CARF IT Readiness: Technology, Security, and Documentation Requirements for Community Health Organizations

If your CARF survey is six months out and your technology plan is a Word document from 2021, this article is for you.

Most CARF preparation guidance focuses on clinical documentation, person-centred care plans, and program structure. That makes sense — those are the core of what CARF evaluates. But organizations pursuing or maintaining accreditation consistently underestimate the technology readiness components that can generate survey recommendations just as easily. We know this firsthand — Fusion Computing has partnered with Access Independent Living Services through multiple CARF accreditation cycles, working alongside their Managing Director to prepare and maintain the technology components that surveyors evaluate. The pattern we see repeatedly is organizations with strong clinical programs but weak technology documentation, which is entirely fixable with the right preparation.

In our experience supporting CARF-accredited organizations, surveyors are asking sharper questions about IT infrastructure, cybersecurity posture, and data protection than they were even two years ago. They want to see a living technology plan, documented security controls, tested disaster recovery procedures, and evidence that your organization treats information security as an operational priority rather than an afterthought.

This guide breaks down what CARF expects from your IT environment, maps those requirements to actionable controls, and identifies the gaps that most commonly trip up community health organizations during survey.

A note on standards versions: In CARF’s public 2026 CCRC materials, standards previously housed under a dedicated technology subsection were incorporated into other ASPIRE subsections or eliminated, with subsections relettered. Organizations should always confirm the current standards manual for their specific program type and survey year. The technology expectations described below are drawn from CARF’s public survey preparation materials and reflect the substance of what surveyors evaluate, regardless of where in the manual the requirements currently appear.

Who This Applies To

CARF accredits a broad range of health and human services: behavioural health, community mental health, addiction and substance use programs, aging services, employment and community services, child and youth services, and medical rehabilitation. In Canada, CARF Canada is recognized across provinces and territories, with specific recognition in Ontario for long-term care homes through the province’s accreditation framework.

If your organization falls into any of these categories and you’re pursuing or maintaining CARF accreditation, the IT requirements in this guide apply to you.

What CARF Technology Readiness Actually Looks Like

In CARF’s public survey preparation materials, the technology standards focus on how organizations assess their current technology use, maintain an actionable plan, implement security and continuity procedures, test recovery, and train personnel. The following five areas represent what surveyors will evaluate.

1. Ongoing Assessment of Your Current Technology Use

CARF expects your organization to maintain active awareness of the technology it uses and how that technology supports service delivery. This includes hardware (servers, workstations, laptops, tablets, mobile devices, network equipment, peripherals), software (EHR/EMR systems, case management tools, scheduling platforms, billing, productivity suites), communication technologies, how sensitive data flows through your systems, any technology services purchased from or contracted to third parties, and assistive technology used by persons served or personnel.

What this means operationally: you need a maintained asset register with purchase dates, warranty status, and lifecycle projections. Hardware running end-of-life operating systems should have documented remediation or replacement plans; Windows 10 support ended on October 14, 2025, so any remaining Windows 10 estate should already be covered by one. Software inventories need version numbers, update schedules, and licensing compliance records.
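As an added example (not code from the article or from Fusion Computing), the script below runs the lifecycle check that section 1 describes over a constructed asset register: it flags end-of-life operating systems, lapsed warranties and hardware past its planned lifecycle, and turns each into a remediation line with an owner and due date for the technology plan. The register rows, the lifecycle years and the due-date windows are assumptions; only the Windows 10 end-of-support date is taken from the article.

```python
"""Asset-register lifecycle check: flags end-of-life operating systems, lapsed
warranties and hardware past its planned lifecycle, and emits one remediation
line (owner, due date) per finding. Constructed sample data throughout."""
import csv
import io
from datetime import date, timedelta

# End-of-support dates. Windows 10 (2025-10-14) is from the article; add other
# platforms here from the vendor's own lifecycle pages, not from memory.
OS_END_OF_SUPPORT = {"windows 10": date(2025, 10, 14)}
# Assumed planned lifecycle per asset type, in years (set these in your plan).
LIFECYCLE_YEARS = {"laptop": 4, "workstation": 5, "server": 5, "tablet": 3, "switch": 7}

# Constructed sample register, in the shape an RMM export or spreadsheet gives.
SAMPLE_REGISTER = """\
asset_id,site,type,os,purchased,warranty_expires,owner
LT-0041,Head office,laptop,Windows 11,2023-02-10,2026-02-10,IT
LT-0017,Bloor site,laptop,Windows 10,2020-06-01,2023-06-01,IT
SRV-02,Head office,server,Windows Server 2022,2022-09-15,2027-09-15,IT
TAB-09,Mobile team,tablet,iPadOS 17,2021-03-20,2023-03-20,Program manager
SW-03,Bloor site,switch,n/a,2017-05-05,2022-05-05,IT
"""

def add_years(d, years):
    """Same calendar date `years` later; 29 Feb rolls forward to 1 Mar."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)

def parse_register(text):
    """Parse the CSV register, converting the date columns to date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["purchased"] = date.fromisoformat(row["purchased"])
        row["warranty_expires"] = date.fromisoformat(row["warranty_expires"])
        rows.append(row)
    return rows

def find_gaps(rows, today, horizon_days=180):
    """One finding per issue: OS already unsupported or losing support within
    horizon_days, lapsed warranty, or asset older than its planned lifecycle."""
    findings = []
    horizon = today + timedelta(days=horizon_days)

    def flag(row, issue, due):
        findings.append({"asset_id": row["asset_id"], "site": row["site"],
                         "owner": row["owner"], "issue": issue, "due": due})

    for r in rows:
        eos = OS_END_OF_SUPPORT.get(r["os"].lower())
        if eos is not None and eos <= today:        # already unsupported: 30-day fix
            flag(r, f"{r['os']} unsupported since {eos}", today + timedelta(days=30))
        elif eos is not None and eos <= horizon:    # support ending soon: finish before it
            flag(r, f"{r['os']} support ends {eos}", eos)
        if r["warranty_expires"] < today:
            flag(r, f"warranty lapsed {r['warranty_expires']}", today + timedelta(days=90))
        lifecycle_end = add_years(r["purchased"], LIFECYCLE_YEARS.get(r["type"], 5))
        if lifecycle_end < today:
            flag(r, f"past planned lifecycle (ended {lifecycle_end})", today + timedelta(days=90))
    return findings

def plan_lines(findings):
    """Render findings as technology-plan rows: asset, issue, owner, due date."""
    return [f"{g['asset_id']} ({g['site']}): {g['issue']} -> owner {g['owner']}, due {g['due']}"
            for g in findings]

def sample_findings(today_iso="2026-01-15"):
    """Run the check over the constructed register as of the given date."""
    return find_gaps(parse_register(SAMPLE_REGISTER), date.fromisoformat(today_iso))

if __name__ == "__main__":
    print("\n".join(plan_lines(sample_findings())))
```

Run as of 2026-01-15, the constructed register yields seven findings, three of them on the single remaining Windows 10 laptop; a register that produces none is the state a surveyor expects to see.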

2. A Documented Technology and System Plan

The technology plan is where most organizations stumble. CARF defines a plan as a written, action-oriented document — not a policy statement. The plan should be based on your current technology use plus identified gaps, and should include goals and priorities for technology, planned acquisition, maintenance, and replacement schedules, required resources (budget, staffing, training), and realistic timeframes with assigned owners.

Organizations frequently receive survey recommendations because they present a static policy when CARF expects a working plan. If your technology document doesn’t have dates, owners, and measurable objectives, it will be flagged. The plan should be updated at least annually and should reflect what your organization is actually doing with technology, not what it aspirationally intends to do.

3. Written Technology Policies and Procedures

CARF expects documented policies and procedures covering the operational and security aspects of your technology environment. Based on CARF’s public survey preparation materials, these should address:

  • Acceptable use of organizational technology and systems
  • Backup and recovery procedures for critical data and systems
  • Business continuity and disaster recovery planning
  • Access management — who has access to what, how access is granted and revoked
  • Audit capabilities — how you log and monitor system access and changes
  • Data transfer — how sensitive information moves between systems, people, and locations
  • Hardware decommissioning and data destruction — what happens to devices and data at end of life
  • Protection from malicious activity — antivirus, endpoint protection, email filtering, patching
  • Remote access and support — how staff and providers connect to systems from outside the office
  • Updates, configuration, and change control — how you manage software updates, system changes, and configuration standards

CARF’s public materials do not require a single document called a “WISP” (Written Information Security Program). But in practice, a written security program, a dated risk assessment, incident response procedures, and clearly documented access and device policies make it much easier to demonstrate conformance to the security, continuity, and training expectations surveyors examine. In our experience, organizations without any consolidated security documentation are being flagged during surveys even when no breach has occurred. The standard isn’t about whether something went wrong — it’s about whether you’re prepared if it does.

4. Annual Disaster Recovery Testing

This is non-negotiable and is one of the most explicitly stated requirements in CARF’s public materials. CARF asks whether business continuity and disaster recovery procedures are tested at least annually and whether the tests and their analysis are documented.

What this means operationally:

  • A defined backup frequency based on data criticality and operational risk
  • Secure offsite or cloud-based backup storage
  • Defined recovery time objectives (RTO) and recovery point objectives (RPO)
  • Recovery procedures that have been executed — not just designed — at least once per year
  • Documentation of test results, any failures or gaps identified, and corrective actions taken

Having a backup system is not the same as having a tested recovery procedure. In our experience, surveyors ask when the last test was performed and what the results were.
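As an added example (not code from the article or from Fusion Computing), the script below evaluates one recovery exercise against the RTO and RPO defined for each system and produces the findings and corrective actions a test report should document. The systems, objectives, timestamps and re-test window are all constructed assumptions.

```python
"""Evaluate one disaster-recovery exercise against the RTO/RPO defined for each
system and produce the findings and corrective actions the test report must
document. Systems, objectives and timestamps are all constructed sample data."""
from datetime import datetime, timedelta

# Objectives as written in the continuity plan (constructed values, in hours).
OBJECTIVES = {
    "EHR database": {"rto": 4, "rpo": 1},
    "Scheduling system": {"rto": 8, "rpo": 24},
    "File server": {"rto": 24, "rpo": 24},
}

# Constructed log of one exercise: when the simulated outage was declared, the
# newest backup available, and when the restored system was verified usable.
TEST_LOG = [
    {"system": "EHR database", "declared": "2026-03-10T09:00",
     "last_backup": "2026-03-10T08:15", "restored": "2026-03-10T12:30"},
    {"system": "Scheduling system", "declared": "2026-03-10T09:00",
     "last_backup": "2026-03-09T02:00", "restored": "2026-03-10T19:45"},
    # Restore abandoned: the backup set failed its integrity check.
    {"system": "File server", "declared": "2026-03-10T09:00",
     "last_backup": "2026-03-10T01:00", "restored": None},
]

def hours_between(start_iso, end_iso):
    """Elapsed hours between two ISO-8601 timestamps, as a float."""
    delta = datetime.fromisoformat(end_iso) - datetime.fromisoformat(start_iso)
    return delta / timedelta(hours=1)

def evaluate(entry, objectives):
    """Compare one system's achieved RTO/RPO with its targets."""
    target = objectives[entry["system"]]
    rpo_actual = hours_between(entry["last_backup"], entry["declared"])  # data-loss window
    rto_actual = (None if entry["restored"] is None
                  else hours_between(entry["declared"], entry["restored"]))
    return {
        "system": entry["system"],
        "rpo_target": target["rpo"], "rpo_actual": rpo_actual,
        "rpo_met": rpo_actual <= target["rpo"],
        "rto_target": target["rto"], "rto_actual": rto_actual,
        "rto_met": rto_actual is not None and rto_actual <= target["rto"],
    }

def corrective_actions(result, retest_within_days=90):
    """Actions to record for each objective the exercise did not meet."""
    actions = []
    s = result["system"]
    if not result["rpo_met"]:
        actions.append(f"{s}: data-loss window {result['rpo_actual']:.2f}h exceeds RPO "
                       f"{result['rpo_target']}h; increase backup frequency and re-test "
                       f"within {retest_within_days} days")
    if result["rto_actual"] is None:
        actions.append(f"{s}: restore failed; repair the backup set, fix the procedure "
                       f"and re-test within {retest_within_days} days")
    elif not result["rto_met"]:
        actions.append(f"{s}: recovery took {result['rto_actual']:.2f}h against RTO "
                       f"{result['rto_target']}h; revise the procedure and re-test "
                       f"within {retest_within_days} days")
    return actions

def build_report(log, objectives=OBJECTIVES):
    """Assemble the report: per-system results, overall pass/fail, actions."""
    results = [evaluate(e, objectives) for e in log]
    actions = [a for r in results for a in corrective_actions(r)]
    return {"results": results, "overall_pass": not actions, "corrective_actions": actions}

if __name__ == "__main__":
    report = build_report(TEST_LOG)
    for r in report["results"]:
        rto = "not restored" if r["rto_actual"] is None else f"{r['rto_actual']:.2f}h"
        print(f"{r['system']}: RPO {r['rpo_actual']:.2f}h (target {r['rpo_target']}h), "
              f"RTO {rto} (target {r['rto_target']}h)")
    print("overall:", "PASS" if report["overall_pass"] else "FAIL")
    for a in report["corrective_actions"]:
        print(" -", a)
```

On the constructed log only the EHR database meets both objectives; the report fails overall and lists three corrective actions, which is exactly the "failures or gaps identified, and corrective actions taken" record the standard asks for.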

5. Personnel Training

CARF expects initial and ongoing training in two areas: cybersecurity awareness (phishing, password hygiene, data handling, incident reporting) and competency with the technology staff use to perform their jobs (EHR systems, scheduling tools, documentation platforms, communication systems).

Completion records must be maintained. Training without documentation is invisible to surveyors.

Critically, training expectations extend beyond frontline staff. Surveyors may ask the executive director or program manager to describe how the organization protects client data. A response of “our IT provider handles that” is not sufficient. Part of technology readiness is ensuring that leadership can confidently walk a surveyor through how consumer data is protected, how systems are backed up, and what happens if a critical system goes down.


CARF Technology Readiness at a Glance

Current technology use
  Surveyors look for: Inventory and gap awareness across all sites
  Evidence to have ready: Asset register, software list, vendor/contractor list, data flow map

Technology/system plan
  Surveyors look for: Action-oriented goals with timelines and owners
  Evidence to have ready: Dated plan with priorities, budget alignment, progress notes

Policies and procedures
  Surveyors look for: Security and continuity discipline
  Evidence to have ready: Acceptable use, backup/recovery, DR, access management, remote access, change control, data destruction

Recovery testing
  Surveyors look for: Proof that recovery actually works
  Evidence to have ready: Annual test report with findings, analysis, and remediation log

Training
  Surveyors look for: Staff and leadership readiness
  Evidence to have ready: Cybersecurity training log, role-based technology training records, onboarding documentation

Mapping CIS Controls to CARF Technology Requirements

CARF’s technology standards are outcome-focused — they tell you what to achieve but not how to achieve it. A recognized security framework gives your organization a structured implementation path and demonstrates to surveyors that your controls aren’t ad hoc.

CIS Controls v8.1, published by the Center for Internet Security, is particularly well-suited for community health organizations because it’s designed to be implementable by organizations without large security teams and is already referenced by Canadian cybersecurity guidance including the Canadian Centre for Cyber Security.

Here’s how key CIS Controls map to CARF technology expectations:

CIS Control 1: Inventory and Control of Enterprise Assets maps directly to CARF’s technology assessment requirement. Maintain an actively managed inventory of all devices connected to your network, including those used by remote staff for telehealth or virtual service delivery.

CIS Control 2: Inventory and Control of Software Assets addresses the software component. Track authorized software, remove unauthorized installations, and maintain licensing compliance.

CIS Control 3: Data Protection supports CARF’s security requirements and overlaps with provincial privacy obligations. Classify data by sensitivity, encrypt data at rest and in transit, and control access based on role.

CIS Control 4: Secure Configuration of Enterprise Assets and Software is the baseline hardening that prevents your systems from running with default credentials or unnecessary services exposed.

CIS Control 7: Continuous Vulnerability Management demonstrates to surveyors that you’re not just reacting to threats but proactively identifying and remediating weaknesses.

CIS Control 8: Audit Log Management provides the evidence trail that CARF surveyors look for when they ask how you monitor system access and detect unauthorized activity.

CIS Control 11: Data Recovery maps directly to disaster recovery. Maintain tested, automated backups with defined retention periods and recovery procedures.

CIS Control 14: Security Awareness and Skills Training addresses staff training on cyber hygiene, which CARF now explicitly evaluates during surveys.

Aligning your technology plan with CIS Controls gives you two advantages: a defensible framework during the CARF survey, and a foundation that also satisfies cyber insurance requirements, which are tightening across the health and human services sector.

We align every client’s IT environment to CIS Controls v8.1. Learn how our cybersecurity services work.

What CARF IT Readiness Looks Like in Practice: Access Independent Living Services

Understanding CARF’s technology requirements in theory is one thing. Putting them into practice across a multi-site, Ontario Health-funded organization is another.

Fusion Computing has partnered with Access Independent Living Services (AccessILS) through multiple CARF accreditation cycles, working directly with the Managing Director to prepare and maintain the technology components that surveyors evaluate. AccessILS is a Toronto-based non-profit providing attendant care services to adults with physical disabilities across six programs and multiple locations in the Toronto Region of Ontario Health. They’ve held continuous CARF accreditation since 2013 and maintain the Three-Year Accreditation — CARF’s highest outcome.

The IT challenges facing an organization like AccessILS are representative of what most community health organizations encounter during CARF preparation:

Multi-site infrastructure across distributed locations. AccessILS operates out of residential buildings and community settings across the GTA, not a single office. Every location that handles consumer data or connects to organizational systems needs to be inventoried, secured, and documented in the technology plan. That includes network equipment, staff workstations, and any devices used for scheduling, care documentation, or communication. In our experience, surveyors don’t limit their evaluation to the head office — they can and do visit service delivery locations.

Consumer data protection with a mobile workforce. Independent Living Assistants deliver services in consumers’ homes and community settings. When staff access scheduling systems, care plans, or internal communications from mobile devices, the organization needs policies and technical controls that travel with them: mobile device management, encrypted connections, and clear acceptable use policies. These aren’t theoretical requirements — in our experience, surveyors ask how consumer information is protected when accessed outside the office.

Technology plan as a living document. For each CARF renewal cycle, Fusion works with the AccessILS leadership team to update the technology plan: refreshing the hardware and software inventories, documenting completed and planned infrastructure changes, updating the security risk assessment, and verifying that disaster recovery procedures have been tested and documented. The technology plan isn’t something we dust off six months before survey — it’s maintained as part of the ongoing managed IT engagement so the documentation is always survey-ready.

Alignment between IT controls and governance standards. AccessILS is accredited under both program standards and Governance Standards Applied, which means the board and senior leadership are evaluated on their oversight of organizational operations — including technology. That means the executive team needs to understand and be able to explain the organization’s technology posture, not just delegate it to an IT provider. Part of our role is ensuring that leadership can confidently walk a surveyor through how consumer data is protected, how systems are backed up, and what happens if a critical system goes down.

The result across multiple accreditation cycles has been technology readiness maintained as part of the ongoing managed IT relationship rather than treated as a last-minute survey exercise.

“The biggest lesson from working through multiple CARF cycles with AccessILS is that the organizations that struggle with the technology section aren’t the ones with bad infrastructure — they’re the ones that treat IT documentation as a survey prep task instead of an operational habit. By the time you’re scrambling to build a technology plan for the surveyor, you’ve already lost. The plan should be a living artifact of how you actually manage technology, updated continuously, not a document you create under pressure.”

— Mike Pearlstein, CISSP, CEO, Fusion Computing


Canadian Compliance Context: Provincial Privacy and Funding

If your organization operates in Ontario, PHIPA (the Personal Health Information Protection Act) should be reflected directly in your technology and security documentation. PHIPA governs the collection, use, and disclosure of personal health information and places real weight on information practices, breach handling, and the protection of personal health information. Key IT implications include encryption of personal health information at rest and in transit, access logging and audit trails for electronic health records, breach notification procedures (mandatory reporting to the Information and Privacy Commissioner of Ontario for significant breaches), and data residency considerations if using cloud-hosted systems.

If you operate outside Ontario, do not default to HIPAA language or assume the same rules apply across Canada. The governing privacy framework depends on the province and, in some cases, whether the organization is a private-sector provider or a public body. Your technology plan should reference the legislation applicable to your jurisdiction.

Funding and accreditation linkage. In Ontario long-term care, accreditation can affect access to incentive funding. CARF has published that Ontario LTC homes may qualify for the Quality Attainment Premium through one of the recognized accreditors, including CARF. For community health organizations, the financial stakes are still real, but they are usually tied more to governance credibility, funder confidence, and operational risk than to a simple one-line premium. A one-year accreditation instead of a three-year accreditation sends a signal to funders, referral partners, and the community that something needs attention.

Common IT Gaps Surveyors Flag

Based on our experience supporting accredited organizations through the CARF process, these are the IT-related gaps most likely to generate recommendations:

The “binder plan” problem. A technology plan that reads like a policy statement and hasn’t been updated in two or more years. Surveyors want dates, assigned owners, and evidence of progress against stated goals.

No documented risk assessment. Organizations often perform security reviews informally but don’t document the methodology, findings, or remediation steps. Without documentation, it didn’t happen.

Untested disaster recovery. Having a backup system is not the same as having a tested recovery procedure. In our experience, surveyors ask when the last DR test was performed and what the results were.

Incomplete training records. Staff completed cybersecurity awareness training but there’s no centralized record of who completed what and when. Training without documentation is invisible to surveyors.

Leadership can’t articulate the security posture. This is increasingly common. Surveyors may ask the executive director or program manager to describe how the organization protects client data. A response of “our IT guy handles that” is not sufficient.

No mobile device management. Staff using personal phones to access email, EHR systems, or client information without any MDM policy or technical controls. This is a security gap and a privacy gap simultaneously.

EHR access controls aren’t role-based. Everyone has the same access level, or former employees still have active credentials. Access reviews should be documented at least annually.

What a CARF-Ready IT Partnership Looks Like

Community health organizations rarely have in-house IT teams large enough to manage all of these requirements. A managed IT provider with experience in healthcare compliance environments can fill that gap, but only if the engagement is structured correctly.

Look for a partner that provides:

  • Documented asset and software inventories maintained in real time (not generated annually for the survey binder)
  • A managed security program with risk assessments and incident response planning included as standard deliverables
  • Backup and disaster recovery with tested recovery procedures and documented results you can present to surveyors
  • Staff training on cybersecurity fundamentals with tracked completion records
  • Compliance reporting that maps controls to your accreditation requirements (not just generic IT metrics)
  • Alignment with a recognized framework like CIS Controls v8.1, which provides the structured evidence base that CARF surveyors respect

The right MSP doesn’t just keep your systems running. It produces the documentation and evidence trail that demonstrates ongoing conformance to the technology standards — between surveys, not just in preparation for them.

This is exactly how we work with CARF-accredited organizations like Access Independent Living Services. The technology plan, asset inventories, security documentation, backup test reports, and training records exist as byproducts of the ongoing managed IT relationship — not as deliverables we scramble to produce when the survey date is announced. When your IT partner maintains these artifacts continuously, survey preparation becomes a review exercise rather than a documentation sprint.


Frequently Asked Questions

What IT documentation does CARF expect?
CARF expects a documented technology and system plan covering current technology use, identified gaps, goals, timelines, and responsible owners. Supporting documentation includes written policies on security, acceptable use, backup/recovery, disaster recovery, and access management. The plan must be an active working document, not a static policy. CARF standards should always be reviewed against the current manual for your program and survey year.

Does CARF require disaster recovery testing?
Yes. CARF’s survey preparation materials ask whether business continuity and disaster recovery procedures are tested at least annually and whether the tests and their analysis are documented. Having a backup system without tested recovery procedures is a common gap that generates survey recommendations.

Does CARF require cybersecurity training for staff?
Yes. CARF expects initial and ongoing training on cybersecurity and on the technology staff use to perform their jobs. Training records must be maintained. Surveyors also expect leadership to be able to articulate how the organization protects sensitive information.

What is a WISP and does CARF require one?
A Written Information Security Program (WISP) is a documented framework describing how an organization protects sensitive information. CARF does not require a document called a WISP by name, but a written security program, a dated risk assessment, incident response procedures, and documented access and device policies make it much easier to demonstrate conformance to the security expectations surveyors examine.

How does CARF accreditation relate to HIPAA or PHIPA?
CARF’s technology standards overlap with but do not replace health privacy legislation. In Ontario, PHIPA governs the collection, use, and disclosure of personal health information. Outside Ontario, the governing privacy framework depends on the province and whether the organization is a private-sector provider or a public body. Your technology plan should reference the legislation applicable to your jurisdiction.

Can a managed IT provider help with CARF accreditation?
Yes, if the provider understands healthcare compliance requirements and can produce the documentation CARF surveyors evaluate. Look for a provider that maintains asset inventories, conducts risk assessments, tests disaster recovery, tracks staff training, and maps controls to a recognized framework like CIS Controls v8.1.


Mike Pearlstein, CISSP is CEO of Fusion Computing, a Canadian-owned managed IT and cybersecurity firm serving organizations across Toronto, Vancouver, and Hamilton since 2012. Fusion partners with CARF-accredited community health organizations including Access Independent Living Services to maintain technology compliance between accreditation cycles.