Back to blog
HealthtechSupabaseRLS

Healthtech on Supabase: patient records and RLS pitfalls that stick

Published on 2026-04-164 min readCleanIssue

> TL;DR: A patient record needs stricter isolation than a regular SaaS. Common RLS mistakes in young healthtech products.

Why are Row Level Security policies critical for HR SaaS?

A patient record is not a support ticket

In a healthtech product, the access rule isn't "my organization" but "my patient, my practitioner, this treatment, this period". That's finer-grained than a typical B2B SaaS.

What breaks often

  • RLS filters on organization without filtering on patient;
  • document sharing between practitioners with no expiry;
  • full history visible to all clinic accounts, including reception staff.
  • The right level of rigor

    A healthcare product must be able to answer: who saw what data, when, and why. If the answer depends on an optional application log, that's not enough for HDS-hosted data.

    Key Takeaways

  • Test every RLS policy with different role tokens — a single missing SELECT policy exposes all data.
  • Storage buckets need their own policies, separate from table RLS.
  • Automate tenant isolation tests in CI/CD before every deployment.
  • Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.

    Sources

    Written by CleanIssue
    Reviewed on 2026-04-16

    Editorial analysis based on official vendor, project, and regulator documentation.

    Related services

    If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit