Authorization guide

Upload does not mean authorized sharing

Uploading files starts record preparation. It should not automatically send records to a hospital, care team, or other recipient.

Last updated: 2026-07-06patient-authorized record preparation

Separated states

1

Intake: explain the record goal and expected materials.

2

Upload: add files for preparation only.

3

Processing: organize, translate, index, and flag missing items.

4

Review-before-sharing: inspect packet content before any external use.

5

Authorization: approve recipient, scope, duration, and controls.

State separation

Upload

Files are available for preparation.

Review

The patient checks prepared content and source context.

Authorization

The patient approves recipient and sharing terms.

Revocation

Future access can be narrowed or stopped when supported.

What this is not

  • A file upload is not consent to external sharing.
  • A share link is not a diagnosis or referral pathway.
  • Robots.txt is not privacy protection for sensitive routes; private routes need authentication and noindex controls.

FAQ

Can I upload first and choose recipients later?

Yes. The product boundary keeps upload and external sharing separate so the patient can review first.

What should an authorization include?

Recipient, purpose, scope, expiry or duration, download and forwarding controls, and a revocation path when available.

Next step

Review how MedDossier handles authorization and data requests.

Review Trust Center