Security & Privacy Provider Access Controls

Provider Access Controls

How physician access to patient data is granted, scoped, and revoked.

The Consent Model

No physician can access a patient's PancreaTrack data without explicit patient consent. The linking process requires the patient to actively accept a physician's connection request — there is no administrative override.

Patient is always in control

Patients can review which physicians are linked to their account at any time from Profile → Connected Providers and can unlink any provider instantly.

What a Linked Physician Can Access

  • All pain log entries (scores, timestamps, notes)
  • All meal log entries (food, fat grams, timestamps)
  • All bowel log entries (Bristol type, oily flag, timestamps)
  • All lab values entered by the patient
  • CGM glucose data synced from Dexcom
  • AI-generated clinical brief (same data the patient can generate)
  • Onboarding health profile (diagnosis, medications)

What a Linked Physician Cannot Access

  • The patient's password or authentication credentials
  • The patient's payment or billing information
  • Private notes the patient has not shared
  • Data from other physicians' note fields
  • The patient's account settings or personal profile beyond the health context

Physician Permissions Are Read-Only

Physicians cannot create, edit, or delete any patient-entered data. The only physician-writable field is the Physician Notes tab — which is private to the physician and not visible to the patient.

Access Revocation

Either party can terminate the link:

  • Patient revokes: Profile → Connected Providers → Unlink. Access is terminated immediately.
  • Physician removes: Physician Portal → Patient → Remove Patient. Access is terminated immediately.
  • Account deletion: If the patient deletes their account, all physician links are automatically severed.

Multi-Physician Access

A patient can link to multiple physicians simultaneously. Each physician sees the same complete data view. Physicians cannot see each other's private notes.

Audit Logging

Physician data access audit logging is on the HIPAA roadmap for Q3 2026. Once implemented, all physician page views of patient data will be timestamped and retained in an audit log accessible to the patient and to PancreaTrack administrators. See the HIPAA Roadmap for timeline.