FASTCLINIC SOLUTION · ONEHEALTH

Patient-controlled health records.

Encrypted at rest. Time-limited consent. Hash-chained audit. FHIR R4 export. OneHealth is the personal health record platform behind every Fastclinic clinical product — and the one a patient actually controls.

Your records · 9 entries · AES-256-GCM · KMS-wrapped
All · Consultation · Lab · Medication · Imaging · Episode · General

Title | Type | Date | Status
Annual physical · Dr. Adesina | Consultation note | 2026-04-22 | Active
Full blood count | Lab result | 2026-04-21 | Active
Amoxicillin 500mg · 7d | Prescription | 2026-04-21 | Active
Chest X-ray · CR | Imaging report | 2026-03-14 | Active
Hep-B booster | Immunization | 2026-02-09 | Active
BP 128/82 · Pulse 74 | Vital signs | 2026-04-22 | Active
Ear-infection follow-up | Consultation summary | 2025-11-30 | Archived

7 active · 2 archived · 7-year retention
Encrypted at rest
onehealth.fastclinic.xyz/records
OneHealth is the patient-controlled health-record platform of the Fastclinic ecosystem — every record encrypted, every access bound by an explicit consent grant, every event captured in a tamper-evident audit log.

Technical overview

Nigerian healthcare data lives in too many places — hospital systems that don't talk to each other, chat threads with photos of lab results, paper folders the patient carries between specialists. When something goes wrong, no single party holds the full record, and the patient holds it least of all.

OneHealth replaces that fragmentation with a single, encrypted health record that the patient owns. No clinician can read it without an explicit consent grant — scoped to a specific slice of the record, such as your lab results or your imaging, and time-limited so access expires automatically rather than lingering. Every grant, and every individual record it touches, is written to a tamper-evident audit trail.

Records are encrypted at rest with envelope encryption, and the documents behind them — lab PDFs, imaging, scanned referrals — are stored only in encrypted form, never as plaintext. The platform runs entirely within African data residency, so when a regulator asks where a patient's data lives, the answer is short.

When a patient exercises their right of access under the NDPA 2023, OneHealth returns their record in a standards-based, portable format that another hospital or health system can actually read — accompanied by a verifiable record of who accessed what, and when.

The result treats health records the way the rest of the platform treats identity: encrypted, scoped, expiring, and tamper-evident — designed so patients direct access to their own records, with care providers as accountable participants.

Capabilities

Records
  • 11 record types · 6 display categories
  • Envelope encryption · AES-256-GCM
  • AAD = UUIDv5 · two namespaces
  • Cursor pagination · keyset over (created_at, id)
  • Archive · 7y retention · NIST 800-88 crypto-erase
  • Document blobs · S3 · per-record DEK
Consent & access
  • Time-limited grants · 30-day default, 10y max
  • Scope-bound · record-type or record-ID lists
  • Patient-initiated revoke
  • Suspend-all · single atomic transaction
  • 5-min expirer · SKIP LOCKED claim
  • FastCredits hold · capture-on-end · release-on-revoke
Audit
  • Hash-chained · SHA-256 · canonical JSON
  • 7-year retention · WORM S3 · daily export
  • §9.7 metadata sanitiser · 25 forbidden keys
  • 35+ event constants · live emitter list
  • Africa/Lagos timezone · business-hours flag
  • Per-actor · per-IP · per-grant correlation
Emergency
  • DCM 110127 · ETREAT · Break-the-glass
  • 20–500 char reason · max 7-day duration
  • 48h DPO auto-flag · worker-driven
  • Cost-neutral · capture_state pre-set
  • Provenance role=revision on rectification
  • Capped at 500 records · truncated flag
DSAR & FHIR
  • FHIR R4 Bundle · type=collection
  • Patient · Observation · DocumentReference · Consent
  • Provenance · AuditEvent NDJSON sidecar
  • Manifest · Ed25519 signed · embedded pubkey
  • Per-export DEK · 30-day cool-off
  • NIST 800-88 crypto-erase on expiry
Compliance
  • NDPA 2023 §35, §36, §40, §65
  • African data residency · single region
  • Documented data-processing record
  • Safe-Harbor de-identification export
  • DPO endpoints live (UI ships 2026-H2)
  • Configurable key rotation · default 90 days

Integrations

Fastclinic
FastLogin

Every OneHealth API call carries a JWT access token issued by Hydra at fastlogin.fastclinic.xyz. OneHealth caches the JWKS for five minutes and refreshes through a singleflight group on unknown-kid lookups, so a FastLogin key rotation propagates ecosystem-wide in five minutes without a thundering herd of JWKS refreshes. Provider identity is the MDCN-verified FastLogin identity; OneHealth has no separate clinical login.

Fastclinic
FastCredits

Sessions place a FastCredits hold on session start and capture on session end. The hold TTL is computed from the session lifetime plus a 120-second buffer rather than relying on the FastCredits 10-minute default. Suspend-all and revoke cascade release the hold; the session reconciler (5-minute tick) recovers any hold that landed in pending or failed state.

Fastclinic
Doorcta

Doorcta consultation notes auto-attach to OneHealth records via POST /v1/records under the services:onehealth scope. The Doorcta migration is planned for 2026; until it ships, records continue to land via the partner-integration path with the same scope and audit semantics.

External
Vault Transit · AWS KMS

Both KMS providers are first-class. Vault Transit is the default for self-hosted deployments; AWS KMS is the default for AWS-native deployments. The wrapper interface in internal/crypto/kms.go is symmetric over both; the data-encryption key is wrapped per record and per key version.

External
S3 · WORM audit

Document blobs sit in S3 as envelope-encrypted ciphertext, never as plaintext. The audit chain exports daily to write-once-read-many S3 in the same African region; the seven-year retention satisfies NDPA 2023 records-of-processing obligations and the HIPAA §164.308 audit-log requirement.

External
FHIR R4 (HL7)

DSAR exports use FHIR R4 (Bundle, Patient, Observation, DocumentReference, Consent, Provenance, AuditEvent). The mapper anchors on LOINC where possible, with an opaque-JSON escape hatch for record types that do not have a clean LOINC mapping. Bundle entries use urn:uuid references so the bundle is self-contained.

Compliance & safety

NDPA 2023 — patient as controller, hospital as processor

OneHealth processes personal health data under NDPA 2023 §25 lawful bases — consent, contract, legal obligation, vital interest. The patient is the controller of their record; the hospital and the Fastclinic data controller (Fastclinic Limited, RC 1919428) operate as processors under written agreement. The data-processing record is updated alongside every release that touches a new dataset or a new processor.

NDPA 2023

Envelope encryption — AES-256-GCM, KMS-wrapped, AAD-bound

Every record's plaintext field is encrypted with a per-record data-encryption key (DEK). The DEK is wrapped by a KMS master key — Vault Transit or AWS KMS. The AEAD additional authenticated data (AAD) is a UUIDv5 derived from a fixed namespace and the record ID, so tampering with the surrounding metadata makes AEAD tag verification fail and the read fails closed. Key rotation runs on a configurable cadence with a default of ninety days.
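
The AAD binding described above, as an added Go example (not OneHealth's own code): a record sealed under one ID fails to open under another. The namespace value, the record IDs and the function names are assumptions made for the illustration, and the KMS wrap of the DEK is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
)

var recordNS = []byte("onehealth-demo-1") // constructed 16-byte namespace, not the platform's

// aadFor derives a UUIDv5: SHA-1(namespace || record ID), version and variant bits set.
func aadFor(recordID string) []byte {
	sum := sha1.Sum([]byte(string(recordNS) + recordID))
	sum[6], sum[8] = sum[6]&0x0f|0x50, sum[8]&0x3f|0x80
	return sum[:16]
}

func newRecordAEAD(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek) // a 32-byte DEK selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag, authenticated against the record's AAD.
func Seal(a cipher.AEAD, recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, plaintext, aadFor(recordID)), nil
}

// Open fails closed: a wrong record ID or any flipped bit yields an error and no plaintext.
func Open(a cipher.AEAD, recordID string, blob []byte) ([]byte, error) {
	if len(blob) < a.NonceSize() {
		return nil, fmt.Errorf("ciphertext for %s is shorter than a nonce", recordID)
	}
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], aadFor(recordID))
}

func main() {
	a, _ := newRecordAEAD(make([]byte, 32)) // constructed all-zero DEK, demo only
	blob, _ := Seal(a, "rec-1", []byte("Hb 13.9 g/dL"))
	_, err := Open(a, "rec-2", blob) // ciphertext presented under another record's ID
	fmt.Println("moved ciphertext rejected:", err != nil)
}
```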

NIST SP 800-38D (GCM)

Hash-chained audit — 7-year retention, daily WORM export

Every record read, grant create, grant revoke, session start, session end, emergency invocation, and DSAR action is hashed into a Postgres-side chain. The verifier and writer share one canonical-hash function so the integrity check survives schema evolution. The chain exports daily to write-once-read-many S3 storage; the seven-year retention satisfies NDPA 2023 §40 and HIPAA §164.308(a)(1)(ii)(D).
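
An added Go example (not the platform's code) of a hash chain in which writer and verifier share one hash function, as the paragraph describes. The entry layout and function names are assumptions, and json.Marshal's sorted-key output stands in for the platform's canonical JSON.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry is one audit row; the field names are assumptions, not the platform's schema.
type Entry struct {
	Event          map[string]string
	PrevHash, Hash string
}

// canonicalHash is the one function both writer and verifier call. json.Marshal emits
// map keys in sorted order, so an event encodes to the same bytes however it was built.
func canonicalHash(prev string, event map[string]string) string {
	body, _ := json.Marshal(event) // cannot fail for map[string]string
	sum := sha256.Sum256(append([]byte(prev+"\n"), body...))
	return hex.EncodeToString(sum[:])
}

// Append is the writer: it links a new event to the current head of the chain.
func Append(chain []Entry, event map[string]string) []Entry {
	prev := ""
	if len(chain) > 0 {
		prev = chain[len(chain)-1].Hash
	}
	return append(chain, Entry{event, prev, canonicalHash(prev, event)})
}

// Verify returns the index of the first entry whose link or hash is wrong, or -1.
func Verify(chain []Entry) int {
	prev := ""
	for i, e := range chain {
		if e.PrevHash != prev || e.Hash != canonicalHash(prev, e.Event) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	c := Append(nil, map[string]string{"event": "grant.create", "actor": "dr-demo"}) // constructed
	c = Append(c, map[string]string{"event": "record.read", "actor": "dr-demo"})
	c[0].Event["event"] = "grant.revoke" // edit a stored row after the fact
	fmt.Println("first broken entry:", Verify(c))
}
```

Verify catches in-place edits and deletions; noticing a chain that was recomputed or truncated from the tail also needs its head hash compared with a copy held outside the database, a role a write-once export can fill.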

HIPAA Security Rule

DSAR export — FHIR R4, Ed25519-signed, NIST 800-88 erase

Exports use the HL7 FHIR R4 Bundle format (type=collection). The manifest is signed with Ed25519 and the public key is embedded for offline verification. After a thirty-day cool-off post-download, the per-export data-encryption key is destroyed under NIST 800-88 crypto-erase semantics and the blob is scheduled for deletion. The export carries Patient, Observation, DocumentReference, Consent, Provenance, and AuditEvent resources.
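
An added Go example (not the platform's export code) of offline manifest verification. The manifest layout and function names are assumptions, and so is the pinned-key comparison: a signature that verifies against the key embedded beside it shows the manifest is self-consistent, so this verifier also compares that key with a copy obtained separately.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest's layout is an assumption for this example, not the platform's export format.
type Manifest struct {
	Files     map[string]string // exported file name -> SHA-256 hex digest
	PublicKey []byte            // signer's key, embedded for offline checking
	Signature []byte
}

// payload is the byte string that gets signed; json.Marshal sorts the map keys.
func payload(files map[string]string) []byte {
	b, _ := json.Marshal(files) // cannot fail for map[string]string
	return b
}

func Sign(priv ed25519.PrivateKey, files map[string]string) Manifest {
	pub := priv.Public().(ed25519.PublicKey)
	return Manifest{Files: files, PublicKey: pub, Signature: ed25519.Sign(priv, payload(files))}
}

// Verify checks the signature with the embedded key, then checks that key against a copy
// the recipient obtained separately: the embedded key alone shows only self-consistency.
func Verify(m Manifest, pinned ed25519.PublicKey) error {
	if len(m.PublicKey) != ed25519.PublicKeySize { // ed25519.Verify panics on other lengths
		return errors.New("malformed embedded public key")
	}
	if !ed25519.Verify(m.PublicKey, payload(m.Files), m.Signature) {
		return errors.New("signature does not match manifest contents")
	}
	if !bytes.Equal(m.PublicKey, pinned) {
		return errors.New("manifest is signed by a key other than the pinned one")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil means crypto/rand.Reader
	m := Sign(priv, map[string]string{"bundle.json": "constructed-digest"})
	fmt.Println("verify against pinned key:", Verify(m, pub))
}
```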

FHIR R4 (HL7)

Break-the-glass — auditable emergency, 48-hour DPO review

Emergency access is recorded as a Provenance with DCM 110127 (Emergency Override Started) and purposeOfEvent ETREAT. Every emergency access is auto-flagged for DPO review within forty-eight hours by a worker that runs every five minutes. The reason text — between twenty and five hundred characters — is preserved in the audit chain. Break-the-glass in v1 is cost-neutral so cost cannot become a deterrent against legitimate use.

DICOM Audit Codes

African data residency — single region, named processors only

Records, documents, audit log, key wraps, and DSAR exports run in a Nigerian-region AWS account in normal operation. No cross-border transfer happens for OneHealth's normal read and write paths. The data-processing record names every processor; for OneHealth, the list is short.

Ready to ship with OneHealth?

Request a 30-minute architecture review. We will walk through the integration points, the compliance posture, and the timeline.