ONEHEALTH · FOR HEALTHCARE PROVIDERS

Time-limited access to records you actually need.

Request access to a patient's records, scoped and bounded. Read what was granted, write notes that auto-attach, end the session cleanly. Break-the-glass when the patient cannot consent — auto-flagged for DPO review within forty-eight hours.

OneHealth is the verified-clinician record platform — every access bound by a time-limited consent grant, every read in a hash-chained audit log, every emergency override visible to the DPO within forty-eight hours.

1 · Identify the patient

Sign in with FastLogin — your MDCN-verified clinical identity. Locate the patient by their FastLogin identifier or by the structured handoff from a Doorcta consultation. The patient identity carries the records; the hospital does not. You see only patients you have an active grant against, plus the search box for new requests.

Your records · 9 entries · AES-256-GCM · KMS-wrapped
All · Consultation · Lab · Medication · Imaging · Episode · General

Title | Type | Date | Status
Annual physical · Dr. Adesina | Consultation note | 2026-04-22 | Active
Full blood count | Lab result | 2026-04-21 | Active
Amoxicillin 500mg · 7d | Prescription | 2026-04-21 | Active
Chest X-ray · CR | Imaging report | 2026-03-14 | Active
Hep-B booster | Immunization | 2026-02-09 | Active
BP 128/82 · Pulse 74 | Vital signs | 2026-04-22 | Active
Ear-infection follow-up | Consultation summary | 2025-11-30 | Archived

7 active · 2 archived · 7-year retention
Encrypted at rest
onehealth.fastclinic.xyz/records

2 · Request access

Submit a request naming the scope (record types or specific record IDs), the purpose in plain language, and a duration up to your role's maximum. Default duration is thirty days; emergency contexts may shorten it to hours. The request lands as a notification on the patient's phone. You wait. The audit chain records the request as a pending grant.

Access request
Dr. Adesina · LUTH Lagos
Wants to read your Lab results · Imaging
lab_result · imaging_report
Purpose · annual physical follow-up
Approve
Deny
You can revoke any time · audit logged · NDPA §36

3 · Read what was granted

When the patient approves, you see the records in scope — and only the records in scope. The data is decrypted server-side after your access token validates against the JWKS that OneHealth caches from FastLogin for five minutes. Every read against a record emits an audit row tagged with the grant ID, your provider ID, the record ID, and the timestamp. There is no silent read; you cannot scroll past the scope.

Annual physical · Dr. Adesina · Active
Type: Consultation note
Created: 2026-04-22 10:14 (Africa/Lagos)
Source: doorcta · consult #c3f2
Retention: 7 years · NDPA §40
Open audit history
  1. 10:14 · record.created · doorcta · consult close
  2. 10:42 · record.read · grant g4f1 · provider Adesina
  3. yesterday · record.read · patient · self-view
Encrypted at rest
onehealth.fastclinic.xyz/records/0c9f8d2e

4 · Manage the session

A read session opens a FastCredits hold against your account at session start; the hold TTL is computed from the session lifetime plus a 120-second buffer rather than the FastCredits 10-minute default. The session timer counts down. Reads continue under the same session. End the session cleanly when you are done and the hold captures; if the patient revokes mid-session, the cascade releases the hold so you are not charged for the interrupted session.

Reading · Ada O. · annual physical
Time remaining: 23h 47m
lab_result · imaging_report
Hold: FastCredits · 5 cr / hour
Audit: 3 reads · hash-chained
End session
Session active
onehealth.fastclinic.xyz/sessions/s7c2

5 · Write notes

Notes you write during a Doorcta consultation auto-attach to the patient's OneHealth record. The note becomes a record of type consultation_note (or consultation_summary or consultation_report depending on length and structure) under your authorship. The audit chain records record.created with your provider ID. You do not have to copy-paste between systems; the integration is the path.


6 · Break-the-glass when you must

If the patient cannot consent — unconscious in an emergency department, for example — break-the-glass. Submit a reason between twenty and five hundred characters explaining why, name the record types you need (typically prescription and vital_signs), and proceed under DCM 110127 (Emergency Override Started) with purposeOfEvent ETREAT. Cost is zero in v1: the session ships pre-captured so no charge becomes a deterrent against legitimate use. The DPO is auto-paged within forty-eight hours by a worker running every five minutes; you will be asked for clinical context if the DPO needs it.

Emergency override · DCM 110127
Patient cannot consent · ETREAT
Your access will be auto-flagged for DPO review within 48 hours.
Scope: prescription · vital_signs
Duration: 2 hours
Open emergency access
Provenance role=revision · purpose ETREAT · reviewed within 48 hours
Break-the-glass
onehealth.fastclinic.xyz/emergency/new

What you get

MDCN-verified identity, ecosystem-wide

FastLogin already did the licence check. OneHealth trusts it. You do not enrol again per hospital, per system, or per patient. The audit chain records which hospital you signed in to for each access; one identity, multiple employment contexts.

Scope-bound reads

Every read is bound to a grant. Every grant has a scope, a duration, and an audit row. The system makes it impossible to scroll past the scope; you cannot accidentally read out-of-scope records, and the audit cannot show you doing it.

Auto-attach consultation notes

Notes from Doorcta consultations land as records under your authorship without copy-paste. The record carries source_service=doorcta and source_record_id=<consult>; the patient sees both your note and the provenance.

Auditable emergency

Break-the-glass exists for the case where you must read without consent. It is loud by design: reason logged, DPO auto-flagged within forty-eight hours, audit chain recording every step. Cost-neutral in v1 so cost cannot deter legitimate use.

Capabilities

Records
  • 11 record types · 6 display categories
  • Envelope encryption · AES-256-GCM
  • AAD = UUIDv5 · two namespaces
  • Cursor pagination · keyset over (created_at, id)
  • Archive · 7y retention · NIST 800-88 crypto-erase
  • Document blobs · S3 · per-record DEK
Consent & access
  • Time-limited grants · 30-day default, 10y max
  • Scope-bound · record-type or record-ID lists
  • Patient-initiated revoke
  • Suspend-all · single atomic transaction
  • 5-min expirer · SKIP LOCKED claim
  • FastCredits hold · capture-on-end · release-on-revoke
Audit
  • Hash-chained · SHA-256 · canonical JSON
  • 7-year retention · WORM S3 · daily export
  • §9.7 metadata sanitiser · 25 forbidden keys
  • 35+ event constants · live emitter list
  • Africa/Lagos timezone · business-hours flag
  • Per-actor · per-IP · per-grant correlation
Emergency
  • DCM 110127 · ETREAT · Break-the-glass
  • 20–500 char reason · max 7-day duration
  • 48h DPO auto-flag · worker-driven
  • Cost-neutral · capture_state pre-set
  • Provenance role=revision on rectification
  • Capped at 500 records · truncated flag
DSAR & FHIR
  • FHIR R4 Bundle · type=collection
  • Patient · Observation · DocumentReference · Consent
  • Provenance · AuditEvent NDJSON sidecar
  • Manifest · Ed25519 signed · embedded pubkey
  • Per-export DEK · 30-day cool-off
  • NIST 800-88 crypto-erase on expiry
Compliance
  • NDPA 2023 §35, §36, §40, §65
  • African data residency · single region
  • Documented data-processing record
  • Safe-Harbor de-identification export
  • DPO endpoints live (UI ships 2026-H2)
  • Configurable key rotation · default 90 days

Integrations

Fastclinic
FastLogin

Every OneHealth API call carries a JWT access token issued by Hydra at fastlogin.fastclinic.xyz. OneHealth caches the JWKS for five minutes and refreshes through a singleflight group on unknown-kid lookups, so a FastLogin key rotation propagates ecosystem-wide in five minutes without a thundering herd of JWKS refreshes. Provider identity is the MDCN-verified FastLogin identity; OneHealth has no separate clinical login.

Fastclinic
FastCredits

Sessions place a FastCredits hold on session start and capture on session end. The hold TTL is computed from the session lifetime plus a 120-second buffer rather than relying on the FastCredits 10-minute default. Suspend-all and revoke cascade release the hold; the session reconciler (5-minute tick) recovers any hold that landed in pending or failed state.

Fastclinic
Doorcta

Doorcta consultation notes auto-attach to OneHealth records via POST /v1/records under the services:onehealth scope. The Doorcta migration is planned for 2026; until it ships, records continue to land via the partner-integration path with the same scope and audit semantics.

External
Vault Transit · AWS KMS

Both KMS providers are first-class. Vault Transit is the default for self-hosted deployments; AWS KMS is the default for AWS-native deployments. The wrapper interface in internal/crypto/kms.go is symmetric over both; the data-encryption key is wrapped per record and per key version.

External
S3 · WORM audit

Document blobs sit in S3 as envelope-encrypted ciphertext, never as plaintext. The audit chain exports daily to write-once-read-many S3 in the same African region; the seven-year retention satisfies NDPA 2023 records-of-processing obligations and the HIPAA §164.308 audit-log requirement.

External
FHIR R4 (HL7)

DSAR exports use FHIR R4 (Bundle, Patient, Observation, DocumentReference, Consent, Provenance, AuditEvent). The mapper anchors on LOINC where possible, with an opaque-JSON escape hatch for record types that do not have a clean LOINC mapping. Bundle entries use urn:uuid references so the bundle is self-contained.

Compliance & safety

NDPA 2023 — patient as controller, hospital as processor

OneHealth processes personal health data under NDPA 2023 §25 lawful bases — consent, contract, legal obligation, vital interest. The patient is the controller of their record; the hospital and the Fastclinic data controller (Fastclinic Limited, RC 1919428) operate as processors under written agreement. The data-processing record is updated alongside every release that touches a new dataset or a new processor.

NDPA 2023
Envelope encryption — AES-256-GCM, KMS-wrapped, AAD-bound

Every record's plaintext field is encrypted with a per-record data-encryption key (DEK). The DEK is wrapped by a KMS master key — Vault Transit or AWS KMS. The AEAD additional authenticated data (AAD) is a UUIDv5 derived from a fixed namespace and the record ID, so tampering with the surrounding metadata makes verification of the AEAD authentication tag fail and the read fails closed. Key rotation runs on a configurable cadence with a default of ninety days.

NIST SP 800-38D (GCM)
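
The AAD binding described above, as an added Go example that is not OneHealth's own code: AES-256-GCM with a UUIDv5 of the record ID as AAD, so a ciphertext presented under a different record ID fails to open. The namespace bytes, the record IDs `rec-A` and `rec-B`, the function names and the all-zero key (standing in for the KMS-unwrapped DEK) are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
)

var recordNS = [16]byte{0x4f, 0x48, 0x01} // constructed namespace, not from the page

// uuidV5 follows RFC 4122 version 5: SHA-1 over namespace || name, then version/variant bits.
func uuidV5(ns [16]byte, name string) []byte {
	h := sha1.Sum(append(ns[:], name...))
	h[6] = h[6]&0x0f | 0x50 // version 5
	h[8] = h[8]&0x3f | 0x80 // RFC 4122 variant
	return h[:16]
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek) // a 32-byte DEK selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag, with the record ID bound in as AAD.
func seal(gcm cipher.AEAD, recordID string, pt []byte) []byte {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // never encrypt with an unfilled nonce
	}
	return gcm.Seal(nonce, nonce, pt, uuidV5(recordNS, recordID))
}

// open fails closed: a changed blob or record ID gives an error and no plaintext.
func open(gcm cipher.AEAD, recordID string, blob []byte) ([]byte, error) {
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], uuidV5(recordNS, recordID))
	}
	return nil, fmt.Errorf("blob shorter than nonce")
}

func main() {
	gcm, _ := newGCM(make([]byte, 32)) // all-zero demo key in place of the unwrapped DEK
	_, err := open(gcm, "rec-B", seal(gcm, "rec-A", []byte("FBC within range")))
	fmt.Println("read under another record ID rejected:", err != nil)
}
```
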
Hash-chained audit — 7-year retention, daily WORM export

Every record read, grant create, grant revoke, session start, session end, emergency invocation, and DSAR action is hashed into a Postgres-side chain. The verifier and writer share one canonical-hash function so the integrity check survives schema evolution. The chain exports daily to write-once-read-many S3 storage; the seven-year retention satisfies NDPA 2023 §40 and HIPAA §164.308(a)(1)(ii)(D).

HIPAA Security Rule
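
A minimal hash chain in which writer and verifier share one canonical-hash function, added here as an illustration and not taken from OneHealth's code base. The row shape, the field names and the use of `encoding/json` output as the canonical form are assumptions; the event names and grant ID are sample values.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type AuditRow struct { // constructed row shape; field names are assumptions
	Event    string            `json:"event"`
	Meta     map[string]string `json:"meta"`
	PrevHash string            `json:"prev_hash"`
	Hash     string            `json:"-"` // excluded from its own hash input
}

// canonicalHash is shared by writer and verifier; json.Marshal sorts map keys.
func canonicalHash(r AuditRow) string {
	b, _ := json.Marshal(r) // cannot fail for string-only fields
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

// appendRow links a new row to the current tail and stores its hash.
func appendRow(chain []AuditRow, event string, meta map[string]string) []AuditRow {
	r := AuditRow{Event: event, Meta: meta}
	if n := len(chain); n > 0 {
		r.PrevHash = chain[n-1].Hash
	}
	r.Hash = canonicalHash(r)
	return append(chain, r)
}

// verify returns the index of the first broken row, or -1 if the chain is intact.
func verify(chain []AuditRow) int {
	prev := ""
	for i, r := range chain {
		if r.PrevHash != prev || canonicalHash(r) != r.Hash {
			return i
		}
		prev = r.Hash
	}
	return -1
}

func main() {
	c := appendRow(nil, "record.created", map[string]string{"source": "doorcta"})
	c = appendRow(c, "record.read", map[string]string{"grant": "g4f1"})
	c[0].Meta["source"] = "edited" // constructed tamper of an already-chained row
	fmt.Println("first broken row:", verify(c))
}
```

Dropping rows from the tail leaves the remaining rows verifying cleanly, so the latest hash also has to be held somewhere the database writer cannot change, which is the role a daily write-once export plays.
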
DSAR export — FHIR R4, Ed25519-signed, NIST 800-88 erase

Exports use the HL7 FHIR R4 Bundle format (type=collection). The manifest is signed with Ed25519 and the public key is embedded for offline verification. After a thirty-day cool-off post-download, the per-export data-encryption key is destroyed under NIST 800-88 crypto-erase semantics and the blob is scheduled for deletion. The export carries Patient, Observation, DocumentReference, Consent, Provenance, and AuditEvent resources.

FHIR R4 (HL7)
Break-the-glass — auditable emergency, 48-hour DPO review

Emergency access is recorded as a Provenance with DCM 110127 (Emergency Override Started) and purposeOfEvent ETREAT. Every emergency access is auto-flagged for DPO review within forty-eight hours by a worker that runs every five minutes. The reason text — between twenty and five hundred characters — is preserved in the audit chain. Break-the-glass in v1 is cost-neutral so cost cannot become a deterrent against legitimate use.

DICOM Audit Codes
African data residency — single region, named processors only

Records, documents, audit log, key wraps, and DSAR exports run in a Nigerian-region AWS account in normal operation. No cross-border transfer happens for OneHealth's normal read and write paths. The data-processing record names every processor; for OneHealth, the list is short.

Plain answers

Read the records you need. Audit the access you take.

Request access. Read in scope. Write notes that auto-attach. Break-the-glass when you must — visible to the DPO within forty-eight hours.