No-PHI Policy

Effective: 2026-04-27. Plain English.

What this is

NoteAssist is a charting buffer for aesthetic injectors. You speak clinical shorthand; we transcribe and structure it. You then copy the result into your real EMR (Aesthetic Record, Symplast, PatientNow, paper chart, whatever you use). NoteAssist is not your EMR and is not the system of record for your practice.

We don't want patient identifiers

You agree not to enter Protected Health Information (PHI) into NoteAssist. PHI includes:

  • Patient first or last name, full name, or initials
  • Date of birth or specific dates that identify a patient
  • Phone number, email, address, or social security number
  • Medical record number or insurance ID
  • Photos of the patient, including before/after images
  • Anything else that could reasonably be used to identify a specific individual

The Reference field on each note is for your own code or chair number — for example, "JS-0412" or "Chair 2, 2pm". Use whatever scheme lets you cross-reference back to your real EMR. Do not put names there.

Notes auto-delete after 7 days

Every note you create is automatically deleted from our database 7 days after creation. You can extend retention to 30 days once per note from the dashboard. Copy your note into your real EMR before the deletion date.

Auto-deletion is enforced by a daily database job, not by user action. After deletion, the note is gone from our active database. Database backups, if any, are retained per our standard schedule and rotated.

We are not a HIPAA Business Associate

NoteAssist does not currently sign Business Associate Agreements (BAAs) and does not represent itself as HIPAA-compliant. If your practice is a covered entity under HIPAA, which most aesthetic practitioners are, you are responsible for keeping PHI out of NoteAssist. Entering PHI into the service is a violation of these terms and may expose you to regulatory liability that is your responsibility, not ours.

If you need a vendor that signs BAAs, use a HIPAA-compliant EMR for that data. NoteAssist is a transcription-and-shorthand tool, not an EMR.

What we do to help

  • The structured note schema has no patient name, DOB, MRN, phone, or email field.
  • Our extraction model is instructed to redact apparent personal names from the free-text field.
  • The recorder warns you not to speak names or DOBs.
  • Notes auto-delete after 7 days by default.
  • Audio recordings are processed and discarded — never stored.

These are best-effort guards, not guarantees. Ultimately, what you dictate is what gets stored.

Where data goes

Audio is sent to OpenAI for transcription and discarded after processing. The transcript and structured fields are stored in Supabase (Postgres) under your account, scoped by row-level security so other users cannot read your notes. Deployment is on Vercel. Payment processing, when applicable, is via Stripe; no note content is sent to Stripe.

See the Privacy Policy for full processor details.

Reporting accidental PHI entry

If you accidentally entered PHI and want it removed immediately, delete the note from your dashboard. Deletion is immediate. If you need help or believe a security incident has occurred, email support@noteassist.app.