I hear you about HIPAA. But on the other hand, a user stores 1,000 images of medical importance, the user's 3-year-old drops the phone in the toilet, and all those images are gone forever? You might want to include some opt-in to upload to a hospital's medical record or something. It's an area I've never worked in directly, so I don't know the law, but from a data perspective, it seems like a fragile way to store critical information that might have been obtained over a period of years and cannot be replaced.
I don't know the best storage scheme for a device-only photo gallery, but one criterion seems to be that it would all be in a single well-labeled folder, so a user could easily back up to a desktop computer if desired.