AppVault


A Clinical Photo Vault for Doctors, Nurses, and Therapists

Clinical photographs on personal iPhones create a regulatory problem that most vault apps ignore. AppVault gives medical professionals a way to separate patient images from the Camera Roll entirely — with encryption that satisfies HIPAA technical safeguards and GDPR Article 9 special-category data requirements.


UPDATED · 2026-05-16 · REVIEWED BY APPVAULT

TL;DR

Medical professionals who capture clinical photos on personal iPhones face HIPAA and GDPR obligations that the default Camera Roll cannot meet. AppVault provides AES-256-GCM encryption, a separate encrypted catalog, and a Calculator Launcher to keep patient images off the visible photo grid — no accounts, no servers, no telemetry.

The Problem With Clinical Photos on a Personal iPhone

A dermatologist photographs a lesion before prescribing. A dentist captures a before-and-after series. A nurse documents a wound during a home visit. A therapist takes a snapshot of a whiteboard diagram during a telemedicine session. In every case, the image lands in the same Camera Roll as vacation photos, screenshots, and family pictures.

The regulatory frameworks are clear. In the United States, HIPAA’s Security Rule requires technical safeguards for electronic protected health information (ePHI), including encryption at rest on devices that store or transmit it. In the European Union, GDPR Article 9 classifies health data as special-category personal data, subject to the strictest processing requirements and requiring explicit consent or a recognized legal basis.

The iPhone Camera Roll satisfies neither framework. It is a single, unencrypted gallery. Anyone who picks up the phone and swipes left can see everything.

Most clinicians know this. Few have a practical solution that does not involve carrying a second device.

What HIPAA Actually Requires for ePHI on Personal Devices

HIPAA’s Security Rule does not mandate a specific product. It mandates outcomes. The encryption standard is NIST FIPS 197 — the Advanced Encryption Standard. The access control standard requires unique user identification and automatic logoff. The audit control standard requires mechanisms to record and examine access.

AppVault addresses the encryption and access control requirements directly. Files are sealed with AES-256-GCM — NIST FIPS 197 and NIST SP 800-38D — using a unique 96-bit nonce per file. The key is derived from the user’s 5×5 pattern through PBKDF2-SHA256 at 600,000 iterations, matching the OWASP 2026 recommendation. That derived key is then wrapped by a key generated inside the iPhone Secure Enclave, which never leaves the chip.

The encrypted catalog is mathematically sealed. Even the list of files — count, names, dates — is encrypted. An attacker with raw storage access cannot determine how many files exist, let alone read them.
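The scheme described in the two paragraphs above, as an added Node.js example that is not AppVault's code: PBKDF2-SHA256 at 600,000 iterations derives the key, and each item, the catalog included, is sealed with AES-256-GCM under a fresh 96-bit nonce. The salt, the pattern encoding, the `nonce|ciphertext|tag` layout and the AAD labels are assumptions, and the Secure Enclave wrapping step is left out because it needs the device hardware.

```javascript
// Added example: illustrative sketch, not AppVault's source code.
const nodeCrypto = require('crypto');

const ITERATIONS = 600000; // PBKDF2-SHA256 count stated on the page

// Derive a 256-bit key from the pattern. The salt and the pattern encoding
// (a string of cell indices) are assumptions; the page specifies neither.
function deriveKey(pattern, salt) {
  return nodeCrypto.pbkdf2Sync(pattern, salt, ITERATIONS, 32, 'sha256');
}

// Seal one item under a fresh random 96-bit nonce. `aad` (an assumption) binds
// the blob to its role so a file blob cannot be swapped in for the catalog.
function seal(key, plaintext, aad) {
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(aad));
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]); // nonce|ct|tag
}

// Open a sealed blob; returns null when the key, the AAD or any byte is wrong.
function open(key, blob, aad) {
  if (blob.length < 28) return null; // 12-byte nonce + 16-byte tag minimum
  const nonce = blob.subarray(0, 12);
  const tag = blob.subarray(blob.length - 16);
  const body = blob.subarray(12, blob.length - 16);
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, nonce, { authTagLength: 16 });
    d.setAAD(Buffer.from(aad));
    d.setAuthTag(tag);
    return Buffer.concat([d.update(body), d.final()]);
  } catch {
    return null; // GCM authentication failed
  }
}

// Constructed sample data: a fake photo body and a one-entry catalog.
function demo() {
  const salt = nodeCrypto.randomBytes(16);
  const key = deriveKey('0-6-12-18-24', salt); // constructed pattern encoding
  const photo = Buffer.from('constructed HEIC bytes');
  const catalog = Buffer.from(JSON.stringify([{ name: 'IMG_0942.HEIC', size: photo.length }]));
  return { salt, key, photo, catalog,
           fileBlob: seal(key, photo, 'file'),
           catalogBlob: seal(key, catalog, 'catalog') };
}
```

Because the catalog is sealed the same way as the files, the stored blob exposes only its length; names and counts are readable only after `open` succeeds with the right key.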

HIPAA compliance is an organizational obligation. AppVault provides the technical layer. The clinician’s institution must still conduct its own risk assessment, document its policies, and ensure the overall workflow meets the rule’s administrative and physical safeguard requirements.

GDPR Article 9 and Special-Category Health Data

For European clinicians, the calculus is similar but the framework is different. GDPR Article 9 prohibits processing of health data unless one of several conditions is met — explicit consent, employment law authorization, or substantial public interest, among others. The regulation does not prescribe specific encryption algorithms, but it does require “appropriate technical and organisational measures” given the risk.

AppVault’s zero-knowledge architecture is relevant here. The app makes zero network calls by default. There are no accounts, no telemetry, no third-party SDKs. The privacy nutrition label declares no data collected. The app operator processes no personal data at all — the encryption happens entirely on-device, and the ciphertext never leaves the phone unless the user opts into encrypted iCloud Backup.

For a clinician processing health data under Article 9, this architecture means the vault app itself introduces no additional data processing. It is a local encryption tool, not a data processor.

The Shared Clinic iPad

Many clinics issue a single iPad for patient check-in, telemedicine sessions, or clinical documentation. Multiple providers use the same device across a single day. Without separation, every provider’s clinical photos sit in the same gallery.

AppVault’s Decoy Vault feature addresses this directly. A second 5×5 pattern opens a separate, mathematically independent vault catalog. The two catalogs share no key material. One does not reveal the other’s existence.

This is not a multi-user account system. There is no login, no user management, no cloud sync between vaults. Each provider’s catalog is a self-contained encrypted container. If one provider leaves the clinic, their pattern is simply not shared with the replacement.

The Handover Moment

A colleague borrows the phone to make a quick call. A patient asks to see a photo on the screen and the phone gets passed over. A friend takes a group photo at a restaurant and swipes further than intended.

In every case, the risk is the same: the Camera Roll is a single scroll with no access control. Clinical photos are visible to anyone who holds the phone.

AppVault breaks this pattern. Clinical photos are imported into the encrypted vault and deleted from the Camera Roll. The vault does not appear in the Photos app, the photo grid, or search results. The only way to open it is through the vault’s own interface — behind the 5×5 pattern.

The Calculator Launcher adds another layer. The app presents as a fully functional iOS calculator. The vault is accessed through an opt-in long-press on the equals key. This is not deception — the calculator works. It is an alternate icon built to satisfy Apple guideline 4.3, providing a standard tool with an optional secondary function.

Most clinicians obtain consent before capturing clinical photographs. The consent form typically covers use, storage, and sharing. It rarely addresses the fact that the photo will sit in the same gallery as the clinician’s personal images, visible to anyone who picks up the phone.

This is a gap between consent and technical reality. The patient consented to clinical use of the image. The patient did not consent to the image being visible to the clinician’s family, friends, or anyone who borrows the phone.

AppVault closes that gap. Once a clinical photo is imported into the vault and the original is deleted from the Camera Roll, the image exists only in the encrypted catalog. The consent form’s intent — clinical use only — is matched by the technical implementation.

Telemedicine Snapshots

Telemedicine visits often produce clinical images: a screenshot of a skin condition captured during a video call, a photo of a medication label, a whiteboard diagram the patient drew to explain symptoms. These images are clinical data. They belong in a protected environment, not in the Camera Roll.

AppVault’s import workflow allows direct capture or import from the camera. The image goes straight into the encrypted catalog. It never touches the visible photo grid.

For clinicians who conduct telemedicine from a personal iPhone, this is the difference between a compliant workflow and a Camera Roll full of unencrypted clinical images.

What AppVault Does Not Defend Against

Honesty about limits is a design principle. AppVault does not protect against:

  • A compromised iPhone. If the device is jailbroken or running malware, the encryption is irrelevant. The attacker can read the screen, intercept the pattern, or access the decrypted catalog in memory.
  • A clinician who shares the pattern. AppVault cannot enforce institutional policy. If a provider gives their pattern to a colleague, the vault is open.
  • Physical coercion. AppVault does not include a duress feature. If someone forces the clinician to unlock the phone, the vault opens like any other app.
  • iCloud Backup without the backup key. If the user opts into encrypted iCloud Backup but loses the per-device backup key, the backup is unrecoverable. There is no reset.

The threat model page covers these scenarios in detail. A product that overstates its protections is a product that cannot be trusted.

How AppVault Compares to Other Vault Apps

The photo vault category is large. Keepsafe is the category leader by install count. Vaultaire is the closest competitor in the calculator-vault niche. Most apps in this space do not publish their cryptography stack, do not cite primary sources, and do not run with zero network calls by default.

AppVault publishes its full stack: AES-256-GCM, PBKDF2-SHA256 at 600,000 iterations, Secure Enclave key wrapping, unique 96-bit nonce per file. Every claim links to a primary source — NIST, OWASP, Apple Platform Security. The app makes zero network calls by default. The privacy nutrition label declares no data collected.

For a clinician evaluating tools under HIPAA or GDPR, this transparency matters. Compliance depends on understanding what the tool actually does, not what the marketing page claims.

Setup for Clinical Use

The recommended workflow for medical professionals:

  1. Install AppVault and set a 5×5 pattern. Write down the recovery passphrase and store it offline — a desk drawer, a locked cabinet, a personal safe.
  2. Enable the Calculator Launcher if the alternate icon is useful in your setting.
  3. If sharing a device with another provider, set up the Decoy Vault with a second pattern. Each provider uses their own.
  4. Import existing clinical photos from the Camera Roll. Delete the originals from the Photos app.
  5. Going forward, capture clinical photos directly into the vault or import them immediately after capture.
  6. Do not enable iCloud Backup unless you are willing to manage the per-device backup key. If you do enable it, understand that losing the key means losing the backup.

This workflow keeps clinical images in a sealed catalog, separate from personal photos, outside the visible Camera Roll, and encrypted to a standard that satisfies HIPAA technical safeguards and GDPR Article 9 processing requirements.

The Regulatory Burden Is Real

No app eliminates the clinician’s obligation to conduct a risk assessment, document policies, and ensure the overall workflow meets regulatory requirements. HIPAA and GDPR are organizational frameworks. AppVault is a technical tool.

What the tool does is remove the most common failure point: clinical photos sitting in an unencrypted, publicly visible gallery on a personal device. That failure point is the one most likely to trigger a complaint, a breach notification, or a regulatory inquiry.

For a doctor, nurse, dentist, dermatologist, or therapist who already carries an iPhone into clinical settings, AppVault is the difference between a Camera Roll problem and a sealed catalog.

[Diagram 01: Encryption pipeline. File (IMG_0942.HEIC) → AES-256-GCM with a per-file 96-bit nonce → sealed blob.]

QUESTIONS

10 sharp answers.

  1. Is AppVault HIPAA compliant?
    AppVault implements AES-256-GCM encryption, per-device key derivation via PBKDF2-SHA256 at 600,000 iterations, and Secure Enclave key wrapping — the technical controls HIPAA's Security Rule expects for ePHI at rest. Compliance is an organizational obligation; AppVault provides the technical layer.
  2. Does AppVault store patient data on its servers?
    AppVault makes zero network calls by default. There are no servers, no accounts, no telemetry. Encrypted iCloud Backup is opt-in and uses a separate per-device backup key — Apple receives only ciphertext.
  3. Can I use AppVault on a shared clinic iPad?
    Yes. The Decoy Vault feature provides a second, independent 5×5 pattern that opens a separate encrypted catalog. One device can serve two providers with mathematically independent vaults.
  4. What happens if I forget my pattern?
    There is no password reset. No support tool. The vault stays sealed. AppVault generates an optional written recovery passphrase during setup — store it offline.
  5. Will clinical photos still appear in the iOS Photos app?
    No. AppVault imports photos into its own encrypted catalog. The originals can be deleted from the Camera Roll. The vault catalog is sealed — even the file count and names are encrypted.
  6. Does the Calculator Launcher hide the app from patients or colleagues?
    The Calculator Launcher is a fully functional iOS calculator with an opt-in long-press equals-key shortcut to the vault. It is built to satisfy Apple guideline 4.3 (alternate icons). It does not deceive anyone — it provides a standard calculator with an optional secondary function.
  7. What about GDPR Article 9 for health data in the EU?
    GDPR Article 9 classifies health data as special-category personal data requiring the highest level of protection. AppVault's zero-knowledge architecture — no accounts, no servers, no telemetry — means the app operator processes no personal data at all. The encryption happens entirely on-device.
  8. Can I use AppVault for telemedicine snapshots?
    Yes. Telemedicine snapshots taken during a video visit can be imported directly into the vault. The encrypted catalog keeps them separate from personal photos and outside the visible Camera Roll.
  9. What if my phone is inspected at customs or a border crossing?
    AppVault's threat model includes device-level adversaries. The encrypted catalog is sealed with AES-256-GCM and the key is wrapped by the Secure Enclave. Without the pattern, the catalog is indistinguishable from random data. See the threat model page for full details.
  10. How does AppVault compare to Keepsafe for clinical use?
    Keepsafe is the category leader by install count; the full feature-by-feature breakdown is on the AppVault vs Keepsafe comparison page. AppVault differs by publishing its full cryptography stack with primary-source citations and running with zero network calls by default.

GET STARTED

Seal the vault.

Free to download. The first vault is free, forever. Upgrade only when you outgrow it.