Our Commitment
MyNoteWell is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA). We implement administrative, physical, and technical safeguards to protect electronic Protected Health Information (ePHI).
Technical Safeguards
- ✓PII Anonymization — All identifiable information is stripped from session data before processing
- ✓Encryption in Transit — All data transmitted over TLS 1.3
- ✓Encryption at Rest — Database encrypted via Supabase (AES-256)
- ✓Access Controls — Row-level security, Clerk authentication, role-based access
- ✓Audit Logging — All access to PHI is logged with timestamps, user IDs, and action types
- ✓Automatic Logout — Session timeout via Clerk
- ✓Data Backup — Automated daily backups via Supabase
Business Associate Agreements (BAA)
We maintain BAAs with all third-party services that may access ePHI:
- Supabase — Database hosting (BAA available on Team/Enterprise plan)
- Vercel — Application hosting (BAA available on Enterprise plan)
- Anthropic — text processing (receives only anonymized data)
- Deepgram — Audio transcription (BAA available)
- Stripe — Payment processing (BAA available)
- Clerk — Authentication (processes only auth data, not PHI)
Patient Rights
- Right to Access — Therapists can export all client data
- Right to Amendment — Clinical notes are editable
- Right to Accounting — Full audit log of PHI access available
- Right to Restriction — Client portal permissions are configurable
Breach Notification
In the event of a data breach involving unsecured PHI, MyNoteWell will notify affected individuals within 60 days as required by the HIPAA Breach Notification Rule. Notifications will be sent via email and posted on our website.
Contact
HIPAA Privacy Officer: privacy@psyweb.app