ONEHEALTH · FOR DPOs & COMPLIANCE

Audit chain. DSAR queue. Retention controls.

The OneHealth admin platform consolidates audit explorer, DSAR queue, retention dashboard, break-the-glass review, and Safe-Harbor de-identification. Server endpoints are live today (OH-12); the unified DPO UI ships 2026-H2 as part of the Fastclinic admin platform.

OneHealth gives the data protection officer a daily compliance posture — hash-chain integrity, DSAR queue, retention countdown, break-the-glass review, and de-identification export — all bound by NDPA 2023 §40 retention and §65 processor obligations.

1 · Verify the audit chain

Daily, you run integrity verification across the full audit chain. The verifier replays the canonical-hash function over every row and confirms each prev_hash matches the previous row's hash. Any break is reported with the row number and the audit explorer surfaces the offending row. The verifier shares the canonical-hash function with the writer so a schema evolution does not silently false-flag every legitimate row.

Audit chain · last 4 rows
  1. n-3 · record.created · OK
     prev_hash 0000…0000
     hash 9b2a…d4f1
  2. n-2 · grant.created · OK
     prev_hash 9b2a…d4f1
     hash 1c8e…77a3
  3. n-1 · session.started · OK
     prev_hash 1c8e…77a3
     hash f4d9…02bc
  4. n · record.read · OK
     prev_hash f4d9…02bc
     hash a661…5e08
SHA-256 · canonical JSON · 7y retention · WORM S3
Chain integrity verified
onehealth.fastclinic.xyz/audit/chain
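The verification step above, as an added example in Go (the language the page's internal/ paths point to). This is not OneHealth's own code: only prev_hash, hash, SHA-256 over canonical JSON and the zero genesis value come from the page; the other column names, the actor and timestamp values, and the TailHash helper are this example's assumptions. Writer and verifier call the same canonicalHash, and optional columns carry omitempty, which is what lets a later schema change leave old rows' hashes intact.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// AuditRow is the shape both writer and verifier hash. Only prev_hash and
// hash are named on the page; the other columns are this example's
// assumption. Optional columns carry omitempty, so a column added later
// leaves the canonical bytes, and therefore the hashes, of old rows unchanged.
type AuditRow struct {
	Seq      int64             `json:"seq"`
	Event    string            `json:"event"`
	Actor    string            `json:"actor"`
	At       string            `json:"at"`
	Meta     map[string]string `json:"meta,omitempty"`
	PrevHash string            `json:"prev_hash"`
	Hash     string            `json:"hash,omitempty"`
}

// genesisPrev is the prev_hash of row 1 (the 0000…0000 shown above).
const genesisPrev = "0000000000000000000000000000000000000000000000000000000000000000"

// canonicalHash is the single function writer and verifier share: SHA-256
// over canonical JSON. encoding/json writes struct fields in declaration
// order and sorts map keys, so the bytes are deterministic. The hash column
// is cleared first because it never covers itself.
func canonicalHash(r AuditRow) string {
	r.Hash = ""
	b, err := json.Marshal(r)
	if err != nil {
		panic("audit row not encodable: " + err.Error()) // never write an unhashable row
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append is the writer: link the new row to the tail, then stamp its hash.
func Append(chain []AuditRow, r AuditRow) []AuditRow {
	r.Seq = int64(len(chain)) + 1
	r.PrevHash = genesisPrev
	if n := len(chain); n > 0 {
		r.PrevHash = chain[n-1].Hash
	}
	r.Hash = canonicalHash(r)
	return append(chain, r)
}

// Verify is the daily check: replay canonicalHash over every row and confirm
// each prev_hash equals the previous row's hash. It returns the 1-based
// position of the first broken row and the reason, or 0 and "" when intact.
func Verify(chain []AuditRow) (int64, string) {
	prev := genesisPrev
	for i, r := range chain {
		pos := int64(i) + 1
		switch {
		case r.Seq != pos:
			return pos, fmt.Sprintf("seq %d at position %d: row removed or reordered", r.Seq, pos)
		case r.PrevHash != prev:
			return pos, "prev_hash does not match previous row's hash"
		case canonicalHash(r) != r.Hash:
			return pos, "stored hash does not match canonical hash: row edited in place"
		}
		prev = r.Hash
	}
	return 0, ""
}

// TailHash is the value the daily WORM export should carry: a chain that
// verifies internally can still have been truncated at the end by anyone with
// write access, and only a tail hash held outside the database shows that.
func TailHash(chain []AuditRow) string {
	if len(chain) == 0 {
		return genesisPrev
	}
	return chain[len(chain)-1].Hash
}

// SampleChain rebuilds the four events shown above with constructed actor
// and timestamp values.
func SampleChain() []AuditRow {
	var chain []AuditRow
	for _, ev := range []string{"record.created", "grant.created", "session.started", "record.read"} {
		chain = Append(chain, AuditRow{Event: ev, Actor: "provider:demo", At: "2026-04-26T09:00:00+01:00"})
	}
	return chain
}

func main() {
	chain := SampleChain()
	pos, _ := Verify(chain)
	fmt.Println("intact:", pos == 0, "tail:", TailHash(chain)[:8])
	chain[1].Meta = map[string]string{"note": "edited after the fact"}
	pos, why := Verify(chain)
	fmt.Printf("break at row %d: %s\n", pos, why)
}
```

Three failure modes matter in practice: a row edited without rehashing is caught at that row; a row edited and rehashed is caught at the next row, whose prev_hash no longer matches; a deleted or reordered row is caught by the sequence gap. What the chain cannot catch on its own is truncation at the tail, which is why the exported tail hash has to live in the WORM bucket and be compared on the next run.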

2 · Review break-the-glass

Every emergency access is queued for DPO review the moment it is opened, and a worker that ticks every five minutes enforces the forty-eight-hour review SLA. Your queue shows each flagged access with reason text, scope, duration, and the originating provider. You confirm or escalate each one; the audit chain records emergency.reviewed with your DPO ID. If the window closes without a review, the worker emits emergency.auto_flagged on the row, so a missed SLA is itself an audit event rather than a silent gap.

Emergency override · DCM 110127
Patient cannot consent · ETREAT
Your access will be auto-flagged for DPO review within 48 hours.
Scope
prescription · vital_signs
Duration
2 hours
Open emergency access
Provenance role=revision · purpose ETREAT · reviewed within 48 hours
Break-the-glass
onehealth.fastclinic.xyz/emergency/new

3 · Process the DSAR queue

Patient DSAR requests under NDPA 2023 §36 land in your queue. Each request bundles the patient's records, documents, grants, rectifications, and audit log into a FHIR R4 Bundle (type=collection). The bundle is encrypted with a per-export DEK and signed with Ed25519. Your job is approval — the assembly is automatic. The download is available to the patient for thirty days; after cool-off, the DEK is destroyed and the blob is deleted under NIST 800-88 crypto-erase semantics.

Building your record export · NDPA §36
  1. Collect records · 9 entries · 2 documents
  2. Map to FHIR R4 Bundle (collection)
  3. Encrypt envelope · per-export DEK
  4. Sign manifest · Ed25519
  5. Upload to download URL
Bundle
Patient · Observation · DocumentReference · Consent · Provenance
Audit
NDJSON sidecar · 7y
FHIR R4 · AES-256-GCM · Ed25519
DSAR · in progress
onehealth.fastclinic.xyz/dsar/exports/d8f2

4 · Watch retention

The retention dashboard shows records nearing the seven-year mark from creation. Auto-erase is the default: when retention expires the per-record DEK is destroyed and the ciphertext becomes unrecoverable, the NIST SP 800-88 cryptographic-erase model. That erase is only as complete as the destruction of every copy of the wrapped DEK, so backups and replicas of the key material must follow the same schedule. Some records are held under active care: a chronic-care prescription, an ongoing oncology episode. You toggle hold/release per record; the audit chain records every state change. The seven-year clock is the NDPA 2023 §40 retention period; it also exceeds the six-year documentation retention in HIPAA §164.316(b)(2)(i) and keeps the audit log available for the §164.308(a)(1)(ii)(D) information-system activity review.

Records nearing 7-year retention · NDPA §40 · NIST 800-88

  Title                          Created     Erase scheduled         Action
  Discharge summary · LASUTH     2019-04-30  2026-04-30 · 4 days     Auto
  Lab result · LFT panel         2019-05-12  2026-05-12 · 16 days    Auto
  Imaging report · MRI L-spine   2019-05-29  2026-05-29 · 33 days    Auto
  Prescription · ARV regimen     2019-06-01  2026-06-01 · 36 days    Hold (active care)

Crypto-erase · DEK destroyed · African data residency · WORM S3 · 7y
Retention queue · 14 records
onehealth.fastclinic.xyz/admin/retention

5 · Export Safe-Harbor de-identification

Research and analytics teams need de-identified record exports under HIPAA Safe Harbor or the equivalent NDPA standard. The de-identification endpoint produces a record export with the eighteen Safe-Harbor identifiers stripped and statistical disclosure controls applied. The exported bundle is signed and audit-logged. Your role is determining the lawful basis for each export under NDPA 2023 §25 and approving or denying the request; the de-identification itself is automatic.

DPO · daily compliance posture · Server live · UI ships 2026-H2
Audit chain · Verified · 14,221 rows · 0 breaks
DSAR queue · 3 pending · SLA · 30 days
Break-glass review · 2 due <48h · Auto-flagged
Retention · 14 nearing 7y · NDPA §40
Safe-Harbor de-identify export · Coming 2026
OH-12 endpoints live · OH-13 UI in design
onehealth.fastclinic.xyz/admin

6 · Generate the compliance report

The compliance-report endpoint aggregates NDPA and HIPAA-flavoured metrics: total records under management, record reads in window, grants created and revoked in window, sessions started and ended in window, emergency accesses with review status, DSAR requests by status, retention countdowns, key rotations, audit-chain integrity status. The report is generated server-side, exported in JSON or PDF, and signed with the same Ed25519 key as the DSAR manifests so a regulator can verify it offline.

What you get

Live DPO endpoints today, unified UI 2026-H2

GET /v1/admin/audit, /v1/admin/compliance-report, /v1/admin/deidentify, /v1/admin/dsar-queue, and PUT /v1/admin/pricing are live in production today (OH-12). The unified DPO UI is part of the consolidated Fastclinic admin platform shipping 2026-H2. Until then, the endpoints are scriptable from a service token under the appropriate scope.

Hash-chain integrity verification

Daily integrity check over the full audit chain. The verifier and writer share one canonical-hash function so the check survives schema evolution. Breaks are surfaced with the row number; the chain has not had a break since OH-04 shipped.

Forty-eight-hour break-glass review SLA

Every emergency access is queued for DPO review at the moment it is opened; a worker that runs every five minutes enforces the forty-eight-hour SLA. The audit row carries the reason text, the scope, and the duration; your action is confirm or escalate. A review window that closes without emergency.reviewed is recorded as emergency.auto_flagged.

FHIR R4 + Safe-Harbor de-identification

DSAR exports use the HL7 FHIR R4 Bundle format (type=collection) with Patient, Observation, DocumentReference, Consent, Provenance, and AuditEvent resources. The de-identification endpoint applies the Safe-Harbor eighteen-identifier strip and statistical disclosure controls. Every export is signed with Ed25519.

Capabilities

Records
  • 11 record types · 6 display categories
  • Envelope encryption · AES-256-GCM
  • AAD = UUIDv5 · two namespaces
  • Cursor pagination · keyset over (created_at, id)
  • Archive · 7y retention · NIST 800-88 crypto-erase
  • Document blobs · S3 · per-record DEK
Consent & access
  • Time-limited grants · 30-day default, 10y max
  • Scope-bound · record-type or record-ID lists
  • Patient-initiated revoke
  • Suspend-all · single atomic transaction
  • 5-min expirer · SKIP LOCKED claim
  • FastCredits hold · capture-on-end · release-on-revoke
Audit
  • Hash-chained · SHA-256 · canonical JSON
  • 7-year retention · WORM S3 · daily export
  • §9.7 metadata sanitiser · 25 forbidden keys
  • 35+ event constants · live emitter list
  • Africa/Lagos timezone · business-hours flag
  • Per-actor · per-IP · per-grant correlation
Emergency
  • DCM 110127 · ETREAT · Break-the-glass
  • 20–500 char reason · max 7-day duration
  • 48h DPO auto-flag · worker-driven
  • Cost-neutral · capture_state pre-set
  • Provenance role=revision on rectification
  • Capped at 500 records · truncated flag
DSAR & FHIR
  • FHIR R4 Bundle · type=collection
  • Patient · Observation · DocumentReference · Consent
  • Provenance · AuditEvent NDJSON sidecar
  • Manifest · Ed25519 signed · embedded pubkey
  • Per-export DEK · 30-day cool-off
  • NIST 800-88 crypto-erase on expiry
Compliance
  • NDPA 2023 §35, §36, §40, §65
  • African data residency · single region
  • Documented data-processing record
  • Safe-Harbor de-identification export
  • DPO endpoints live (UI ships 2026-H2)
  • Configurable key rotation · default 90 days

Integrations

Fastclinic
FastLogin

Every OneHealth API call carries a JWT access token issued by Hydra at fastlogin.fastclinic.xyz. OneHealth caches the JWKS for five minutes and refreshes through a singleflight group on unknown-kid lookups, so a new FastLogin signing key is picked up by the first token that carries its kid, a retired key stops being accepted within five minutes, and a burst of unknown-kid requests produces one fetch rather than a thundering herd. Provider identity is the MDCN-verified FastLogin identity; OneHealth has no separate clinical login.
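The JWKS cache described above, as an added Go example. This is not OneHealth's code: it replaces the singleflight group with a hand-rolled in-flight channel so it needs only the standard library, the key material is opaque bytes rather than parsed public keys, and the minRefresh floor between unknown-kid refreshes is my addition, not something the page states. That floor is the check a practitioner wants here: singleflight collapses concurrent misses into one fetch, but without a floor a client sending tokens with made-up kids can force a JWKS fetch on every request.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Fetcher pulls the JWKS from FastLogin; here it returns kid -> key bytes.
type Fetcher func() (map[string][]byte, error)

var (
	ErrUnknownKid = errors.New("jwks: unknown kid")
	ErrThrottled  = errors.New("jwks: unknown kid and refresh throttled")
)

// JWKSCache is a TTL-bounded cache with one in-flight refresh shared by every
// caller that misses at the same time, plus a floor between refreshes so
// forged kids cannot turn every request into a JWKS fetch (the floor is this
// example's assumption, not the page's).
type JWKSCache struct {
	fetch      Fetcher
	now        func() time.Time
	ttl        time.Duration // five minutes on the page
	minRefresh time.Duration

	mu          sync.Mutex
	keys        map[string][]byte
	fetchedAt   time.Time     // last successful fetch
	lastAttempt time.Time     // last fetch, success or not
	lastErr     error
	inflight    chan struct{} // non-nil while a refresh runs; closed when it ends
}

func NewJWKSCache(f Fetcher, now func() time.Time, ttl, minRefresh time.Duration) *JWKSCache {
	return &JWKSCache{fetch: f, now: now, ttl: ttl, minRefresh: minRefresh}
}

// Key resolves kid. Fresh hit: no fetch. Unknown kid or expired cache: one
// refresh, joined by every concurrent caller. Unknown kid inside minRefresh
// of the last attempt: rejected without a fetch. A failed refresh fails
// closed rather than trusting keys past their TTL.
func (c *JWKSCache) Key(kid string) ([]byte, error) {
	c.mu.Lock()
	now := c.now()
	if k, ok := c.keys[kid]; ok && now.Sub(c.fetchedAt) < c.ttl {
		c.mu.Unlock()
		return k, nil
	}
	if c.inflight != nil {
		done := c.inflight // join the refresh already running
		c.mu.Unlock()
		<-done
	} else {
		if now.Sub(c.lastAttempt) < c.minRefresh {
			c.mu.Unlock()
			return nil, ErrThrottled
		}
		done := make(chan struct{})
		c.inflight = done
		c.mu.Unlock()
		keys, err := c.fetch() // outside the lock: a slow fetch must not block hits
		c.mu.Lock()
		c.lastAttempt, c.lastErr = c.now(), err
		if err == nil {
			c.keys, c.fetchedAt = keys, c.lastAttempt
		}
		c.inflight = nil
		close(done)
		c.mu.Unlock()
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.lastErr != nil {
		return nil, c.lastErr
	}
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	return nil, ErrUnknownKid
}

func main() {
	// Simulated FastLogin JWKS with one constructed key; no network involved.
	c := NewJWKSCache(func() (map[string][]byte, error) {
		fmt.Println("fetching JWKS (simulated)")
		return map[string][]byte{"kid-2026-04": []byte("constructed-key-bytes")}, nil
	}, time.Now, 5*time.Minute, 30*time.Second)
	for _, kid := range []string{"kid-2026-04", "kid-2026-04", "kid-forged"} {
		k, err := c.Key(kid)
		fmt.Printf("%s -> %q %v\n", kid, k, err)
	}
}
```

Run stand-alone, the first lookup fetches once, the second is a cache hit, and the forged kid is rejected without a fetch because the last attempt was seconds ago. The fail-closed choice on fetch errors is deliberate: serving stale keys past TTL would keep a revoked FastLogin key valid for as long as the outage lasts.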

Fastclinic
FastCredits

Sessions place a FastCredits hold on session start and capture on session end. The hold TTL is computed from the session lifetime plus a 120-second buffer rather than relying on the FastCredits 10-minute default. Suspend-all and revoke cascade release the hold; the session reconciler (5-minute tick) recovers any hold that landed in pending or failed state.

Fastclinic
Doorcta

Doorcta consultation notes auto-attach to OneHealth records via POST /v1/records under the services:onehealth scope. The Doorcta migration is planned for 2026; until it ships, records continue to land via the partner-integration path with the same scope and audit semantics.

External
Vault Transit · AWS KMS

Both KMS providers are first-class. Vault Transit is the default for self-hosted deployments; AWS KMS is the default for AWS-native deployments. The wrapper interface in internal/crypto/kms.go is symmetric over both; the data-encryption key is wrapped per record and per key version.

External
S3 · WORM audit

Document blobs sit in S3 as envelope-encrypted ciphertext, never as plaintext. The audit chain exports daily to write-once-read-many S3 in the same African region, which also anchors the chain's tail hash outside the database, the one thing that makes truncation at the end of the chain detectable. The seven-year retention covers the NDPA 2023 records-of-processing obligations, exceeds the six-year documentation retention in HIPAA §164.316(b)(2)(i), and keeps the log available for the §164.308(a)(1)(ii)(D) information-system activity review.

External
FHIR R4 (HL7)

DSAR exports use FHIR R4 (Bundle, Patient, Observation, DocumentReference, Consent, Provenance, AuditEvent). The mapper anchors on LOINC where possible, with an opaque-JSON escape hatch for record types that do not have a clean LOINC mapping. Bundle entries use urn:uuid references so the bundle is self-contained.

Compliance & safety

NDPA 2023 — patient as controller, hospital as processor

OneHealth processes personal health data under the NDPA 2023 §25 lawful bases: consent, contract, legal obligation, vital interest. The patient is the controller of their record; the hospital and Fastclinic Limited (RC 1919428) operate as processors under written agreement. The data-processing record is updated alongside every release that touches a new dataset or a new processor.

NDPA 2023
Envelope encryption — AES-256-GCM, KMS-wrapped, AAD-bound

Every record's plaintext field is encrypted with a per-record data-encryption key. The DEK is wrapped by a KMS master key, Vault Transit or AWS KMS. The AEAD additional authenticated data is a UUIDv5 derived from a fixed namespace and the record ID, so the record ID is bound into the GCM authentication tag: a ciphertext moved under another record, or a record whose ID has been altered, fails authentication and the read fails closed. The AAD covers only what feeds that derivation, so metadata outside the record ID is not protected by the tag. Key rotation runs on a configurable cadence with a default of ninety days.
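The envelope scheme above, as an added Go example that is not OneHealth's internal/crypto code. The KMS is simulated by AES-GCM wrapping under a local master key, the namespace is a stand-in (the page's two real namespaces are not published; the RFC 4122 DNS namespace is used so the UUIDv5 derivation can be checked against a published vector), and the record layout is this example's. It shows the three fail-closed cases the paragraph describes and the crypto-erase step the retention section relies on.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
)

// Stand-in for one of the page's two fixed namespaces (real values unpublished):
// the RFC 4122 DNS namespace, so uuidV5 can be checked against a known vector.
var aadNamespace = [16]byte{0x6b, 0xa7, 0xb8, 0x10, 0x9d, 0xad, 0x11, 0xd1,
	0x80, 0xb4, 0x00, 0xc0, 0x4f, 0xd4, 0x30, 0xc8}

// uuidV5 is RFC 4122 §4.3: SHA-1(namespace || name), version 5, variant 10.
func uuidV5(ns [16]byte, name string) [16]byte {
	h := sha1.New()
	h.Write(ns[:])
	h.Write([]byte(name))
	var u [16]byte
	copy(u[:], h.Sum(nil))
	u[6] = (u[6] & 0x0f) | 0x50
	u[8] = (u[8] & 0x3f) | 0x80
	return u
}

// randBytes panics when the CSPRNG fails: no entropy, no encryption.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes by construction
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// gcmSeal prefixes a random 96-bit nonce to the output; gcmOpen strips it.
func gcmSeal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// KMS stands in for Vault Transit or AWS KMS: callers only ever hold wrapped DEKs.
type KMS struct{ master []byte }

func (k *KMS) Wrap(dek []byte) []byte              { return gcmSeal(k.master, dek, nil) }
func (k *KMS) Unwrap(blob []byte) ([]byte, error) { return gcmOpen(k.master, blob, nil) }

// Record is what the store persists; plaintext and the bare DEK never are.
type Record struct {
	ID         string
	Ciphertext []byte
	WrappedDEK []byte
}

// Encrypt: fresh 256-bit DEK per record, record ID bound into the GCM tag
// through AAD = UUIDv5(namespace, recordID), DEK wrapped by the KMS.
func Encrypt(kms *KMS, id string, plaintext []byte) *Record {
	dek := randBytes(32)
	aad := uuidV5(aadNamespace, id)
	return &Record{ID: id, Ciphertext: gcmSeal(dek, plaintext, aad[:]), WrappedDEK: kms.Wrap(dek)}
}

// Decrypt fails closed: ciphertext moved under another record ID, modified
// ciphertext, or a crypto-erased record all return an error, never plaintext.
func Decrypt(kms *KMS, r *Record) ([]byte, error) {
	if r.WrappedDEK == nil {
		return nil, errors.New("record crypto-erased: no DEK")
	}
	dek, err := kms.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	aad := uuidV5(aadNamespace, r.ID)
	return gcmOpen(dek, r.Ciphertext, aad[:])
}

// CryptoErase is NIST SP 800-88 cryptographic erase for one record: destroy the
// wrapped DEK, keep the ciphertext. Complete only if no other copy survives.
func CryptoErase(r *Record) { r.WrappedDEK = nil }

func main() {
	kms := &KMS{master: randBytes(32)}
	r := Encrypt(kms, "rec-0001", []byte("BP 120/80 (constructed sample)"))
	pt, err := Decrypt(kms, r)
	fmt.Printf("read: %q err=%v\n", pt, err)
	CryptoErase(r)
	_, err = Decrypt(kms, r)
	fmt.Println("after crypto-erase:", err)
}
```

Because the AAD is derived from the record ID alone, moving a ciphertext to a different record or rewriting the ID is caught by the tag; any other metadata that should be tamper-evident has to go through the audit chain instead. The erase is a single nil assignment here; in a real store the same DEK row also lives in replicas and backups, and the retention job is only done when those are gone too.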

NIST SP 800-38D (GCM)
Hash-chained audit — 7-year retention, daily WORM export

Every record read, grant create, grant revoke, session start, session end, emergency invocation, and DSAR action is hashed into a Postgres-side chain. The verifier and writer share one canonical-hash function so the integrity check survives schema evolution. The chain exports daily to write-once-read-many S3 storage; the seven-year retention satisfies NDPA 2023 §40, exceeds the six-year documentation retention in HIPAA §164.316(b)(2)(i), and keeps the log available for the §164.308(a)(1)(ii)(D) information-system activity review.

HIPAA Security Rule
DSAR export — FHIR R4, Ed25519-signed, NIST 800-88 erase

Exports use the HL7 FHIR R4 Bundle format (type=collection). The manifest is signed with Ed25519 and the public key is embedded for offline verification. After a thirty-day cool-off post-download, the per-export data-encryption key is destroyed under NIST 800-88 crypto-erase semantics and the blob is scheduled for deletion. The export carries Patient, Observation, DocumentReference, Consent, Provenance, and AuditEvent resources.

FHIR R4 (HL7)
Break-the-glass — auditable emergency, 48-hour DPO review

Emergency access is recorded as a Provenance with DCM 110127 (Emergency Override Started) and purposeOfEvent ETREAT. Every emergency access is queued for DPO review, and a worker that runs every five minutes flags any access still unreviewed after forty-eight hours. The reason text, between twenty and five hundred characters, is preserved in the audit chain. Break-the-glass in v1 is cost-neutral so cost cannot become a deterrent against legitimate use.

DICOM Audit Codes
African data residency — single region, named processors only

Records, documents, audit log, key wraps, and DSAR exports run in a Nigerian-region AWS account in normal operation. No cross-border transfer happens for OneHealth's normal read and write paths. The data-processing record names every processor; for OneHealth, the list is short.

Plain answers

Compliance posture, automated where it can be.

Audit chain. DSAR queue. Retention enforcement. Break-the-glass review. Safe-Harbor de-identification. Server endpoints live today; unified DPO UI ships 2026-H2.