Viewing as
ONEHEALTH · FOR PATIENTS

Your records. Granted on your terms.

Every clinical record encrypted at rest. Every doctor's access bound to a time-limited grant. Every read recorded in an audit chain you can scroll through. Revoke anything, any time. Export everything as FHIR R4.

Request demoHow it works
OneHealth gives you a single encrypted health record, time-limited consent over who reads it, and a tamper-evident log of every access — owned by you, retained for seven years, exportable as a signed FHIR R4 Bundle, and bound by NDPA 2023 §36 data-subject rights you can exercise from your own dashboard.
01 / 07

1 · See your records

Every consultation note, lab result, prescription, imaging report, immunisation, and vital-signs reading from any Fastclinic-connected provider lives in your record library. Eleven record types. Six display categories so the long list is browsable. Every record is encrypted at rest with AES-256-GCM and a per-record data-encryption key wrapped by a KMS master key. The library is yours; the encryption is the platform's job.

Your records · 9 entriesAES-256-GCM · KMS-wrapped
AllConsultationLabMedicationImagingEpisodeGeneral
TitleTypeDateStatus
Annual physical · Dr. AdesinaConsultation note2026-04-22Active
Full blood countLab result2026-04-21Active
Amoxicillin 500mg · 7dPrescription2026-04-21Active
Chest X-ray · CRImaging report2026-03-14Active
Hep-B boosterImmunization2026-02-09Active
BP 128/82 · Pulse 74Vital signs2026-04-22Active
Ear-infection follow-upConsultation summary2025-11-30Archived
7 active2 archived7-year retention
Encrypted at rest
onehealth.fastclinic.xyz/records
02 / 07

2 · Open a record

Tap a record and you see the structured fields plus the audit history of who has read it. The PHI fields are decrypted server-side after your session validates; the network ciphertext never touches your device. The audit panel shows every read by every grantee, with timestamp, IP, and the grant ID that authorised the read. NDPA 2023 §36 says the access record is yours; we make it the default view rather than a buried export.

Annual physical · Dr. AdesinaActive
Type
Consultation note
Created
2026-04-22 10:14 (Africa/Lagos)
Source
doorcta · consult #c3f2
Retention
7 years · NDPA §40
Open audit history
  1. 10:14record.created · doorcta · consult close
  2. 10:42record.read · grant g4f1 · provider Adesina
  3. yesterdayrecord.read · patient · self-view
Encrypted at rest
onehealth.fastclinic.xyz/records/0c9f8d2e
03 / 07

3 · Receive a request

When a provider asks for access, you get a notification on your phone. The request names the provider, the scope they want — for example lab_result and imaging_report — the purpose, and a default duration. You pick the duration: an hour, a day, a week, up to a year. Approve and the grant is created with status=active, expires_at set, and an audit row written. Deny and nothing happens, also recorded.

10:42MTN5G
Access request
Dr. Adesina · LUTH Lagos
Wants to read your Lab results · Imaging
lab_resultimaging_report
Purpose · annual physical follow-up
Approve
Deny
You can revoke any time · audit logged · NDPA §36
04 / 07

4 · See active grants

Granted is not the same as gone. Your active-grants view shows every provider who currently has access, the scope, the expiry countdown, and a one-tap revoke. Suspend-all is a single transaction that suspends every active grant for you at once — useful when a phone is lost or you want to pause access globally without remembering each grant individually.

10:43MTN5G
Granted
Active
Dr. Adesina can read your records for the next
23h 47m
lab_resultimaging_report
What happens next
  1. nowgrant.created · 24h · scope=lab,imaging
  2. tomorrow 10:42grant.expired · auto
Revoke now
05 / 07

5 · Watch a session in progress

When a provider opens a session under one of your grants, the session timer is visible in your app. Time remaining, scope, and an end-session button. Sessions place a small FastCredits hold on the provider's account when they start and capture it when the session ends; if you revoke mid-session, the hold is released. Sessions auto-end at the grant expiry. The session does not re-issue itself; the provider has to request a new grant.

Reading · Ada O. · annual physical
Time remaining
23h 47m
lab_resultimaging_report
Hold
FastCredits · 5 cr / hour
Audit
3 reads · hash-chained
End session
Session active
onehealth.fastclinic.xyz/sessions/s7c2
06 / 07

6 · Read the audit feed

Every record read, grant created, grant revoked, session started, session expired, and emergency access against your record lives in the audit feed. The chain is hashed: every row carries the hash of the previous row plus its own canonical content, so no row can be edited without breaking integrity. The chain exports daily to write-once storage and is retained seven years per NDPA 2023 §40. The §9.7 sanitiser strips Tier-4 keys before any logging happens, so secrets never end up in the audit metadata.

Who accessed · last 7 daysNDPA §40 · §9.7 sanitised
WhenActionActorOrigin
10:14record.createddoorcta · systemservice · ng-west-1
10:42grant.createdpatient · self102.89.42.7 · Lagos
10:43session.startedprovider · g4f141.220.11.88 · Lagos
10:44record.readprovider · g4f141.220.11.88 · Lagos
18:01session.expiredsystem · expirer
yesterdayemergency.accessedprovider · BTG10.0.4.21 · Abuja
All hashes verified1 break-glass · review by 48hAfrica/Lagos
7y retention · hash-chained
onehealth.fastclinic.xyz/audit
07 / 07

7 · Export everything

Whenever you want a copy of your record — under NDPA 2023 §36 or just because — request a DSAR export. OneHealth assembles your records, documents, grants, rectifications, and audit log into a FHIR R4 Bundle. The Bundle is encrypted with a per-export DEK, wrapped in a ZIP, and the manifest is signed with Ed25519 with the public key embedded for offline verification. The download is available for thirty days; after cool-off, the DEK is destroyed (NIST 800-88 crypto-erase) and the blob is deleted. The export contains the same record set you'd hand a regulator, a hospital, or another country's PHR system.

Your record export · 12.4 MB
File
onehealth-export-2026-04-26.zip
SHA-256
a3 2f 9b 4d … 7c 11
Manifest sig
Ed25519 · 64-byte
Public key
embedded · base64
Available until
2026-05-26 · 30d cool-off
Download ZIP
FHIR R4 BundleNIST 800-88 crypto-eraseNDPA §36
Signed · ready
onehealth.fastclinic.xyz/dsar/exports/d8f2/receipt
What you get

Encrypted at rest, by default

Every record's plaintext field is encrypted with AES-256-GCM and a per-record data-encryption key wrapped by KMS. Documents in S3 are envelope-encrypted blobs. The AAD is bound to the record ID so tampering with the metadata breaks the read.

Time-limited consent over every access

Default thirty days, configurable up to ten years, revocable any time. The grant is scoped to the record types or the specific record IDs the provider asked for. Suspend-all stops every grant at once if you need a global pause.

Audit feed you can read

Every read, grant, revoke, session, and emergency access lives in a hash-chained audit log. Seven-year retention, daily WORM export, business-hours flagging, IP and device columns. Your access record is the default view, not a paywall feature.

FHIR R4 export, signed

Your data exports as a FHIR R4 Bundle in a signed ZIP. Ed25519 manifest signature with the public key embedded. NIST 800-88 crypto-erase after the thirty-day cool-off. The format a regulator or another country's system can actually read.

Capabilities

Records
  • 11 record types · 6 display categories
  • Envelope encryption · AES-256-GCM
  • AAD = UUIDv5 · two namespaces
  • Cursor pagination · keyset over (created_at, id)
  • Archive · 7y retention · NIST 800-88 crypto-erase
  • Document blobs · S3 · per-record DEK
Consent & access
  • Time-limited grants · 30-day default, 10y max
  • Scope-bound · record-type or record-ID lists
  • Patient-initiated revoke
  • Suspend-all · single atomic transaction
  • 5-min expirer · SKIP LOCKED claim
  • FastCredits hold · capture-on-end · release-on-revoke
Audit
  • Hash-chained · SHA-256 · canonical JSON
  • 7-year retention · WORM S3 · daily export
  • §9.7 metadata sanitiser · 25 forbidden keys
  • 35+ event constants · live emitter list
  • Africa/Lagos timezone · business-hours flag
  • Per-actor · per-IP · per-grant correlation
Emergency
  • DCM 110127 · ETREAT · Break-the-glass
  • 20–500 char reason · max 7-day duration
  • 48h DPO auto-flag · worker-driven
  • Cost-neutral · capture_state pre-set
  • Provenance role=revision on rectification
  • Capped at 500 records · truncated flag
DSAR & FHIR
  • FHIR R4 Bundle · type=collection
  • Patient · Observation · DocumentReference · Consent
  • Provenance · AuditEvent NDJSON sidecar
  • Manifest · Ed25519 signed · embedded pubkey
  • Per-export DEK · 30-day cool-off
  • NIST 800-88 crypto-erase on expiry
Compliance
  • NDPA 2023 §35, §36, §40, §65
  • African data residency · single region
  • Documented data-processing record
  • Safe-Harbor de-identification export
  • DPO endpoints live (UI ships 2026-H2)
  • Configurable key rotation · default 90 days

Integrations

Fastclinic
FastLogin

Every OneHealth API call carries a JWT access token issued by Hydra at fastlogin.fastclinic.xyz. OneHealth caches the JWKS for five minutes and refreshes through a singleflight group on unknown-kid lookups, so a FastLogin key rotation propagates ecosystem-wide in five minutes without thundering. Provider identity is the MDCN-verified FastLogin identity; OneHealth has no separate clinical login.

Fastclinic
FastCredits

Sessions place a FastCredits hold on session start and capture on session end. The hold TTL is computed from the session lifetime plus a 120-second buffer rather than relying on the FastCredits 10-minute default. Suspend-all and revoke cascade release the hold; the session reconciler (5-minute tick) recovers any hold that landed in pending or failed state.

Fastclinic
Doorcta

Doorcta consultation notes auto-attach to OneHealth records via POST /v1/records under the services:onehealth scope. The Doorcta migration is planned for 2026; until it ships, records continue to land via the partner-integration path with the same scope and audit semantics.

External
Vault Transit · AWS KMS

Both KMS providers are first-class. Vault Transit is the default for self-hosted deployments; AWS KMS is the default for AWS-native deployments. The wrapper interface in internal/crypto/kms.go is symmetric over both; the data-encryption key is wrapped per record and per key version.

External
S3 · WORM audit

Document blobs sit in S3 as envelope-encrypted ciphertext, never as plaintext. The audit chain exports daily to write-once-read-many S3 in the same African region; the seven-year retention satisfies NDPA 2023 records-of-processing obligations and the HIPAA §164.308 audit-log requirement.

External
FHIR R4 (HL7)

DSAR exports use FHIR R4 (Bundle, Patient, Observation, DocumentReference, Consent, Provenance, AuditEvent). The mapper anchors on LOINC where possible, with an opaque-JSON escape hatch for record types that do not have a clean LOINC mapping. Bundle entries use urn:uuid references so the bundle is self-contained.

Compliance & safety

NDPA 2023 — patient as controller, hospital as processor

OneHealth processes personal health data under NDPA 2023 §25 lawful bases — consent, contract, legal obligation, vital interest. The patient is the controller of their record; the hospital and the Fastclinic data controller (Fastclinic Limited, RC 1919428) operate as processors under written agreement. The data-processing record is updated alongside every release that touches a new dataset or a new processor.

NDPA 2023
Envelope encryption — AES-256-GCM, KMS-wrapped, AAD-bound

Every record's plaintext field is encrypted with a per-record data-encryption key. The DEK is wrapped by a KMS master key — Vault Transit or AWS KMS. The AEAD additional-authenticated-data tag is a UUIDv5 derived from a fixed namespace and the record ID, so tampering with the surrounding metadata breaks the AEAD tag and the read fails closed. Key rotation runs on a configurable cadence with a default of ninety days.

NIST SP 800-38D (GCM)
Hash-chained audit — 7-year retention, daily WORM export

Every record read, grant create, grant revoke, session start, session end, emergency invocation, and DSAR action is hashed into a Postgres-side chain. The verifier and writer share one canonical-hash function so the integrity check survives schema evolution. The chain exports daily to write-once-read-many S3 storage; the seven-year retention satisfies NDPA 2023 §40 and HIPAA §164.308(a)(1)(ii)(D).

HIPAA Security Rule
DSAR export — FHIR R4, Ed25519-signed, NIST 800-88 erase

Exports use the HL7 FHIR R4 Bundle format (type=collection). The manifest is signed with Ed25519 and the public key is embedded for offline verification. After a thirty-day cool-off post-download, the per-export data-encryption key is destroyed under NIST 800-88 crypto-erase semantics and the blob is scheduled for deletion. The export carries Patient, Observation, DocumentReference, Consent, Provenance, and AuditEvent resources.

FHIR R4 (HL7)
Break-the-glass — auditable emergency, 48-hour DPO review

Emergency access is recorded as a Provenance with DCM 110127 (Emergency Override Started) and purposeOfEvent ETREAT. Every emergency access is auto-flagged for DPO review within forty-eight hours by a worker that runs every five minutes. The reason text — between twenty and five hundred characters — is preserved in the audit chain. Break-the-glass in v1 is cost-neutral so cost cannot become a deterrent against legitimate use.

DICOM Audit Codes
African data residency — single region, named processors only

Records, documents, audit log, key wraps, and DSAR exports run in a Nigerian-region AWS account in normal operation. No cross-border transfer happens for OneHealth's normal read and write paths. The data-processing record names every processor; for OneHealth, the list is short.

Plain answers

Take ownership of your health record.

One encrypted record. Every access on your terms. Every read on a hash-chained log you can scroll through. FHIR R4 export when you want a copy.

Request demoRead the docs