Patient Experience
Patients get a single, patient-owned, consent-controlled timeline of their health story.
Core screens
Key flows
Consent grant
Patients grant scoped, revocable consent per provider or care team:
| Scope | Example |
|---|---|
patient_self | the patient accessing their own record |
contact_disclosure | provider can see contact details |
referral_read | specialist can see referral chain |
family_read | family member view |
care_team | whole team visibility |
Every grant is timestamped + audit-chained. Revoke is immediate — no stale cache.
Document upload vault
- Patient uploads prior records, imaging, discharge summaries
- PHI envelope-encrypted at repo boundary (FR-005)
- Scanned for PHI-free invariant before indexing
- Deletable (right-to-erasure compliant)
- Audit event for every upload + view
Family groups + proxy consent
Parents / guardians manage minor accounts with explicit age-of-majority graduation (spec 013):
- Proxy consent scoped to minor's record
- Minor's 18th birthday → automatic transition prompt
- Parent loses proxy; minor retains all history
- Family group can grant each other
family_readscope
Mobile-first
Every patient surface is responsive from 390px up:
- Primary CTAs ≥ 44px tap target
- No hover-dependent interactions
- Legible typography (Inter 16px base)
- High-contrast color pairs (WCAG AAA on headings)
Privacy controls
| Control | Effect |
|---|---|
| View audit log | See every access to record |
| Revoke consent | Immediate; next request denied |
| Request data export | FHIR R4 export |
| Delete account | Cascading deletion + audit retention per HIPAA |
| Break-glass alert | Patient notified when any break-glass access occurs |
Accessibility
- WCAG 2.1 AA baseline
- Screen-reader landmarks + aria-labels
- Keyboard nav + visible focus rings
useIdleSignOuton every authenticated shell (FR-009h)- No UI-only state (always a form-submit fallback)
See ux-review for the review rubric every patient screen passes.