbers to the contact and resident; capture consent and terms. Support multiple authorized contacts per resident, revocation and re-binding, and real-time enrollment status via API. All steps must be recorded in the audit log.
Implement an automated IVR that answers resident-associated lines, detects caller ID, and routes the caller to verification. If the caller ID matches a known number and policy allows, prompt for PIN; otherwise offer one-time code delivery or staff transfer. Support DTMF input, configurable retries, timeouts, and lockouts. Provide clear, concise prompts and low-latency routing. Surface verification outcomes to the KinLoop console and resident directory, and log reason-coded results. Multilingual prompts and graceful degradation on noisy or low-quality lines are required.
Generate single-use 6-digit verification codes with short expiry, rate-limited issuance, and replay protection. Deliver via SMS to mobile or text-to-speech voice calls for landlines, auto-detecting channel capabilities and falling back when delivery fails. Integrate through a provider-agnostic gateway with delivery receipts, regional formatting, and opt-in messaging compliance. Expose verify endpoints, mask numbers in logs, and record send/verify events with timestamps and outcomes.
Maintain a mapping of authorized callers’ phone numbers to residents and contacts. On inbound calls, match ANI to known numbers and apply configurable trust policies, such as reduced friction within a recent successful verification window; otherwise require PIN or OTP. Allow contacts to add or remove numbers with secondary verification, support multiple numbers per contact, international formats, and number normalization. Notify admins on new number linking attempts and provide self-link flows with safeguards.
Create centralized, tamper-evident logging for all VoicePIN events: timestamps, resident/contact references, masked phone numbers, method (PIN/OTP), attempt counts, outcomes, and admin actions (enrollment, reset, revocation). Build an admin console to search, filter, and export logs; view per-resident and per-contact histories; and configure retention policies. Enforce role-based access controls and least-privilege permissions, with alerts on anomalous activity patterns.
Provide secure flows for contacts to reset forgotten PINs via SMS/voice identity checks, with cooldowns, rate limits, and notifications to resident admins upon changes. Support staff-initiated resets with dual-approval for high-risk cases. Invalidate previous credentials immediately, require re-verification on next call, and maintain full audit trails. Include accessible prompts and simple guidance throughout the process.
Implement layered defenses: per-number and per-resident rate limits, exponential backoff, temporary lockouts after consecutive failures, and anomaly detection on verification attempts. Encrypt data in transit and at rest; manage secrets and keys via KMS; and make PIN length, retry, and expiry policies configurable. Provide monitoring dashboards, health checks, and alerting for failures and abuse signals. Document data minimization and retention to support privacy requirements.
Natural‑sounding, TTS summaries of the latest approved updates organized by time period and topic (e.g., meals, activities, mood). Callers can skip, replay, or drill into items with simple keypad presses, getting the gist in under a minute. Tech‑light relatives stay informed quickly, cutting routine after‑hours questions.
Automatically generates concise spoken digests from the latest approved resident updates, grouped by configurable time windows (e.g., last 24 hours, today, this week) and topics such as meals, activities, health/mood, and notes. Uses templated natural-language generation to ensure consistent structure, brevity (gist under 60 seconds), and clarity over the phone. Integrates with KinLoop’s updates datastore and approval pipeline, pre-computes and caches per-resident digests on a schedule and on-demand, and exposes an API for IVR playback. Handles empty states (no new updates) gracefully with helpful prompts and optional fallback to the most recent prior window.
Ensures only updates explicitly approved for family sharing are included in digests, enforcing resident- and contact-level permissions. Redacts protected health information and references to non-consenting residents, converts staff jargon to family-friendly language, and strips internal-only notes. Applies rules-based and ML-assisted redaction for names, room numbers, medications (if restricted), and incidental identifiers, with audit logs for each digest output. Provides configuration for facilities to define sensitive terms and topics to exclude.
Provides an accessible phone interface that plays the digest and supports DTMF keypad controls to replay the last item, skip to the next topic, repeat the current topic from the start, or drill into details for a specific item (e.g., today’s meals). Announces simple, consistent prompts and minimizes cognitive load for tech-light callers. Supports timeouts, barge-in, and resume-on-reconnect. Integrates with the digest API for indexed items, maintains call session state, and records interaction analytics (e.g., most-skipped topics) for optimization.
Delivers clear, natural-sounding speech optimized for telephone audio, using SSML to control pronunciation, pacing, emphasis, and pauses. Offers selectable voices and speaking rates per facility or caller preference, and supports multiple languages/accents. Pre-renders and caches audio for common digests to reduce latency and costs, with intelligent cache invalidation on new approvals. Includes graceful degradation and vendor fallback if the primary TTS provider is unavailable.
Authenticates callers via resident selection plus PIN/OTP and maps them to approved contact records before allowing digest playback. Enforces per-caller access to specific residents and topics, rate-limits attempts, and blocks suspicious activity. Logs access events for auditing and provides configurable session timeouts. Integrates with KinLoop’s contact management, consent records, and notification preferences.
Allows administrators to configure default time windows, topic ordering, maximum digest length, voice and language settings, sensitive-topic exclusions, and IVR prompt wording. Supports per-resident overrides (e.g., exclude mood), facility-wide templates for phrasing, and A/B testing of prompt variations. Provides a preview tool to review the generated script and audio before enabling changes.
Captures metrics on digest generation latency, call connection rate, time-to-gist, topic completion rates, skips, and drop-offs. Surfaces dashboards and alerts to ensure the core promise (gist in under 60 seconds) is consistently met. Provides per-resident and aggregate insights to refine topic order and script length, and flags content issues that trigger excessive skips. Exposes exportable reports for operations and compliance review.
One‑press acknowledgments from the phone (“Press 1 to confirm you received today’s update; Press 2 to send thanks”). Acks post back to the resident timeline for staff visibility and feed Delta Highlights, reducing follow‑up calls and giving caregivers instant signal that families are up to speed.
Implement an interactive voice response flow that allows approved family members to acknowledge a specific resident’s update via touch‑tone (Press 1 to confirm receipt, Press 2 to send thanks). The IVR plays a concise, privacy‑safe prompt that identifies the resident and update date/time, captures DTMF input, confirms the selection, and associates the action with the correct resident and update. The system posts the result in near‑real time to the caregiver dashboard and resident timeline, providing immediate visibility and reducing follow‑up calls. Supports per‑contact language preference, replay, and graceful hang‑up handling; logs call metadata for audits and troubleshooting.
Ensure only approved family contacts can submit acknowledgments by verifying identity before accepting touch‑tone input. Map calls to contacts via signed, per‑recipient callback links/numbers and recognized caller ID, with fallback to a short one‑time PIN. Block or discard inputs from unrecognized numbers, expired tokens, or revoked contacts. Tie every acknowledgment to a verified user, resident, and update, and record the verification method for auditing. Respect per‑resident access lists and role permissions to prevent cross‑resident visibility.
On successful acknowledgment, create a structured event on the resident timeline (actor, action, timestamp, channel, optional note for ‘thanks’) and update Delta Highlights metrics (e.g., first‑ack of the day, response time, outstanding families). De‑duplicate repeat inputs for the same update, maintain idempotency across retries, and surface status in caregiver views and shift digests. Provide webhook/event hooks so downstream components can react (e.g., suppress follow‑up reminders once acknowledged).
Provide facility‑level controls to customize IVR prompts (wording for options 1 and 2, optional ‘connect to staff’ transfer), select TTS voice and language, and manage quiet hours and call windows. Allow enabling/disabling phone acknowledgments per resident or contact, selecting which update types trigger phone calls, and setting contact‑level preferences (language, preferred channel). Honor quiet hours by queueing or deferring calls, and expose overrides for urgent notifications. Store versions of prompt configurations for traceability.
Capture and enforce communication consent for each contact and channel, including TCPA‑compliant disclosures for automated calling. Provide easy opt‑out mechanisms (e.g., Press 9 to stop calls) and maintain a do‑not‑call list that the dialer respects. Log consent state changes with timestamps, actor, and source for auditability. Ensure prompts avoid protected health details and use minimal necessary information. Retain call recordings or transcripts of prompts and results per policy to support compliance reviews.
Implement reliable call delivery with retry policies for busy/no‑answer, voicemail detection to avoid false inputs, and exponential backoff up to a configurable limit. Provide automatic fallback to an SMS acknowledgment link when calls fail or a contact prefers text, and surface final delivery status to staff. Monitor provider health, support multi‑carrier failover, and expose operational metrics and alerts (failure rate, connection time, DTMF capture errors) to ensure high availability and fast remediation.
Deliver dashboards and exports showing acknowledgment rates, time‑to‑ack by resident and contact, engagement by channel (phone vs SMS/email), and cohorts with persistent non‑acknowledgment. Highlight residents or families requiring outreach and trend reductions in inbound calls post‑launch. Provide filters by community, unit, shift, and timeframe, with drill‑downs to raw events for QA. Feed summary metrics into Delta Highlights and admin reports to quantify time saved and engagement gains.
If a caller flags something as urgent or requests a person, the system creates a context‑rich callback ticket (who called, what was played, timestamp) and routes it to the Shift Relay Lead’s Priority Queue. Quiet‑hour rules prevent unnecessary ring‑throughs while ensuring true escalations get a timely, well‑informed response.
Automatically identify the caller and map them to approved family contacts and associated residents using caller ID, secure PIN/DTMF verification, or account linking. Enforce role-based access so only authorized contacts can create callback tickets and view resident-related details. Handle edge cases (blocked numbers, shared phones, multiple residents per caller) with graceful fallbacks and clear prompts. Persist identity confidence and permission scope on the ticket to ensure privacy-compliant routing and response. Integrates with KinLoop’s resident directories and contact approvals to maintain a single source of truth.
Provide a simple IVR that lets callers flag an issue as urgent or request a specific person via DTMF (e.g., press 1 for urgent) and speech recognition (e.g., say "urgent" or a staff member’s name). Confirm selections, handle misrecognitions with quick reprompts, and support multilingual prompts. Persist urgency level, requested person, and any short voicemail message to enrich the callback ticket. Minimize friction so tech-light callers can act with one or two taps while keeping interaction latency low.
Capture and attach precise context about what the caller just heard: update/digest IDs, resident(s) referenced, staff author, timestamps, and playback offsets. If multiple updates were played, list them in order with timecodes. Store references to content instead of duplicating media, and include a short transcript snippet when available. This context-rich trace is bundled into the ticket to eliminate guesswork, speed responses, and reduce back-and-forth.
On confirmed urgency/person-request, create a structured callback ticket containing caller identity, contact info, resident linkage, urgency level, requested person, playback context, and call metadata (start/end time, ANI). De-duplicate tickets created within a short window for the same caller/resident and merge related context. Route tickets to the current Shift Relay Lead’s Priority Queue based on facility, shift schedule, and on-call rules, with fallback routing to a backup lead if unacknowledged.
Enforce configurable quiet-hour rules per facility and per role to suppress non-urgent ring-throughs while allowing true escalations. Support rule exceptions for designated emergency categories, and apply DND for individuals with override options. Integrate with shift calendars to determine who is eligible to be alerted. Log all suppressions and overrides on the ticket for transparency. Provide admin controls to set policies and test scenarios before deployment.
Attach SLA targets to each ticket by urgency (e.g., acknowledge within 5 minutes for urgent, callback within 15 minutes) and start timers on creation. Notify the assigned Shift Relay Lead via push and in-app alerts; escalate to backup leads or admins if SLAs breach or acknowledgments are missed. Provide one-tap callback and templated response notes within the ticket. Suppress redundant alerts after acknowledgment and record all notifications and outcomes on the ticket.
Maintain a complete audit trail for Smart Callback: call arrival, identity checks, IVR selections, context captured, ticket creation, routing decisions, quiet-hour suppressions, notifications, acknowledgments, and resolution notes. Protect data with encryption in transit and at rest, apply least-privilege access, and redact sensitive content from notifications. Support retention policies and export for compliance reviews. Integrate with KinLoop’s existing logging and admin console for monitoring and incident investigation.
Automatically matches the call experience to each contact’s preferred language, with easy keypad switching mid‑call. Names and common care terms are pronounced correctly, improving accessibility and reducing misunderstandings for multilingual families without adding staff translation work.
Store and manage each contact’s preferred language, regional variant, and fallback order to drive call experience selection. Include admin UI and bulk import to set language preferences at the resident-contact level, with defaults at community/facility level. Persist ISO language/locale codes, preferred TTS voice, and optional reading speed. Provide API endpoints for CRUD operations and audit changes. Enforce role-based permissions, multi-tenant isolation, and data residency. Synchronize preferences across mobile and web apps so outbound calls, IVR prompts, and digests use the same setting. Validate entries and provide sensible fallbacks when a language is not supported.
On call initiation, automatically select IVR prompts, TTS voice, ASR grammars, and captioning language based on the callee’s saved language profile. Preload localized assets to minimize connect latency and ensure continuity across transfer, hold, and voicemail. If the preferred language is unavailable, follow the contact’s fallback order, then the community default. Handle mixed-language households by offering a short language confirmation prompt when confidence is low. Ensure consistency across outbound updates, inbound callback menus, and voicemail drop content. Instrument KPIs for language-match rate and first-prompt comprehension signals to guide improvements.
Allow callers to switch languages at any time using DTMF (e.g., a dedicated key or short menu). Detect the keypress, confirm the new language briefly, and seamlessly reload current prompt, grammars, and TTS voice without losing call state or context. Support multiple switches per call with throttling to prevent loops. Provide a discoverable help key to list available languages when the preference is unknown. Log each switch with timestamp and previous/new language for analytics and compliance. Ensure behavior parity for PSTN and VoIP endpoints and across carrier networks.
Deliver correct pronunciations of resident and staff names and common care terms via a multilingual, domain-specific dictionary. Support SSML with phoneme tags and custom lexicons per language/locale. Auto-generate initial pronunciations from locale-aware models, allow caregivers/admins to override with simple phonetic input, and propagate updates across all call flows. Integrate with resident profiles to ingest name fields, nicknames, and preferred pronunciations, and with clinical vocabularies for common care phrases. Validate pronunciations via preview playback in the app before going live.
Translate dynamic update content from caregiver input language to the contact’s preferred language using a secure NMT pipeline with a protected glossary for clinical and brand terms. Feed translated text into locale-matched TTS voices with SSML for clarity, pauses, and emphasis. Cache translations for identical messages to reduce cost and latency. Provide confidence scoring and fall back to the original language with a clear notice if quality is below threshold or target language unsupported. Ensure processing within approved data boundaries and redact PHI per policy before sending to third-party engines when required.
Record language used at call start, each mid-call switch, and the rationale (auto-match, fallback, or user-selected), with timestamps and contact/resident associations. Store minimal DTMF metadata (key class, not exact digit when sensitive) and outcome of language confirmation prompts. Retain logs per compliance policy with export to CSV and admin dashboard filters by facility, resident, language, and date range. Exclude raw audio and transcripts unless explicitly enabled by policy. Surface alerts for frequent fallbacks or switch churn to flag missing preferences or asset gaps.
Maintain a versioned library of localized, pre-rendered audio for common prompts across supported languages to keep IVR interactions under target latency. Cache assets at the edge/CDN and on-device where applicable, with cache-busting on content or voice updates. Fall back gracefully to real-time TTS for uncommon prompts. Monitor cache hit rates and per-language latency, and set SLOs (e.g., sub-500 ms for first prompt). Ensure consistent volume, prosody, and audio format across languages for a natural, uniform experience.
Voice readouts automatically omit staff‑only notes, room numbers, and any content restricted by consent scope or Incident Freeze. Every call is logged with a Proof Seal reference, so Privacy Stewards can demonstrate compliant, need‑to‑know sharing even over the phone.
Provide secure verification and authorization for phone-based updates to ensure only approved family members can hear readouts for the correct resident. Support inbound (family-initiated) and outbound (caregiver-initiated) flows with PIN/OTP verification, caller ID heuristics as a secondary signal, and mapping to KinLoop’s access control lists and consent scopes. Minimize PHI exposure during prompts, prevent voicemail disclosure of sensitive content, and block access after configurable failed attempts. Log all auth outcomes and decision reasons for audit and monitoring. Integrate with existing contact records, resident linkages, and consent management, requiring no extra steps for tech-light caregivers.
Automatically transform update content into a phone-safe script by removing staff-only notes, room numbers, and any details restricted by consent scope or Incident Freeze before text-to-speech playback. Combine rule-based pattern scrubbing (e.g., room/bed identifiers, staff names, internal tags) with metadata flags on note fields to ensure deterministic omission. Preserve clarity by substituting neutral phrasing where needed (e.g., “location omitted”) and smoothing grammar. Enforce latency targets to keep readouts responsive, and fail safely by halting playback with a neutral message if residual risk is detected. Provide configuration hooks for policy updates, comprehensive unit tests, and regression suites to validate redaction coverage across edge cases and languages.
Resolve and enforce per-recipient consent scopes and active Incident Freeze states at readout time, ensuring only need-to-know information is shared. Evaluate content categories (e.g., health status, schedules, media references) against the recipient’s allowed scope and any freezes applied to the resident or topic. When a restriction applies, block or redact the affected portions and play a neutral explanation. Version policy evaluations, record the rule decisions used, and handle time-bounded or conditional consents. Support offline tolerance with short-lived cached policies and immediate invalidation when a freeze is invoked by Privacy Stewards.
Generate a tamper-evident Proof Seal for every readout, binding the redacted transcript, policy/version identifiers, timestamps, caller/callee identifiers, decision logs, and outcome codes. Store the seal and metadata in an immutable audit log with a human-readable reference code included in the call record. Provide verification and retrieval APIs/UI for Privacy Stewards to demonstrate compliance, along with retention and export policies aligned to regulatory requirements. Optionally associate a low-risk audio recording of the redacted readout where permitted; otherwise store transcript-only artifacts.
Enable caregivers to initiate compliant phone updates with a single tap from the resident’s profile. The system assembles the latest eligible updates, runs redaction and policy checks, then dials the authorized recipient via IVR, delivering the text-to-speech readout with clear, natural voices. Provide DTMF controls for repeat/slow/next, multi-language voice selection based on recipient preference, retries on no-answer, and safe voicemail behavior that omits PHI. Ensure seamless handoff from the caregiver app, minimal on-screen complexity, and automatic logging with the associated Proof Seal reference.
Continuously monitor access patterns and enforce rate limits to reduce misuse and over-disclosure risk. Apply per-resident and per-recipient thresholds, lockouts after repeated failed verifications, and geo/time-based heuristics. Generate real-time alerts to Privacy Stewards for unusual activity (e.g., spikes in calls, cross-resident access attempts), with dashboards and exports for investigation. Integrate with Proof Seal logs for end-to-end traceability and provide admin controls for whitelisting legitimate high-volume scenarios.
Live metrics show deflected calls, minutes saved, peak calling windows, listen‑through rates, and acknowledgment trends by resident and family. Exportable reports help administrators quantify impact, fine‑tune digest timing, and coach teams where additional clarity reduces callbacks further.
Compute and surface accurate deflected call counts and minutes saved by correlating inbound call logs with KinLoop update and digest events. Support ingestion of call volume baselines and ongoing logs via CSV/API, define configurable attribution windows (e.g., N hours after an update), and apply facility-specific baselines to estimate avoided calls post‑adoption. Provide resident- and family-level rollups, handle time zone differences, and expose methodology/tooltips for transparency. Include data quality checks, anomaly detection, and confidence intervals to ensure credibility of reported savings. Integrate with the analytics warehouse and power downstream dashboards and exports.
Deliver a responsive, role-aware dashboard that displays live metrics for deflected calls, minutes saved, listen‑through rates, and acknowledgment trends with filters for date range, facility, unit, resident, and family. Provide trend lines, heatmaps, and drill-downs to individual residents/families while preserving privacy constraints. Refresh data within a 5‑minute SLA, include hover definitions for each KPI, and support cohort comparisons (e.g., units using templates vs. not). Optimize for web and tablet, ensure accessibility compliance, and cache queries for performance.
Identify and visualize peak inbound calling windows by hour and day-of-week using historical call logs and correlate them with digest send times. Produce a time‑of‑day heatmap and recommended digest timing adjustments per facility/unit to minimize inbound calls. Handle time zone and daylight saving shifts, allow simulation of alternative send times with predicted impact, and log accepted recommendations for later ROI analysis.
Instrument and calculate engagement metrics across media types, including percent listened, completion rate, average listen duration, photo view rate, and time‑to‑acknowledgment. Break down results by resident, family, unit, and update type, and track trends over time. Surface low‑engagement segments and content patterns to inform coaching. Ensure event schemas are standardized, privacy-preserving, and stored in the analytics warehouse for reuse.
Provide configurable export options (CSV, XLSX, PDF) for KPI summaries, resident/family breakdowns, and unit scorecards, with data dictionaries embedded for clarity. Enable one‑time downloads and scheduled email deliveries (weekly/monthly) to authorized recipients with secure, expiring links and watermarking. Support multi-tenant branding, time zone selection, and audit logs of generation and access. Apply redaction rules and aggregation thresholds on exports to protect privacy.
Correlate callbacks with engagement signals to flag updates likely to trigger follow-up calls and generate actionable guidance. Provide a clarity score based on heuristics (e.g., presence of key details, length, use of templates), recommend phrasing/templates, and show before/after impact when guidance is applied. Present unit and individual coaching opportunities, track adoption of recommendations, and protect PHI by running models on redacted text and excluding sensitive fields from storage.
Enforce strict RBAC and consent-aware filtering for all insights, limiting visibility by role, facility, and resident assignment. Apply minimum aggregation thresholds to prevent re‑identification, mask PII in dashboards and exports, and require explicit permissions for detailed drill‑downs. Maintain comprehensive audit trails, configurable data retention policies, and HIPAA/SOC 2‑aligned controls. Integrate with existing KinLoop user/tenant models to ensure consistent access across web and exports.
Create single-use or limited-view links that auto-expire after a set duration or first open. Snapshot Aides can share quickly without worry that a link lingers or spreads, while families get just-in-time access that disappears when no longer needed.
Enable Snapshot Aides to select one or more photos, short text/voice-to-text updates, and optional resident context, then generate a shareable package encapsulated behind a one-time link. The composer should support auto-blur of non-consenting faces, strip EXIF/PII, and bundle assets into a lightweight, CDN-backed payload. It integrates with existing Snapshot workflows, allowing one-tap creation from a captured update and storing only server-side references so nothing sensitive appears in the URL.
Provide configurable expiration controls at creation time, including time-based TTL (e.g., 15 minutes to 7 days), first-open expiry, and limited-view counts (e.g., single-use or up to N opens). Defaults inherit from site-wide policy while allowing per-link overrides within policy bounds. Expiry metadata is stored server-side and evaluated on access to ensure links self-terminate as configured across devices and channels.
Generate non-guessable, signed tokens for each link with sufficient entropy and short path lengths, avoiding resident names or identifiers in URLs. Enforce HTTPS-only transport, HSTS, and cache-control headers to prevent persistence on intermediaries. Tokens map to server-side access intents, not raw objects, ensuring the content can be revoked independently of the URL. Include optional watermarking of media and on-screen disclosure to deter screenshots.
Offer optional gates to reduce unauthorized forwarding: one-time SMS/email verification, sender-defined passcode, CAPTCHA, and device fingerprint binding on first open. Allow locking a link to a specific recipient contact when known, while maintaining a friction-light path for just-in-time shares. Failed or suspicious attempts trigger throttling and alerting without revealing whether content exists.
Provide real-time server-side enforcement that tracks opens, view counts, and TTL, returning clear expired states when limits are reached. Allow creators and admins to manually revoke links, view access history, and see delivery/open events. All actions write to an audit log with timestamp, actor, device hints, and outcome to support compliance reviews and incident response.
Render a responsive, accessible web view that loads without the KinLoop app, optimized for low-friction first open and WCAG AA accessibility. The view displays media, captions, and consent-safe details, supports pinch-to-zoom, disables right-click saving where feasible, and provides clear messaging on expiry status. Localizes timestamps and messages to the recipient’s locale and timezone.
Expose org-level controls for maximum TTL, default expiry settings, allowed verification methods, watermarking, and permitted share channels (SMS, email, QR). Policies propagate to mobile and web clients, enforcing guardrails while allowing limited per-link overrides. Include analytics dashboards summarizing link creation volumes, open rates, expirations, and revocations.
Add an optional one-time SMS or email code on top of the PIN, delivered only to the approved contact on file. If a link is forwarded, the extra check ensures the right person is viewing—boosting security without adding complexity for trusted recipients.
Enable administrators to define when OTP step-up is required on top of the existing PIN, with policies configurable at organization, community, and resident levels. Triggers include first-time access from a device, access via a shared/digest link, access to sensitive content types (e.g., photos with residents, care notes), login from a new IP/geo, and manual override for high-risk cases. Provide an admin UI to toggle policies, set default behavior, and stage rollout to specific facilities or groups. The policy engine must integrate cleanly with KinLoop’s existing PIN gate and digest email/link flows so that step-up is invoked before any protected content or metadata is revealed. The system must degrade gracefully when policies are disabled and respect resident consent settings and compliance requirements.
Deliver one-time codes only to the approved contact on file via verified SMS or email, honoring the recipient’s preferred channel with automatic fallback to the alternate channel if delivery fails. Implement secure message templates, localization, and rate limiting for sends and resends, with visible countdown for “Resend code.” Integrate with existing messaging providers (e.g., SMS and email) and support provider failover. Store delivery status via webhooks while masking PII and never persisting the full OTP in logs. Provide safeguards for stale or unverified contact info (prompt to update through approved admin workflows) and maintain audit-safe records of where codes were sent without exposing contact details.
Generate cryptographically strong OTPs (e.g., 6-digit numeric) with a short time-to-live (e.g., 10 minutes), single use, and replay protection. Bind each OTP to the recipient, device session, and requested resource when applicable, invalidating upon successful verification or expiry. Enforce attempt limits with exponential backoff and temporary lockouts after repeated failures. Store only hashed OTPs server-side and include clock-skew tolerance. Provide secure error messaging that does not disclose account existence or contact details. Ensure codes are compatible with both SMS auto-fill and email clients while preventing exposure in logs, notifications, or link previews.
After a successful OTP verification, allow recipients to opt in to “Trust this device” to reduce future prompts. Issue a signed, expiring device token (e.g., httpOnly cookie or secure storage) bound to the account, browser/app instance, and risk signals. Respect policy-configured trust duration (e.g., 30 days) and re-prompt on elevated risk (IP/geo change, device fingerprint change, policy update). Provide a simple UI to manage and revoke trusted devices from the recipient profile or via admin support. Enforce a maximum number of trusted devices per account and automatically expire trust on inactivity or when contact details change.
Issue digest and update links that are context-bound to the intended recipient and content, preventing unauthorized access if a link is forwarded. Embed a short-lived, non-guessable token that references the content and recipient; require OTP when the link is opened from an untrusted device or mismatched session. Do not expose resident names, photos, or sensitive metadata in the pre-verification screen or in link previews (suppress Open Graph previews). Provide clear messaging and a request-access path if a forwarded link is opened by the wrong person. Ensure compatibility with existing KinLoop email digests and in-app notifications without changing caregiver workflows.
Record privacy-preserving audit events for OTP activities, including sends, channel used, delivery outcomes, verification successes/failures, lockouts, device trust adds/removals, and policy trigger reasons. Expose an admin dashboard with filters by facility, resident, date range, and channel, plus export to CSV and API access for compliance reporting. Surface alerts for anomalous patterns (e.g., repeated failures, high resend rates) and provide actionable guidance to support staff to resolve recipient issues. Ensure all logs redact PII and OTP values and are retained according to compliance and organizational retention policies.
Overlay each link view with a subtle, personalized watermark (contact name and timestamp) to discourage screenshots and unauthorized forwarding. Any captured image still traces back to the viewer, protecting resident dignity and supporting compliance.
Display a personalized watermark on every secure link view derived from the viewer’s unique access token, showing the viewer’s display name and the precise view timestamp. The watermark text is generated at render time and never baked into the source media, ensuring content files remain unchanged. The system must map link tokens to an approved contact, fall back gracefully if the token lacks a resolved identity (e.g., show token suffix), and log each render event with UTC timestamp and timezone offset used in the overlay. This integrates with KinLoop’s existing link delivery and permission model, reinforcing accountability while maintaining privacy and compliance expectations.
Render a subtle but persistent diagonal, repeated text watermark across the visible media/container that adapts to underlying content for legibility without obstructing faces or key details. The engine must support images and videos by using an overlay layer (CSS/SVG/canvas for images, player overlay for video) with dynamic contrast, stroke, and opacity adjustments based on local luminance. It should scale responsively across devices and orientations, maintain performance under low-end hardware constraints typical in care settings, and avoid altering original files. The pattern density and placement must ensure any reasonable crop or screenshot still includes identifiable text.
Add client-side deterrents alongside the watermark to reduce casual misuse: hide native download controls, disable right-click save, block drag-and-drop of media, prevent easy long-press saves where possible, set no-store cache headers for link views, and apply referrer and content security policies to minimize unintentional leakage. While acknowledging screenshots cannot be fully prevented, these measures increase friction and reinforce the Watermark Shield’s purpose without degrading legitimate viewing.
Provide tenant- and facility-level settings to configure Watermark Shield behavior, including on/off toggle, text components (contact name, facility name, timestamp format), pattern density, angle, and opacity presets. Include a real-time preview in the admin console and capture an audit trail of configuration changes. Default to a recommended compliant preset and allow policy locks to enforce settings across all communities within a group.
Ensure the watermark does not impede accessibility or degrade performance. Meet WCAG 2.1 AA for contrast and readability of surrounding UI, preserve screen-reader semantics, and avoid obscuring critical UI controls. Maintain smooth playback at target frame rates for video overlays and keep image render times within acceptable thresholds on low-end devices. Provide graceful degradation paths (e.g., simplified overlay) when resources are constrained, and include monitoring hooks for overlay render time and errors.
Store view events and watermark parameters for each link open to support traceability. Provide an internal report that shows which contacts viewed a specific update (with timestamps) and the exact watermark text shown, enabling administrators to match a leaked screenshot to a viewer without needing to alter media. Include exportable logs, filtering by resident, contact, and date range, and ensure data retention aligns with organizational policies.
Re-validates consent and Incident Freeze status at the moment of link open. If scopes have changed, the page auto-redacts or blocks access and logs the event, giving Privacy Stewards confidence that every share remains compliant in real time.
On every share link open, perform a server-side, real-time authorization check against the latest resident consent scopes and any active Incident Freeze flags before rendering content. The check must evaluate the requesting viewer’s identity, relationship, and permission scopes against all assets referenced by the link (photos, captions, voice-to-text notes, digests), including multi-resident content. The enforcement runs on the server (no client-side trust), supports short-lived tokens, and applies decisions atomically per asset. Target added latency is under 300ms p95, with clear fallback messaging. This ensures that access always reflects the most current policy state, eliminating stale permissions and ensuring compliance.
Dynamically apply policy-driven redaction or full blocking when scope changes are detected at link open. For photos and videos, remove or blur non-consenting faces and identifiable elements using the existing auto-blur engine; for captions and voice-to-text, mask entities and names tied to non-consenting residents. If safe redaction cannot be guaranteed within latency thresholds, block the asset and present neutral, non-revealing messaging to viewers. Redaction must be applied on-the-fly without requiring re-upload, and decisions must be consistent across web and mobile views. Provide graceful UI placeholders to preserve context while ensuring privacy.
When an Incident Freeze is active for any resident represented in an asset, enforce immediate, facility-wide blocking of affected content at link open regardless of prior consent. Support partial blocking for group assets by removing or masking the frozen resident while preserving permissible portions if policy allows; otherwise, block the full asset. Provide neutral viewer messaging, staff-facing context in the admin console, and automatic unblocking on freeze release. Ensure propagation across all existing links and digests without re-publishing.
Record a tamper-evident audit event for every link open and per-asset decision including timestamp, viewer ID, content IDs, resident IDs, evaluated consent version IDs, policy rule path, action (allow/redact/block), and latency metrics. Provide a steward console to search, filter, and export logs (CSV) with retention aligned to compliance policy. Correlate related events via request IDs and support drill-down into the exact redaction rationale without exposing protected content. This enables provable compliance and rapid incident investigation.
Maintain versioned consent records per resident and map viewer authorization scopes to those versions. Issue short-lived, signed link tokens that reference resource IDs and viewer identity but never embed permissions directly. On open, resolve the latest consent versions and enforce them; when consent changes, previously issued links automatically reflect the new policy without cache inconsistencies. Support token revocation lists, clock skew tolerance, and replay protections.
Implement resilient, privacy-first behavior when dependencies degrade. If the consent service or face-redaction engine is unavailable or exceeds timeouts, default to the safest permissible action (block or redact-all) and present neutral messaging. Add exponential backoff, circuit breakers, idempotent retries, and structured error telemetry. Provide service-level objectives (e.g., 99.9% decision availability, 300ms p95 added latency) with dashboards and alerts for breach detection.
Provide an administrative UI to configure consent enforcement policies, including default action on uncertainty (redact vs. block), latency thresholds, redaction strictness, and viewer messaging templates. Enable role-based access for Privacy Stewards to subscribe to real-time alerts and daily summaries of blocked/redacted access attempts via email/SMS/in-app notifications. Allow facility-level overrides and per-resident exceptions with audit trails for all policy changes.
Let recipients acknowledge or send a quick ‘Thanks’ right on the link—no app required. Acks post back to the resident timeline and feed Delta Highlights, signaling to staff that the update was received and reducing follow-up calls.
Generate unique, expiring, recipient-scoped tokens appended to outbound update links (email/SMS) that enable one-tap acknowledgment without login. Tokens are HMAC-signed, time-bound, and tied to a specific update and recipient to prevent replay and spoofing. Backend validates token scope, enforces rate limits, and guarantees idempotent processing of acks. Includes endpoints to issue, validate, and consume tokens; supports revocation, configurable expiry windows, and channel attribution for analytics. Ensures minimal PII in links and server-side mapping to approved contacts.
Deliver a lightweight, mobile-first web page that loads from the shared link and presents large, accessible buttons for “Ack” and “Thanks,” with an optional short note (up to 120 characters). No account or app install required; auto-associates identity from the token and pre-fills known display name when available. Handles expired/invalid link states with clear guidance, prevents duplicate submissions, and shows a confirmation receipt. Meets accessibility (WCAG 2.1 AA), supports localization, and targets sub-1s first contentful paint on 4G. Captures device/channel metadata and consent to display name where policy allows.
On successful acknowledgment, create a structured event on the resident’s timeline with reaction type, timestamp, optional short note, and the actor’s masked identity per policy. Update Delta Highlights with acknowledgment metrics (count per update, time-to-first-ack) and surface an ack badge on the originating update. Ensure deduplication via idempotency keys, correct chronological ordering, and near-real-time propagation to staff views. Respect data retention settings and avoid exposing other recipients’ identities in family-facing contexts.
Provide clear indicators in staff dashboards showing per-update acknowledgment status, counts, and first-ack time. Offer configurable alerts when no acknowledgment is received within a set window or when the first acknowledgment arrives, delivered via in-app badge and optional push/email. Add filters and sorting for unacknowledged updates to prioritize follow-up. Display who acknowledged (name/relationship) to staff according to permissions, while keeping family recipients anonymous to one another.
Enable organization- and resident-level settings to turn Link Ack on/off, select allowed reactions (“Ack,” “Thanks”), toggle optional notes, configure token expiry and resend behavior, and define notification thresholds. Provide default copy and branding for the web ack page, plus customization for language and accessibility. Enforce consent and privacy rules (e.g., whether to display recipient names to staff) and support audit-ready exports of configuration changes.
Track and report acknowledgment KPIs, including ack rate per update, time-to-first-ack, channel performance (email vs SMS), and engagement by unit/facility. Provide trend charts and CSV export, and attribute impact to operational outcomes such as reduced inbound calls and faster handoffs. Integrate metrics into Delta Highlights summaries and allow drill-down from facility level to resident and update. Ensure aggregation and anonymization where required by policy.
Enforce end-to-end HTTPS, strict CSP, and no third-party trackers on the ack page. Store minimal PHI in transit and at rest; keep tokens opaque and short-lived. Log token issuance, validation, and acknowledgment events with timestamps, actor mapping, and hashed IP/device fingerprints for fraud detection. Provide auditable trails and retention controls aligned with regulatory requirements. Prevent enumeration of recipients or updates, and ensure CSRF protection and bot mitigation on ack endpoints.
Instantly invalidate any active SafeShare links for a resident or specific update with a single action (optional DuoTap for sensitive items). The change takes effect immediately and is fully logged, offering a fast, safe response if circumstances change.
Provides a server-side revocation mechanism that immediately invalidates active SafeShare tokens and pre-signed URLs within seconds of activation. Ensures denial of access at API, CDN, and media layers using token versioning and blacklist checks to prevent race conditions and replays. Integrates with KinLoop’s SafeShare service to dispatch revocation events to clients and edge caches, guaranteeing no residual access after the action completes. Surfaces success and failure states in the UI, with clear counts of links affected and robust error handling.
Enables precise selection of revocation scope from Panic Revoke, supporting resident-level (all active links for a resident) or update-level (one or more specific updates). Previews the number of links to be invalidated before confirmation, supports bulk operations with progress feedback, and guarantees idempotency. Honors assignment boundaries so users can only revoke within residents they are permitted to manage. Provides API parity for programmatic use cases.
Introduces an accessible two-tap confirmation pattern to reduce accidental activation for sensitive scopes (resident-level revokes and updates tagged as sensitive). The second tap reiterates scope, impact, and link count, with large touch targets, haptic/audio feedback, and keyboard alternatives. Admin policy controls when DuoTap is required (always, sensitive only, or off). Records confirmation intent in the audit trail.
Propagates revocation instantly across delivery paths, including CDN edges, push deep links, and email links. Purges caches, revokes pre-signed media URLs, and closes active sessions or streams where applicable. Displays a neutral, branded link-expired page to recipients that reveals no PHI, while staff see clear confirmation that propagation completed. Provides a progress indicator until end-to-end confirmation and actionable errors with retry when propagation cannot be verified.
Creates a tamper-evident audit record for every revoke, including actor identity, role, scope and target details, timestamp, reason code and notes, affected link IDs, originating IP/device, and result. Stores entries in an append-only ledger with retention aligned to compliance policies. Provides searchable views, exports, and SIEM-friendly event streams for compliance and incident review.
Restricts Panic Revoke to authorized roles and assigned residents, with optional step-up re-authentication for high-risk actions and recent session inactivity. Applies configurable rate limits and cooldowns to prevent misuse or mass errors, returning clear, localized messages when blocked. Integrates with existing RBAC, SSO, and session management, and logs all policy denials for oversight.
A step‑by‑step, first‑week simulation that walks new Snapshot Aides through mock resident rounds on real devices. Trainees practice one‑tap photos, voice‑to‑text notes, CareTag Shortcuts, and auto‑blur decisions with instant, plain‑language feedback. Scenarios mirror Memory Care, Assisted Living, and Rehab units so staff build confidence where they actually work—no trainer shadowing required.
Provide a curated library of training scenarios tailored to Memory Care, Assisted Living, and Rehab units. Each scenario mirrors real shift workflows (e.g., morning hygiene snapshot, mealtime check-in, PT session handoff) with clear success criteria for photo capture, voice-to-text notes, CareTag Shortcut selection, and blur decisions. Scenarios can be sequenced into a “first week” plan, randomized to prevent rote memorization, and parameterized for difficulty (time limits, noise levels, lighting). The library reuses KinLoop’s production UI components in a read-only training mode to build muscle memory without risking production data. Content is versioned, allowing administrators to publish updates and unit-specific variations while maintaining an audit trail.
Deliver an interactive, on-device guide that overlays coach marks and checklists on the live app, leading trainees through each step: open Snapshot, take a one-tap photo, dictate a note, choose CareTag Shortcuts, and make blur decisions. The walkthrough gates progress until required actions are completed, supports back/skip with confirmations, provides haptic and visual confirmations, and gracefully handles interruptions (lock screen, calls). It operates offline-first and detects device capabilities to adapt prompts. The guide uses plain language with large tap targets and accessibility support to ensure adoption for tech-light staff.
Implement a sandbox mode for camera and voice-to-text that mimics production behavior while ensuring no protected or training data leaves the device. All captured media is stored in encrypted, ephemeral storage and auto-deleted at session end. A built-in gallery of test images/videos and synthetic faces allows practice when live capture is impractical. Voice-to-text uses the same pipeline and UI as production but flags sessions as training to isolate telemetry. The sandbox enforces clear watermarks and headers to avoid confusion with live updates and never posts to family feeds or care timelines.
Provide an interactive module that teaches proper blurring decisions using consent-aware scenarios. The system highlights detected faces and objects, prompts the trainee to choose blur levels, and cross-references a mock consent roster to simulate real compliance decisions. It offers side-by-side previews (blurred vs. original), explains the rationale for correct choices in plain language, and scores accuracy and speed. Edge cases include partial profiles, background bystanders, and low-light images. Guidance aligns with facility policy configurations so that feedback is consistent with actual compliance standards.
Create targeted drills for selecting CareTag Shortcuts quickly and correctly based on scenario cues (e.g., hydration, mobility assist, mood). Drills present timed prompts, suggest best-practice tag combinations, and validate against unit-configured rules. The system surfaces tips when incorrect tags are chosen and tracks improvement over repeated attempts. Results feed into overall training scores and help standardize documentation language across teams.
Integrate a rules-driven engine that validates actions in real time and returns plain-language feedback (e.g., “Great lighting—faces clear,” “Try adding a CareTag for mobility assist”). The engine aggregates per-step and per-session scores, supports streaks and retries, and provides tailored remediation suggestions with links to micro-tips. Rubrics are configurable by administrators to reflect policy and unit norms. Session summaries include strengths, gaps, and suggested next scenarios, and scores are securely logged for analytics.
Track trainee progress across scenarios, attempts, scores, and completion times; surface cohort and unit-level insights to administrators. Provide dashboards, CSV export, and alerts for overdue first-week milestones. When trainees meet configurable thresholds (e.g., minimum scores across required scenarios), automatically issue a “Guided Rounds Ready” badge on their KinLoop staff profile. Maintain an audit log of completions and refresh intervals to support re-certification and policy changes. Access is role-based to protect trainee privacy and compliance data.
A training‑only environment that mirrors live capture and sharing but never publishes to families. Staff can see a ShareSafe preview, trigger Consent Gate checks, and test Incident Freeze without risk. Missteps are highlighted with what to fix and why, so learners practice freely and retain compliant habits faster.
Provide a dedicated training-only mode that mirrors all capture and compose flows while guaranteeing no content is ever published to families. Implement an end-to-end “sandbox” flag propagated from client to backend services, storing training artifacts in segregated data stores/queues and disabling all outbound delivery channels (push, email, digest generation). Display persistent, high-contrast “Training—Not Sent to Families” indicators and watermark previews. Enforce identical encryption, access controls, and audit logging as production while preventing cross-environment data mixing. Support offline use with sandbox-scoped caches. Apply automatic retention (e.g., 30 days) and secure purge for all sandbox data. Provide admin controls to enable/disable Sandbox SafePost per site and role, and expose environment state via telemetry for compliance verification.
Render a pixel-accurate preview of what a family would see for posts created in Sandbox SafePost, using the same templating, formatting, captions, timestamps, auto-blur indicators, and digest batching logic as production but with delivery disabled. Include device-specific previews (mobile push, email digest excerpt, portal view) and accessibility elements (alt text, screen reader order). Surface the “would-be recipients” list using simulated or empty recipients and clearly label as training. Implement automated parity checks against production renderers to detect drift when new styles or components ship.
Simulate the Consent Gate checks using synthetic rosters and configurable consent states (photo allowed/denied, group visibility, HIPAA-sensitive flags) to reproduce real error and warning conditions. Allow trainers to toggle resident consent scenarios and attach them to practice sessions. When a violation is detected, present the exact policy rule, the impacted element (e.g., resident face, name in caption), and actionable steps to resolve (retag, crop, remove PII, adjust audience). Mirror production API response structures and edge cases (mixed consents in group photos, revocations mid-session) without exposing real PHI.
Enable learners to trigger a simulated incident event that immediately freezes related media and notes in the sandbox, disables sharing, and guides them through the incident workflow steps. Include timers, escalation prompts, and supervisor notification simulations. Lock editing per policy while allowing required incident metadata entry. Provide clear visual states for “Frozen” items and a rehearsal of unfreeze/closure when supervisor approval is simulated. Ensure no data exits the sandbox, and log user actions for review.
Detect training missteps in real time—such as missing resident tags, unclear or PII-containing captions, non-consenting faces, or inappropriate audience selection—and surface inline coaching cards that explain what to fix and why, with one-tap fixes where possible. Classify feedback by severity (blocker, warning, tip), localize messages, and link to policy micro-lessons. Capture telemetry on missteps and resolutions for trainer analytics. Run checks on-device when feasible to preserve responsiveness, falling back to sandbox services as needed.
Provide a practice workflow for auto-blur and manual redaction using test media. Run the same face/person detection models as production, display confidence levels, and allow users to accept/reject auto-blur, brush to redact sensitive areas (names on badges, screens), and compare before/after. Persist practice outcomes for trainer review while ensuring all derivatives remain in sandbox storage. Support low-end device performance with progressive rendering and allow retry with different lighting/background examples.
Deliver a trainer dashboard that aggregates sandbox session metrics per learner and cohort: sessions completed, scenario coverage, misstep types/frequency, time-to-fix, pass/fail on required drills (Consent Gate, Incident Freeze, Auto-Blur). Provide export (CSV), filters by site/role/date, and automated completion badges that sync to Admin. Exclude PHI and use pseudonymous identifiers. Respect role-based access and SSO. Offer alerts for learners who stall or repeatedly fail specific checks to target coaching.
Interactive micro‑scenarios that build muscle memory for Scope Templates, Renewal Radar, DuoTap approvals, and FaceLink matches. Examples like “non‑consenting face detected” or “consent expiring today” teach the right next tap and policy rationale. Reduces audit findings by making compliance second nature before going live.
Core engine to render interactive, sub‑60‑second micro‑scenarios that mirror KinLoop workflows (Scope Templates, Renewal Radar notices, DuoTap approvals, FaceLink matches). Simulates system states such as “non‑consenting face detected,” “consent expiring today,” or “missing scope,” with one‑tap choices that match production UI. Provides instant, actionable feedback and the correct next tap, including micro‑explanations and links to the relevant policy. Runs on-device, supports offline mode with pre‑cached scenarios, and uses synthetic resident profiles and media to avoid PHI. Tracks step accuracy, time to resolution, and hesitation points for analytics. Integrates with existing navigation and component libraries to ensure consistency and low maintenance.
Embeds facility‑specific consent rules and Scope Templates into the drills, emulating production decision logic (e.g., allowed media types, approver roles, consent expirations, DuoTap thresholds). When a learner selects an incorrect action, provides the policy rationale, a brief plain‑language explanation, and links to the relevant clause or renewal process. Supports versioned policy bundles per facility and per state, with effective dates and rollback. Syncs with Renewal Radar to reflect real expiration logic and warning windows. Ensures drills stay aligned with compliance changes without app updates via remote configuration.
Surfaces “Practice this” entry points exactly where users encounter consent tasks in KinLoop (e.g., after a FaceLink non‑consent alert, within a DuoTap approval screen, or when Renewal Radar flags an expiring consent). Deep links open a matching drill with the same UI controls and decisions, then return the user to their original task. Includes scheduled nudges for upcoming expirations and first‑day onboarding flows. Respects shift mode and quiet hours, and degrades gracefully on low bandwidth. Admins can target launchers by role, unit, or competency gaps.
Adapts drill frequency and difficulty per user based on accuracy, response time, and error types. Implements spaced repetition to resurface weak concepts (e.g., scope exclusions, renewal timing) until mastery. Provides short mastery streaks, gentle reminders, and optional weekly micro‑reviews. Stores per‑skill competency scores and decays them over time to re‑prompt. Timeboxes sessions to stay under 60 seconds, supporting tech‑light environments and minimizing workflow disruption.
Delivers dashboards and exports covering drill participation, completion rates, accuracy by rule type, time‑to‑correct, and repeat errors. Provides filterable views by facility, unit, role, and date range, with cohort comparisons pre‑ and post‑policy changes. Generates audit‑ready evidence packs (CSV/PDF) mapping competencies to policy clauses and renewal outcomes. Sends proactive alerts when teams fall below mastery thresholds for high‑risk scenarios. Supports de‑identified rollups by default, with RBAC‑gated access to named user views.
Provides a browser‑based and in‑app editor for ops/compliance to create, localize, and version micro‑scenarios without engineering. Authors can select templates (FaceLink, Renewal Radar, DuoTap), define correct/incorrect paths, attach rationale text, and upload or choose synthetic media. Supports preview in production UI skin, review/approve workflow, and rollout scheduling with targeted audiences. Maintains version history with audit logs and quick rollback. Validates scenarios against current policy bundles to prevent contradictions.
Ensures drills never expose PHI by using synthetic resident identities, AI‑generated or stock faces, and placeholder names. Enforces automatic face blurring in all training images/videos by default, with FaceLink‑like detection to simulate non‑consenting faces. Segregates training telemetry from production records, applies data minimization and 30/90‑day retention policies, and encrypts at rest/in transit. Provides clear consent notices for staff training analytics and RBAC to restrict access. Aligns with HIPAA, state privacy rules, and facility policies.
Bite‑size, on‑screen nudges that appear at the moment of need—suggesting tags, reminding about ShareSafe Mode, or prompting clearer voice‑to‑text. Tips adapt as skill grows and can be played as quick audio for tech‑light staff. Learners get just‑in‑time guidance without leaving their flow, shortening the path to proficiency.
A low-latency decision layer that listens to KinLoop app events (e.g., photo capture start, mic activate, tag field focus, ShareSafe state changes, error patterns), user attributes (role, tenure), and environment signals (connectivity, time of day) to determine when and where to surface TapCoach nudges. Must inject tips as non-blocking overlays within 150 ms, respect critical workflows (e.g., emergencies) by suppressing tips, and degrade gracefully offline. Implements configurable rule-based triggers with a pluggable strategy interface for future ML. Persists per-user tip impressions, dismissals, and outcomes for analytics while keeping all decisions on-device to protect PHI. Serves as the foundation enabling moment-of-need guidance without disrupting caregiver flow.
A personalization layer that models per-user proficiency for key skills (tagging, ShareSafe usage, dictation) and adapts tip content, sequence, and frequency accordingly. Hides mastered tips, introduces advanced hints as competency grows, and re-surfaces basics after inactivity. Uses lightweight, privacy-preserving telemetry (impressions, actions, completion times) stored locally with periodic aggregated sync. Supports facility-level policies and role-based presets (caregiver vs. admin). Ensures transparent behavior with a simple "Why this tip?" explainer on each nudge.
Audio-rendered versions of each TapCoach tip optimized for tech-light users: a prominent play button, 3–5 second voice guidance, and offline caching for reliability in low-connectivity facilities. Uses on-device TTS where available; falls back to pre-generated audio packs. Respects device volume, Do Not Disturb, and accessibility settings. Allows replay and slower playback. Localized content and simple language ensure quick comprehension without leaving the task flow.
Real-time prompts that encourage enabling ShareSafe (auto-blur for non-consenting faces) during photo/video capture and attachment. On-device face detection warns when ShareSafe is off and likely non-consenting faces are present, offering a one-tap toggle and brief compliance rationale. Applies cooldowns to avoid repeated prompts, confirms when ShareSafe is enabled, and never uploads media for detection. Integrates with existing auto-blur pipeline and resident consent records to reduce risk and speed compliant handoffs.
Contextual hints that suggest 1–3 relevant tags while composing updates, based on detected keywords from voice-to-text, recent resident context, and media type. Provides one-tap apply with clear rationale (e.g., "heard ‘med pass’"). Runs on-device using lightweight rules and phrase lists initially, with a pluggable interface for future ML models. Optimized for low-end devices and offline operation. Logs acceptance and dismissal to improve precision and measure time saved, without auto-applying to preserve user control.
Subtle, real-time nudges that improve dictation quality: prompts about mic distance, background noise, speaking resident names, and using clear sentence starters. Detects low input volume, prolonged silence, or repeated corrections and surfaces unobtrusive tips with quick actions like "Retry last sentence". Provides example phrasing and optional short audio guidance. All analysis remains on-device; respects privacy and accessibility settings to avoid recording beyond dictation intent.
Global controls that prevent over-notifying and build trust: per-tip cooldown windows, session caps, shift-long snooze, and honoring Do Not Disturb. Suppresses tips during sensitive workflows (e.g., medication pass, active call). Remembers dismissals for a configurable period and optionally captures a quick reason to improve future relevance. Exposes facility-level defaults for administrators while keeping user-level preferences simple and discoverable.
Role‑aware checklists auto‑generated from schedule and unit via RoleSmart Mapping, e.g., “3 Guided Rounds in Memory Care,” “1 ShareSafe post,” “Run an Incident Freeze drill.” Progress, due dates, and blockers are visible to the Onboarding Guide, keeping everyone aligned and reducing trainer follow‑ups.
Build a rule-based mapping engine that auto-generates role-aware checklists from schedule, unit assignment, and care program metadata. Inputs include staff role, shift schedule, unit (e.g., Memory Care), resident roster flags, and compliance requirements. Outputs a per-user daily checklist composed of items like “3 Guided Rounds in Memory Care,” “1 ShareSafe post,” or “Run an Incident Freeze drill.” Supports rule conditions, frequencies, per-shift quotas, dependencies, and effective dates. Integrates with KinLoop’s posting and Incident Freeze modules to create linked tasks and keeps lists in sync when schedules or assignments change. Reduces manual setup, improves consistency, and ensures the right work is surfaced automatically.
Automatically assign checklist items to individuals based on active shift and unit location, with configurable start times, due windows, and recurrence (per shift, daily, weekly). Enforce timeboxing (e.g., 3 rounds distributed across the shift) and unit-specific caps. Handle reassignment for call-offs or schedule changes via API/CSV imports or native scheduler integration. Surface due/overdue states in app and API. Ensures the right task is due at the right time without manual chasing.
Provide real-time tracking of completed, in-progress, and blocked items at the item, checklist, and user levels. Each item supports quick-complete, notes, photo/voice-to-text evidence, and blocker reasons with required fields (e.g., resident asleep, supply unavailable). Allow tagging blockers to residents or locations and attach media. Maintain immutable timestamps, actor, and location metadata for auditability. Expose progress and blockers to Onboarding Guides and admins to reduce trainer follow-ups and enable timely support.
Deliver a role-specific dashboard for Onboarding Guides showing trainee progress, due items, blockers, and SLA breaches across units. Provide drill-down to individual checklists and evidence, quick nudge actions, and assignment adjustments. Include filters by role, shift, unit, and date, plus exportable progress summaries for supervisor reviews. Integrates with notifications and RoleSmart mapping to reflect changes immediately and streamline onboarding oversight.
Send context-aware reminders to assignees based on due windows and completion pace (e.g., prompt when only 1 of 3 rounds is logged mid-shift). Provide overdue alerts and escalation to Onboarding Guides or charge nurses for persistent blockers. Respect quiet hours and notification preferences. Support in-app and push notifications, with optional SMS based on org settings. Record reminder delivery and user responses for accountability.
Enable attaching photos and voice-to-text notes to checklist items with automatic enforcement of KinLoop’s auto-blur for non-consenting faces and PHI minimization. Prevent publishing to family feeds unless required compliance checks pass and faces are cleared. Store media with secure access controls tied to checklist permissions. Ensures dignity, compliance, and safe handoffs when tasks involve resident content.
Support full checklist interaction offline, including viewing assigned items, logging rounds, capturing notes and media, and marking blockers. Implement conflict-aware sync that merges updates, preserves sequence and timestamps, and surfaces conflicts for resolution. Use lightweight, encrypted local storage with per-facility data retention controls. Guarantees continuity in low-connectivity environments common in assisted living.
A visual dashboard scoring each learner on time‑to‑capture, tag coverage, consent accuracy, and error resolution in the sandbox. It recommends the next best drill, flags who’s live‑ready, and produces exportable proof for HR orientation completion. Supervisors focus coaching where it matters and cut ramp time.
Implements a configurable scoring model that calculates an objective readiness score per learner using four core metrics sourced from the KinLoop training sandbox: time‑to‑capture latency, tag coverage completeness, consent accuracy rate, and error resolution efficiency. Supports per-session, 7/14/30‑day rolling windows, and cohort benchmarks. Weightings, thresholds, and pass/fail rules are admin-configurable at org and site levels. Persists score histories for trends, exposes read APIs for the dashboard, and emits events for certification and recommendations. Ensures metric normalization, fairness checks, and localization of labels. Integrates with the auto‑blur service and consent ground truth to validate accuracy and with KinLoop identity services for learner mapping.
Builds a resilient, near‑real‑time pipeline that ingests sandbox events (capture start/submit timestamps, tags applied, consent labels, blur outcomes, error events and their resolution) into Readiness Radar. Guarantees idempotent processing, schema versioning, and at‑least‑once delivery with de‑duplication. Targets end‑to‑end latency under 5 seconds and provides backfill for historical sessions. Applies PII minimization, encryption in transit/at rest, and site scoping. Exposes a monitoring panel with alerts and retry tooling to keep the dashboard data fresh and trustworthy.
Delivers targeted drill recommendations per learner by identifying metric deficits (e.g., slow time‑to‑capture, low tag coverage, consent errors) and mapping them to drills with step‑by‑step guidance. Combines rules with optional ML ranking, ensures explainability (‘recommended due to repeated consent misses’), and respects supervisor overrides, site policies, and device availability. Tracks acceptance and completion, prevents repetition fatigue, and supports A/B tests to measure ramp‑time impact. Integrates with notifications to nudge learners and with the scoring engine to update readiness post‑drill.
Evaluates learners against configurable readiness thresholds and required drills, then issues a certification status with audit evidence. Generates exportable proof for HR orientation completion in PDF/CSV and via a secure API, including learner identifiers, scores, drill history, dates, supervisor sign‑off, and a tamper‑evident watermark. Supports e‑signature capture, revocation/recertification, renewal reminders, and multi‑site reporting. Aligns with HRIS integrations and maintains an immutable audit trail for compliance.
Provides a responsive dashboard with cohort overviews, color‑coded readiness bands, trend sparklines, and sortable leaderboards. Offers advanced filters (site, shift, role, trainer, date range) and quick views for metric deficits (e.g., consent accuracy < 95%). Enables drill‑down to session details with annotated errors and before/after blur examples. Supports CSV/PDF export of filtered views, saved filter presets, and shareable supervisor links with access controls. Optimized for tablet use on the floor and meets accessibility standards.
Adds a validation module that compares learner consent tagging against ground truth and checks auto‑blur outcomes for false positives/negatives. Surfaces misclassifications with visual exemplars, explains the correct action, and assigns remediation drills. Flags severe privacy misses for supervisor review and tracks remediation completion. Aggregates consent accuracy into the readiness score and enforces minimum standards before certifying live‑ready. Integrates with the vision service, sandbox labeling tools, and compliance reporting.
Implements fine‑grained RBAC for learners, supervisors, admins, and HR roles with site‑level scoping. Restricts access to PII and consent exemplars to authorized users, supports SSO, and logs all sensitive actions (score changes, certification issuance, exports, overrides) with timestamp, actor, and reason codes. Provides exportable audit logs, retention policies, and data subject access tooling. Ensures the Readiness Radar aligns with KinLoop’s privacy model and regulatory obligations.
A shift‑change simulator for Shift Relay Leads that practices approvals, Delta Highlights scanning, Priority Queue ordering, and Audio Brief creation. Trainees learn to standardize handoffs and spot misses in minutes. Families get clearer digests from day one while after‑hours callbacks drop sooner.
Provide a rehearsal environment that mirrors the live Shift Relay experience using synthetic or fully de-identified resident data, sample photos with auto-blur, and mock activity feeds. The sandbox supports full practice of approvals, Delta Highlights scanning, Priority Queue ordering, and Audio Brief creation without writing to production timelines or exposing PHI. Role-based access limits usage to Shift Relay Leads and trainers. Scenarios are prebuilt and configurable to reflect facility policies, acuity mixes, and common edge cases (e.g., missing consent, conflicting priorities). Session data is ephemeral, instrumented for training analytics, and isolated from family-facing digests, ensuring compliance while accelerating onboarding.
Embed an in-session guidance layer that provides step-by-step prompts, checklists, and automated checks as trainees conduct simulated handoffs. The system detects misses (e.g., unapproved updates, overlooked Delta Highlights, incorrect queue order, incomplete Audio Brief structure), surfaces corrective tips, and calculates a standardized score with category breakdowns and rationales. Post-run summaries include time-to-complete, error heatmaps, and suggested micro-lessons. Coaching rules are driven by facility-configured rubrics and integrate with the sandbox telemetry to personalize feedback and accelerate skill standardization.
Deliver an admin configuration module where facility leaders define handoff standards that power the simulator and evaluation engine. Inputs include approval checklists, Delta Highlight criteria and thresholds, priority queue weightings and tie-break rules, and the required Audio Brief template (e.g., SBAR). Policies are versioned, scoped to units or shifts, and previewable in the sandbox. The simulator consumes these configurations at runtime to evaluate trainee actions consistently, enabling multi-facility rollouts with local variations and ensuring training remains aligned with evolving compliance and operational expectations.
Offer an interactive exercise where trainees order a dynamic list of resident updates into a Priority Queue under time constraints. The drill presents realistic signals such as fall risk flags, med windows, family SLA commitments, and overnight deltas. Trainees arrange items via drag-and-drop, apply facility-specific tie-break rules, and submit for instant evaluation against the configured rubric. The system explains discrepancies, highlights conflicting cues the trainee missed, and tracks improvement over repeated attempts.
Create a focused module that presents shift notes, observations, and media for a resident set and asks the trainee to select the correct Delta Highlights. The trainer provides optional ML-suggested candidates with reasoning, requires confirmation or rejection, and measures precision, recall, and critical-miss rates against a gold standard derived from policies. Immediate feedback explains why each highlight mattered, with links to policy references and similar past scenarios to reinforce pattern recognition.
Enable trainees to record a structured Audio Brief within the simulator using a facility-defined template (e.g., SBAR), with live transcription, length targets, and quality hints (pace, filler words, missing sections). The tool supports re-recording, quick edits to the transcript, and playback for self-review or mentor feedback. All audio and text remain in the sandbox, with privacy safeguards and no downstream distribution to families. Guidance ties back to the rubric, ensuring trainees practice the exact briefing style required in production.
Provide dashboards for trainees and administrators showing attempt counts, scores by competency (approvals, deltas, priority, audio), time trends, and readiness indicators. Define pass thresholds and auto-issue completion certificates when criteria are met, with exports to staff records. Notify admins of trainees who are stalled or excelling, and suggest targeted drills. All training events are audit-logged for compliance, enabling evidence of standardization and tying improvements to reduced family callbacks and faster shift transitions.
Surfaces the three most likely CareTags at capture based on time of day, location (e.g., dining room vs. therapy room), recent notes, and each resident’s care plan. Snapshot Aides tap once instead of scrolling, boosting speed and consistency. Fewer missed tags mean cleaner analytics and clearer family digests without extra effort.
Aggregate and normalize contextual signals required for SmartSuggest, including time of day, facility/room location, resident identity, recent notes and CareTags, shift information, and structured care-plan data. Provide a lightweight, low-latency context service accessible from the capture screen that delivers a feature vector within strict SLAs to support real-time inference. Implement data adapters to existing KinLoop services and device sensors, with schema versioning, caching, and graceful degradation when certain signals are unavailable. Ensure event logging and traceability for debugging, with minimal battery and bandwidth impact. Expected outcome is a reliable, consistent context layer that materially improves suggestion relevance and enables downstream prediction and analytics.
Enforce privacy and care-plan constraints in SmartSuggest by filtering out any CareTags that conflict with resident consent settings, privacy flags, or plan-of-care restrictions before suggestions are rendered. Integrate with KinLoop’s consent registry and care-plan store to reflect updates in near real time, and maintain an auditable decision trail indicating which rules affected each suggestion. Include configurable facility-level policies and default safe fallbacks. Expected outcome is consistently compliant suggestions that reduce staff error risk and support regulatory audits without adding friction for Snapshot Aides.
Produce the three most likely CareTags for a resident at capture time using a ranking model that consumes contextual signals from the aggregation layer. Meet sub-150ms p95 latency for on-device or edge inference with deterministic ordering and confidence scores. Provide thresholding and fallback logic to default tag sets when confidence is low, plus feature flags for safe rollout and A/B testing. Support multilingual tag labels and taxonomy versioning so predictions remain stable across updates. Expected outcome is highly relevant, instantly available suggestions that reduce scrolling, increase tagging consistency, and improve downstream analytics and family digests.
Deliver an accessible, unobtrusive UI component in the capture screen that presents the predicted CareTags as tappable chips with clear labels and optional icons. Ensure single-tap application with immediate visual confirmation, haptic feedback, and undo. Position and size chips to avoid interfering with the camera shutter and note entry, honoring WCAG contrast and touch target guidelines. Include a lightweight “why suggested” hint for transparency without slowing the flow. Instrument interactions for analytics while preserving performance. Expected outcome is faster, more satisfying tagging with minimal cognitive load for aides.
Continuously improve suggestion relevance by learning from user interactions, including which suggestions are tapped, ignored, or replaced with manual tags. Maintain per-resident, per-facility, and global preference signals with privacy-aware aggregation. Implement a lightweight bandit or re-ranking layer that boosts likely tags based on recent outcomes, with safeguards against bias and drift. Support cold-start heuristics using care plans and location defaults, and allow opt-out at facility level. Expected outcome is steadily increasing precision and user trust as SmartSuggest adapts to local workflows and resident patterns.
Ensure SmartSuggest functions reliably without stable internet by packaging a compact on-device model, caching recent context features, and precomputing fallback suggestion sets per resident. Detect connectivity state and degrade gracefully while maintaining sub-150ms local inference and queuing telemetry for later sync. Manage cache staleness with time-to-live rules and secure storage. Expected outcome is uninterrupted one-tap tagging during rounds, even in dead zones, preserving speed and data completeness.
Provide administrator tools to tune SmartSuggest and monitor performance. Include settings for location-to-tag mappings, confidence thresholds, and eligible tag pools by unit. Expose dashboards for accuracy, coverage, time-to-tag, and top missed or overridden suggestions, with drill-down by resident and shift while respecting privacy. Offer export and alerting when accuracy drops or taxonomy changes impact suggestions. Role-based access ensures only authorized users can modify behavior. Expected outcome is controllable, transparent operation that aligns with facility goals and demonstrates measurable value.
Role- and unit‑aware bundles of curated CareTags (e.g., Memory Care AM, Rehab PM) that auto-load for the right staff via RoleSmart Mapping. Onboarding Guides create and publish packs in minutes; Snapshot Aides see only what’s relevant, cutting hunt time and standardizing language across shifts.
A guided admin experience for Onboarding Guides to create, curate, and publish bundles of CareTags as named Tag Packs scoped by facility, unit, shift, and role. Provides drag-and-drop ordering, category grouping, metadata (e.g., AM/PM/NOC), duplication detection, and validation against retired or restricted CareTags. Includes draft, review, schedule, and publish states with template starters and preview-as-user to see exactly how packs render in the Snapshot Aide mobile view. Published packs propagate to devices via KinLoop’s sync service and integrate with RoleSmart Mapping to determine eligibility, triggering notifications to affected staff upon changes.
A rules engine that assigns Tag Packs to staff based on role (e.g., Snapshot Aide, Nurse), unit (e.g., Memory Care, Rehab), shift window, and optional attributes (e.g., float status, language). Supports rule precedence, conflict detection with resolution suggestions, and a default fallback pack when no rules match. Provides a test/simulation mode to input a user and context and preview the resulting pack set. Fully audited edits and seamless integration with the Pack Builder to reference eligible roles/units and validate mappings before publishing.
Mobile client behavior that auto-loads the correct Tag Pack upon login and whenever the user’s role, unit assignment, or shift changes, showing only relevant CareTags in capture screens. Includes a quick-switch control for multi-role or float staff, a temporary override with auto-expiry, and visual confirmation of active pack. Provides offline resilience by caching last-known eligible packs and deferring updates until connectivity returns. Integrates with RoleSmart Mapping for eligibility and with local device storage for instant performance.
End-to-end version control for Tag Packs with immutable history, semantic versioning, change summaries, and the ability to roll back to a prior version instantly. Supports scheduled effective dates/times, canary rollouts to selected units, and deprecation flags for phased transitions. Ensures version compatibility with RoleSmart Mapping rules and propagates lightweight deltas to clients to minimize bandwidth. Surfaces version badges in the mobile UI so staff can confirm they’re on the latest standard.
A synchronization layer that prefetches and caches Tag Packs on devices based on upcoming shifts and assignments, with bandwidth-aware downloads, content hashing for integrity, and incremental updates. Supports graceful degradation when networks are slow or offline, local encryption at rest, and cache invalidation upon publish or mapping changes. Provides telemetry on sync success and stale cache detection to alert admins of distribution issues across facilities.
Granular permissions that restrict who can create, edit, approve, and publish Tag Packs, aligned to KinLoop’s RBAC model. Requires approval workflows for high-impact changes, captures an immutable audit trail (who, what, when, why) for both pack edits and mapping changes, and exports reports for regulatory reviews. Avoids PHI by logging tag IDs and metadata only, enforces retention policies, and integrates with Single Sign-On and multi-site administration.
Privacy-safe analytics that measure Tag Pack effectiveness, including tag usage frequency, time-to-first-tag, search/no-hit rates, and cross-shift consistency. Provides dashboards and CSV export, highlights stale or unused tags, recommends merges or reordering to reduce hunt time, and tracks impact after changes. Aggregates by facility, unit, role, and shift without exposing resident data, and allows admins to opt-in/opt-out per site.
One tap applies a configurable set of commonly paired tags (e.g., Morning ADL: Hydrated, Groomed, Meds Given). Each tag still logs individually for analytics and digests. Speeds routine documentation while preserving granular reporting and compliance clarity.
Provide a facility-level library of QuickBundles that can be created, edited, cloned, and versioned by authorized staff. Bundles consist of a named set of existing tags with optional default notes and ordering. Versioning maintains historical records of bundle composition for auditability; applying a bundle references the version used. Support facility-wide bundles and unit-specific bundles; caregivers can favorite bundles for faster access. Validation ensures only active tags are included and prevents deletion of tags in active bundles. Changes propagate without altering past logs. Import/export capability allows seeding from templates across facilities.
Single tap applies a selected QuickBundle to the current resident and shift context, logging each contained tag individually. A lightweight preview sheet shows included tags with the ability to deselect items and add notes in-line; default notes from the bundle are pre-filled. Provide a one-tap Undo within a configurable window and an edit window based on role permissions; undo reverses all associated tag entries atomically. Include haptic feedback, clear confirmations, and a progress indicator; maintain sub-200 ms tap-to-preview responsiveness on supported devices. Support keyboardless operation and large-touch targets for speed and accessibility.
Applying a QuickBundle creates discrete log entries for each tag with timestamps, author, resident, location, and a bundle_id and bundle_version reference for traceability. If a tag in the bundle has already been logged for the resident within a configurable time window, de-duplication prompts the user or auto-skips per facility policy while recording a skip_reason. All entries are immutable after the edit window and visible in audit reports, preserving compliance clarity that each tag was individually recorded even when applied via QuickBundle.
Enforce permissions so that only designated roles can create, edit, or delete QuickBundles, while caregivers can apply approved bundles. Bundle visibility can be scoped by facility, unit, role, and resident attributes to prevent misuse. Application and management actions are logged with user identity for accountability. Feature flags enable gradual rollout per site without impacting existing workflows.
QuickBundle application works without network connectivity by queuing per-tag log entries locally under a single bundle transaction envelope. On reconnection, a sync process posts entries with idempotent keys to prevent duplicates from replays, resolves conflicts with server-side validation and de-duplication rules, and maintains original timestamps. The UI clearly shows offline state and pending sync, with automatic retries and user notification on errors requiring attention.
Per-tag entries generated via QuickBundle are included in daily/weekly family digests and internal dashboards exactly like manually-added tags, while preserving a reference to the originating bundle for internal analytics. Digest rendering groups related events for readability without obscuring individual tags. Analytics report bundle adoption, time saved, tag frequency, and de-dup rates by unit and shift, enabling continuous optimization of bundle composition.
Ensure the QuickBundle flow meets defined non-functional standards: sub-200 ms tap-to-preview, sub-500 ms apply under normal network conditions; fully operable with one hand and large touch targets; WCAG AA contrast and screen reader labels for all controls; localized strings; and clear error states. Telemetry captures latency and error rates to monitor real-world performance and guide optimization.
Gentle, on-card prompts when expected tags are missing within a time window (e.g., Hydration by 10am). Integrates with Priority Queue to lift residents with gaps, helping Shift Relay Leads prevent misses before handoff. Nudges never block posting and adapt as completion improves.
Provide an admin-managed rule engine to define expected care tags per resident, group, or care plan with time windows and frequencies (e.g., Hydration by 10am, Range of Motion twice per shift). Rules support templates, per-resident overrides, shift calendars, and timezone-aware scheduling. The engine evaluates real-time activity to detect missing tags, emits nudge-ready signals, and respects consent/privacy settings. Implement lightweight evaluation to run offline with deferred sync; resolve conflicts on re-connect. Expose APIs/events for UI nudges and Priority Queue score updates.
Surface gentle, contextual prompts on the resident update card when expected tags are missing within their time window. Prompts allow one-tap tag add, quick voice-to-text note, or dismiss/snooze without blocking posting. Copy is plain-language, large-tap targets, low-contrast badge when early, elevated banner as due time nears, and calm tone. Respect do-not-disturb mode, offline mode, and accessibility settings. Log interactions for audit and feed completion metrics back to adaptive tuning.
Integrate nudge signals with the existing Priority Queue so residents with unmet tag expectations are elevated based on urgency, care plan weight, and time overdue. Provide a transparent score and reason code for each lift, update in real time, and avoid thrashing via hysteresis and debounce rules. Ensure role-based visibility for Shift Relay Leads and floor staff, and maintain non-blocking behavior.
Adjust nudge frequency, timing, and copy per unit, shift, caregiver, and tag type based on historical completion and interaction patterns to reduce alert fatigue and encourage habit formation. Use deterministic heuristics first (e.g., space nudges after dismissal, suppress after completion, quiet hours) with guardrails and override controls. Store models client-side where possible for responsiveness and privacy; fall back to server recommendations.
Record when nudges are issued, viewed, dismissed, snoozed, and fulfilled, including timestamps, actor, resident, tag, and time-to-completion. Provide filterable reports and export capabilities for compliance reviews and family inquiries, without exposing PHI beyond roles. Support retention policies and data minimization in line with privacy standards.
At shift handoff, present a concise summary of remaining tag gaps by resident and tag, with one-tap bulk nudges or reassignment to the incoming team. Show what was completed post-nudge and what remains, and capture optional notes for context. The summary is advisory and never blocks handoff.
Allow admins and leads to set temporary exceptions to tag expectations for specific residents (e.g., off-site appointment, NPO before procedure, hospice changes) with start/end times and reasons. Provide caregiver-level snooze for a resident/tag within policy limits, with automatic reactivation and audit logging. Exceptions propagate to rule engine, nudges, and Priority Queue.
Automatically routes CareTags into clean, family‑friendly sections in daily/weekly digests and Voice Digest (e.g., Meals, Therapy, Spiritual Life). Shift Relay Leads can reorder or spotlight sections per family preference. Families get faster, clearer updates; staff field fewer clarifying calls.
Implements a canonical digest section schema (e.g., Meals, Therapy, Activities, Spiritual Life, Health & Vitals, Meds, Hygiene, Mobility, Social, Notes) and deterministic rules that map CareTags on updates to one or more digest sections. Supports default and facility-specific taxonomies, one-to-many mappings with priority order, conflict resolution, and a fallback to a General Updates section. Persists normalized section assignments at ingestion time and de-duplicates repeated items within a shift window. Provides versioning, environment configuration, and auditability to ensure consistent routing across facilities.
Enhances routing by analyzing voice-to-text captions and notes when tags are missing or ambiguous. Uses lightweight NLP to infer likely sections and applies confidence thresholds to auto-assign, suggest for review, or leave unassigned. Flags low-confidence items for Shift Relay Lead review, supports language variants, and detects sensitive phrases requiring redaction or exclusion. Operates server-side with graceful offline handling and logs rationale for each automated decision for audit.
Stores per-family digest preferences, including custom section order, visibility toggles, spotlight priorities, and preferred digest cadence (daily/weekly/voice). Defaults inherit from facility standards but allow resident-family overrides. Exposes an API to retrieve effective preferences at render time, with validation, versioning, and audit logs. Ensures changes are immediately reflected in subsequent digests without affecting other families or residents.
Provides a simple, role-gated interface for Shift Relay Leads to drag-and-drop reorder sections, toggle visibility, and mark spotlight sections per family before digest generation. Surfaces low-confidence classification items for quick approval or reassignment, supports undo/redo, and distinguishes temporary per-shift overrides from persistent profile updates. Ensures all actions are tracked with user, timestamp, and reason codes.
Builds scheduled digests per resident-family by applying mappings, family preferences, and spotlights to assemble clean sections with titles, thumbnails, captions, timestamps, and staff attribution. Generates in-app views, accessible HTML/email, and a Voice Digest script that converts to TTS audio with clear section cues. Is timezone-aware, retries on failure, and respects recipient permissions and consent lists. Tracks delivery status, opens, and playback for analytics.
Applies consent-aware media filtering and auto-blur to all digest assets, suppressing content with non-consenting faces or names and redacting PHI per policy. Enforces least-necessary data inclusion, strips sensitive metadata (e.g., precise location), and blocks sections that would expose restricted information. Maintains an audit trail of filtered items with reasons and provides an admin review workflow with justifications for any overrides.
Live coverage and trend insights for CareTags by resident, unit, and shift—completion rates, most/least used tags, and gaps that drive callbacks. Exportable views help supervisors coach teams and tune Tag Packs. Better coverage translates into more confident families and fewer inbound calls.
Provide a real-time dashboard showing CareTag coverage and completion rates by resident, unit, and shift with color-coded status, trend sparklines, and drill-downs. Include filters for time window, staff, and location, and display clear denominators (completed vs. expected) based on care plans and shift definitions. Ensure sub‑minute data freshness with resilient event aggregation, correct late-entry attribution, and timezone-aware shift boundaries. Support annotations for coaching, accessible visuals, and consistent metric definitions, while minimizing PHI exposure and honoring resident consent.
Deliver interactive analytics that highlight most and least used CareTags over selectable ranges (1/7/30/90 days), segmented by resident, unit, shift, and caregiver. Provide baseline comparisons, moving averages, and seasonality cues to reveal behavior changes. Handle tag renames via lineage mapping, maintain a clear definition of "use," and backfill historical data. Offer interactive charts with tooltips, filters, and comparisons, while enforcing role-based visibility and de-identification in aggregated views.
Implement a rules engine that detects missing required tags per resident care plan and quantifies coverage gaps by unit and shift. Correlate gap patterns with inbound family call topics to surface top callback drivers. Provide in-app alerts and daily digests with severity thresholds, quiet hours, and snooze controls. Offer an explainability view that shows which expectations were missed and recommended next actions. Log all alerts for auditability and ensure privacy by suppressing low-count cells.
Enable one-click export of dashboard and analytics views to CSV and PDF with configurable columns, filters, and date ranges. Support scheduled deliveries (daily/weekly/monthly) to authorized recipients via secure, expiring links, with watermarks, audit logging, and timezone-stamped headers. Preserve metric definitions in report metadata, enforce row-level access rules, and apply rate limits and retention policies for generated files.
Generate data-driven recommendations to add, remove, or reorder CareTags within Tag Packs based on usage frequency, gap incidence, and caregiver friction signals. Provide impact projections (e.g., expected coverage lift), a preview of changes, and safe rollout options (A/B by unit or shift) with versioning and rollback. Track post-change outcomes to validate effectiveness and feed future recommendations. Integrate with existing Tag Pack management flows and resident consent constraints.
Enforce role-based access with least-privilege permissions for Tag Pulse, ensuring resident-level drill-downs are restricted to assigned supervisors while aggregated views use de-identification and minimum cell thresholds. Apply consent-aware filtering, encrypt data in transit and at rest, and redact PHI from exports. Maintain HIPAA-aligned audit logs of access, exports, and configuration changes, with session controls and device safeguards suitable for shared workstation environments.
Innovative concepts that could enhance this product's value proposition.
Staff tap an NFC ID badge to instantly sign in on shared devices, auto-assigning role and unit. Cuts password friction and prevents stray logins during shift swaps.
Mobile consent manager stores signed photo/audio permissions with expiry and resident scope. Snapshots auto-check consent at capture, reducing audits and blocking non-compliant posts.
Auto-generate per-resident cards summarizing last 12 hours with key photo, vitals tags, and family acknowledgments. One-tap print or share trims handoff briefings by minutes per resident.
A dedicated phone line reads the latest approved updates via PIN and text-to-speech. Families get answers without staff pickup, deflecting routine calls after hours.
Create time-limited, PIN-protected web links to a single update for relatives without the app. Audit every view and auto-expire to maintain privacy.
Interactive checklists and bite-size prompts guide first-week posts, with simulated residents for practice. Reduces trainer time and builds confident, compliant habits fast.
One-tap tags like Hydrated, PT Done, or Visited Chapel attach to photos and drive digest sections and analytics. Speeds capture while structuring data for reports.
Imagined press coverage for this groundbreaking product concept.
Subscribe to receive a fresh, AI-generated product idea in your inbox every day. It's completely free, and you might just discover your next big thing!
Full.CX effortlessly brings product visions to life.
This product was entirely generated using our AI and advanced algorithms. When you upgrade, you'll gain access to detailed product requirements, user personas, and feature specifications just like what you see below.