Overview

CHAMP is a multi-tenant, web-delivered platform that converts any cognitive test into a same-day care plan. This page is a self-contained blueprint for developers: architecture, data models, APIs, security, TMF retention, and operational guardrails.

Any-Test-In → Plan-Out HIPAA · SOC2 WORM TMF (20 years) De-ID Analytics Lake

Key principles and constraints we designed around.

Architecture

Any-Test-In → Plan-Out process

Who actually tests

Tenancy & Identity

Tenants: Individuals, Practices, Organizations (IDN/senior-care/associations) with hierarchical Sites and Care Teams. Identity via OIDC/SAML for staff and expiring magic links for patients/caregivers.

RBAC/ABAC: OrgAdmin, SiteAdmin, Clinician, MA/RN, CareManager, Patient, Caregiver — gated by tenant/site/patient/consent scopes.
Delegation: patients grant caregivers granular access (view PMP, plan, messages).
SSO/2FA: enterprise SSO + second factor for admins.

Data Domains & Personal TMF Vault

Clinical Domain Objects

PMPForm, DOTForm, Assessment (CHAMP/MoCA/MMSE/SLUMS/Mini-Cog/Clock/RBANS), Autonarrative, MedicationList (RxNorm+risk), Consent, Message.

TMF Vault (20-year WORM)

/{'{tenant}'}/{'{site}'}/{'{patient_uuid}'}/
  01_Identity_Consents/
  02_PMP/
  03_DOT/
  04_Tests/
  05_Reports/
  06_Comms/
  07_External/
  08_Audit/
  09_Retention/

Immutability: object versioning + SHA-256; exportable TMF bundle (PDF/JSON/CSV + manifest).

Core Workflows

A) Individual Self-Serve

Magic link → PMP (mobile) → submit
DOT + brief screen at visit
Scores ingested → same-day clinician brief & caregiver plan
Retest cadence suggested; nudges scheduled

B) Practice Intake (MA/RN-led)

Roster/EHR sync → PMP invites
DOT + screen at intake → scores logged
Plan delivered before checkout; referral packet if needed
TMF auto-files; de-ID dashboards update

C) Organization/Association Cohorts

White-label landing; cohort PMP links
De-ID dashboards: adoption, utility, expansion intent
Caregiver resource delivery; specialist coordination

API Catalog (v1)

Identity & Access

POST /v1/tenants/{{tenantId}}/patients
POST /v1/patients/{{id}}/magic-link
POST /v1/patients/{{id}}/caregivers

PMP & DOT

POST /v1/patients/{{id}}/pmp
GET  /v1/patients/{{id}}/pmp?version=latest
POST /v1/patients/{{id}}/dot
GET  /v1/patients/{{id}}/dot?date=YYYY-MM-DD

Assessments & Reports

POST /v1/patients/{{id}}/assessments
GET  /v1/patients/{{id}}/assessments?type=MoCA
POST /v1/patients/{{id}}/autonarratives
GET  /v1/patients/{{id}}/autonarratives

Medications & Drug Safety

POST /v1/patients/{{id}}/medications
GET  /v1/drug-check?rxnorm=...

TMF & Messaging

GET  /v1/tmf/{{patientUuid}}/manifest
POST /v1/tmf/{{patientUuid}}/export
POST /v1/messages
GET  /v1/messages?participant=patientId

De-Identified Analytics

GET  /v1/analytics/deid/pilot-kpis?tenant=...

Auth: OAuth2/OIDC bearer tokens; scopes by RBAC/ABAC; all writes log to Event Ledger.

Example Assessment Payload

{
  "type": "MoCA",
  "datetime": "2025-10-08T21:10:00Z",
  "admin_by_user": "user_abc",
  "subscores": { "visuospatial": 3, "naming": 3, "attention": 4, "language": 2, "abstraction": 2, "delayed_recall": 3, "orientation": 5 },
  "total": 22,
  "artifacts": [{ "kind": "image/png", "filename": "clock.png", "contentBase64": "..." }],
  "notes": "hearing aid off; reschedule for retest"
}

Security, Privacy & Compliance

Controls

TLS 1.2+; AES-256 at rest; per-tenant envelope keys (KMS/HSM)
VPC isolation; WAF; DDoS; no public DB endpoints
Least-privilege RBAC/ABAC; 2FA; IP allowlists (optional)
No PHI in email/SMS; expiring signed links only

Audit & Retention

Append-only Event Ledger (hash-chained); export to SIEM
TMF Vault: WORM policy; 20-year retention; legal holds
One-click TMF bundle export (PDF/JSON/CSV + manifest)

De-Identification & Analytics

Pipeline: tokenize PHI → k-anonymity + date shifting → irreversible pseudonyms
Catalog & lineage: column-level tags; job approvals; access by role
Pilot KPIs: %PMP, %DOT, %same-day plans, time-to-plan, expansion intent

Operations & Delivery

Environments & CI/CD

Dev → Staging (synthetic PHI) → Prod
IaC (Terraform), blue/green deploys, feature flags
Backups & DR: encrypted snapshots; cross-region; restore drills

Observability

Metrics: p95 latency, error %, queue depth, job SLA
Logs: structured JSON; PII scrubbing; retention policies
Alerts: SLO breaches, auth anomalies, WORM write failures