CellarFor clinicians

Every patient could arrive already briefed.

Cellar gives your patients one home for every lab, scan, wearable data, and visit note. When they share, you open a single link and their history is in front of you. No portal, no account, nothing for your practice to run.

See a sample packetHow to mention it

Compliant to recommend

Your patient owns it and shares it under their own right of access (HIPAA and GDPR), so recommending it is yours alone to decide.

  • Not your business associate: no BAA to sign, no patient data to store
  • Encrypted, read-only, revocable, processed in your patient's region
  • Your call alone: no IT, procurement, or privacy-office sign-off
How this works for HIPAA and GDPR
Shared by patientRead-onlyNot medical advice

Prepared

Jun 4, 2026

Patient summary

Marcus Avery

45 · Male · Prepared for a cardiology follow-up · Access expires Jun 30, 2026

Allergies

  • Penicillin · hives
  • Sulfa drugs · rash

Active medications

  • Rosuvastatin · 10 mg · daily
  • Lisinopril · 10 mg · daily
  • Vitamin D3 · 2,000 IU · daily

Active problems

  • Hyperlipidemia · improving on therapy
  • Prediabetes · lifestyle-managed
  • Hypertension · controlled

Flagged results

2

of 22 markers outside range

Down from 6 a year ago

Compliance

Recommending Cellar is compliant. Here is why.

Cellar is a personal health record, held and controlled by your patient. Receiving a link is the patient handing you their own records, like the folder they would bring to a visit, only legible and source-linked. The review a hospital runs before buying a vendor does not apply here, because a patient sharing their own records runs on their right of access, which keeps the obligations off your practice.

A personal health record

Cellar is patient-held and patient-controlled, like the records a patient keeps themselves. It is not an EHR or a portal, and it does not connect to your systems.

The patient's right of access

Under HIPAA and GDPR, patients have the right to obtain and share copies of their own records. A patient sending you a Cellar link is exercising that right, on their own initiative.

Nothing for you to approve

Because the patient chose Cellar and directs the data, Cellar is not your business associate: no BAA to sign, and no patient data for your practice to store. There is no vendor for IT, procurement, or your privacy office to review, because nothing connects to your systems.

Bottom line: this is a decision you can make on your own. Telling a patient about Cellar, or opening a link they send, is a clinical judgment, not a procurement decision.

For patients in the EU, records are processed in their assigned region under no-training terms, and patients can export everything or delete it permanently anytime. This explains how patient-directed records work and is not legal advice; see our terms for the full picture.

Security modelPrivacyTerms

The reconstruction tax

Care begins with reconstruction.

Before the clinical question, there is the archaeology. The history exists. It just isn't legible yet, so the start of a visit goes to assembling a picture instead of reading one.

A folder of PDFs

Scans and exports in no order, some legible, some photographed at an angle.

Half-remembered values

A number, a date, and a unit, all approximate.

Portals that don't talk

One login per health system, none sharing a timeline with the others.

Another hospital or country

Records from a prior city, system, or language that never reach your desk.

The cost is real: blind spots, repeated tests, and minutes spent rebuilding a history the patient already lived. Cellar moves that work before the visit, where the patient can do it once.

What you receive

A handoff, built by the patient.

Your patient assembles it in Cellar from their own records and the vitals they sync from a wearable. You open a clean, read-only summary: structured, source-grounded, and current. This is a real example.

Packet for Dr. Rivera · CardiologySource-grounded
Shared by patientRead-onlyNot medical advice

Prepared

Jun 4, 2026

Patient summary

Marcus Avery

45 · Male · Prepared for a cardiology follow-up · Access expires Jun 30, 2026

Allergies

  • Penicillin · hives
  • Sulfa drugs · rash

Active medications

  • Rosuvastatin · 10 mg · daily
  • Lisinopril · 10 mg · daily
  • Vitamin D3 · 2,000 IU · daily

Active problems

  • Hyperlipidemia · improving on therapy
  • Prediabetes · lifestyle-managed
  • Hypertension · controlled

Flagged results

2

of 22 markers outside range

Down from 6 a year ago

Record summary

45-year-old male with established hyperlipidemia and prediabetes, here for cardiology follow-up. LDL improved from 168 to 112 mg/dL over 18 months on therapy, and triglycerides have normalized. HbA1c is 5.7% (prediabetic range), trending down with lifestyle change. Clinic and home systolic pressures are now under 130. Echocardiogram (Mar 2026) showed normal left ventricular function (EF 55%). Resting heart rate synced from the patient's wearable declined from 64 to 57 bpm over the past year, with heart-rate variability rising in parallel. No prior ECG or coronary calcium score is in the record.

Values over time

LDL cholesterol

4 readings · mg/dL

112 mg/dL
In range
110120130140150160170Nov 12, 2024Jun 3, 2026
Reference range stated by your reports
  • Jun 3, 2026112 mg/dL · In range
  • Dec 3, 2025128 mg/dL · In range
  • May 20, 2025151 mg/dL · Above range
Triglycerides

4 readings · mg/dL

132 mg/dL
In range
120140160180200220240Nov 12, 2024Jun 3, 2026
Reference range stated by your reports
  • Jun 3, 2026132 mg/dL · In range
  • Dec 3, 2025148 mg/dL · In range
  • May 20, 2025188 mg/dL · Above range
Hemoglobin A1c

4 readings · %

5.7 %
Above range
44.555.56Nov 12, 2024Jun 3, 2026
Reference range stated by your reports
  • Jun 3, 20265.7 % · Above range
  • Dec 3, 20255.8 % · Above range
  • May 20, 20256.0 % · Above range
Systolic blood pressure

3 readings · mmHg

126 mmHg
In range
125130135140145150May 20, 2025Jun 3, 2026
Reference range stated by your reports
  • Jun 3, 2026126 mmHg · In range
  • Dec 3, 2025134 mmHg · Above range
  • May 20, 2025148 mmHg · Above range
Resting heart rate
Wearable

Daily average · bpm

57 bpm
58606264Aug 15, 2025May 15, 2026
  • May 15, 202657 bpm
  • Feb 15, 202659 bpm
  • Nov 15, 202561 bpm
Heart rate variability
Wearable

Daily average · ms

52 ms
3840424446485052Aug 15, 2025May 15, 2026
  • May 15, 202652 ms
  • Feb 15, 202649 ms
  • Nov 15, 202544 ms

Source-grounded values

LDL cholesterol
In range

Lipid panel · Jun 3, 2026 · source page 2

112 mg/dL
ref < 130
Source quotePage 2

LDL cholesterol, calculated: 112 mg/dL (reference: < 130 mg/dL). Specimen collected 2026-06-03.

Left ventricular ejection fraction

Echocardiogram (TTE) report · Mar 14, 2026 · source page 1

55 %
Source quotePage 1

Left ventricular ejection fraction estimated at 55%. Normal LV size and systolic function. No regional wall-motion abnormality.

Lipoprotein(a)
Unconfirmed

Outside lab report (photographed) · Dec 3, 2025 · source page 1

38 nmol/L
ref < 75
Source quotePage 1

Lp(a): 38 nmol/L. (Value read from a photographed page; awaiting patient confirmation.)

Imaging included

Transthoracic, parasternal long axisMar 14, 2026Echocardiogram
Hip and lumbar spineFeb 2, 2026DEXA

Built for the visit

Cardiology follow-up

Included for this specialty

  • Lipid panel (4 readings)
  • Hemoglobin A1c
  • Blood pressure
  • Echocardiogram (TTE)
  • Comprehensive metabolic panel
  • Resting heart rate and HRV (wearable)

Stated gaps, not guessed

  • No ECG in the record
  • No coronary calcium (CAC) score on file
  • Lipoprotein(a) is unconfirmed (photographed source)

Illustrative example built from the real product. The patient and values are fictional.

  1. 1

    A clinician handoff header

    Who shared it, DOB and age, when it was prepared, when access expires, and how many sources it draws on.

  2. 2

    Values grounded to the source

    Every value cites the exact document, date, and page, with the original quote one click away and the original file included.

  3. 3

    Trends, labs and wearables together

    Repeat lab measures are normalized across labs and units and charted against the reference range. Vitals the patient syncs from a wearable, like resting heart rate and HRV, trend on the same view, so a direction is visible at a glance.

  4. 4

    Honest flags, not a clean fiction

    Low-confidence or conflicting values are marked unconfirmed. When a packet is built for a specialty, gaps are stated rather than guessed.

  5. 5

    Read-only and revocable

    The link does not allow edits, can carry an expiry, and the patient can revoke it anytime. Nothing about your systems is touched.

Verifiable, not asserted

Patient-provided. Not patient-asserted.

This is not a patient retyping numbers from memory. Cellar reads the patient's own original documents and grounds every value to the page and text it came from. You can verify in one click.

Trace any value to its page

Each fact carries its document, date, page, and the exact quote it was read from.

The original is always kept

Originals are included in the packet, so you can open the source document, not just a restatement.

Uncertainty is shown, not hidden

Anything low-confidence or conflicting is flagged unconfirmed, never folded in silently.

From value to sourceGrounded
1
LDL cholesterol 112 mg/dL
the value in the summary
2
Lipid panel · page 2
the document and page it came from
3
“LDL cholesterol, calculated: 112 mg/dL (reference < 130). Collected 2026-06-03.”
Original document included

Zero adoption

Nothing to install. Nothing to integrate.

Receiving a Cellar packet costs your practice no setup, no training, and no maintenance.

Not an EHR

Cellar doesn't replace or connect to your systems. It rides alongside them, held by the patient.

No account for you

You open a link in any browser. There is nothing to provision, learn, or sign in to.

No data burden

The records are the patient's, shared by the patient, and revocable by the patient. You receive a read-only copy.

Security, stated plainly

Built to the standard hospitals require.

We describe our security plainly and only claim what is true. Here is the part that matters for the data your patients share with you.

Encrypted at rest and in transit

Envelope encryption per record, wrapped to a per-account key and a key-management service. Everything moves over TLS.

Never trained on

To read a document, Cellar decrypts it transiently in the patient's assigned region and sends it to a third-party AI model under no-training terms.

Honest about access

We call this compliant processing, not an architecture where the operator is technically incapable of access. We only claim what is true, and our roadmap moves processing into a confidential-computing enclave.

Patient-controlled

Revoke anytime, set an expiry on the link, export everything in one step, and delete permanently. Deletion destroys the account key.

Access trail

Share links are validated by a hashed token and show the owner when they have been opened. Every record query is scoped to its own account.

No analytics or tracking

No third-party analytics, advertising pixels, session recording, or trackers. Diagnostic error reports are scrubbed of record content and identifiers.

Read the full security modelPrivacySubprocessors

For practices and hospitals

Referrals and second opinions that arrive complete.

The benefit compounds across a panel. When patients keep their history in Cellar, the people you see arrive legible, whatever system or country they came from.

Complete referrals

New and referred patients arrive with history already organized and verifiable, so the first visit starts on the clinical question.

Any specialty

Patients can build a visit-specific packet for a given specialty, surfacing the relevant records and stating what is missing.

Any language, original kept

Records in other languages are read and the original is preserved. A packet can be generated in the language you read.

What to tell patients

One sentence to a patient. Better visits after.

Telling a patient is light: one sentence, not a vendor you take on. Pointing them to a tool they own is not choosing a system for your practice, and the payoff arrives at the next visit, and every one after it.

Before a visit

Ask them to bring their history

Suggest new and returning patients keep their records in Cellar and bring a link ahead of the appointment.

In your summary

Add one line to the after-visit note

A ready sentence patients can act on, so the record they build follows them to the next clinician too.

For complex patients

Suggest a visit-specific packet

For referrals or second opinions, point patients to build a packet for the specialty they are seeing.

Sentence you can give a patient

Keep your records in Cellar and bring a link to our next visit: carecellar.com

Free for you to receive. Patients start with a 14-day trial, then $200 a year.

Questions clinicians ask

Straight answers.

Is this an electronic health record?+

No. Cellar is a personal, patient-held vault. It does not replace or connect to your EHR. The patient organizes their own records and shares a read-only summary with you.

Do I need an account or a login?+

No. You open the patient's link in any browser. There is nothing to install, provision, or sign in to.

Does recommending it create HIPAA obligations or need a BAA?+

No. Cellar is a personal health record the patient chooses and controls, so it is not your business associate and there is no BAA to sign. A patient sharing their records is exercising their own right of access under HIPAA and GDPR. This is information about how patient-directed records work, not legal advice.

I'm employed by a hospital or health system. Do I need its approval to suggest Cellar or open a patient's link?+

No. Your institution is not adopting, integrating, or contracting anything, nothing connects to its systems, and it stores no data. Suggesting a tool to your patient, and reading records they chose to share, is a clinical judgment, not a procurement decision. This describes how patient-directed records work, is not legal advice, and does not replace any policy your employer sets.

A patient sent me a Cellar link I was not expecting. Is it safe to open?+

Yes. It opens read-only in any browser, with nothing to install or sign into. These are the patient's own records, shared and revocable by them. Open it as you would a PDF they emailed, except every value traces to its source page.

Can I trust data a patient assembled?+

It is read from the patient's own documents, not typed from memory, and every value is grounded to the exact page and quote. Originals are included, and low-confidence values are flagged unconfirmed. You can verify any value in one click.

Is it secure and private?+

Records are encrypted at rest and in transit, are never used to train models, and are processed by a third-party AI model in the patient's assigned region under no-training terms. We describe the model honestly rather than overstating it.

What does it cost me or my patients?+

Nothing for you to receive a packet. Patients start with a 14-day trial, then $200 a year.

Can a patient revoke access after sharing?+

Yes, anytime. Links are read-only, can carry an expiry, and the patient can turn off access whenever they choose.

What about records in other languages or countries?+

Cellar reads records in any language and always keeps the original. A clinician packet can be generated in a chosen language.

Can I trust vitals from a patient's wearable?+

Wearable vitals are imported deterministically, not read by a model: each metric maps to a known type and is aggregated to one value per day. You see resting heart rate, HRV, sleep, and weight between visits, labeled as device-measured and shown as trends, never as a diagnosis. The import is read-only, so Cellar never writes back to the device.

Cellar for clinicians · Every patient, already briefed.