We've detected that you're in . Would you like to go to the MediCam site?

Protecting Patient Privacy

It's easy to use your phone to capture patient photos, video or audio but if you're not using MediCam ...


There's patient data stored on your phone. What if you lose it?


Photos are often auto-uploaded to the cloud. Many breaches in the past.


Patient data often isn't transmitted securely and can be intercepted.


When shared, patient data often isn't stored securely by recipients.


Consent is often not recorded. If there's a disputer later this can mean trouble!


There's no record of who has accessed the data.

Have questions? Call: +61 3 9005 6339

Designed to be secure from the beginning

Once a patient's data has been captured in the MediCam app, the user has three main ways of sending the data.

Encrypted Email

The app fetches a key from a "Key Server" (operated by MediCam or your organization) and secures all data using AES-256 bit encryption. The encrypted report is attached to an email which can then be sent by the user - the same as a "normal" email. The recipient is instructed to open the email on their phone and tap on the attached encrypted report. If the recipient is signed in to MediCam, the app will fetch a key to decrypt the report (thereby leaving an audit trail) and display the report. See Email to Recipient integration docs.

Uploaded to Dropbox or Box

The app transmits the report (PDF, JSON metadata and photo, video and audio files) to Dropbox or Box's servers via HTTPS. MediCam does not encrypt reports using the Key Server when submitting to Dropbox or Box as it is assumed that Dropbox and Box will store all reports securely. Both Dropbox and Box have HIPAA allow you to remain HIPAA compliant. See Upload to Box documentation and Upload to Dropbox documentation.

Uploaded to Medical Record

The app transmits the report to an endpoint setup by an organization (for the purpose of putting it in the patient's medical record). Depending on the endpoint, the report can be transmitted via HTTPS (using the same method as when sent to Box or Dropbox) or via HTTP if the report is encrypted on the device first. The report can be encrypted using a static or dynamic key (using a Key Server). For more information please see here, here, and here.

AES-256 Encryption

We use Advanced Encryption Standard 256-bit keys

Most people will not need to know this but, we also use: CBC mode, password stretching with PBKDF2, password salting, random IV, and encrypt-then-hash HMAC. What you do need to know is that there are no known cases of this encryption having ever been "cracked".

Security Tested

MediCam has undertaken independent Vulnerability Assessment and Penetration Testing (VAPT). The tester is qualified as a "Certified Ethical Hacker"; is a “Certified Information Systems Security Professional"; and is certified with the "Council of Registered Ethical Security Testers".

Certified Ethical Hacking badge Council of Registered Ethical Security Testers badge Certified Information Systems Security Professional badge


When a doctor sends a confidential "paper" report through the post to another doctor, there's an implicit understanding and ethical obligation that the recipient will not in turn act inappropriately with that data (e.g. share it on Facebook). The same applies when using MediCam. By combining this trust with smart design and the latest technology we've been able to create a super-easy-to-use app for securely capturing and transmitting patient photos, videos and audio. Ease-of-use is the most important security feature. If it's not easy-to-use, it won't get used. If it's not getting used then either the patient isn't getting the best treatment or patient data isn't protected.


HIPAA stands for the "Health Insurance Portability and Accountability Act of 1996". It's a US federal mandate that requires the protection and confidential handling of "protected health information" (PHI). MediCam can help your organization comply with its HIPAA obligations. Please review HIPAA to ensure your practices comply.

There are no official certifications for HIPAA compliance. Nonetheless, MediCam has been built using technology, structures and processes that will make it easier for organizations to comply. MediCam never has access to patient data given it never passes through MediCam's servers. Combining this with the technical safeguards (listed in the section below) means you and your organization can assure the confidentiality, integrity, and availability of PHI.


  • If it's not easy-to-use, it won't get used. If it's not getting used then patient data isn't protected.
  • Takes 30 seconds to sign up for the first time.
  • It's as easy to use as the camera app on your phone.

Secure Authentication

  • MediCam uses a "password-less" authentication system. A "key" is emailed to the user in order to sign in (prevents the issue of easy-to-guess passwords).
  • Authentication keys expire if not used in 20 minutes and can only be used once.
  • MediCam user authentication is transmitted over HTTPS.
  • MediCam's user authentication server is securely hosted on Digital Ocean.

No Data Stored on Device

  • No photos, video or audio is stored in gallery on a device after being captured.
  • Upon sending a report, the patient data is completely removed from the device.
  • Data can't be accidentally uploaded to Cloud accounts (both iOS and Android have this turned on by default now).

Informed Consent

  • All reports require signed or recorded verbal consent before they can be submitted.
  • Patient can sign on screen - same legal standing as a paper signature in most countries (see here).
  • Doctor can record patient giving verbal consent. A script is provided.

Transmitted Securely

  • If being emailed, reports are strongly encrypted before being sent. See the security section here for more.
  • If being uploaded to a third party storage service (Dropbox or Box), reports are uploaded over HTTPS.
  • If being uploaded to an endpoint (institutions medical record) reports are uploaded over HTTPS and can be "double encrypted".

Direct Transmission

  • Patient data goes direct from app to email/endpoint. It's not stored by, and never passes through MediCam servers meaning...
    • Even if MediCam's authentication system was compromised patient data would not be compromised.
    • MediCam employees don't have access to patient data.
    • Governments or regulatory authorities, whether inside or outside of the jurisdiction in which you operate, can't request access to patient data through MediCam.

Restrict/Block Access

  • A user can choose to block access to a report they have created by selecting a "Block Access" button in the report log.
  • If your organization wishes to restrict who can open sent reports you can run your own key server.


  • Users get an email every time they sign in on a new device. This email contains a "global sign out" link. In case the user looses their phone, they can triggered this and if anyone tries to access a report from their account they will be automatically signed out.
  • Users will get a warning if a report is access more than 5 times in a 24 hour period. The email contains a link that will allow the user to block access for everyone but themselves.
  • Users will receive an email when a report is first opened (if sent via email). It contains the details of the first person to view the report and a link takes you to the report log.

Audit Trail

  • When an emailed report is opened a "key" is fetched from a "Key Server" (operated by MediCam or your organizations). This logs each access thereby keeping an audit trail.
  • The existence of an audit trail alone is a significant deterrent for inappropriate sharing.
  • If privacy breach occurs you will be able to look back and when, where and who accessed the reports and track down the culprit.
  • The MediCam Key Server is routinely backed up.

MediCam was built from the ground up with security of patient data being of paramount importance.

For more detail on how MediCam works, please read the Integrations documentation, or ...
Call us: +61 3 9005 6339