The Privacy Architecture
Link codes, not email auto-match.
Auto-linking patient portal accounts to clinical records by email is a known security risk — what if the email belongs to someone else, has been reassigned, or is shared? ELLEXMED does not auto-link by email.
Staff generate a unique 8-character link code for a specific patient record. The code expires in 7 days. The patient enters it in their portal. Staff review and approve the linkage request. This creates a verified, human-reviewed connection between the portal account and the clinical record.
Linkage Flow
Staff generates link code
8-character alphanumeric code generated for the patient's clinical record. Expires in 7 days.
Patient enters code
Patient submits the code in their portal profile. A linkage request is created (status: pending).
Staff reviews request
Staff approve or reject the linkage request through the ELLEXMED dashboard.
Link established
On approval, the patient portal account is linked. The patient can now view their clinical data.
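The linkage flow above as an added sketch; this is not ELLEXMED's code. The class and method names, the character set, single-use codes, and the keyed digest used for storage are assumptions made for illustration; the 8-character length, 7-day expiry, pending status and staff approval come from the page.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumption: no 0/O/1/I look-alikes
CODE_TTL = timedelta(days=7)                   # from the page: codes expire in 7 days
SERVER_KEY = secrets.token_bytes(32)           # assumption: stand-in for a server-side secret

def _digest(code):
    # Keyed digest: a leaked table alone cannot be brute-forced over the 2^40 code space.
    return hmac.new(SERVER_KEY, code.strip().upper().encode(), hashlib.sha256).hexdigest()

class LinkageService:
    def __init__(self):
        self.codes = {}     # digest -> {"record_id", "expires", "used"}
        self.requests = []  # linkage requests for staff review
        self.links = {}     # portal account id -> clinical record id

    def generate_code(self, record_id, now):
        code = "".join(secrets.choice(ALPHABET) for _ in range(8))  # CSPRNG, 8 chars
        self.codes[_digest(code)] = {"record_id": record_id,
                                     "expires": now + CODE_TTL, "used": False}
        return code  # given to the patient by staff; the plaintext is not stored

    def submit_code(self, account_id, code, now):
        entry = self.codes.get(_digest(code))
        # One generic failure for unknown, expired and already-used codes.
        if entry is None or entry["used"] or now >= entry["expires"]:
            return None
        entry["used"] = True  # single use (assumption)
        req = {"id": len(self.requests), "account_id": account_id,
               "record_id": entry["record_id"], "status": "pending"}
        self.requests.append(req)
        return req

    def review(self, request_id, approve):
        req = self.requests[request_id]
        if req["status"] != "pending":
            raise ValueError("request already reviewed")
        req["status"] = "approved" if approve else "rejected"
        if approve:  # the link exists only after a human decision
            self.links[req["account_id"]] = req["record_id"]
        return req["status"]

    def can_view(self, account_id, record_id):
        return self.links.get(account_id) == record_id

if __name__ == "__main__":
    svc, now = LinkageService(), datetime.now(timezone.utc)
    req = svc.submit_code("acct-1", svc.generate_code("rec-1", now), now)
    print(req["status"], svc.review(req["id"], True), svc.can_view("acct-1", "rec-1"))
```

Entering a valid code only creates a pending request; access to the record is granted in `review`, so a guessed or intercepted code still has to pass the staff check.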
Patient portal capabilities
Appointment Booking
Patients book from public booking pages — review-approved, then paid via Stripe or auto-confirmed
Medical File Upload
PDF, JPG, PNG up to 25MB — lab reports, imaging, specialist letters, pharmacy printouts
AI Document Summaries
AI summarizes uploaded files with clinical focus, PII-excluded. Available on demand.
Clinical Record Linkage
Privacy-first 8-character link code system — no auto-link by email. Staff-reviewed approval.
Health Profile
Patients manage demographics, contact information, and emergency contacts
Separate Authentication
Patient accounts are entirely separate from staff — distinct session cookies, distinct auth flow
FAQ
Patient portal — answered.
How do patients link their portal account to their clinical record?
ELLEXMED uses a privacy-first link code system. Patients cannot auto-link to clinical records by email address (which would be a security risk if an email address is reused or spoofed). Instead, a staff member generates an 8-character link code for a specific clinical patient record. The patient enters this code in their portal profile. A linkage request is created and reviewed by staff. Upon approval, the patient account is linked to the clinical record and the patient can view their data.
What files can patients upload in the portal?
Patients can upload PDF, JPG, and PNG files up to 25MB each. Typical uploads include: lab reports, imaging reports, pharmacy printouts, letters from other specialists, vaccination records, and prescription documents. DICOM and raw imaging formats are not supported for patient-side uploads. Files are encrypted at rest (AES-256) and are visible to the treating clinical team.
How does the AI document summary work for patient files?
After a patient uploads a file, they can request an AI-generated summary. ELLEXMED uses Gemini 2.0 Flash to analyze the document content and generate a clinically focused summary. The system prompt explicitly instructs the AI to exclude personally identifiable information from the summary output — the summary focuses on clinical findings, values, and recommendations rather than demographic data.
Do patients need a separate account from doctors and staff?
Yes. Patient portal accounts are entirely separate from staff accounts. Patients register at /patient/signup with their own credentials and receive a 'patient' role with a separate authentication cookie (patient_session). Staff use a different sign-in flow (/signin) with a staff session cookie. The two authentication contexts never mix — a doctor cannot access the patient portal with their staff credentials.
What can patients see after linking to their clinical record?
Once linked, patients can view their appointment history, view their uploaded medical files and AI summaries, track their care roadmap (if configured by the treating doctor), and access lab results that have been formally submitted through the diagnostics module. Patients cannot see unstructured clinical notes, raw transcripts, or AI Suggest outputs — those remain within the clinical team's scope.
Is the patient portal HIPAA compliant?
Yes. The patient portal operates under the same security controls as the rest of ELLEXMED: AES-256 encryption at rest, TLS 1.3 in transit, organization-scoped access rules at the database level, and an immutable audit trail. Patient authentication uses short-lived session cookies. File storage enforces type and size restrictions at the storage rules level.