Security & HIPAA

MyDotPhrases is designed with healthcare data security in mind from the ground up. Here's how we protect your information.

HIPAA & Protected Health Information

MyDotPhrases does not store Protected Health Information (PHI). Your dot phrases are generic documentation templates with placeholder variables like [PATIENT_NAME] and [CHIEF_COMPLAINT]. They contain no patient-specific data.

Patient information is only entered when you use a phrase — you fill in the variables, the completed text is copied to your clipboard, and you paste it into your EMR. MyDotPhrases never receives, processes, or stores the completed note with patient data.

Because no PHI touches the MyDotPhrases platform, a Business Associate Agreement (BAA) is not required. MyDotPhrases functions similarly to a text editor or word processor — it helps you compose documentation, but the patient-specific content only exists in your EMR.

How we protect your data

Row-Level Security

Every database query is scoped to your user ID via Supabase Row-Level Security (RLS). Your phrases are only accessible to you and any teams you explicitly join.

Encryption

All data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256. Your phrases are never stored in plaintext on disk.

Secure Authentication

Authentication is handled by Supabase Auth with secure, httpOnly session cookies. Passwords are hashed with bcrypt and never stored in plaintext.

Minimal Data Collection

We only collect what’s needed to run the service: your email, display name, and phrase content. No analytics trackers, no ad networks, no data brokers.

Full Data Export

Export your entire phrase library as JSON at any time from the dashboard. Your data is portable and never locked in.

Right to Deletion

Delete individual phrases, folders, or your entire account from the settings page. Account deletion permanently removes all associated data.

Your responsibilities

While MyDotPhrases is designed to keep PHI off our platform, you play an important role in data security:

  • Do not store PHI in your templates. Use placeholder variables like [PATIENT_NAME] instead of actual patient names. Templates should be generic and reusable.
  • Keep your account credentials secure. Use a strong, unique password. Do not share your login with others.
  • Review shared phrases carefully. When sharing phrases with a team, ensure the templates do not contain any patient-specific information.
  • Follow your institution's policies. Always comply with your hospital or practice group's IT security and documentation policies.
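
The first and third items above can be partly automated with a pre-share check. The following is an added example, not MyDotPhrases code: it blanks out placeholders in the [PATIENT_NAME] style shown on this page and flags literal values that look patient-specific. The pattern set and the function name find_phi_candidates are assumptions chosen for illustration, and the sample templates are constructed.

```python
import re

# Placeholder syntax taken from the page: [PATIENT_NAME], [CHIEF_COMPLAINT].
PLACEHOLDER = re.compile(r"\[[A-Z][A-Z0-9_]*\]")

# Heuristic patterns (assumptions for this example, not an exhaustive PHI detector).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/(?:\d{4}|\d{2})\b|\b\d{4}-\d{2}-\d{2}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "long_id": re.compile(r"\b\d{6,}\b"),  # MRN- or account-number-like digit runs
}


def find_phi_candidates(template: str) -> list[tuple[str, str]]:
    """Return (kind, matched_text) for literal values that look patient-specific."""
    # Blank out placeholders first so their contents are never flagged.
    text = PLACEHOLDER.sub(lambda m: " " * len(m.group()), template)
    findings = []
    claimed = []  # spans already reported, so one value is not flagged twice
    for kind, pattern in PHI_PATTERNS.items():
        for m in pattern.finditer(text):
            if any(m.start() < end and start < m.end() for start, end in claimed):
                continue
            claimed.append(m.span())
            findings.append((kind, m.group()))
    return findings


# Constructed sample templates.
CLEAN = ("[PATIENT_NAME] is a [AGE]-year-old presenting with "
         "[CHIEF_COMPLAINT]. Follow up in 2 weeks.")
DIRTY = ("Jane Roe (MRN 00482913, DOB 03/14/1961) presents with "
         "[CHIEF_COMPLAINT]. Callback 555-010-0199.")

if __name__ == "__main__":
    for name, tpl in (("clean", CLEAN), ("dirty", DIRTY)):
        print(name, find_phi_candidates(tpl))
```

Pattern matching cannot recognise a literal patient name such as the one in the second sample, so a check like this supplements manual review of a template and does not replace it.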

Infrastructure

  • Database: Supabase (PostgreSQL on AWS) with row-level security.
  • Hosting: Vercel (serverless, edge network).
  • Error monitoring: Sentry (no PII is included in error reports).
  • Authentication: Supabase Auth with secure session management.

Security questions?

If you have questions about our security practices or need documentation for your institution's IT review, email us at security@mydotphrases.com.

Also see our Privacy Policy and Terms of Service.
