Are non-SSL connections safe in a local wireless network with password protection

Although messages sent over Wi-Fi are encrypted with a session key, a device that already knows the pre-shared key can decipher the traffic. WPA doesn't implement forward secrecy, so anyone who owns the pre-shared key can decrypt all the traffic that is not encrypted by an upper OSI-layer protocol (say, TLS).

Therefore, when transferring sensitive data you should use an external data protection mechanism - for example, TLS.
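To make the forward-secrecy point above concrete, here is an added Go example (not part of the answer, and not the real WPA2 key schedule). It uses a toy PSK-based derivation, an HMAC over fields that travel in the clear during the handshake, and shows that a passive listener who holds the PSK computes the same session key as the two peers. It then goes one step beyond the answer and contrasts that with an ephemeral X25519 exchange, where the same listener, still holding the PSK, cannot reproduce the session key. The passphrase, MAC addresses and nonces are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-ins for the handshake fields a passive listener sees in the
// clear: both MAC addresses and both nonces travel unencrypted.
var (
	apMAC  = []byte{0x02, 0x00, 0x00, 0x00, 0x00, 0x01}
	staMAC = []byte{0x02, 0x00, 0x00, 0x00, 0x00, 0x02}
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // the demo cannot continue without OS randomness
	}
	return b
}

func newEphemeralKey() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// pskSessionKey is a toy PSK-based key schedule (not the real WPA2 PRF): an HMAC
// of the long-term pre-shared key over public handshake fields. Every input but
// the PSK is public, so any PSK holder who recorded the handshake gets the same key.
func pskSessionKey(psk, aNonce, sNonce []byte) []byte {
	m := hmac.New(sha256.New, psk)
	m.Write([]byte("toy pairwise key expansion"))
	m.Write(apMAC)
	m.Write(staMAC)
	m.Write(aNonce)
	m.Write(sNonce)
	return m.Sum(nil)
}

// ecdhSessionKey is the forward-secret alternative: fresh X25519 key pairs per
// session, only the public halves exchanged, the PSK merely binding the result.
// Without one of the ephemeral private keys the shared secret cannot be rebuilt.
func ecdhSessionKey(psk []byte, mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) []byte {
	shared, err := mine.ECDH(theirs)
	if err != nil {
		panic(err) // only possible for a malformed peer public key
	}
	m := hmac.New(sha256.New, psk)
	m.Write([]byte("toy ephemeral session key"))
	m.Write(shared)
	return m.Sum(nil)
}

// KeyDerivationOutcome records who ends up holding the same session key in each model.
type KeyDerivationOutcome struct {
	PSKPeersAgree       bool // AP and station agree in the PSK-only model
	PSKObserverMatches  bool // a PSK holder who recorded the handshake gets that key too
	ECDHPeersAgree      bool // AP and station agree in the ephemeral model
	ECDHObserverMatches bool // a PSK holder who saw only the public keys gets that key
}

// CompareDerivations runs both models with one constructed PSK and random nonces and keys.
func CompareDerivations() KeyDerivationOutcome {
	psk := sha256.Sum256([]byte("correct horse battery staple")) // constructed passphrase -> PSK
	var o KeyDerivationOutcome

	// PSK-only model: AP, station and a listener who knows the PSK all compute the key.
	aNonce, sNonce := randomBytes(32), randomBytes(32)
	apKey := pskSessionKey(psk[:], aNonce, sNonce)
	staKey := pskSessionKey(psk[:], aNonce, sNonce)
	listenerKey := pskSessionKey(psk[:], aNonce, sNonce)
	o.PSKPeersAgree = bytes.Equal(apKey, staKey)
	o.PSKObserverMatches = bytes.Equal(listenerKey, apKey)

	// Ephemeral model: the listener has the PSK and both public keys, but the only
	// private key it can bring to the computation is its own, so its result differs.
	apPriv, staPriv, listenerPriv := newEphemeralKey(), newEphemeralKey(), newEphemeralKey()
	apKey2 := ecdhSessionKey(psk[:], apPriv, staPriv.PublicKey())
	staKey2 := ecdhSessionKey(psk[:], staPriv, apPriv.PublicKey())
	listenerKey2 := ecdhSessionKey(psk[:], listenerPriv, apPriv.PublicKey())
	o.ECDHPeersAgree = bytes.Equal(apKey2, staKey2)
	o.ECDHObserverMatches = bytes.Equal(listenerKey2, apKey2)
	return o
}

func main() {
	fmt.Printf("%+v\n", CompareDerivations())
}
```

The design point is the input set, not the hash: a key schedule whose only secret input is the long-term PSK is reproducible by every PSK holder for every past and future session, which is exactly why the answer says to add TLS (which negotiates ephemeral keys) rather than rely on the Wi-Fi layer.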


So, all I need to extract anything from your network is the single network key that's stored on all devices... Makes it pretty easy to intercept and manipulate your IoT devices. Better use TLS in an end-to-end configuration.

But to answer your question about WiFi, the connection you set up with your endpoint will have some level of encryption. Enough to prevent most kinds of drive-by abuse, but not enough to prevent determined individuals from decrypting your communication. The strength of the enciphering is dependent on the length of the key used to encrypt the channel (so a longer password would yield a better-protected channel).

MAC filtering is only useful in networks that rarely connect (since any message in the network from a device will leak its MAC).

It is almost always better to invest the few dollars needed to include a TLS chip or software module. As an example, you can check out this site that is targeted at IoT makers.

So in conclusion, while WiFi does employ encryption, it is not good enough to rely solely upon for data integrity or abuse prevention. Your solution will most likely require a TLS component for its security.
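As an added example of the end-to-end TLS component this answer recommends (this is not the answer's code, nor anything from the site it mentions), the following Go program models an IoT device that exposes a TLS endpoint and a controller that will only talk to it after verifying the device certificate and name. The device name, the in-memory self-signed certificate and the echo service are all constructed for the demo; a real fleet would issue device certificates from a private CA and put that CA, not a leaf, in the controller's trust store. The second client, with an empty trust store, shows what "end-to-end" buys: the handshake fails rather than the controller silently talking to whoever answers on that address, regardless of what the Wi-Fi layer does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

const deviceName = "sensor-01.local" // constructed hostname for the device
func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key generation or socket setup failing leaves nothing to demonstrate
	}
	return v
}

// deviceCert builds a self-signed certificate in memory plus a trust store holding only it.
// A real fleet would issue device certificates from a private CA and trust that CA instead.
func deviceCert(host string) (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // checked against the client's ServerName
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := must(x509.ParseCertificate(der))
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// serveEcho stands in for the device's command endpoint: TLS on loopback, echoing its input.
func serveEcho(cert tls.Certificate) (net.Listener, error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) { defer c.Close(); io.Copy(c, c) }(c)
		}
	}()
	return ln, nil
}

// sendReading opens an end-to-end TLS session, verifying the device certificate and its name.
func sendReading(addr string, roots *x509.CertPool, msg string) (string, error) {
	cfg := &tls.Config{RootCAs: roots, ServerName: deviceName, MinVersion: tls.VersionTLS12}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err // handshake refused: untrusted issuer or name mismatch
	}
	defer conn.Close()
	if _, err := conn.Write([]byte(msg)); err != nil {
		return "", err
	}
	buf := make([]byte, len(msg))
	if _, err := io.ReadFull(conn, buf); err != nil {
		return "", err
	}
	return string(buf), nil
}

// RunTLSDemo returns the echo a trusting client gets and the error a non-trusting client gets.
func RunTLSDemo() (echo string, untrustedErr error) {
	cert, roots := deviceCert(deviceName)
	ln := must(serveEcho(cert))
	defer ln.Close()
	addr := ln.Addr().String()
	echo = must(sendReading(addr, roots, "temp=36.8"))
	// Same device, but a client with an empty trust store: the handshake fails first.
	_, untrustedErr = sendReading(addr, x509.NewCertPool(), "temp=36.8")
	return echo, untrustedErr
}

func main() {
	echo, untrustedErr := RunTLSDemo()
	fmt.Printf("trusting client got %q; non-trusting client got: %v\n", echo, untrustedErr)
}
```

Two settings carry the security: `RootCAs` pins what the controller will accept as the device's issuer, and `ServerName` makes the library check the certificate's name, so a device certificate cannot be replayed for a different host. Leave either out (or set `InsecureSkipVerify`) and the TLS layer degrades to the same "encrypted, but to whom?" situation the answer describes for the Wi-Fi layer.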


When patient data is involved, HIPAA/HITECH (in the US, similar laws elsewhere) requires that data-in-motion be encrypted. You could argue, reasonably, that WiFi encrypts the signal and therefore you are covered.

If I were personally performing an evaluation of your deployment, I would argue that the data is only encrypted through the WiFi segments of the network, which isn't sufficient protection. Nothing is stopping the data from being routed through non-WiFi network segments and therefore you must not rely solely on WiFi encryption. It's also possible to disable (or render ineffective) WiFi encryption while TLS will definitely function.

As others have said, gaining access to the network will trivially allow an unauthorized client to capture any otherwise unencrypted traffic. Use of TLS prohibits this attack vector.

While you may be able to survive a lawsuit based upon the claim that "WiFi is encrypted, so we are fine," I would never pay for a solution which relies solely on WiFi for encryption, and I would never allow a client to use such technology either.

Tags: Wifi, Tls