Difference between revisions of "Talk:End-user device encryption (MU3)"

From OpenEMR Project Wiki
(End user device does not store PHI)
 

Latest revision as of 01:09, 6 November 2021

This refers to data that remains on a user's device after they log out of the program. Breaches have occurred when users had laptops stolen that were not encrypted and stored the entire database on the laptop. Since the usual access to OpenEMR is by HTTPS connection, I think all that's required is that data from the session not be cached.

There's a technical discussion of this on Stack Overflow https://stackoverflow.com/questions/49547/how-do-we-control-web-page-caching-across-all-browsers


Basically puts this on each page:

    Cache-Control: no-cache, no-store, must-revalidate
    Pragma: no-cache
    Expires: 0

also on https://cristian.sulea.net/blog/disable-browser-caching-with-meta-html-tags/
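
An added example, not part of the original comment or of OpenEMR's code: a small Python check that audits a response's headers against the three-header set quoted above and reports what is missing. The function names and the sample header blocks are constructed for illustration.

```python
# Added example: audit response headers against the no-cache set quoted above.
# The sample header blocks are constructed, not captured from OpenEMR.

def parse_headers(raw):
    """Parse a raw header block into {lowercased-name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def cache_directives(headers):
    """Collect Cache-Control directive names across repeated headers."""
    directives = set()
    for value in headers.get("cache-control", []):
        for part in value.split(","):
            token = part.strip().split("=", 1)[0].lower()
            if token:
                directives.add(token)
    return directives

def audit(raw):
    """Return a list of findings; an empty list means the full header set is present."""
    headers = parse_headers(raw)
    directives = cache_directives(headers)
    findings = []
    if "no-store" not in directives:
        # Without no-store a browser may still write the response to its disk cache.
        findings.append("Cache-Control lacks no-store")
    for wanted in ("no-cache", "must-revalidate"):
        if wanted not in directives:
            findings.append(f"Cache-Control lacks {wanted}")
    if "no-cache" not in [v.lower() for v in headers.get("pragma", [])]:
        findings.append("Pragma: no-cache missing (HTTP/1.0 clients)")
    if headers.get("expires", [None])[-1] != "0":
        findings.append("Expires is not 0")
    return findings

GOOD = "Cache-Control: no-cache, no-store, must-revalidate\nPragma: no-cache\nExpires: 0"
REVALIDATE_ONLY = "cache-control: no-cache\nExpires: 0"  # revalidates, but may be stored
NO_HEADERS = "Content-Type: text/html"                   # heuristic caching allowed

if __name__ == "__main__":
    for name, raw in [("good", GOOD), ("revalidate-only", REVALIDATE_ONLY), ("none", NO_HEADERS)]:
        print(name, audit(raw) or "OK")
```

The same check can be pointed at headers saved from any page that displays PHI, since the setting has to hold on every response, not only the login page.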