OrderIQ

Privacy is foundational. Not an afterthought.

OrderIQ was designed from the ground up for PHIPA compliance and Canadian healthcare data governance. Every architectural decision was made with patient privacy and institutional accountability in mind.

Compliance Architecture

Built for Ontario health information custodians

PHIPA-Ready Architecture

Designed to meet Ontario's Personal Health Information Protection Act requirements. Data governance controls are built into the platform, not configured after the fact.

On-Premise Deployment

OrderIQ runs entirely on your hospital network. Patient data never leaves your environment. For cloud-assisted features, Canadian data residency (GCP Montreal/Toronto) is enforced.

Complete Audit Trail

Every access, every modification, every approval, and every export is logged with user identity, timestamp, and IP address. Full governance visibility for your privacy officer.

Encryption at Rest

AES-256-GCM PDF Encryption

Every ingested PDF is encrypted on disk using AES-256-GCM with PBKDF2 key derivation. Files are automatically decrypted when served to authorized users and re-encrypted when returned to storage. Plaintext data never persists on disk.

  • AES-256-GCM with 100K PBKDF2 iterations
  • Auto-detect: encrypted files handled transparently
  • Encryption key never stored alongside data
  • Lifecycle: encrypt on ingest → decrypt on serve → purge
// File format
RFLOW01\0     ↳ magic header
salt          [16 bytes]
nonce         [12 bytes]
ciphertext    [N bytes]
AES-256-GCM · PBKDF2 · 100K iterations
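
The layout above can be checked from the outside. The following is an added example, not OrderIQ's own code: it classifies a stored blob, splits a container into its fields, and derives the AES-256 key. Assumptions not stated on the page: PBKDF2 uses HMAC-SHA-256, the key comes from a passphrase, a 16-byte GCM tag is appended to the ciphertext, and all function names are hypothetical.

```python
import hashlib
from dataclasses import dataclass

MAGIC = b"RFLOW01\x00"        # magic header shown in the file format
SALT_LEN, NONCE_LEN = 16, 12  # field sizes shown in the file format
PBKDF2_ITERATIONS = 100_000   # "100K PBKDF2 iterations"
GCM_TAG_LEN = 16              # assumption: GCM tag is appended to the ciphertext
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


@dataclass(frozen=True)
class Container:
    salt: bytes
    nonce: bytes
    ciphertext: bytes         # assumed to end with the GCM tag


def classify(blob: bytes) -> str:
    """Auto-detect step, plus a check for PDFs left unencrypted in storage."""
    if blob.startswith(MAGIC):
        return "encrypted"
    if blob.startswith(b"%PDF-"):
        return "plaintext-pdf"
    return "unknown"


def parse_container(blob: bytes) -> Container:
    """Split a blob into salt, nonce and ciphertext, rejecting malformed input."""
    if classify(blob) != "encrypted":
        raise ValueError("missing RFLOW01 magic header")
    if len(blob) < HEADER_LEN + GCM_TAG_LEN:
        raise ValueError("truncated container: too short to hold a GCM tag")
    body = blob[len(MAGIC):]
    return Container(
        salt=body[:SALT_LEN],
        nonce=body[SALT_LEN:SALT_LEN + NONCE_LEN],
        ciphertext=body[SALT_LEN + NONCE_LEN:],
    )


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """PBKDF2 at 100K iterations to a 32-byte key (HMAC-SHA-256 is assumed)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt,
                               PBKDF2_ITERATIONS, dklen=32)


# Constructed sample: header fields followed by 20 placeholder bytes,
# not real ciphertext.
SAMPLE = MAGIC + bytes(range(16)) + bytes(range(100, 112)) + b"\xAA" * 20
```

Running `classify` over every file in the storage directory and flagging anything that returns `plaintext-pdf` is a quick way to test the claim that plaintext never persists on disk.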

Role Permissions

Action Admin Radiologist Tech Viewer
View worklist
Import / ingest
Approve / protocol
Control panel
Delete / purge
Authentication & RBAC

Role-based access control

Four distinct roles (admin, radiologist, technologist, and viewer) each carry a precisely scoped permission set. Sessions are backed by Redis with an 8-hour expiry (one hospital shift). Secure, HttpOnly cookies keep the session ID out of reach of page scripts, which guards against session hijacking.

  • Redis-backed sessions, 8-hour shift expiry
  • bcrypt password hashing with per-user salts
  • HttpOnly + SameSite session cookies
  • No self-registration — accounts are admin-provisioned
Audit Logging

Every action. Every user. Every time.

The audit middleware captures every PHI access, clinical modification, and administrative action. Logs are stored indefinitely and exportable to CSV for privacy officer review or regulatory reporting.

  • AUTH · PHI · MODIFY · ADMIN · SYSTEM categories
  • User, role, IP, action, resource ID, status code
  • CSV export via admin-only endpoint
  • Stored indefinitely per PHIPA retention guidance
// Audit log entry
{
  "timestamp": "2026-03-30T14:22:11Z",
  "user": "[email protected]",
  "role": "radiologist",
  "category": "PHI",
  "action": "VIEW_ORDER",
  "resource_id": "ord_7f3a...",
  "ip": "10.0.0.45",
  "status": 200
}
Data Residency

Patient data stays where it belongs

🏥 On-Premise (Recommended)

Core system — database, Redis, FHIR server, PDFs — runs entirely on hospital infrastructure. Zero patient data leaves the network. AI processing uses locally deployed models.

🇨🇦 Cloud-Assisted (Canadian)

When cloud AI is used, processing is restricted to Google Cloud Montreal (northamerica-northeast1) or Toronto (northamerica-northeast2) with a signed PHIPA Data Processing Agreement.