Compliance

HIPAA & Patient Privacy

Last updated: April 11, 2026

Important Notice

Doctria is not a HIPAA Covered Entity or Business Associate. Doctria is a peer learning platform for medical professionals, not a system that stores, transmits, or processes Protected Health Information (PHI) on behalf of healthcare providers or their patients.

The responsibility for de-identifying all patient information before posting a case rests entirely with the posting physician. Doctria provides tools and reminders to help you meet de-identification standards, but we cannot verify or enforce compliance on your behalf.

What Is PHI?

Under HIPAA, Protected Health Information includes any information that can be used to identify an individual patient in connection with their health condition, care, or payment. This includes but is not limited to:

  • Names, initials, or aliases
  • Geographic identifiers smaller than a state (city, zip code, address)
  • Dates (other than year) — including admission, discharge, and birth dates
  • Phone numbers, fax numbers, email addresses
  • Social Security numbers, medical record numbers, account numbers
  • Photographs or other identifying images
  • Any other unique identifying number or characteristic

Your Obligation Before Posting

Before posting any case on Doctria, you are required to ensure that all PHI has been removed from both the text description and any images. HIPAA provides two methods of de-identification:

Safe Harbor Method. Remove all 18 categories of identifiers defined by the Safe Harbor standard (the list above summarizes the most common ones) from the case content and images, and have no actual knowledge that the remaining information could identify the individual.

Expert Determination Method. A qualified statistical or scientific expert determines that the risk of identifying the individual is very small.

When in doubt, apply the Safe Harbor method. If you are unsure whether a case can be fully de-identified, do not post it.

What Doctria Does

  • Displays a de-identification reminder on every case submission screen
  • Does not request or store patient identifiers as part of case submissions
  • Stores all data with encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Restricts platform access to registered users
  • Does not share case content with third parties for commercial purposes

What Doctria Does Not Do

  • Doctria does not automatically scan, detect, or redact PHI from posted content
  • Doctria does not sign Business Associate Agreements (BAAs)
  • Doctria does not guarantee that all posted content is free of PHI
  • Doctria does not provide legal or compliance advice

Reporting a Potential PHI Exposure

If you identify a post on Doctria that you believe contains PHI, please report it immediately at privacy@doctria.io. We will review and remove the content as quickly as possible. Users who repeatedly post content that has not been de-identified will have their accounts suspended.

Security Practices

Doctria uses Supabase for data storage and authentication, hosted on AWS infrastructure. Security measures include:

  • TLS encryption for all data in transit
  • AES-256 encryption for data at rest
  • Row-Level Security (RLS) policies on all database tables
  • Optional two-factor authentication (TOTP) for user accounts
  • Automatic session expiration after periods of inactivity
  • FLAG_SECURE on sensitive screens to prevent screenshots (Android)

Questions

For questions about HIPAA compliance, patient privacy, or our security practices, contact us at privacy@doctria.io. We recommend consulting a qualified healthcare attorney for compliance advice specific to your practice or institution.