HIPAA Compliant Use

PhraseExpress can support HIPAA-compliant use through local data storage, controlled access permissions and optional AES-256 encryption.

Recommended Configuration

  • Store PhraseExpress databases only in approved local locations.

  • If sharing phrases with a cloud service, consider using a self-hosted cloud service, such as OwnCloud or NextCloud.

  • If using a SQL server to host phrases, consider a self-hosted SQL server on your premise (vs. cloud based options such as Microsoft Azure or Amazon AWS).

  • Restrict access to authorized users and groups. Important: Phrase access restrictions can be overruled by the administrator.

  • Use individual user accounts instead of shared credentials.

  • Protect workstations, servers, and backups with appropriate access controls and encryption.

  • Keep the operating system, database software and PhraseExpress up to date.

  • Review access permissions regularly.

  • Consider disabling the clipboard cache if you have concerns that sensitive information may be catched by the clipboard.

Handling Protected Health Information

  • Store only the information required for the intended workflow.

  • Avoid saving patient-specific data in text snippets.

  • Verify patient-related content before inserting it into another application.

  • Do not store passwords, access tokens, or other credentials in text snippets.

Cloud Synchronization

PhraseExpress can optionally synchronize databases through cloud services such as iCloud or Google Drive and also self-hosted options, such as OwnCloud.

When synchronizing protected health information:
  • Enable AES-256 encryption.

  • Keep the encryption password secure and separate from the database.

  • Use only cloud services and subscription plans approved by your organization.

  • Ensure that any required Business Associate Agreement is in place with the cloud provider.

Support Requests

Do not send databases, screenshots, log files, or exported settings containing protected health information to Bartels Media. Remove or replace sensitive data before submitting support material.

Backups and Recovery

  • Encrypt database backups.

  • Restrict access to backup locations.

  • Test database restoration regularly.

  • Remove obsolete copies according to your retention policy.

PhraseExpress provides features that can support HIPAA-compliant use, but HIPAA compliance depends on your complete technical and organizational environment. Please note that the U.S. Department of Health and Human Services generally does not issue official HIPAA product certifications. HIPAA compliance depends on how the software is used within your organization.

Table of Contents


Table of Contents