> ## Documentation Index
> Fetch the complete documentation index at: https://docs.symetri.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Privacy & Patient Consent

> How Symetri protects patient data, HIPAA considerations, consent best practices, and device security.

<Warning>
  This guide provides general information about best practices. It is not legal advice. Consult with a healthcare attorney familiar with the laws in your jurisdiction for advice specific to your practice.
</Warning>

***

## How Symetri Stores Patient Data

### Everything Stays on Your Device

Symetri is a fully local app. There is no cloud server, no account sync, no external data transmission.

<CardGroup cols={2}>
  <Card title="Local only" icon="hard-drive">
    Photos and case records are stored in your iPhone's protected Documents directory. Nothing is uploaded to Symetri servers or any third party.
  </Card>

  <Card title="iOS encryption" icon="lock">
    All files use iOS Data Protection (completeFileProtection). Files are encrypted at rest and inaccessible when the device is locked.
  </Card>

  <Card title="Face ID lock" icon="face-id">
    Symetri requires Face ID or passcode on launch and re-activates automatically when backgrounded.
  </Card>

  <Card title="Screen recording blocked" icon="video-slash">
    Symetri blocks iOS screen recording broadcast to external displays while active.
  </Card>
</CardGroup>

***

## Patient Consent Fundamentals

### Why Written Consent Matters

Even if a patient verbally agrees to photos, publishing them without documented consent creates legal liability. Written consent:

* Protects your practice if the patient later claims they didn't agree
* Specifies exactly what the photos can be used for
* Complies with HIPAA's authorization requirements
* Is a professional standard expected by regulatory bodies in most jurisdictions

### Minimum Consent Elements

A valid patient photo consent form should include:

1. Patient identification — name, date of birth, date of signing
2. Description of the photos — body area, treatment, approximate dates
3. Purpose statement — what the photos may be used for
4. Scope of use — internal records vs. social media vs. marketing
5. De-identification option — whether patient allows face to be shown or prefers eye blur
6. Right to withdraw — patient can revoke consent for future use
7. Patient signature and date
8. Witness or practitioner signature

### Consent Categories

Patients should consent to specific uses, not blanket permission:

| Use                                         | Requires Separate Consent? | Notes                                 |
| ------------------------------------------- | -------------------------- | ------------------------------------- |
| Internal medical records                    | No                         | Covered by treatment consent          |
| Staff training / education                  | Yes                        | Specify "internal educational use"    |
| Social media                                | Yes                        | Specify platforms                     |
| Website gallery                             | Yes                        | Specify "clinic website"              |
| Advertising / paid promotion                | Yes — higher standard      | Often requires separate authorization |
| Shown to other patients during consultation | Yes                        |                                       |

<Tip>Use separate checkboxes for each category so patients can consent to medical records but decline social media, or consent to website but decline paid advertising.</Tip>

***

## HIPAA Considerations (US Practices)

### Are Patient Photos PHI?

Yes. Patient photographs are Protected Health Information (PHI) under HIPAA when associated with a patient's identity and medical treatment — even if the photo doesn't show the face.

### Publishing Before/After Photos

To publish a patient photo on social media or your website, you need a **HIPAA-compliant Authorization** specifying:

* The information to be disclosed (the photos)
* Who can view it (the public)
* The purpose (marketing, education)
* An expiration date or event
* The patient's right to revoke

### De-Identification as an Alternative

HIPAA allows publishing photos without authorization if the image is de-identified. For facial photos, this typically requires:

* Eyes obscured (use Symetri's Eye Blur feature)
* No visible tattoos, birthmarks, or identifying features
* No name, date, location, or other metadata in the image

<Warning>De-identification under HIPAA is a high standard. If there is any reasonable way to identify the patient, the image is still PHI. Consult your attorney before relying on de-identification.</Warning>

### State Law May Be Stricter

Many US states have medical privacy laws stricter than HIPAA — California (CMIA), New York, Texas, and others. Always check state-specific law for your practice location.

***

## International Considerations

<AccordionGroup>
  <Accordion title="EU / UK (GDPR / UK GDPR)">
    Patient photos are "special category" personal data requiring explicit documented consent for each specific purpose. Patients have rights to access, correct, and delete their data.

    Because Symetri is fully local with no cloud processing, deletion requests are satisfied by deleting the case from the app and removing any exported files from Photos and any platforms where they were published.
  </Accordion>

  <Accordion title="Australia">
    Patient photos are regulated by the Privacy Act 1988 and the Australian Privacy Principles. Health information requires explicit consent for secondary uses including social media.
  </Accordion>

  <Accordion title="Canada">
    PIPEDA (federal) and provincial health information laws apply. Photos used for marketing require patient consent separate from treatment consent.
  </Accordion>
</AccordionGroup>

***

## Using Symetri's Privacy Features

### Eye Blur for Published Photos

For any photo where the patient has not consented to full face identification, enable eye blur before exporting.

<Steps>
  <Step title="Open the case editor" />

  <Step title="Tap the Eye icon in the toolbar" />

  <Step title="Toggle Eye Blur on" />

  <Step title="The AI automatically detects and blurs both eyes" />

  <Step title="Adjust position and intensity with the sliders if needed" />
</Steps>

Eye blur applies to both before and after images simultaneously, so the comparison remains fair and consistent.

### Consent-Based Case Naming

Use a naming convention to flag consent status directly in the case name:

| Case Name Suffix | Meaning                                   |
| ---------------- | ----------------------------------------- |
| `- OK`           | Full consent — can post with face visible |
| `- EYES`         | Eye blur required before posting          |
| `- NO`           | Records only — do not export for social   |

### Deleting Patient Data

If a patient revokes consent or requests deletion:

<Steps>
  <Step title="Open Symetri and find the case" />

  <Step title="Delete the case — permanently removes the case record and all image files from the app" />

  <Step title="Delete any exported files from your Photos library" />

  <Step title="Remove any files uploaded to social media or your website from those platforms" />
</Steps>

Symetri does not retain any copy — once deleted from the app and Photos, the data is gone.

***

## Recommended Consent Workflow

### Before the First Appointment

Send a photo consent form with your intake paperwork. Digital forms (DocuSign, PracticeBetter, etc.) create a timestamped record.

### At the Appointment

1. Confirm the patient signed the consent form.
2. Note which categories they consented to.
3. Encode consent status in the case name (`- OK`, `- EYES`, or `- NO`).

### Before Posting

1. Check the case name consent flag.
2. `OK` → export with full branding.
3. `EYES` → enable eye blur, export.
4. `NO` → records export only, do not post.

***

## Device Security Checklist

<Steps>
  <Step title="Strong passcode — 6-digit or alphanumeric, not Face ID alone" />

  <Step title="Auto-lock set to 30 seconds or 1 minute (Settings → Display & Brightness → Auto-Lock)" />

  <Step title="iCloud backup enabled — so data survives if device is lost" />

  <Step title="Find My iPhone enabled — device can be remotely wiped if lost or stolen" />

  <Step title="Do not share the device with non-clinical staff for patient-facing use" />

  <Step title="Face ID / Touch ID enabled for Symetri (prompted on first launch)" />
</Steps>

***

## Summary

| Topic             | Key Point                                                                      |
| ----------------- | ------------------------------------------------------------------------------ |
| Data storage      | Local only. Nothing leaves your device unless you export and share it.         |
| Encryption        | Full iOS Data Protection — files inaccessible when device is locked.           |
| Face ID           | Required on launch. Auto-activates when app is backgrounded.                   |
| HIPAA             | Patient photos are PHI. Publication requires explicit written authorization.   |
| Consent           | Separate categories for records, social, website, and advertising.             |
| De-identification | Eye blur + no other identifiers. High standard — consult your attorney.        |
| Deletion          | Delete case in app + delete from Photos + remove from any platforms published. |
