Security & privacy
Virtual Clinic is built around the principle that each provider's data belongs exclusively to that provider. The sections below explain the specific mechanisms that enforce that boundary at every layer of the platform.
Isolated workspaces
Every clinic operates on its own subdomain backed by its own dedicated database schema. No clinic shares tables or rows with another clinic — the isolation exists at the data layer, not just the application layer. Independent doctors are similarly partitioned from one another within their shared workspace: each doctor's records are scoped to their own account and cannot be read by another practitioner on the platform.
Sessions that stay put
When you sign in, the platform issues a short-lived access token that is cryptographically bound to the specific clinic or portal where you authenticated. That token is rejected if it is used anywhere else on the platform. Access tokens expire after five minutes; they are refreshed automatically in the background so you stay signed in without re-entering your password. Refresh tokens last one day. Because each token is tied to exactly one provider, a compromised credential at one clinic cannot be used to access records at another.
Access control by role
What you can see and do inside a clinic is determined by your role in that workspace. Admins can only manage accounts within their own clinic. Lab and chemist accounts are similarly scoped to their workspace. There is no super-role that spans clinic boundaries — every permission check is evaluated against the specific clinic you signed in to, regardless of any roles you may hold elsewhere on the platform. Which patient charts a doctor can open is a separate question, covered next.
Chart access
Whether a doctor can open a particular patient's chart depends on the workspace's chart-access model:
- Open charts (the default for a clinic). Every doctor in the clinic can see every patient in that clinic. This matches how small practices actually work — colleagues cover for each other, handle walk-ins, and pick up where someone left off — and it is backed by the audit trail rather than hard walls. The "minimum necessary" privacy standard does not restrict access for treatment purposes.
- Relationship-based access. In the independent-doctors portal, and in any clinic that turns on the Strict chart access feature, a doctor only sees patients they have a treatment relationship with: an appointment, a prescription, a medical test, an uploaded document, a conversation, or being the patient's assigned primary doctor. A patient who self-registers but never books, and is not assigned to anyone, is not visible to any doctor until one of those links exists. Patients always see their own records regardless, and admins are never restricted.
Break the glass
Where relationship-based access is in effect, a doctor can still reach a chart they have no relationship with in a genuine emergency by breaking the glass: they record a reason, and access is granted for a limited time (24 hours by default). Access is never hard-blocked in an emergency — instead it is made deliberate and visible. Every break-the-glass event is written to the audit trail and listed for administrators on a dedicated report, so improper use is discoverable and attributable.
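The chart-access models and the break-the-glass grant described above combine into one access decision. The following Python is an added example, not Virtual Clinic's own code: the `Workspace` class, its fields, the role strings and the deny-by-default for roles other than admin, patient and doctor are assumptions, and the sample identifiers and timestamp are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

BREAK_GLASS_TTL = timedelta(hours=24)  # the page's default window


@dataclass
class Workspace:
    """One clinic or portal; every name here is hypothetical."""
    strict: bool  # True = relationship-based access, False = open charts
    relationships: set = field(default_factory=set)  # (doctor_id, patient_id) links
    grants: dict = field(default_factory=dict)       # (doctor_id, patient_id) -> expiry
    audit: list = field(default_factory=list)        # (timestamp, user, action, description)

    def break_glass(self, doctor_id, patient_id, reason, now):
        """Record a reason, open a time-limited grant, write the audit entry."""
        if not reason.strip():
            raise ValueError("a reason is required to break the glass")
        self.grants[(doctor_id, patient_id)] = now + BREAK_GLASS_TTL
        self.audit.append((now, doctor_id, "break_glass",
                           f"patient={patient_id} reason={reason.strip()}"))

    def can_open_chart(self, user_id, role, patient_id, now):
        if role == "admin":
            return True                   # admins are never restricted
        if role == "patient":
            return user_id == patient_id  # patients always see their own records
        if role != "doctor":
            return False                  # assumption: other roles get no chart access
        if not self.strict:
            return True                   # open charts: every doctor, every patient
        key = (user_id, patient_id)
        if key in self.relationships:
            return True                   # appointment, prescription, test, ...
        expiry = self.grants.get(key)
        return expiry is not None and now < expiry  # unexpired break-the-glass grant


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample time
    ws = Workspace(strict=True, relationships={("dr_a", "pt_1")})
    print(ws.can_open_chart("dr_b", "doctor", "pt_1", t0))   # no relationship
    ws.break_glass("dr_b", "pt_1", "unconscious in ER", t0)
    print(ws.can_open_chart("dr_b", "doctor", "pt_1", t0 + timedelta(hours=23)))
    print(ws.can_open_chart("dr_b", "doctor", "pt_1", t0 + timedelta(hours=24)))
    print(ws.audit)
```

The grant is keyed to one doctor and one patient, so breaking the glass for one chart opens no other chart, and the audit entry carries the fields the Activity Log section lists.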
Audit trail
Clinics that have the Activity Log feature enabled keep a timestamped record of significant actions taken inside their workspace. Each entry captures the timestamp, the user who performed the action, the action type, and a description. This log is visible to clinic administrators and gives you visibility into what happened inside your workspace and when.
Encryption in transit
Virtual Clinic is served exclusively over HTTPS. All data exchanged between your browser and the platform — including authentication tokens, medical records, and messages — is encrypted in transit. Unencrypted connections are not accepted.