CARF IT Readiness for Community Health Organizations
If your CARF survey is six months out and your technology plan is a Word document from 2021, this article is for you. Over 85% of accredited organizations report improved client outcomes after implementing structured IT compliance.
Fusion Computing: Named one of Canada’s 50 Best Managed IT Companies (2024 & 2025)
This guide breaks down what CARF expects from your IT environment, maps those requirements to actionable controls, and identifies the gaps that most commonly trip up community health organizations during survey.
TL;DR
CARF IT readiness means an organization’s technology infrastructure meets the Commission on Accreditation of Rehabilitation Facilities standards for data protection, access controls, backup and disaster recovery, cybersecurity, and IT governance. CARF accreditation reviewers assess whether IT systems support service delivery continuity and protect client data.
Who This Applies To
If your organization falls into any of these categories and you’re pursuing or maintaining CARF accreditation, the IT requirements in this guide apply to you.
What CARF Technology Readiness Actually Looks Like
CARF accreditation requires organizations to maintain documented IT policies, encrypted data storage, access controls, disaster recovery plans, and regular security risk assessments. Systems handling client information must comply with privacy legislation and demonstrate audit-ready logging. Partnering with an MSP experienced in CARF standards simplifies survey preparation and ongoing compliance.
In CARF’s public survey preparation materials, the technology standards focus on how organizations assess their current technology use, maintain an actionable plan, implement security and continuity procedures, test recovery, and train personnel. The following five areas represent what surveyors will evaluate.
1. Ongoing Assessment of Your Current Technology Use
What this means operationally: you need a maintained asset register with purchase dates, warranty status, and lifecycle projections. Hardware running end-of-life operating systems needs a documented remediation or replacement plan; Windows 10 support ended on October 14, 2025, so any remaining Windows 10 estate should already be covered by such a plan. Software inventories need version numbers, update schedules, and licensing compliance records.
2. A Documented Technology and System Plan
The technology plan is where most organizations stumble. CARF defines a plan as a written, action-oriented document, not a policy statement. The plan should build on your current technology use plus the gaps you identify. It should set goals and priorities, schedules for acquisition, maintenance, and replacement, the resources required (budget, staffing, training), and realistic timeframes with assigned owners.
Organizations frequently receive survey recommendations because they present a static policy when CARF expects a working plan. If your technology document doesn’t have dates, owners, and measurable objectives, it will be flagged. The plan should be updated at least annually and should reflect what your organization is actually doing with technology, not what it aspirationally intends to do.
3. Written Technology Policies and Procedures
CARF expects documented policies and procedures covering the operational and security aspects of your technology environment. Based on CARF’s public survey preparation materials, these should address:
- Acceptable use of organizational technology and systems
- Backup and recovery procedures for critical data and systems
- Business continuity and disaster recovery planning
- Access management: who has access to what, how access is granted and revoked
- Audit capabilities: how you log and monitor system access and changes
- Data transfer: how sensitive information moves between systems, people, and locations
- Hardware decommissioning and data destruction: what happens to devices and data at end of life
- Protection from malicious activity: antivirus, endpoint protection, email filtering, patching
- Remote access and support: how staff and providers connect to systems from outside the office
- Updates, configuration, and change control: how you manage software updates, system changes, and configuration standards
4. Annual Disaster Recovery Testing
This is non-negotiable and is one of the most explicitly stated requirements in CARF’s public materials. CARF asks whether business continuity and disaster recovery procedures are tested at least annually and whether the tests and their analysis are documented.
What this means operationally:
- A defined backup frequency based on data criticality and operational risk
- Secure offsite or cloud-based backup storage
- Defined recovery time objectives (RTO) and recovery point objectives (RPO)
- Recovery procedures that have been executed, not just designed, at least once per year
- Documentation of test results, any failures or gaps identified, and corrective actions taken
Having a backup system is not the same as having a tested recovery procedure. In our experience, surveyors ask when the last test was performed and what the results were.
5. Personnel Training
CARF expects initial and ongoing training in two areas: cybersecurity awareness (phishing, password hygiene, data handling, incident reporting) and competency with the technology staff use to perform their jobs (EHR systems, scheduling tools, documentation platforms, communication systems).
Completion records must be maintained. Training without documentation is invisible to surveyors.
Critically, training expectations extend beyond frontline staff. Surveyors may ask the executive director or program manager to describe how the organization protects client data. A response of “our IT provider handles that” is not sufficient. Part of technology readiness is ensuring that leadership can confidently walk a surveyor through how consumer data is protected, how systems are backed up, and what happens if a critical system goes down.
CARF Technology Readiness at a Glance
CARF-ready IT requires access independence, secure data management, proper vendor oversight, and documented policies demonstrating control and accountability.
| CARF Focus Area | What Surveyors Will Look For | Evidence to Have Ready |
|---|---|---|
| Current technology use | Inventory and gap awareness across all sites | Asset register, software list, vendor/contractor list, data flow map |
| Technology/system plan | Action-oriented goals with timelines and owners | Dated plan with priorities, budget alignment, progress notes |
| Policies and procedures | Security and continuity discipline | Acceptable use, backup/recovery, DR, access management, remote access, change control, data destruction |
| Recovery testing | Proof that recovery actually works | Annual test report with findings, analysis, and remediation log |
| Training | Staff and leadership readiness | Cybersecurity training log, role-based technology training records, onboarding documentation |
Mapping CIS Controls to CARF Technology Requirements
CARF’s technology standards are outcome-focused: they tell you what to achieve but not how to achieve it. A recognized security framework gives your organization a structured implementation path and demonstrates to surveyors that your controls aren’t ad hoc.
Here’s how key CIS Controls map to CARF technology expectations:
CIS Control 1: Inventory and Control of Enterprise Assets maps directly to CARF’s technology assessment requirement. Maintain an actively managed inventory of all devices connected to your network, including those used by remote staff for telehealth or virtual service delivery.
CIS Control 2: Inventory and Control of Software Assets addresses the software component. Track authorized software, remove unauthorized installations, and maintain licensing compliance.
CIS Control 3: Data Protection supports CARF’s security requirements and overlaps with provincial privacy obligations. Classify data by sensitivity, encrypt data at rest and in transit, and control access based on role.
CIS Control 4: Secure Configuration of Enterprise Assets and Software is the baseline hardening that prevents your systems from running with default credentials or unnecessary services exposed.
CIS Control 7: Continuous Vulnerability Management demonstrates to surveyors that you’re not just reacting to threats but proactively identifying and remediating weaknesses.
CIS Control 8: Audit Log Management provides the evidence trail that CARF surveyors look for when they ask how you monitor system access and detect unauthorized activity.
CIS Control 11: Data Recovery maps directly to disaster recovery. Maintain tested, automated backups with defined retention periods and recovery procedures.
CIS Control 14: Security Awareness and Skills Training addresses staff training on cyber hygiene, which CARF now explicitly evaluates during surveys.
Aligning your technology plan with CIS Controls gives you two advantages: a defensible framework during the CARF survey, and a foundation that also satisfies cyber insurance requirements, which are tightening across the health and human services sector.
We align every client’s IT environment to CIS Controls v8.1.
What CARF IT Readiness Looks Like in Practice: Access Independent Living Services
Understanding CARF’s technology requirements in theory is one thing. Putting them into practice across a multi-site, Ontario Health-funded organization is another.
The IT challenges facing an organization like AccessILS are representative of what most community health organizations encounter during CARF preparation:
The result across multiple accreditation cycles has been technology readiness maintained as part of the ongoing managed IT relationship rather than treated as a last-minute survey exercise.
Mike Pearlstein, CISSP, CEO, Fusion Computing
Canadian Compliance Context: Provincial Privacy and Funding
If you operate outside Ontario, do not default to HIPAA language or assume the same rules apply across Canada. The governing privacy framework depends on the province and, in some cases, whether the organization is a private-sector provider or a public body. Your technology plan should reference the legislation applicable to your jurisdiction.
For organizations in federally regulated sectors, the forthcoming will introduce mandatory cybersecurity programs and incident-reporting requirements. Even organizations not directly covered may feel its effects through supply-chain expectations from regulated partners and funders.
Common IT Gaps Surveyors Flag
“Surveyors don’t ask if you have technology, they ask whether your access controls, audit logs, and incident response are documented, exercised, and reviewed annually. Most CARF deficiencies in IT come down to evidence the agency knows it should have but never wrote down. Document the controls you already run, and Section 1.M closes itself.”
Statistics Canada’s 2023 Canadian Survey of Cyber Security and Cybercrime found health and social services among the sectors with the highest cyber-incident rate; Ontario’s IPC notes inadequate access controls and missing audit logs as the recurring PHIPA enforcement themes. CARF Section 1.M asks surveyors to verify the same controls.
Based on our experience supporting accredited organizations through the CARF process, these are the IT-related gaps most likely to generate recommendations:
The “binder plan” problem. A technology plan that reads like a policy statement and hasn’t been updated in two or more years. Surveyors want dates, assigned owners, and evidence of progress against stated goals.
No documented risk assessment. Organizations often perform security reviews informally but don’t document the methodology, findings, or remediation steps. Without documentation, it didn’t happen.
Untested disaster recovery. Having a backup system is not the same as having a tested recovery procedure. In our experience, surveyors ask when the last DR test was performed and what the results were.
Incomplete training records. Staff completed cybersecurity awareness training but there’s no centralized record of who completed what and when. Training without documentation is invisible to surveyors.
Leadership can’t articulate the security posture. This is increasingly common. Surveyors may ask the executive director or program manager to describe how the organization protects client data. A response of “our IT guy handles that” is not sufficient.
No mobile device management. Staff using personal phones to access email, EHR systems, or client information without any MDM policy or technical controls. This is a security gap and a privacy gap simultaneously.
EHR access controls aren’t role-based. Everyone has the same access level, or former employees still have active credentials. Access reviews should be documented at least annually.
What a CARF-Ready IT Partnership Looks Like
Community health organizations rarely have in-house IT teams large enough to manage all of these requirements. A managed IT provider with experience in healthcare compliance environments can fill that gap, but only if the engagement is structured correctly.
The right MSP doesn’t just keep your systems running. It produces the documentation and evidence trail that demonstrates ongoing conformance to the technology standards, between surveys, not just in preparation for them.
Frequently Asked Questions
CARF IT readiness sits inside a broader security program. Fusion’s managed cybersecurity services hub explains the CISSP-led, 24×7 stack that backs every accredited-provider engagement: SentinelOne, Huntress, Keeper, and Fortinet. That includes a 1-hour response SLA, a 93% first-contact resolution rate, and quarterly evidence packs mapped to CIS Controls v8.1 and CARF Section 1.M.
Post-assessment, teams develop a phased roadmap prioritizing quick wins and foundational changes. Organizations following structured plans complete implementations 2x faster.
What IT documentation does CARF expect?
CARF expects a documented technology and system plan covering current technology use, identified gaps, goals, timelines, and responsible owners. Supporting documentation includes written policies on security, acceptable use, backup/recovery, disaster recovery, and access management. The plan must be an active working document, not a static policy. CARF standards should always be reviewed against the current manual for your program and survey year.
Does CARF require disaster recovery testing?
Yes. CARF’s survey preparation materials ask whether business continuity and disaster recovery procedures are tested at least annually and whether the tests and their analysis are documented. Having a backup system without tested recovery procedures is a common gap that generates survey recommendations.
Does CARF require cybersecurity training for staff?
Yes. CARF expects initial and ongoing training on cybersecurity and on the technology staff use to perform their jobs. Training records must be maintained. Surveyors also expect leadership to be able to articulate how the organization protects sensitive information.
Can a managed IT provider help with CARF accreditation?
Yes, if the provider understands healthcare compliance requirements and can produce the documentation CARF surveyors evaluate. Look for a provider that maintains asset inventories, conducts risk assessments, tests disaster recovery, tracks staff training, and maps controls to a recognized framework like CIS Controls v8.1.
Mike Pearlstein, CISSP is CEO of Fusion Computing, a Canadian-owned managed IT and cybersecurity firm serving organizations across Toronto, Vancouver, and Hamilton since 2012. Fusion partners with CARF-accredited community health organizations including Access Independent Living Services to maintain technology compliance between accreditation cycles.
Is Your Organization CARF Survey-Ready?
Fusion offers a CARF IT Readiness Review, a structured assessment that maps your current technology practices against CARF’s administration, information management, and technology requirements. Most organizations complete it in 2–3 weeks with a written gap report included.
No obligation to engage Fusion for remediation. The gap report is yours to act on with any provider.
Frequently Asked Questions About CARF IT Readiness
We answer common questions from CARF funders and disability service organizations about IT readiness requirements and what a compliant technology foundation looks like.
What IT requirements does CARF accreditation include?
CARF standards require documented IT planning, data privacy protections, business continuity procedures, and cybersecurity safeguards. Specific requirements vary by program type but all require evidence of systematic IT governance and risk management.
How far in advance should we start IT readiness preparation?
We recommend starting at least 6 months before your survey date. This allows time to identify gaps, implement solutions, document policies, and conduct internal testing before the actual CARF review.
Does Fusion Computing have experience with rehabilitation facilities?
Yes. Fusion serves community health and rehabilitation organizations across Canada with managed IT, cybersecurity, and compliance support. Our team understands the intersection of clinical operations and IT governance that CARF requires.
What cybersecurity framework do you align with for CARF?
We align with CIS Controls v8.1 as the primary framework, supplemented by NIST CSF where applicable. This gives CARF surveyors clear evidence of a systematic, risk-based approach to cybersecurity.
Can you help with the documentation CARF surveyors request?
Absolutely. We prepare IT policies, business continuity plans, incident response procedures, network diagrams, and access control documentation. All formatted to align with CARF surveyor expectations and evidence requirements.
What does CARF IT readiness cost?
Pricing depends on your organization size, current IT maturity, and accreditation timeline. We start with a scoping call to assess where you stand, then provide a fixed-scope engagement with clear deliverables and timeline.