
Security & HIPAA

For: Practice Owner, Executive Administrator · Updated May 2026

CareIncite is built from the ground up with HIPAA compliance as a core requirement. Every layer of the architecture — database, API, authentication, and client portal — enforces data isolation and access control to protect patient health information.

Architecture overview

Row-Level Security (RLS)
Every database query made with a user's session is scoped to that user's organization and role by Supabase Row-Level Security (RLS) policies. Because the scope is applied by Postgres itself, a missing filter or a bug in application code cannot widen it: a query issued with a user's JWT returns only rows that belong to that user's organization, whatever filters the client supplies. The one caveat is that RLS governs only connections running as a normal database role; Supabase's service-role key bypasses RLS by design, so this guarantee applies to user sessions, not to trusted server-side code that uses that key.
Tenant isolation
Each practice is a separate tenant in the database. Every tenant-scoped table carries an organization reference, and the RLS policies on that table compare it against the caller's organization on every read and write. Cross-tenant access is therefore blocked by the database itself, not merely by application logic.
Encryption
All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Database connections use SSL. API requests are served exclusively over HTTPS.
Authentication
Staff authentication uses Supabase Auth, which issues JWTs. Client portal authentication is a completely separate system backed by the client_users table. The two systems share no sessions or credentials: a staff session cannot be used to reach the client portal, and a client session cannot be used to reach staff resources.
Role-based access control
Four account roles (ceo, admin, support_staff, specialist) and four company roles (supervisor, qmhp, intake, office_support) determine what each user can see and do. Permissions are enforced at two layers: in middleware, at the route level before a page loads, and in the database, through RLS policies.
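To make the RLS, tenant-isolation and role-based-access design above concrete, here is an added example of how such policies are written in Postgres, the database behind Supabase. It is illustration written for this page, not CareIncite's own schema or policies: the profiles and appointments tables, the helper functions, and the rule that only ceo/admin accounts may delete are assumed; auth.uid() and the request.jwt.claims setting are Supabase's own conventions.

```sql
-- Added example (not CareIncite's own schema). Table, column and function
-- names are assumed for illustration; auth.uid() and the request.jwt.claims
-- setting are Supabase's real Postgres conventions.

-- One profile row per staff account: the user's organization and roles.
-- The role lists are the ones named on this page.
create table public.profiles (
  id              uuid primary key references auth.users (id) on delete cascade,
  organization_id uuid not null,
  account_role    text not null
    check (account_role in ('ceo', 'admin', 'support_staff', 'specialist')),
  company_role    text not null
    check (company_role in ('supervisor', 'qmhp', 'intake', 'office_support'))
);

-- A tenant-scoped table: every row carries the organization it belongs to.
create table public.appointments (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  client_id       uuid not null,
  starts_at       timestamptz not null,
  clinical_notes  text
);

-- Helpers that resolve the caller's organization and account role from the
-- JWT subject. security definer lets them read profiles even if profiles has
-- its own RLS; a fixed search_path stops a hostile schema from shadowing it.
create or replace function public.current_org_id() returns uuid
language sql stable security definer set search_path = public as $$
  select organization_id from public.profiles where id = auth.uid()
$$;

create or replace function public.current_account_role() returns text
language sql stable security definer set search_path = public as $$
  select account_role from public.profiles where id = auth.uid()
$$;

-- Turn RLS on. FORCE applies the policies to the table owner too; roles with
-- the BYPASSRLS attribute (such as Supabase's service role) still bypass them.
alter table public.appointments enable row level security;
alter table public.appointments force row level security;

-- Least privilege at the grant level: unauthenticated (anon) gets nothing.
revoke all on public.appointments from anon;
grant select, insert, update, delete on public.appointments to authenticated;

-- Tenant isolation: read only your own organization's rows.
create policy appointments_select on public.appointments
  for select to authenticated
  using (organization_id = public.current_org_id());

-- Writes must also land in the caller's organization. WITH CHECK is what
-- stops a user from inserting or re-homing a row into another tenant.
create policy appointments_insert on public.appointments
  for insert to authenticated
  with check (organization_id = public.current_org_id());

create policy appointments_update on public.appointments
  for update to authenticated
  using (organization_id = public.current_org_id())
  with check (organization_id = public.current_org_id());

-- Role-based control in the same layer: only ceo/admin accounts may delete.
-- (Assumed rule for illustration; the page does not say which roles can.)
create policy appointments_delete on public.appointments
  for delete to authenticated
  using (organization_id = public.current_org_id()
         and public.current_account_role() in ('ceo', 'admin'));

-- Self-check: impersonate a user inside a transaction and confirm the scope.
-- auth.uid() reads the "sub" claim from request.jwt.claims, so setting that
-- GUC locally exercises the policies without minting a real token.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
  -- Returns only rows whose organization_id matches that user's profile;
  -- adding "where organization_id = <another org>" returns no rows.
  select id, organization_id from public.appointments;
rollback;
```

The self-check at the end is the test a reviewer should run after every policy change: if it ever returns a row from another organization, the policy, not the application, is where the fix belongs. Note that the same check run as the service role would return every row, because that role bypasses RLS; keep that key out of any code path that accepts user-controlled input.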

HIPAA compliance measures

Business Associate Agreement (BAA) with Supabase and Vercel
PHI is never logged in application logs or error tracking
Client portal exposes only appointment metadata — no clinical notes
All API endpoints require an authenticated session with a valid JWT
Middleware blocks unauthorized route access before page load
Audit logging for data access and modification events
Security questions?
If you have specific security or compliance questions, contact us at triplethreatmathematics.com/book.