OpenClinic Privacy Policy
Last updated: May 2026
OpenClinic is a local-first clinical workspace prototype. It is designed to demonstrate patient charting, encounter documentation, and medical RAG search utilizing secure local storage and on-device processing. We do not collect, store, sell, or proxy your clinical data.
1. Clinical Data Storage (Local Sandbox)
OpenClinic is designed under a local-first architecture. All Protected Health Information (PHI), patient records, clinical documentation, and anatomical imaging remain stored strictly on your device.
- SwiftData local store: Clinical profiles, diagnoses, medication lists, and appointments are stored inside a local SQLite database managed by SwiftData. The developer has no access to this database.
- Local Clinical Images: Photos captured for dermatology tracking are saved in the app's local sandbox directory. They are not uploaded to iCloud Photo Library or developer servers.
- Secure Keychain: Authentication tokens and sandbox EHR endpoints are stored locally in the iOS Keychain.
2. On-Device AI Engine & Processing
All clinical intelligence and search functionalities are designed to run locally, avoiding cloud-based leakage of clinical data.
- Local Tokenization and Embeddings: Text chunking and vector embeddings are generated on-device using a bundled Core ML embedding model and tokenizer vocabulary.
- Local Search Indexes: Vector search (via SQLite) and keyword search (via SQLite FTS5) run locally on your device.
- Local Synthesis: Clinical summaries and chart Q&A use Apple Foundation Models APIs where supported by the device operating system, running entirely on-device. No medical records are uploaded to commercial LLM APIs.
3. SMART on FHIR Interoperability
OpenClinic includes functionality to import clinical patient records from EHR systems using the SMART on FHIR profile.
- Direct Connections: All network requests to discovery endpoints, capability statement URLs, and FHIR resource APIs are made directly from your device over secure HTTPS/TLS. No proxy servers are used.
- EHR Authentication: User sign-in and OAuth authorization occur directly on the EHR platform's server using secure system browser views (ASWebAuthenticationSession). The developer never intercepts, logs, or stores your access tokens or credentials.
- Local Provenance: Imported FHIR resources (Patient, Condition, MedicationRequest, Appointment) are stored in SwiftData and tagged with provenance metadata showing the authoritative source system.
4. Requested Device Permissions
- Microphone & Speech Recognition: Required for clinical dictation. Speech processing occurs on-device using Apple Speech APIs.
- Camera & Photo Library: Required to capture and catalog clinical photos of anatomical regions.
- Network Access: Required to query and import data from SMART on FHIR EHR sandboxes.
5. Retention, Revocation, & Deletion
- Record Deletion: Removing a patient profile, clinical photo, or encounter note deletes it immediately from the local SwiftData store.
- Keychain Reset: Stored EHR credentials can be cleared in the Settings section.
- Complete Wipe: Uninstalling the application completely erases all local database records, clinical photography, diagnostic logs, and Keychain credentials.
6. HIPAA & Regulatory Alignment
As a prototype clinical playground, OpenClinic does not collect or process patient records on developer-owned servers. Providers using OpenClinic are responsible for ensuring that their use complies with HIPAA rules, institutional policies, and patient consent constraints.
7. Contact
For privacy inquiries, contact the developer at: gunnarguy@me.com.