🎯 Demo data loaded. Users with names like A. Hancock, B. Smith, etc. are sample accounts created by seed-demo-data.js. Sample compliance items are prefixed [SAMPLE]. To remove them: node scripts/seed-demo-data.js --reset
📊 Dashboard (your day at a glance)
🎬 JAICE looks empty — want a guided tour?
Load sample data to see how JAICE looks with a real team: 5 sample users, 8 tasks across the week, 4 time-off entries, 4 compliance items with partial acknowledgement coverage. Sample-only — your real data is untouched. Removable any time.
✓ Sample data loaded. Sample users have a [SAMPLE] prefix or @jaice.local emails. Log in as sample.alex@jaice.local with password DemoUser2026! to see non-admin views.
☀️ Daily brief: Who's out today · Open tasks · Compliance overdue · Compliance pending (awaiting acknowledgement) · PTO pending
📋 Today's tasks
🛡 Compliance attention
🏖 Who's out today
📅 Booking snapshot
🕒 Recent activity (last 24 hours)
🔒 Security snapshot (admin only)
📜 HIPAA & you: your responsibilities
JAICE provides the technical safeguards required by HIPAA Security Rule §164.312 — unique authentication, automatic logoff, audit logging, integrity protection, and access controls.
Your practice is responsible for administrative (§164.308) and physical (§164.310) safeguards — workforce training, designated security officer, locked offices, screen privacy, device security.
📌 Tasks conflicting with approved PTO (reschedule needed)
These tasks were scheduled before someone's PTO was approved. Click Reschedule to move each one to a clean day, or Reassign to give it to someone else.
Tasks today (done) · Compliance overdue (action needed) · Compliance pending (awaiting) · Compliance complete (acknowledged)
T1-CORE Tasks (click row to expand; click any day to add a task)
Team (click for details)
30-Day Activity: ✓ Completed tasks
IMPORT Spreadsheet Import Step 1 of 3 — Upload
Upload a CSV or Excel spreadsheet to bulk-create tasks. JAICE will auto-detect your columns, let you adjust the mapping, validate every row, and import only the rows you confirm. Files are parsed in memory — never written to disk.
Drop your spreadsheet here or click to browse. Supports .xlsx, .xls, .csv, .tsv (max 5 MB).
📊 Detected:
👀 Preview (first 10 rows · validation runs as you map)
⚖ Validation
T5-GOV Local company compliance
Review and acknowledge your organization's policies. Acknowledgements are logged to the audit trail with a timestamp. Required for: monitoring consent, message review, email observation, AI-assisted decision making.
📜 Acknowledgement history
🪑 Reception Console (today): Total Today · Completed · In Room · Waiting · Upcoming
👥 Team Overview (click row for details · manage access)
Your organization's active team members. Click any row to expand for details (role, status, last activity). Admins can manage access via the Permissions panel.
📅 Scheduled tasks — with start times
🚨 Emergency Response Checklists
When something goes wrong, panic is the enemy. These checklists give you concrete steps for the most common incidents — breach suspicion, ransomware, lost device, audit/raid, DDoS. Print these and keep a copy with your other emergency procedures. Not a substitute for legal counsel — call your healthcare attorney early.
📋 Compliance Tracking — what JAICE does
JAICE is the tracking and audit-trail layer for your compliance program. Add your policies and training requirements below; users acknowledge them; signatures are stored for 6 years per HIPAA §164.316(b)(2).
JAICE does not provide training content itself. You bring your existing materials — HIPAA training videos, OSHA modules, KnowBe4 phishing simulations, your handbook PDFs — and JAICE captures the proof that each employee completed them.
Compliance items
T4-SEC Ghost User Audit — Demo / Sample Data
Sample findings shown below. Connect Active Directory, payroll, and email systems in Phase 2 for live scanning.
⚙ Time Off settings admin only
When on, regular users submit pending requests. When off, requests are auto-approved.
🎉 Company holidays
No holidays configured yet. Click "+ Federal holidays" to choose which ones apply.
🏖 Time Off (team availability + PTO requests)
💡 Tip: Click a day to set the start date, then click another day to extend the range. Clicking a third day resets the selection.
Legend: PTO · Sick · Personal · Off-day · Available
📋 Upcoming & recent
My Schedule: Today (appointments) · Upcoming 7 days (scheduled) · Recent 7 days (completed)
📅 No provider record found for your account. Ask your admin to link your account to a provider so you can see your personal schedule here.
📍 Today
🔜 Upcoming (next 7 days)
✓ Recently completed (past 7 days)
📅 Patient/Client Booking
Each provider gets a public booking page that clients can self-book through. JAICE catches conflicts BEFORE confirmation — provider PTO, internal tasks, double-booking, off-hours requests. Share each provider's link directly with clients. No client account required.
Upcoming appointments (with filter)
Today's schedule
At a glance: Today (appts) · This week (appts) · Pending (need confirmation) · Reschedule (need callback) · Confirmed (by patient) · Waitlist (waiting)
Providers
A provider is any team member who takes patient appointments. Each gets their own public booking link and can offer multiple services with different durations and prices.
⚡ Appointment templates
Save a starting point you reuse: "Weekly 60-min Deep Tissue with Sarah". When booking, pick the template and fill in just the date — provider, service, location, and notes auto-fill.
💰 Invoices
Track what you've billed and whether it's been paid. Card-on-file processing isn't wired yet — record cash/check/manual-card payments here for now.
Filter:
📊 Reports
Export appointments to CSV for accounting, insurance, or system migration. Pick a date range and download.
Includes client name/email/phone, provider, service, status, notes
Public booking links
Share these URLs with clients. Each one opens that provider's booking page directly — no login required for the client.
Waitlist
Clients sign up here when they want to be notified about openings. Mark a client Notified when you reach out about a slot, then Resolved once they book or pass.
📧 Appointment reminders
Confirmation emails go out when an appointment is booked. Reminders fire 24 hours and 1 hour before the start time.
📝 Email template editor
Customize the wording of automated emails sent to patients. Use merge tags like {{client_name}} to insert dynamic values at send time. Click "Revert to default" to clear an override and use the built-in template again. The body is limited to 5000 characters.
Available merge tags
{{client_name}}
{{provider_name}}
{{service_name}}
{{datetime}}
{{practice_name}}
{{practice_phone}}
{{practice_email}}
{{practice_address}}
{{cancel_link}}
Click any tag to insert it at the current cursor position in the body. The system replaces these with real values when each email is sent.
Reminder queue
Intake forms
📊 Practice analytics
Practice information
These show up on your public booking pages and inform the in-app help chatbot. Patients see this info when they book.
Cancellation policy
Shown to clients when they cancel through their confirmation link. Keep it clear — patients who understand your policy upfront cancel less often without notice.
Out of office
When OOO is on, your public booking pages show a message instead of the booking form. Patients can still join the waitlist.
Booking preferences
📱 SMS reminders
Send appointment reminders by text in addition to email. Patients receive a short, generic message: "Reminder: appointment with [practice] tomorrow at [time]." Never includes diagnosis, treatment, or other PHI — SMS travels through carriers in plaintext.
⚠ Required before turning on:
1. Twilio account credentials in .env (TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, TWILIO_FROM)
2. HIPAA-eligible Twilio account with executed BAA
3. Phone numbers collected at booking time (enable "Require phone number" above)
🔐 Permissions & Access Control
Four things live here:
- Team Invitations — invite new staff via magic link, no admin password handling
- Access Reviews — quarterly attestation of who has what role (HIPAA §164.308(a)(4))
- Permissions List — view and edit individual user roles and access flags
- IP Allowlist — restrict JAICE access to specific office networks or VPN ranges
T5-GOV Team Invitations: magic-link onboarding for new staff
Send a one-time signup link to a new staff member's email. They click, set their own password, and land in JAICE with the role you assigned. You never touch their password — better security and simpler onboarding.
T5-GOV Access Reviews: HIPAA §164.308(a)(4) attestation
Quarterly review confirms who has access to what — required by HIPAA §164.308(a)(4) Information Access Management. Each review captures a frozen snapshot of all users + roles at that moment, plus your written attestation. Auditors specifically ask for this history.
Review history
T5-GOV Permissions & Active Directory
Click any user row to expand · admin password required for elevated changes · all edits SHA-256 signed
T4-SEC IP Allowlist — restrict JAICE access to specific networks
When empty, JAICE accepts logins from any IP. When you add entries, only those CIDR ranges or IPs can access JAICE for your organization.
Your current IP must be in the list before saving — otherwise you'd lock yourself out.
📡 Connection Status your session and network
JAICE doesn't run a VPN — your IT team does. What JAICE provides is network-level access control via IP allowlist. If your org has an allowlist set, only authorized network locations can reach JAICE. This page shows your current connection state and what's enforced.
🔒 Active IP Allowlist (admin-only details)
🛡 Network controls JAICE provides
✓ TLS 1.2+ in transit — when deployed at https://jaice.app, all traffic is encrypted browser-to-server.
✓ Per-org IP allowlist — admins can restrict access by CIDR. Configured in Permissions view.
✓ HMAC-signed session tokens — 8-hour expiry, signature verified every request.
✓ 15-minute idle timeout — automatic logoff per HIPAA §164.312(a)(2)(iii).
✗ JAICE does not — operate a VPN, manage your AD/Okta, run a firewall, or replace your IT team's network controls.
📡 VPN setup recommendations (your IT runs this, not JAICE)
Why a VPN? Combining JAICE's IP allowlist with a VPN lets you say "only authenticated VPN-connected staff can reach our practice systems." Strong defense-in-depth.
Recommended VPN vendors with HIPAA BAAs:
- Cloudflare Zero Trust / WARP — free for ≤50 users; signs BAA on Enterprise. Modern zero-trust replacement for traditional VPN.
- Tailscale — easy mesh VPN, free for personal/small. Business plan signs BAA. Devs love it.
- Cisco AnyConnect — traditional enterprise VPN. BAA on request. Heavyweight but well-known.
- Palo Alto GlobalProtect — common in larger practices. BAA available.
- OpenVPN Access Server — self-hosted option; BAA only if you run it on a HIPAA-compliant cloud (AWS/Azure with BAA).
Setup pattern (high level):
- IT picks a VPN vendor and signs a BAA with them. Add to Vendor BAAs in JAICE.
- Issue VPN credentials per user (no shared accounts — same rule as JAICE).
- Determine the VPN's egress IP range (public IPs the VPN exits from).
- In JAICE: Permissions → IP Allowlist → add the VPN's egress range as CIDR.
- Test from on/off VPN to confirm only on-VPN traffic gets through.
- Document the setup in your Compliance items so auditors can see it.
⚠ Don't do this without IT or a healthcare attorney. Misconfigured allowlists can lock everyone out, including you. Test the allowlist with a backup admin who has out-of-band recovery access before enforcing it.
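As an added example (not JAICE's own code), here is an IPv4 allowlist check in Node.js that follows the rules stated for the IP Allowlist and the VPN setup pattern above: an empty list admits any address, otherwise the client must fall inside a configured CIDR range or match a bare IP, and a save is refused when the new list would not cover the admin's own current address. All function names and the sample addresses (RFC 5737 documentation ranges) are assumptions, and IPv6 entries are not handled.

```javascript
// Added example, not JAICE's implementation. IPv4-only allowlist logic that
// mirrors the behaviour described in the Permissions view: empty list = allow
// all, otherwise require a CIDR/IP match, and refuse a self-locking update.

function ipToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`invalid IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`invalid IPv4 address: ${ip}`);
    return ((acc << 8) | Number(p)) >>> 0;
  }, 0);
}

// Parse "10.0.0.0/8" or a bare "203.0.113.7" (treated as /32) into a range test.
function parseEntry(entry) {
  const [ip, prefixStr] = entry.trim().split('/');
  const prefix = prefixStr === undefined ? 32 : Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`invalid prefix in ${entry}`);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  const network = (ipToInt(ip) & mask) >>> 0;
  return (candidate) => ((ipToInt(candidate) & mask) >>> 0) === network;
}

// Empty allowlist means "accept logins from any IP", as the setting describes.
function isAllowed(allowlist, clientIp) {
  if (allowlist.length === 0) return true;
  return allowlist.some((entry) => parseEntry(entry)(clientIp));
}

// Self-lockout guard: a non-empty list that excludes the address the admin is
// saving from is rejected before it is stored. Returns { ok, reason }.
function validateAllowlistUpdate(newList, adminCurrentIp) {
  try {
    newList.forEach(parseEntry); // surface malformed entries before saving
  } catch (err) {
    return { ok: false, reason: err.message };
  }
  if (!isAllowed(newList, adminCurrentIp)) {
    return { ok: false, reason: `your current IP ${adminCurrentIp} is not in the list` };
  }
  return { ok: true, reason: null };
}

// Constructed sample: an office range plus one VPN egress address.
const sampleAllowlist = ['203.0.113.0/24', '198.51.100.17'];
console.log('office client allowed:', isAllowed(sampleAllowlist, '203.0.113.42'));
console.log('save from outside list:', validateAllowlistUpdate(sampleAllowlist, '192.0.2.9').reason);
```

Testing from both on-VPN and off-VPN addresses, as the setup pattern recommends, corresponds to calling isAllowed with the VPN egress address and with an unrelated address and confirming the results differ.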
T4-SEC JAICE's Active Security Layers
These are the security controls JAICE actively enforces on every request. Each is implemented in code, audit-logged, and verifiable. Click any layer to see exactly how it works.
Authentication (Enforced): HMAC-signed session tokens. SHA-256 HMAC, constant-time verification, 8-hour TTL, 4KB cap. Server-side only.
Authorization (Enforced): Role-based access control. Admin / User / Security / CFO. Backend-enforced via requireRole, not just hidden UI.
Multi-tenant (Enforced): Org isolation. Every query scoped by organization_id. SQL-level enforcement. Verified across 10+ routes.
Rate limiting (Active): Brute-force defense. 10 logins / 15 min per IP. 300 API calls / 15 min per IP. Account lockout after 4 failed attempts.
Audit log (Immutable): Append-only trail. Database trigger prevents UPDATE/DELETE. Every login, edit, ack recorded with timestamp + user + IP.
Pre-detection (Active): Anomaly scoring. URL pattern + body inspection. Soft-bans IPs that probe for vulnerabilities. In-memory, per-process.
CIS · NIST Top 5 Security Practices for Small Teams (5–100)
These are recommended practices for any healthcare practice. Some are handled by JAICE, some are your responsibility, some are on the JAICE roadmap. Status is honest — green means JAICE actively does this, blue means you/your IT does it, amber means it's being built.
📚 Compliance Resources (curated reference for your practice)
Quick links to authoritative sources you'll need when running a compliant practice. Bookmark or share with your team. Not a substitute for legal advice.
📋 Vendor BAAs (tracking Business Associate Agreements)
HIPAA §164.502(e) requires a signed Business Associate Agreement with every vendor that touches PHI. Auditors ask for this list. Track each one here: vendor name, when the BAA was signed, when it expires, and your contact for compliance questions. JAICE will warn you 60 days before any BAA expires.
⚠ Privacy Incident Log (HIPAA §164.530(d) compliance)
Document every privacy complaint, suspected breach, near-miss, and confirmed breach. Required by HIPAA — practices are fined for not having this log. Each incident captures who reported it, what happened, the 4-factor risk assessment, and the response. Retained 6 years.
T4-SEC Security Posture
📊 Diagnostics (live performance metrics)
Endpoint latency (rolling window)
🛡 Active Defensive Layers
👥 User Sessions
✅ Recent Successful Logins
⚠ Recent Failed Login Attempts
🚫 Active Soft-Bans (Pre-detection layer)
T5-GOV Audit Trail
🔒 Append-only audit log. Entries are write-once at the application layer — no UI surface ever updates an existing entry. Deletions are themselves recorded in audit_deletions, so removing entries leaves a permanent trail of what was removed. Entries retained 6 years per HIPAA §164.316(b)(2). Database-level integrity (hash chaining, SQLCipher) is roadmap.