Technical Architecture

The EMR-Agnostic Bridge: End-to-End Data Flow

A detailed view of how clinical data travels from any community EMR through the KaiCare platform into the VA Federal Electronic Health Record.

Community EMR

Epic / Cerner / athena / Custom

FHIR R4 + HL7 v2

C-CDA, ADT, ORU, SIU

KaiCare Ingestion

Parse, Validate, De-duplicate

USCDI v3 Normalizer

US Core FHIR Profiles

Joint HIE Layer

CareQuality / CommonWell

Federal EHR

Oracle Health (Cerner)

Compliance

HIPAA-First Design

Security and privacy are not afterthoughts — they are the foundation on which every feature is built.

Multi-Tenant Isolation

Every database query enforces organizationId filtering per HIPAA 164.312(a)(1). Data belonging to one practice is never accessible to another.

Row-level security via Prisma middleware
Separate Cognito user pools per portal type
Network isolation with VPC and private subnets
Encryption at rest (AES-256) and in transit (TLS 1.3)

Comprehensive Audit Trails

Every data mutation (create, update, delete) writes an AuditLog entry with userId, timestamp, action, and affected resource.

Immutable audit log stored in Aurora PostgreSQL
CloudTrail integration for infrastructure-level events
Automatic PHI access logging per 164.312(b)
Configurable retention policies (7-year default)

PHI Protection

Protected Health Information is never logged to CloudWatch, console output, or error reporting services.

Prisma logging restricted to errors only
Structured error responses strip PHI before transmission
S3 objects encrypted with AWS KMS customer-managed keys
Phone numbers normalized to E.164 and stored encrypted

Access Control

Invitation-only authentication with MFA required for all provider-facing portals and role-based access control.

TOTP MFA for providers, SMS MFA for patients
1-hour token expiry, 24-hour max session, 30-min idle timeout
JWT verification on every API request
Role-scoped data access (Doctor, MA, CPA, Admin, Participant)

Standards

Interoperability Standards

Full alignment with USCDI v3 and US Core FHIR profiles — the federal standard for health data exchange.

USCDI v3 Data Classes (19 Classes Supported)

Allergies and Intolerances

Assessment and Plan of Treatment

Care Team Members

Clinical Notes

Clinical Tests

Diagnostic Imaging

Encounter Information

Goals

Health Concerns

Health Insurance Information

Immunizations

Laboratory

Medications

Patient Demographics

Problems (Conditions)

Procedures

Provenance

Vital Signs

Unique Device Identifiers

FHIR US Core Profile Mapping

FHIR Resource	US Core Profile	Data Exchanged
Patient	US Core Patient	Demographics, identifiers, contact information
Condition	US Core Condition	Active diagnoses, problem list entries
Observation	US Core Vital Signs / Lab Result	Vitals, lab values, social history
MedicationRequest	US Core MedicationRequest	Active prescriptions and medication orders
AllergyIntolerance	US Core AllergyIntolerance	Drug and food allergies with severity
Procedure	US Core Procedure	Surgical and diagnostic procedures
Encounter	US Core Encounter	Visit records, admission/discharge
DocumentReference	US Core DocumentReference	C-CDA documents, clinical notes, imaging reports
DiagnosticReport	US Core DiagnosticReport	Lab panels, pathology, radiology reports
CarePlan	US Core CarePlan	Care coordination plans and goals

Federal Readiness

AWS GovCloud Alignment

A 1:1 mapping between our commercial AWS services and their GovCloud equivalents — no architectural changes required.

Category	Commercial AWS	GovCloud Equivalent	Status
Identity & Access	Amazon Cognito	Amazon Cognito (GovCloud)	Available
Relational Database	Aurora Serverless v2 (PostgreSQL)	Aurora Serverless v2 (GovCloud)	Available
Compute	AWS App Runner	AWS App Runner (GovCloud)	Available
Object Storage	Amazon S3 (KMS-SSE)	Amazon S3 (GovCloud)	Available
AI / LLM	Amazon Bedrock (Claude)	Amazon Bedrock (GovCloud)	Available
Contact Center	Amazon Connect	Amazon Connect (GovCloud)	Available
Email	Amazon SES	Amazon SES (GovCloud)	Available
Messaging	Amazon Pinpoint / SNS	Amazon SNS (GovCloud)	Available
IaC / Deployment	AWS CDK / CloudFormation	AWS CDK / CloudFormation (GovCloud)	Available
Secrets	AWS Secrets Manager	AWS Secrets Manager (GovCloud)	Available

10 out of 10 AWS services used by KaiCare are available in GovCloud. Migration requires updating account configuration and endpoint references — the application code, database schema, and CDK infrastructure definitions remain identical.

Discuss GovCloud Migration