Browser-based encryption/decryption with private key from browser keystore

There's a javascript implementation of AES encryption which encrypts the plaintext in the browser. If you build something around those tools, the server side would store only the encrypted text and would not have the passphrase.

http://www.fourmilab.ch/javascrypt/

Shouldn't require any extra installation on the client side, but probably will require some development effort to get the user experience right.

Take a look at Web-browser encryption of personal health information, whose "Abstract" section seems to describe your same problem. However, their "passcode" that generates the encryption key must be shared, which wouldn't let you differentiate medial staff.

We describe a system for remote data entry that allows the data that would identify the patient to be encrypted in the web browser of the person entering the data. These data cannot be decrypted on the server by the staff at the data center but can be decrypted by the person entering the data or their delegate. We developed this system to solve a problem that arose in the context of clinical research, but it is applicable in a range of situations where sensitive information is stored and updated in a database and it is necessary to ensure that it cannot be viewed by any except those intentionally given access.