Dr Choice
HIPAA-Ready Platform

HIPAA Compliance

Dr Choice is designed with HIPAA compliance as a foundational requirement — not an afterthought. Here's how we protect your patients' protected health information (PHI).

Important note: While Dr Choice is built with HIPAA compliance in mind, achieving and maintaining HIPAA compliance is a shared responsibility. Clinics must execute a BAA with us and implement appropriate administrative, physical, and technical safeguards on their end. This page describes our controls — it does not constitute legal advice.

Our security pillars

Six core protections that underpin how we handle PHI.

Encryption at Rest & In Transit

All patient data is encrypted with AES-256 at rest within Supabase and transmitted only over TLS 1.3, so PHI is never stored on disk or sent over the network in plaintext. Note what each control covers: encryption at rest protects against loss or theft of the underlying storage, and TLS protects against interception in transit; neither restricts what an authenticated database session can read, which is the job of the access controls below.

Audit Trails

Every read, write, and deletion of protected health information is logged with timestamp, user identity, and action type. Logs are immutable and retained for 6 years.
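
The following is an added example of how an append-only audit trail can be enforced in the database layer on Supabase/Postgres; it is not Dr Choice's own code. A row-level trigger records every insert, update and delete on an assumed `patients` table together with the caller's `auth.uid()`, and privilege grants keep the log table write-once for the API roles. All table, column and function names (`patients`, `phi_audit_log`, `log_phi_change`) are assumptions for illustration.

```sql
-- Added example, not Dr Choice's schema. Table/column names are assumptions.
-- Requires a Supabase project (auth.uid(), the anon and authenticated roles).

create table if not exists patients (
  id             uuid primary key default gen_random_uuid(),
  clinic_id      uuid not null,
  full_name      text not null,
  clinical_notes text
);

-- One row per change: who, when, what, plus before/after images of the row.
create table phi_audit_log (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid,                 -- auth.uid() of the caller; NULL for jobs outside a user session
  action      text not null check (action in ('INSERT', 'UPDATE', 'DELETE')),
  table_name  text not null,
  row_id      uuid not null,
  old_row     jsonb,                -- NULL on INSERT
  new_row     jsonb                 -- NULL on DELETE
);

-- SECURITY DEFINER lets the trigger write to the log even though the calling
-- user has no INSERT right on it; search_path is pinned, as it must be for any
-- security definer function.
create or replace function log_phi_change()
returns trigger
language plpgsql
security definer
set search_path = public
as $$
declare
  v_row_id uuid;
begin
  if tg_op = 'DELETE' then
    v_row_id := old.id;
  else
    v_row_id := new.id;
  end if;

  insert into phi_audit_log (actor_id, action, table_name, row_id, old_row, new_row)
  values (
    auth.uid(),
    tg_op,
    tg_table_name,
    v_row_id,
    case when tg_op <> 'INSERT' then to_jsonb(old) end,
    case when tg_op <> 'DELETE' then to_jsonb(new) end
  );
  return null;  -- AFTER trigger: the return value is ignored
end;
$$;

create trigger patients_audit
  after insert or update or delete on patients
  for each row execute function log_phi_change();

-- Append-only for the API roles: no UPDATE or DELETE on the log, and INSERT
-- only through the trigger (which runs as the table owner, so RLS is not
-- FORCEd here). Reads are narrowed by policy.
alter table phi_audit_log enable row level security;
revoke all on phi_audit_log from anon, authenticated;
grant select on phi_audit_log to authenticated;
create policy audit_read_own on phi_audit_log
  for select to authenticated
  using (actor_id = auth.uid());   -- an admin role would get a wider policy
```

Two caveats a reviewer will raise. Postgres triggers do not fire on SELECT, so logging reads as well as writes needs a different mechanism, such as the pgaudit extension or serving reads through RPC functions that write to the log themselves. And "immutable" here holds for the application roles only; a superuser or the table owner can still alter the log, so retention for the six-year period should rely on forwarding rows to a write-once store outside the database.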

Role-Based Access Control

Granular permissions for Admin, Doctor, Nurse, and Embryologist roles using Supabase Row Level Security (RLS). Users only see what they are authorised to see.
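
The following is an added example of Supabase Row Level Security for the role set named above; it is not Dr Choice's own schema. It stores clinic membership and role in a table, looks the caller's role up from `auth.uid()` inside the policies, and enforces a per-role permission matrix (read for all clinical roles, write for admin and doctor, delete for admin) on an assumed `patients` table. The table, column and function names (`clinic_members`, `patients`, `member_role_in`) and the exact matrix are assumptions chosen for illustration.

```sql
-- Added example, not Dr Choice's schema. Names are assumptions for illustration.
-- Requires a Supabase project: auth.users, auth.uid(), anon/authenticated roles.

create type app_role as enum ('admin', 'doctor', 'nurse', 'embryologist');

-- Which users belong to which clinic, and in what role.
create table clinic_members (
  user_id   uuid not null references auth.users (id) on delete cascade,
  clinic_id uuid not null,
  role      app_role not null,
  primary key (user_id, clinic_id)
);

create table patients (
  id             uuid primary key default gen_random_uuid(),
  clinic_id      uuid not null,
  full_name      text not null,
  clinical_notes text
);

-- RLS is off by default. Without ENABLE no policy applies at all; FORCE also
-- applies the policies to the table owner (a role with BYPASSRLS still skips them).
alter table clinic_members enable row level security;
alter table patients enable row level security;
alter table patients force row level security;

-- The caller's role in a clinic, or NULL if they are not a member. SECURITY
-- DEFINER so it can read clinic_members irrespective of that table's policies;
-- STABLE because it performs no writes and is fixed within one statement.
create or replace function member_role_in(p_clinic uuid)
returns app_role
language sql
stable
security definer
set search_path = public
as $$
  select role from clinic_members
  where user_id = auth.uid() and clinic_id = p_clinic
$$;

-- A user may see only their own membership rows.
create policy members_self on clinic_members
  for select to authenticated
  using (user_id = auth.uid());

-- Read: any clinical role in the patient's clinic.
create policy patients_read on patients
  for select to authenticated
  using (member_role_in(clinic_id) is not null);

-- Create/modify: admins and doctors. WITH CHECK is evaluated against the new
-- row, so a doctor cannot move a record into a clinic they do not belong to.
create policy patients_insert on patients
  for insert to authenticated
  with check (member_role_in(clinic_id) in ('admin', 'doctor'));

create policy patients_update on patients
  for update to authenticated
  using (member_role_in(clinic_id) in ('admin', 'doctor'))
  with check (member_role_in(clinic_id) in ('admin', 'doctor'));

-- Delete: admins only.
create policy patients_delete on patients
  for delete to authenticated
  using (member_role_in(clinic_id) = 'admin');

-- Unauthenticated API calls get nothing at all.
revoke all on patients, clinic_members from anon;
```

Two things RLS does not do. It governs only sessions that carry a user JWT: the `service_role` key bypasses RLS entirely and must never reach a browser or mobile client. And any SECURITY DEFINER function or view exposed through the API runs outside the caller's policies, so each one needs its own authorisation check. Verify the policies by calling the REST endpoint with a real user JWT and confirming that rows belonging to another clinic come back as an empty result, not as data.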

Infrastructure Security

Dr Choice runs on infrastructure covered by a SOC 2 Type II attestation report. Database access is restricted to private VPC networks; no direct public database access is permitted.

BAA Available

We offer a Business Associate Agreement (BAA) to all clinic customers on Professional and Enterprise plans. Contact us to execute a BAA before going live with PHI.

Breach Response

In the event of a suspected breach we follow a documented incident response plan. As your business associate we notify the affected clinic (the covered entity) without unreasonable delay; the HIPAA Breach Notification Rule sets an outer limit of 60 calendar days from discovery, and our internal target is 72 hours.

Safeguard categories

Administrative Safeguards

  • Designated Security Officer responsible for the HIPAA compliance programme
  • Workforce training on PHI handling and minimum necessary standards
  • Access authorisation procedures and periodic access reviews
  • Contingency plan with data backup and disaster recovery procedures
  • Business Associate Agreement (BAA) with all sub-processors

Physical Safeguards

  • Workstation use policies and screen lock requirements
  • No on-premise hardware — all infrastructure is cloud-hosted with certified physical security
  • Facility access controls managed by Supabase (data centres covered by SOC 2 Type II reports)

Technical Safeguards

  • Unique user identification — no shared credentials permitted
  • Automatic session timeout after a period of inactivity
  • AES-256 encryption at rest; TLS 1.3 in transit
  • Row-level security (RLS) policies enforced at the database layer
  • Immutable audit logs for all PHI access and modification events
  • Multi-factor authentication (MFA) supported and encouraged for all accounts

Need a Business Associate Agreement?

BAAs are available to all Professional and Enterprise plan customers. Contact us to initiate the BAA process before going live with patient data.


Questions? Email support@dr-choice.glimtalk.com