Well the data is always only in the user's browser (or clipboard). There is no server side component of this its all client side js and html served as a static site.
But I did ask my wife about HIPAA and she said it wouldn't be considered protected data unless you name your session or task with a patient's PII