For operators

The architect's view of Conceptual Health.

Whether you're standing up your first clinic, federating an MSO across many sites, or evaluating CH as a replacement for your existing EHR + RCM + analytics stack — this is the operator-grade material. Architecture diagrams. Deployment models. Integration surfaces. Governance. SLAs. The numbers your security team is going to ask for, before they ask.

If you are a

Clinic owner

Independent primary care, dental, optometry, vet, or pharmacy. CH replaces your EHR, billing, scheduling, payroll, and analytics — at $0 in software cost, in exchange for joining the network.

Deployment options →

If you are a

MSO / health system

Federate multiple clinics under unified clinical, operational, and financial governance. Multi-tenant, multi-region, with org-level analytics and roll-up.

MSO architecture →

If you are a

CMIO / IT director

You need to know what we replace, what we integrate with, what we expose, and what controls your auditors will see. Architecture decks, FHIR endpoints, identity model.

Integration surface →

If you are a

Compliance & legal

BAA, DPA, SOC 2, HITRUST, ISO 27001/27701, HIPAA, GDPR, state breach laws. The packet your reviewers want.

Compliance posture →

Deployment models

Three ways to run on us.

All three deployments use the same code, the same FHIR/OMOP surfaces, and the same trust controls. They differ in who operates the infrastructure, who holds the keys, and where data crosses your perimeter.

Model 01

Hosted on CH Cloud

Default for most clinics. CH operates the full stack — Vault, Ledger, Authority. You get a tenant in our multi-region production fabric.

  • Zero infrastructure on your side
  • Continuous updates, no maintenance window
  • Region pinning available
Operator burden: none
Best for: single-clinic up through small MSO

Model 03

Self-hosted (BYOC)

You operate the entire stack inside your own cloud account. CH ships signed Helm charts + Terraform modules; we provide L3 support against your infrastructure.

  • You hold all keys, all data, all logs
  • Air-gap mode supported (FedRAMP, defense path)
  • K8s 1.28+, Postgres 16+, your existing IdP
Operator burden: heavy (full ops)
Best for: federal, defense, sovereign deployments

Time-to-live targets are published per deployment in your engagement plan. Each go-live moves through the compliance posture from Architected to Active when the per-surface BAA, security review, and customer acceptance are signed.

Architecture, top-down

Six layers. Every one of them swappable, observable, signed.

The full stack runs across six logical tiers. Tier 0 is the cryptographic root; you can verify every layer above it with a published signature. We treat the architecture as a public contract — the diagrams below are excerpts from the deck we send to your reviewers.

Tier 06 · Surface
React · TypeScript · WebSocket
Surfaces & clients

Patient hub (PWA), clinic stations, ops consoles, regulator portal, researcher exchange. All built on the same component kit; all under three-tier RBAC behind the same auth.

Tier 05 · API
FHIR R4 · OMOP CDM · GraphQL
API surface

FHIR R4 (USCDI v4) for clinical, OMOP for research, GraphQL for product, gRPC for system-to-system. Every call is HMAC-signed and logged to the Ledger.

Tier 04 · Service
Go · Rust · TypeScript
Domain services

Encounter, Scribe, Pharmacy, Labs, Imaging, Scheduling, Billing, Claims, Network, Authority. ~40 services total, each independently deployable.

Tier 03 · Master Equation
Python · Triton inference
Eight-axis scoring engine

Continuously scores every patient on the eight axes. Daily re-score; on-demand re-score on new encounter. Reference implementation locked by 50 golden vectors across JS + Python — CI fails on drift.

Tier 02 · Ledger
Postgres 16 + Merkle log
HCC Ledger & Authority

Append-only, Merkle-rooted, externally witnessed. Tracks issuance, settlement, redemption of HCC. The Authority sets the HCC reference rate per its published cadence.

Tier 01 · Vault
Sharded · KMS · HSM-rooted
DataVault

Encryption at rest with per-record DEK, per-tenant KEK, HSM-rooted master. k-anonymity ≥ 5 enforced before any export. Statistician-signed cohorts only.

Tier 00 · Trust root
Hardware · Shamir-split quorum
Cryptographic root + governance

Root key held under Shamir custody by named officers; quorum required for rotation. Recorded and witnessed by external auditor. Last rotation timestamp + signers published on the trust hub.
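An added example, not Conceptual Health's code: what an export gate of the kind the Tier 01 Vault card describes (k-anonymity ≥ 5 before any export) has to check. The quasi-identifier fields, the generalization rules, and the sample cohort are assumptions constructed for illustration.

```python
from collections import Counter

K_MIN = 5  # threshold stated on the page: k-anonymity >= 5 before any export
QI_FIELDS = ("age_band", "zip3", "sex")  # assumed quasi-identifiers

def generalize(row):
    """Coarsen quasi-identifiers: 10-year age band, 3-digit ZIP prefix, sex."""
    lo = (row["age"] // 10) * 10
    return (f"{lo}-{lo + 9}", row["zip"][:3] + "**", row["sex"])

def equivalence_classes(rows):
    """Number of rows sharing each generalized quasi-identifier tuple."""
    return Counter(generalize(r) for r in rows)

def k_of(rows):
    """k of a dataset is the size of its smallest equivalence class."""
    classes = equivalence_classes(rows)
    return min(classes.values()) if classes else 0

def export_gate(rows, k=K_MIN, allow_suppression=False):
    """Return (releasable_rows, suppressed_count) or raise PermissionError.

    Released rows carry only the generalized quasi-identifiers; shipping the
    raw age/ZIP next to them would undo the guarantee the check just proved.
    """
    classes = equivalence_classes(rows)
    small = {qi: n for qi, n in classes.items() if n < k}
    if small and not allow_suppression:
        raise PermissionError(f"export blocked: {len(small)} class(es) below k={k}")
    released = [dict(zip(QI_FIELDS, generalize(r)), dx=r["dx"])
                for r in rows if generalize(r) not in small]
    return released, sum(small.values())

# Constructed sample cohort: two classes that meet k=5 and one of size 2.
SAMPLE = (
    [{"age": 31 + i, "zip": f"9410{i}", "sex": "F", "dx": "E11"} for i in range(6)]
    + [{"age": 42 + i, "zip": f"1000{i}", "sex": "M", "dx": "I10"} for i in range(5)]
    + [{"age": 74, "zip": "60601", "sex": "F", "dx": "C50"},
       {"age": 78, "zip": "60614", "sex": "F", "dx": "C50"}]
)

if __name__ == "__main__":
    print("k of raw cohort:", k_of(SAMPLE))
    try:
        export_gate(SAMPLE)
    except PermissionError as exc:
        print(exc)
    released, dropped = export_gate(SAMPLE, allow_suppression=True)
    print(len(released), "rows released,", dropped, "suppressed")
```

Passing this check does not rule out attribute disclosure: in the constructed cohort every member of a class shares one diagnosis, so a reviewer should also ask how sensitive values are distributed within each class.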

Integration surface

What we replace, what we integrate.

CH is not a bolt-on — it is the EHR, the billing system, the scheduling system, the analytics stack, and the patient portal. Below is what we replace outright vs. what we integrate with, plus the standard interface for each.

| System | How we relate | Interface |
|---|---|---|
| EHR | Full replacement. We are the chart-of-record. Migration tooling for the major incumbents — Epic, Cerner, athena, NextGen, Practice Fusion. | FHIR R4 · USCDI v4 |
| Billing & RCM | Full replacement. We do not bill patients — but we bill payers if you opt in, with native 837P/837I/835 cycles. | X12 5010 · ANSI 837/835 |
| Pharmacy | Full replacement at owned in-network pharmacies. Integrate with external dispensing pharmacies. | NCPDP SCRIPT 2017+ |
| Lab systems (LIS) | Bidirectional integration to LabCorp, Quest, regional reference labs, and any HL7 v2.5+ LIS. | HL7 v2 · FHIR R4 |
| PACS / imaging | Integrate. We don't store pixel data; we store FHIR ImagingStudy + signed reads. Pixel data stays in your PACS. | DICOMweb · FHIR R4 |
| Identity (SSO) | Integrate. We are not your IdP. Bring SAML 2.0 or OIDC; we federate roles via SCIM. | SAML 2.0 · OIDC · SCIM |
| HIE / state registries | Integrate. Direct messaging, IHE XCA/XCPD, state immunization registries (IIS), syndromic surveillance. | IHE · Direct · HL7 v2 |
| SIEM / observability | Integrate. Stream all admin actions, auth events, and ledger writes to your Splunk, Datadog, or syslog endpoint. | OpenTelemetry · syslog |
| Payroll / HRIS | Integrate. We compute clinician compensation against the network rate card; we don't run payroll. | SCIM · webhook · CSV |
| Analytics warehouse | Replace or integrate. We export to Snowflake / BigQuery / Databricks if you want a copy outside the Vault. | OMOP CDM v5.4 |

Onboarding timeline

From contract signed to first encounter, in roughly 30 days.

For a single clinic on Hosted CH Cloud. MSO and self-hosted timelines scale with clinic count and your security review cadence. The four-week shape is consistent.

Week 01

Contracts & security review

  • BAA + DPA signature
  • Diligence packet review
  • Architecture deep-dive
  • Tenant provisioning

Week 02

Identity & data migration

  • SAML/OIDC federation
  • Role mapping
  • EHR export → FHIR import
  • Patient consent campaign

Week 03

Clinical & operational config

  • Visit type catalog
  • Clinician schedules
  • Pharmacy formulary
  • Pricing & payer rules

Week 04

Pilot & training

  • Staff dry-run encounters
  • Scribe calibration
  • Master Equation seeding
  • Final acceptance test

Next step

Schedule an architecture review — we'll send the diligence packet ahead.

A 60-minute working session with the architecture team plus the compliance officer. We'll walk the six-layer stack against your environment, scope your deployment model, and surface every question your security review will ask. The diligence packet — BAA, DPA, SOC posture, breach SOP, model cards — lands in your inbox before the call.