The first moment of risk is not storage. It is the handoff: a patient types health data, uploads a file, scans a QR code, or signs an intake form. ChiroVault should treat that moment as a controlled legal and cryptographic boundary.
Every PHI object gets a purpose, legal basis, tenant, owner, retention date, audit chain, and rights state. If one of those fields is missing, the object is not shipped to production for clinical processing.
For US clinics, ChiroVault should treat the clinic as the covered entity and ChiroVault as the business associate when a BAA applies. HIPAA does not set a general medical-record retention period; the architecture keeps HIPAA documentation evidence for six years while the actual patient chart retention follows state medical-record law or clinic policy.
| US PHI step | HIPAA sections |
|---|---|
| Before US PHI flows, the clinic has the covered-entity lane, BAA status, and Notice of Privacy Practices mapped. | 164.504(e), 164.520 |
| PHI is used for treatment, payment, operations, or explicit authorization with scoped fields and purpose tags. | 164.502, 164.506, 164.508 |
| Administrative, physical, and technical safeguards cover risk analysis, workstation control, access, audit, integrity, and transmission. | 164.308, 164.310, 164.312 |
| Care record, billing, insurance, support, and QA workflows keep PHI inside the permitted TPO boundary. | 164.506, 164.514(d) |
| Patient access runs on the 30-day clock; amendment requests route to a controlled clinician/legal review lane. | 164.524, 164.526 |
| Unsecured PHI breach workflows prepare individual, Secretary, and business-associate notices without unreasonable delay. | 164.400-414 |
| HIPAA policies, procedures, notices, BAAs, training, decisions, and audit evidence are retained for six years; chart retention follows state law. | 164.530(j) |
| Disclosures outside normal TPO get purpose, recipient, time, and proof so the patient can receive an accounting. | 164.528 |

| EU / NL PHI step | Articles / standards |
|---|---|
| Symptoms, history, consent, images, documents, and contact details enter through intake, kiosk, app, or secure message. | Art. 12-14 notice |
| Purpose is attached before processing: care delivery, billing, legal record, support, or patient-rights request. | Art. 5, 6, 9 |
| TLS, client-side envelope, tenant key, server validation, malware/file-type checks, and no PHI in logs. | Art. 25, 32 |
| Fields are classified as clinical, identity, billing, operational, audit, or message data with retention rules. | Art. 5(1)(c/e) |
| Clinician reviews the data, signs SOAP or treatment notes, and keeps AI output behind an explicit approval gate. | WGBO care record |
| GP, insurer, specialist, lab, or patient export only leaves via a logged, identity-verified channel. | Art. 28, NTA 7516 |
| Every read, write, export, correction, AI review, and access grant is appended to a tamper-evident log. | NEN 7513 |
| Access, rectification, portability, restriction, and deletion requests route through a measured DSAR workflow. | Art. 15-20 |
| If confidentiality, integrity, or availability is impacted, the controller notification workflow starts immediately. | Art. 33-34 |
| Clinical records stay under the WGBO 20-year baseline unless a lawful extension, shorter destruction request, or legal hold applies. | WGBO + Art. 17 |

| Time window | PHI event | Required control | Articles / standards | ChiroVault evidence |
|---|---|---|---|---|
| T-0 before capture | Patient is informed before typing PHI. The clinic and processor roles are known. | Plain-language privacy notice, DPA/BAA status, purpose list, subprocessor notice, language match. | GDPR Art. 12-14, Art. 28; WGBO treatment relationship. | legal_packet_version, tenant_legal_status, locale-specific notice hash. |
| 0-5 min | Intake, kiosk, photo, document, or message is submitted. | Data minimization, required fields only, explicit purpose, file validation, session timeout. | GDPR Art. 5(1)(b/c), Art. 6, Art. 9; NEN 7510. | intake_submission_id, field manifest, validation result, source device. |
| 5-15 min | Transport and server ingress. Data crosses from patient device into ChiroVault. | TLS, envelope encryption, tenant key binding, no PHI in analytics/logs, malware/file checks. | GDPR Art. 25, Art. 32; NEN 7510; HIPAA 45 CFR 164.312 when US PHI applies. | encryption_envelope_v, tenant_key_id, ingress audit event, log redaction test. |
| Same day | Clinician reviews and turns PHI into a care record. | Role-based access, AGB/provider verification, human review for AI drafts, signed note version. | WGBO dossier duty; GDPR Art. 9; GDPR Art. 22 for AI boundary; NEN 7513 logging. | provider_agb, note_version_id, ai_review_decision, audit chain hash. |
| 0-30 days | Patient asks to inspect, correct, export, restrict, or delete. | Identity verification, DSAR queue, clinician correction review, export via secure channel. | GDPR Art. 15-20; WGBO access and correction context; NTA 7516 for secure message delivery. | dsar_id, deadline clock, export bundle checksum, delivery receipt. |
| 0-72h incident | Potential data breach or availability/integrity event. | Incident register, risk assessment, processor-to-controller notice, DPA notification when required. | GDPR Art. 33-34; NIS2 if in scope; NEN 7510 incident process. | incident_id, severity, containment status, 72h deadline, notification packet. |
| 0-20 years | Medical record remains available and protected. | Retention timer, encrypted backups, access reviews, key rotation, audit-log preservation. | WGBO 20-year medical file retention; GDPR Art. 5(1)(e), Art. 32; NEN 7513. | retention_until, backup proof, key-rotation record, access-review snapshot. |
| 20y+ review | Retention expires or is extended. | Destroy, anonymize, or extend only with lawful reason: good care, third-party interest, other law, patient request, or legal hold. | WGBO exceptions; GDPR Art. 17(3), Art. 5(1)(e). | retention_decision, purge_job_id, crypto-shred proof, extension reason. |
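The admission rule from the opening paragraphs (every PHI object carries purpose, legal basis, tenant, owner, retention date, audit chain and rights state, or it does not go live) and the retention rows above (WGBO 20-year baseline from the last dossier change, six-year HIPAA evidence window, state chart law for US clinics, expiry routed to hold, extension or crypto-shred), written out as an added Python example. This is not ChiroVault code: the field names follow the page's vocabulary, but the data model, the `STATE_CHART_YEARS` sample values and the routing order are assumptions made for the illustration.

```python
"""PHI admission gate, retention clock and expiry routing (added example, not ChiroVault code)."""
from datetime import datetime, timezone
from typing import Optional

# Fields every PHI object must carry before it may enter clinical processing.
REQUIRED_FIELDS = ("purpose", "legal_basis", "tenant", "owner",
                   "retention_until", "audit_chain", "rights_state")

WGBO_YEARS = 20                 # NL clinical record baseline
HIPAA_EVIDENCE_YEARS = 6        # 45 CFR 164.530(j) / 164.316(b)(2)(i) documentation window
STATE_CHART_YEARS = {"TX": 7, "CA": 7}   # constructed sample; real values come from state law

# Lawful reasons the retention review may extend past the baseline.
LAWFUL_EXTENSIONS = {"good_care", "third_party_interest", "other_law", "patient_request"}


def utc(y: int, m: int, d: int, h: int = 0) -> datetime:
    return datetime(y, m, d, h, tzinfo=timezone.utc)


def add_years(t: datetime, years: int) -> datetime:
    """Calendar-year shift; 29 February falls back to 28 February in a non-leap target year."""
    try:
        return t.replace(year=t.year + years)
    except ValueError:
        return t.replace(year=t.year + years, day=28)


def retention_until(obj_class: str, jurisdiction: str, anchor: datetime,
                    state: Optional[str] = None) -> datetime:
    """Retention deadline measured from the anchor event (last dossier change for clinical records)."""
    if jurisdiction == "NL" and obj_class == "clinical":
        return add_years(anchor, WGBO_YEARS)
    if jurisdiction == "US" and obj_class == "compliance_evidence":
        return add_years(anchor, HIPAA_EVIDENCE_YEARS)
    if jurisdiction == "US" and obj_class == "clinical":
        # HIPAA sets no chart period: refuse to guess when the state rule is unknown.
        if state not in STATE_CHART_YEARS:
            raise ValueError(f"no chart retention rule for state {state!r}")
        return add_years(anchor, STATE_CHART_YEARS[state])
    raise ValueError(f"no retention rule for {obj_class}/{jurisdiction}")


def missing_fields(obj: dict) -> list:
    """Required fields that are absent or empty; an empty list means the object may go live."""
    return [f for f in REQUIRED_FIELDS if not obj.get(f)]


def on_dossier_change(obj: dict, at: datetime) -> datetime:
    """A treatment write resets the clinical clock from the new last-change time."""
    obj["retention_until"] = retention_until(obj["obj_class"], obj["jurisdiction"], at, obj.get("state"))
    return obj["retention_until"]


def expiry_decision(obj: dict, now: datetime) -> str:
    """Route an object at its retention review: keep, hold, extend or crypto_shred."""
    if obj["retention_until"] > now:
        return "keep"
    if obj.get("legal_hold"):
        return "hold"
    if obj.get("extension_reason") in LAWFUL_EXTENSIONS:
        return "extend"
    return "crypto_shred"   # destroy the data key; the deletion proof stays in the audit chain


def sample_object() -> dict:
    """Constructed NL clinical intake record whose last dossier change was 2023-03-01."""
    return {"purpose": "care_delivery", "legal_basis": "WGBO treatment", "tenant": "clinic-nl-01",
            "owner": "patient-42", "audit_chain": "chain-7", "rights_state": "none",
            "obj_class": "clinical", "jurisdiction": "NL",
            "retention_until": retention_until("clinical", "NL", utc(2023, 3, 1))}


if __name__ == "__main__":
    obj = sample_object()
    print("missing:", missing_fields(obj), "until:", obj["retention_until"].date())
    print("decision in 2044:", expiry_decision(obj, utc(2044, 1, 1)))
```

The decision order matters: a legal hold wins over an extension reason, and an extension wins over destruction, so a purge job that reaches `crypto_shred` has already proven that neither applies.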

| Time window | HIPAA patient event | Required ChiroVault control | HIPAA section met | Evidence artifact |
|---|---|---|---|---|
| T-0 before PHI | Clinic is identified as covered entity and ChiroVault as business associate where applicable. | BAA status, Notice of Privacy Practices surface, permitted-use map, subcontractor list. | 45 CFR 164.504(e), 164.520, 164.506. | baa_status, npp_version, permitted_use_manifest. |
| 0-15 min | Patient enters PHI through intake, kiosk, portal, document upload, or secure message. | Minimum-necessary fields, role scope, TLS, encryption, malware validation, PHI log denylist. | 164.502(b), 164.308(a)(1), 164.312(a/b/c/e). | field_manifest, tenant_key_id, ingress_audit_id, log-redaction proof. |
| Same day | PHI becomes part of the designated record set or a care-adjacent operational record. | Treatment/payment/operations purpose, clinician review, workforce access role, audit reason. | 164.506, 164.514(d), 164.524, 164.530. | record_set_id, purpose=tpo, actor_role, access_reason. |
| 30 days | Patient asks for access to PHI in the designated record set. | Identity verification, access queue, export packet, denial/escalation logic when applicable. | 164.524. | access_request_id, deadline timestamp, export checksum, delivery receipt. |
| 60 days | Patient requests amendment, or unsecured PHI breach notification is required. | Amendment review workflow; breach register with individual, HHS Secretary, and BA notice paths. | 164.526; 164.400-414, 164.404, 164.408, 164.410. | amendment_case_id, breach_case_id, notice packet, containment log. |
| 0-6 years | HIPAA compliance evidence is retained. Medical chart retention follows state medical-record law, not HIPAA itself. | Policies, procedures, BAAs, training records, privacy notices, sanctions, decisions, and audit evidence retained for six years. | 164.530(j); 164.316(b)(2)(i) for Security Rule documentation. | policy_version, training_record, baa_archive, audit_export. |
| 6 years+ | Disclosure accounting and legal holds are resolved. | Accounting of disclosures, state-law retention resolver, legal hold, purge/anonymize decision. | 164.528, 164.530(j); state medical-record retention law. | disclosure_accounting_id, state_retention_rule, legal_hold, purge proof. |

| PHI object | Classification | Processing rule | Retention rule | Audit requirement |
|---|---|---|---|---|
| Intake answers | Clinical PHI / health data | Process only for care intake, triage, and clinician review. | Attach to medical file when used for treatment; WGBO 20-year baseline from last dossier change. | Create, read, clinician review, correction, export, delete/extend. |
| SOAP notes | Medical record | Clinician-authored or clinician-approved. AI draft never becomes record without approval. | Medical file retention baseline; extension if required for good care or legal defense. | Version chain, signer, edit reason, patient access event. |
| Uploaded image/PDF | Document PHI | Malware scan, OCR/redaction decision, linked purpose, viewer permissions. | Same as linked record unless classified as operational non-record. | Upload, scan result, view, link/unlink, export, purge. |
| Messages | Ad-hoc health communication | Secure channel, sender identity, delivery receipt, no PHI to unsupported channel. | Clinical content promoted to record; operational copies follow channel retention policy. | Send, receive, delivery, revoke, attachment access. |
| Billing and insurance data | Financial + care-adjacent personal data | Use clinic AGB and treating provider AGB where required for invoice and claim context. | Accounting/tax retention may differ from medical record retention; keep separate purpose tags. | Create invoice, submit claim, payment status, correction. |
| Audit logs | Security evidence | Append-only, tamper-evident, minimum required context, no clinical text. | Preserve for evidence window aligned to clinical and security obligations. | Hash chain, actor, timestamp, object id, action, previous hash. |

| Control family | Every article / standard met by the flow | Implementation checkpoint | Go-live evidence |
|---|---|---|---|
| Lawful processing | GDPR Art. 5(1)(b), 5(1)(c), 5(1)(e), 5(2), 6, 9, 12, 13, 14; WGBO treatment context. | Purpose, legal basis, transparency notice, language, and controller/processor role are recorded before PHI is accepted. | Privacy notice hash, processing manifest, DPA/BAA status, intake source. |
| Processor governance | GDPR Art. 28, 30; subprocessor transparency; DPA/BAA eligibility gate. | Tenant cannot process live PHI until DPA/BAA and subprocessor list are approved where required. | ROPA row, subprocessor version, agreement status, PHI-enabled flag. |
| Privacy by design | GDPR Art. 25, 32; NEN 7510; HIPAA 45 CFR 164.312 when US PHI applies. | Encryption, role-based access, key isolation, log redaction, session controls, and secure transport are default. | Key-present proof, auth policy export, RLS tests, log review, encryption envelope sample. |
| Clinical and AI boundary | GDPR Art. 9, 22; WGBO dossier duty; AGB/BIG/UZI identity checks; NEN 7513. | Clinician signs the care record, AI stays draft-only, provider identity is attached to notes and invoices. | Signed note version, provider AGB, AI review decision, audit chain hash. |
| Patient rights | GDPR Art. 12, 15, 16, 17, 17(3), 18, 20; WGBO access context. | DSAR queue with clocks, secure export, correction workflow, restriction state, and retention-aware deletion. | DSAR sample, export checksum, delivery receipt, refusal/approval reason. |
| Sharing and secure delivery | GDPR Art. 28, 30, 32; NTA 7516; eIDAS where e-signature is used. | External PHI only leaves via verified recipient, signed export link, secure message, or legally approved processor. | Recipient record, delivery receipt, export checksum, subprocessor status. |
| Security incidents | GDPR Art. 33, 34; NEN 7510 incident process; NIS2 if in scope. | Incident register starts 72-hour timer and produces controller/DPA/patient notification packets. | Incident drill record, template, containment checklist, deadline timestamp. |
| DPIA and high-risk review | GDPR Art. 35; Art. 36 prior consultation when residual high risk remains. | AI, imaging, PHI intake, secure messaging, and new processor workflows get DPIA review before production use. | DPIA record, risk treatment, AP consultation reference if needed. |
| Auditability | NEN 7513; GDPR Art. 5(2), 30; ISO 27001 logging evidence. | Every access/export/change has actor, timestamp, object id, reason, and hash-chain continuity. | Verifier output, sample chain, audit export. |
| Retention | WGBO 20-year baseline; GDPR Art. 5(1)(e), 17, 17(3), 18, 30. | Record-level retention clock plus lawful extension, restriction, destruction, anonymization, or legal-hold decision at expiry. | Retention policy, purge dry-run, crypto-shred proof, extension reason. |
Operational compliance workflows
Four native workflow views use the same operational box type as the architecture cards. Standard pills are generated from the active platform jurisdiction, so Spanish shows EU + Spain, Dutch shows EU + Netherlands, US shows HIPAA/SOC/FIPS, and no unrelated country law is mixed in.
| Handoff step | Control label |
|---|---|
| Identity, clinic, intake source, locale, and required clinical fields are accepted as one governed handoff. | Store + verify |
| National identifiers and health data are encrypted, role-masked, and kept out of URLs, logs, and analytics. | Protect |
| The first write creates the audit spine: actor, patient, purpose, action, timestamp, and hash-chain anchor. | Track |
| Consent is versioned by purpose, data category, and recipient class before sharing or AI-assisted drafting. | Prove |
| Every view, write, print, export, and AI action is checked server-side against role and care relationship. | Protect |
| The clinician-approved note is written with immutable created time, version history, and retention recalculation. | Store |
| External sharing checks consent, recipient identity, secure channel, delivery proof, and patient notification rules. | Protect + track |
| Access, correction, portability, restriction, and deletion requests receive deadlines, outcomes, and evidence. | Prove |
| At expiry, ChiroVault routes to lawful extension, legal hold, anonymization, or cryptographic deletion proof. | System |
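The "kept out of URLs, logs, and analytics" control above (the PHI log denylist and log-redaction proof named in the timeline tables) as an added Python example. This is not ChiroVault code: the field denylist, the e-mail and BSN patterns and the logger wiring are assumptions; the point is that redaction runs on the logger, ahead of every handler, and that a `redaction_proof` check produces the evidence the tables ask for.

```python
"""PHI log denylist: scrub identifiers before a record reaches any log sink (added example)."""
import io
import logging
import re

PHI_FIELD_DENYLIST = {"name", "dob", "bsn", "ssn", "email", "phone", "diagnosis", "note", "symptoms"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
NINE_DIGITS_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")


def is_bsn(candidate: str) -> bool:
    """Dutch BSN '11-proef': weights 9..2 on the first eight digits, -1 on the last; sum divisible by 11."""
    d = [int(c) for c in candidate]
    return (sum(x * w for x, w in zip(d[:8], range(9, 1, -1))) - d[8]) % 11 == 0


def redact_text(text: str) -> str:
    """Replace e-mail addresses and valid BSNs; other nine-digit numbers (ticket ids) stay readable."""
    text = EMAIL_RE.sub("[email]", text)
    return NINE_DIGITS_RE.sub(lambda m: "[bsn]" if is_bsn(m.group()) else m.group(), text)


def redact_fields(fields: dict) -> dict:
    """Structured context: denylisted keys are dropped outright, other values are pattern-scrubbed."""
    return {k: "[redacted]" if k.lower() in PHI_FIELD_DENYLIST else redact_text(str(v))
            for k, v in fields.items()}


class PhiRedactionFilter(logging.Filter):
    """Attached to the logger, so every handler (file, stdout, shipper) only ever sees scrubbed records."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact_text(str(a)) for a in record.args)
        if isinstance(getattr(record, "fields", None), dict):
            record.fields = redact_fields(record.fields)
        return True


def render_with_redaction(events) -> str:
    """Emit (msg, args) events through the filter and return the text a sink would store."""
    stream = io.StringIO()
    logger = logging.getLogger("phi.redaction.example")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(PhiRedactionFilter())
    for msg, args in events:
        logger.info(msg, *args)
    return stream.getvalue()


def redaction_proof(raw_values, rendered: str) -> bool:
    """Evidence check: none of the raw PHI values survives in the rendered log."""
    return all(v not in rendered for v in raw_values)


# Constructed sample events: a BSN-format test number and a ticket id that fails the 11-proef.
SAMPLE_EVENTS = [
    ("intake submitted by %s (bsn %s)", ("jan@example.org", "111222333")),
    ("support ticket 123456789 opened for tenant %s", ("clinic-nl-01",)),
]

if __name__ == "__main__":
    out = render_with_redaction(SAMPLE_EVENTS)
    print(out, "proof:", redaction_proof(["jan@example.org", "111222333"], out))
```

Scrubbing `record.args` separately from `record.msg` matters: if the filter only touched the formatted message, a handler that logs the raw args (a JSON shipper, for instance) would still leak them.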

- Required clinical, identity, consent, and purpose metadata are attached before the record can become live.
- Consent moves through a state machine. Withdrawal is a new event, not an overwrite.
- Each treatment write resets the clinical retention clock and appends a tamper-evident edit event.
- Inspection, correction, access log, export, restriction, and erasure requests use visible deadlines.
- Practice owner and DPO receive review tasks before expiry, including legal hold and exception checks.
- Data is crypto-shredded or lawfully extended, while the deletion proof remains in the audit chain.
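The consent state machine described in this lifecycle (versioned by purpose, data category and recipient class; withdrawal appended as a new event, never an overwrite) as an added Python example. This is not ChiroVault code: the transition table, the three-part key and the `notice_version` field are assumptions; what it demonstrates is that the current state is derived by folding the event history, so a share made last month can still be checked against the consent that applied at that moment.

```python
"""Event-sourced consent ledger: withdrawal is appended, never overwritten (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

Key = Tuple[str, str, str]   # (purpose, data_category, recipient_class)

# Allowed transitions; anything else is rejected and never lands in the ledger.
TRANSITIONS = {("none", "grant"): "granted",
               ("granted", "withdraw"): "withdrawn",
               ("withdrawn", "grant"): "granted"}


def utc(y: int, m: int, d: int, h: int = 0) -> datetime:
    return datetime(y, m, d, h, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    seq: int
    at: datetime
    purpose: str
    data_category: str
    recipient_class: str
    action: str            # "grant" | "withdraw"
    notice_version: str    # privacy notice the patient saw when acting

    @property
    def key(self) -> Key:
        return (self.purpose, self.data_category, self.recipient_class)


class ConsentLedger:
    def __init__(self) -> None:
        self._events = []   # append-only; no update or delete path exists

    def state(self, key: Key, at: Optional[datetime] = None) -> str:
        """Fold the events for one key up to `at` (default: all of them) into a state."""
        s = "none"
        for ev in self._events:
            if ev.key == key and (at is None or ev.at <= at):
                s = TRANSITIONS[(s, ev.action)]
        return s

    def can(self, key: Key, action: str) -> bool:
        return (self.state(key), action) in TRANSITIONS

    def record(self, at: datetime, purpose: str, data_category: str,
               recipient_class: str, action: str, notice_version: str) -> ConsentEvent:
        key = (purpose, data_category, recipient_class)
        if self._events and at < self._events[-1].at:
            raise ValueError("events must be appended in time order")
        if not self.can(key, action):
            raise ValueError(f"cannot {action} consent for {key} in state {self.state(key)}")
        ev = ConsentEvent(len(self._events) + 1, at, purpose, data_category,
                          recipient_class, action, notice_version)
        self._events.append(ev)
        return ev

    def is_granted(self, purpose: str, data_category: str, recipient_class: str,
                   at: Optional[datetime] = None) -> bool:
        return self.state((purpose, data_category, recipient_class), at) == "granted"

    def history(self, key: Key) -> list:
        return [ev for ev in self._events if ev.key == key]

    def __len__(self) -> int:
        return len(self._events)


def build_sample_ledger() -> ConsentLedger:
    """Constructed history: AI drafting consented; GP sharing granted, then withdrawn three weeks later."""
    led = ConsentLedger()
    led.record(utc(2025, 1, 10), "ai_drafting", "clinical", "internal", "grant", "notice-v3")
    led.record(utc(2025, 1, 10), "sharing", "clinical", "gp", "grant", "notice-v3")
    led.record(utc(2025, 2, 1), "sharing", "clinical", "gp", "withdraw", "notice-v3")
    return led


if __name__ == "__main__":
    led = build_sample_ledger()
    print("gp sharing now:", led.is_granted("sharing", "clinical", "gp"))
    print("gp sharing on 2025-01-20:", led.is_granted("sharing", "clinical", "gp", at=utc(2025, 1, 20)))
```

The point-in-time query (`at=`) is what turns the ledger into evidence: an export made on 20 January can be shown to have been covered even though the consent was later withdrawn, and the withdrawal itself remains visible in `history()`.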

- MFA, care relationship, role, reason, clinical data, and audit event are checked together.
- Administrative staff see scheduling and billing data, with clinical notes denied and identifier fields masked.
- The patient can inspect the file, download exports, see access logs, and submit rights requests.
- Billing data is separated from clinical content. Any clinical disclosure must match consent and minimum-necessary scope.
- GP, specialist, or physio receives only consented data through a verified, signed, encrypted channel.
- Admins manage infrastructure, logs, and deployments without patient-record read access.
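The role view above (MFA, care relationship, role and reason checked together; administrative staff denied clinical notes with identifiers masked; infrastructure admins without patient-record access) as an added Python example of a deny-by-default decision function. This is not ChiroVault code: the role names, scopes and rule order are assumptions drawn from the list, external-provider sharing is not modelled, and a real deployment would mirror the same decision in the database policy layer rather than rely on application code alone.

```python
"""Server-side access decision for a PHI read or write (added example, not ChiroVault code)."""
from dataclasses import dataclass

# What each role may touch. Anything not listed is denied (deny by default).
ROLE_SCOPES = {
    "clinician":   {"schedule", "billing", "clinical_note", "identifiers", "document"},
    "admin_staff": {"schedule", "billing", "identifiers"},
    "patient":     {"clinical_note", "document", "access_log", "export"},
    "infra_admin": {"infrastructure", "logs", "deployments"},
}
MASKED_FOR = {("admin_staff", "identifiers")}   # visible, but national id / DOB masked
PATIENT_RECORD = {"clinical_note", "document", "identifiers", "billing", "schedule", "access_log", "export"}


@dataclass(frozen=True)
class Request:
    actor_id: str
    role: str
    mfa_ok: bool
    patient_id: str
    object_class: str
    action: str               # "read" | "write" | "export"
    reason: str
    care_relationship: bool   # actor is on the patient's care team (looked up server-side)


@dataclass(frozen=True)
class Decision:
    allow: bool
    masked: bool
    why: str


def decide(req: Request) -> Decision:
    """All checks run on the server; the first failing one names the reason for the audit event."""
    if not req.mfa_ok:
        return Decision(False, False, "mfa_required")
    scope = ROLE_SCOPES.get(req.role, set())
    if req.object_class not in scope:
        return Decision(False, False, f"{req.role}_scope_denies_{req.object_class}")
    if req.role == "patient" and req.actor_id != req.patient_id:
        return Decision(False, False, "patient_not_own_record")
    if req.role == "clinician" and not req.care_relationship:
        return Decision(False, False, "no_care_relationship")
    if req.role != "patient" and req.object_class in PATIENT_RECORD and not req.reason.strip():
        return Decision(False, False, "reason_required")
    if req.role != "clinician" and req.action == "write" and req.object_class == "clinical_note":
        return Decision(False, False, "only_clinician_writes_notes")
    return Decision(True, (req.role, req.object_class) in MASKED_FOR, "allowed")


def audit_event(req: Request, d: Decision) -> dict:
    """Minimal context and no clinical text: who, what, on which object, why, and the outcome."""
    return {"actor": req.actor_id, "role": req.role, "action": req.action,
            "object_class": req.object_class, "patient": req.patient_id, "reason": req.reason,
            "outcome": "allow" if d.allow else "deny", "why": d.why, "masked": d.masked}


def make_request(role: str, object_class: str, action: str = "read", **overrides) -> Request:
    """Constructed request with sensible defaults; keyword overrides flip one condition at a time."""
    base = dict(actor_id="u1", role=role, mfa_ok=True, patient_id="p1", object_class=object_class,
                action=action, reason="treatment visit", care_relationship=True)
    base.update(overrides)
    return Request(**base)


if __name__ == "__main__":
    for req in (make_request("clinician", "clinical_note"),
                make_request("admin_staff", "clinical_note"),
                make_request("admin_staff", "identifiers"),
                make_request("infra_admin", "clinical_note")):
        print(audit_event(req, decide(req)))
```

Both outcomes produce an audit event: denied attempts are the ones a security operations team most wants to see, because a run of `no_care_relationship` denials from one account is an early signal of record browsing.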

- Incident case, severity, affected-object snapshot, DPO notification, and regulatory clocks start immediately.
- System calculates affected patients, data classes, services, containment state, and likely risk.
- Notification template is pre-filled with nature, categories, count, consequences, measures, and DPO contact.
- Practice owner, legal counsel, and patient-notification review are escalated before deadlines become fragile.
- Authority notice and high-risk patient notices are sent, signed, delivered, and linked to the incident audit trail.
- Root cause, remediation, lessons learned, ROPA/DPIA updates, and closure proof are preserved.

| Article | Requirement | ChiroVault implementation |
|---|---|---|
| Art. 5(1)(c) | Data minimisation | Email-only identifier. No DOB or clinic-ID as primary key. Minimum fields per form. |
| Art. 5(1)(e) | Storage limitation | Per-record retention_until timestamp. Cron-purge on expiry. Crypto-shred destroys key, not just row. |
| Art. 6 | Lawful basis | Processing manifest records care delivery, billing, legal obligation, patient-rights, or support purpose before PHI processing. |
| Art. 9 | Special-category health data | Health-data processing is isolated to treatment, healthcare operations, and explicit legal/contractual workflows. |
| Art. 12 | Transparent communication | 14 languages incl. Arabic RTL. Plain-language patient summaries after every visit. |
| Art. 15 | Right of access (DSAR) | Patient self-service export. Step-up auth required. Time-limited signed URL. Audit-logged. |
| Art. 16 | Right to rectification | Patient correction request → clinician review → approve/refuse with reason → audit chain entry. |
| Art. 17 | Right to erasure | Two-tier: immediate erase of non-clinical fields; retention-bound on clinical. Confirmation email itemises both. |
| Art. 20 | Data portability | Structured JSON export per record type. Published schema. Audit-chain entry on every export. |
| Art. 22 | No automated decision-making | Lotte AI drafts only; clinician must approve before any content enters the record. |
| Art. 25 | Data protection by design and default | Default PHI path is encrypted, tenant-scoped, minimal, role-gated, and audit-logged. |
| Art. 28 | Processor obligations | Pre-templated DPA via DocuSign on signup; sub-processor list versioned + change-notification. |
| Art. 30 | Records of processing | ROPA rows map each PHI object type to purpose, basis, category, recipient, retention, and transfer status. |
| Art. 32 | Security of processing | Client-side PQ hybrid encryption + per-tenant KMS + Postgres RLS. All three independent gates. |
| Art. 33-34 | Breach notification | Incident register starts 72-hour clock, controller/DPA notification packet, and patient notification where high risk applies. |
| Art. 35 | DPIA for high-risk processing | DPIA register tracks AI, imaging, PHI intake, secure messaging, and new subprocessor workflows. |
| Art. 44+ | Transfers outside EU | EU-only hosting (Supabase EU, CF EU, Hostinger NL). No transatlantic transfer of PHI or transactional email. |

| Article | Requirement | ChiroVault implementation |
|---|---|---|
| Art. 7:448 | Informed consent | Intake form includes explicit consent block per treatment plan. Language-native copy. |
| Art. 7:454 | 20-year record retention | Per-record retention timer = now + 20 years for NL clinics. Auto-purge after window + grace. |
| Art. 7:456 | Patient access to record | DSAR flow covers WGBO access right in addition to GDPR Art. 15. |
| Art. 7:457 | Confidentiality | Per-tenant encryption. Only the clinic's key can decrypt. ChiroVault infra is cryptographically blind. |

| Section | Requirement | ChiroVault implementation |
|---|---|---|
| §164.308 | Administrative safeguards | Role-based access enforced server-side via Postgres RLS, not just UI. Minimum-necessary design. |
| §164.312(a)(2)(iv) | Encryption / decryption | AES-256-GCM + per-tenant KEK. Client-side encrypt before transit. |
| §164.312(b) | Audit controls | NEN-7513 hash-chained audit log. Tamper-evident. SHA-256 prevHash + ML-DSA-65 per-entry signature. |
| §164.312(d) | Authentication | Email-OTP + passkey (WebAuthn) + TOTP 2FA + step-up for privileged ops. |
| §164.504(e) | BAA requirement | Pre-templated BAA via DocuSign on US-clinic signup, region-routed automatically. |
| §164.526 | Amendment of PHI | Patient correction request flow with clinician approval, maps to GDPR Art. 16 implementation. |

| Standard | Requirement | ChiroVault implementation |
|---|---|---|
| NEN-7510 §10 | Cryptography policy | Per-tenant KEK in KMS. 90-day rotation. X25519 + ML-KEM-768 hybrid envelope. |
| NEN-7510 §A.9 | Access control | Passkey + TOTP 2FA. Postgres RLS. Cloudflare Access perimeter. Step-up for privileged ops. |
| NEN-7513 | Hash-chained audit log | SHA-256 prevHash. ML-DSA-65 (FIPS 204) per-entry signature. Append-only D1 SQLite. Public verifier offline. |
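The hash-chained audit log described in the NEN-7513 rows above and in the audit-log and auditability rows of the earlier tables (SHA-256 prevHash, per-entry signature, append-only, no clinical text, offline verifier) as an added Python example. This is not ChiroVault's verifier. Standard-library Python has no ML-DSA-65, so the per-entry signature here is an HMAC-SHA256 under a constructed tenant key: it stands in for the FIPS 204 signature but is a symmetric placeholder, neither public-key nor post-quantum, which is why a public offline verifier could not check it the way it could check a real ML-DSA signature.

```python
"""Tamper-evident audit chain: SHA-256 prev_hash linkage plus a per-entry signature (added example)."""
import hashlib
import hmac
import json
from typing import Optional, Tuple

GENESIS = "0" * 64
FORBIDDEN_KEYS = {"note", "diagnosis", "symptoms", "message_body"}   # audit rows carry no clinical text
TENANT_AUDIT_KEY = b"constructed-demo-key-not-for-production"      # placeholder for the ML-DSA-65 key


def canonical(fields: dict) -> bytes:
    """Deterministic encoding, so every verifier hashes exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(fields: dict) -> str:
    return hashlib.sha256(canonical(fields)).hexdigest()


def sign(h: str, key: bytes = TENANT_AUDIT_KEY) -> str:
    """HMAC stand-in for the per-entry ML-DSA-65 signature (see lead-in)."""
    return hmac.new(key, h.encode(), hashlib.sha256).hexdigest()


def append(chain: list, actor: str, action: str, object_id: str, reason: str,
           ts: str, extra: Optional[dict] = None) -> dict:
    """Link a new event to the current head; refuse any clinical payload."""
    extra = extra or {}
    if FORBIDDEN_KEYS & set(extra):
        raise ValueError("clinical text is not allowed in the audit log")
    fields = {**extra, "seq": len(chain) + 1, "ts": ts, "actor": actor, "action": action,
              "object_id": object_id, "reason": reason,
              "prev_hash": chain[-1]["hash"] if chain else GENESIS}
    h = entry_hash(fields)
    entry = {**fields, "hash": h, "sig": sign(h)}
    chain.append(entry)
    return entry


def verify(chain: list, key: bytes = TENANT_AUDIT_KEY) -> Tuple[bool, Optional[int], Optional[str]]:
    """Walk the chain; return (ok, seq of the first bad entry, which check failed)."""
    prev = GENESIS
    for i, e in enumerate(chain, start=1):
        fields = {k: v for k, v in e.items() if k not in ("hash", "sig")}
        if fields.get("seq") != i:
            return False, i, "seq"            # gap or reordering
        if fields.get("prev_hash") != prev:
            return False, i, "prev_hash"      # link to predecessor broken
        if entry_hash(fields) != e.get("hash"):
            return False, i, "hash"           # content edited after the fact
        if not hmac.compare_digest(sign(e["hash"], key), str(e.get("sig", ""))):
            return False, i, "sig"            # hash rewritten without the signing key
        prev = e["hash"]
    return True, None, None


def head(chain: list) -> str:
    """Publish this value out of band; the chain alone cannot reveal truncation of its own tail."""
    return chain[-1]["hash"] if chain else GENESIS


def build_sample_chain() -> list:
    """Constructed three-event chain for one intake record."""
    chain = []
    append(chain, "clinician:dr-a", "create", "intake-42", "new patient intake", "2025-03-01T09:00:00Z")
    append(chain, "clinician:dr-a", "read", "intake-42", "treatment visit", "2025-03-01T09:05:00Z")
    append(chain, "system:export", "export", "intake-42", "dsar-17", "2025-03-10T14:00:00Z")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify(chain), "head:", head(chain)[:16])
    chain[1]["reason"] = "changed"
    print("after edit:", verify(chain))
```

The four failure kinds in `verify` map to four different attacker capabilities: editing a row breaks `hash`; editing and re-hashing without the key breaks `sig`; deleting a middle row breaks `seq` (or `prev_hash`); and silently dropping the newest rows passes every in-chain check, which is why the head hash has to be anchored somewhere the database writer cannot reach.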