Stonewell Free Clinic
A free gender affirming care clinic co-founded in Charlottesville, VA — staffed entirely by volunteer community members and health professionals, and backed by a secure self-hosted electronic medical records system.
- Linux
- OpenEMR
- OpenVPN
- Self-hosting
- Networking
- Security
The Clinic
The Rivanna Area Queer Center (RAQC) is a volunteer-run LGBTQ+ community center that opened in spring 2025 at 801 W. Main St. in Charlottesville, VA. Alongside the center's broader community programming, a group of organizers — including myself — worked to establish a free clinic offering gender affirming care to members of the local community.
The clinic operates entirely on volunteer labor: community members handle coordination and logistics while licensed health professionals donate their time to provide care. The goal is to remove cost as a barrier to affirming care for anyone who needs it in the Charlottesville area.
A Non-Public Deployment
From the start, a non-public, air-gapped deployment was not just preferred — it was necessary. The current federal political environment has demonstrated active hostility toward gender affirming care, including executive actions targeting providers and patients alike. Patient records at a gender affirming care clinic carry a level of sensitivity that demands a security posture well beyond a typical self-hosted application.
The system is not reachable from the public internet. There is no domain, no exposed port, no attack surface to enumerate. Access is gated entirely behind VPN — providers connect through an authenticated tunnel before the application is reachable at all.
OpenEMR
OpenEMR is a fully open-source electronic medical records and practice management platform used by clinics worldwide and certified for HIPAA compliance. It supports patient scheduling, clinical documentation, prescriptions, and a full audit trail of record access — everything a small clinic needs without a recurring SaaS licensing cost.
The deployment runs on community-donated hardware. I researched available open-source EMR options, evaluated OpenEMR against the clinic's requirements, and handled the full installation and configuration: database setup, TLS termination on the internal network, backup procedures, and initial provisioning of provider accounts. The hardware stays on-premises — patient data never leaves the building through normal operation.
OpenVPN
Health providers are volunteers who aren't always on-site. To let them review charts, complete documentation, or prepare for appointments without being physically present, I set up an OpenVPN server that gives authenticated providers a private tunnel into the clinic network. From their perspective it's a single certificate install and a connection — from a security perspective, the EMR remains completely invisible to the rest of the internet.
Each provider has their own certificate and key pair. Revoking access for a departing volunteer is a single command with no shared credentials to rotate. The setup keeps participation convenient without trading away the network isolation the deployment depends on.
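The per-provider revocation described above, as an added example that is not part of the original page or the clinic's actual tooling. It uses plain `openssl` with a throwaway CA and two hypothetical providers (`provider-a`, `provider-b`, all constructed) to show that revoking one certificate and reissuing the CRL blocks that provider while the other keeps working. An OpenVPN server applies the same check when its `crl-verify` directive points at the CRL file.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: a throwaway CA plus two hypothetical provider certs.
# Names (Demo Clinic CA, provider-a, provider-b) are made up for illustration.

setup_demo_pki() {    # $1 = empty working directory
  ( cd "$1" || exit 1
    mkdir newcerts && : > index.txt && echo 1000 > serial && echo 1000 > crlnumber
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = CN
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
EOF
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Demo Clinic CA" -keyout ca.key -out ca.crt || exit 1
    for cn in provider-a provider-b; do   # one key pair and cert per provider
      openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$cn" -keyout "$cn.key" -out "$cn.csr" || exit 1
      openssl ca -batch -config ca.cnf -in "$cn.csr" -out "$cn.crt" || exit 1
    done
  ) >/dev/null 2>&1
}

revoke_provider() {   # $1 = dir, $2 = provider; marks cert revoked, reissues CRL
  ( cd "$1" && openssl ca -config ca.cnf -revoke "$2.crt" &&
    openssl ca -config ca.cnf -gencrl -out crl.pem ) >/dev/null 2>&1
}

cert_is_accepted() {  # $1 = dir, $2 = provider; 0 only if chain OK and not in CRL
  ( cd "$1" && openssl verify -CAfile ca.crt -CRLfile crl.pem -crl_check "$2.crt" ) >/dev/null 2>&1
}
```

Revocation only takes effect once the regenerated CRL is the one the verifying side reads, which is why `revoke_provider` reissues `crl.pem` in the same step.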
Tech Support
Beyond the initial deployment, I serve as the on-call technical resource for the clinic. That means handling software updates, troubleshooting access issues for providers, managing certificate renewals, and making sure backups are running cleanly. For an all-volunteer organization, having a reliable technical contact means the people providing care can focus on patients rather than infrastructure.