# Data model & privacy

> What data Veridian Health collects, how it flows between kiosk and dashboard, and how privacy is enforced.

<Note>
  **Early-stage documentation.** Field names, schema details, and retention
  policies may be refined before production launch. This page describes
  current product intent.
</Note>

Veridian Health handles **Protected Health Information (PHI)** in a custody
context. This page documents the core data entities, how they flow between
the inmate kiosk and provider dashboard, and the privacy controls applied at
each layer.

For organization-wide security posture, see also [Security overview](/security/overview) and [HIPAA](/security/hipaa).

## Core entities

| Entity                  | Description                                                               | Created by             |
| ----------------------- | ------------------------------------------------------------------------- | ---------------------- |
| **Organization (Jail)** | A purchasing facility with its own users, devices, and provider approvals | Veridian admin         |
| **Referral**            | A medical staff request to assess a specific inmate                       | Facility medical staff |
| **Kiosk session**       | An inmate intake instance — photos, questionnaire, metadata               | Inmate kiosk           |
| **Case**                | A kiosk session linked to a referral, ready for provider review           | Platform (on submit)   |
| **Recommendation**      | PT-authored clinical output attached to a case                            | Provider dashboard     |
| **Provider**            | A licensed PT enrolled in Veridian's network                              | Veridian credentialing |
| **Audit event**         | Immutable log entry for access and state changes                          | Platform               |

## Data flow

```
Referral ──► Kiosk Session ──► Case ──► Recommendation
   │              │               │            │
   │              │               │            └──► Facility medical staff
   │              │               └──► Provider dashboard
   │              └──► 4 photos + questionnaire (PHI)
   └──► Inmate identifier + clinical context
```

### Referral data

Minimum fields required to initiate a kiosk session:

* Inmate identifier (per jail convention)
* Chief complaint / reason for referral
* Referring staff identifier
* Urgency and facility constraints (optional)

Referrals do **not** require full medical records or external EHR exports.

### Kiosk session data

| Field group          | Examples                                   | Classification              |
| -------------------- | ------------------------------------------ | --------------------------- |
| **Images**           | Front, back, left, right photos            | PHI                         |
| **Questionnaire**    | Pain location, severity, history, mobility | PHI                         |
| **Session metadata** | Timestamps, device ID, completion status   | PHI (when linked to inmate) |
| **Exception flags**  | Skipped photos, timeout events             | PHI (when linked to inmate) |

Images are encrypted in transit and at rest immediately upon capture.

### Case and recommendation data

| Field group                 | Examples                                      | Classification            |
| --------------------------- | --------------------------------------------- | ------------------------- |
| **AI analysis output**      | Preliminary MSK patterns, red-flag scores     | PHI                       |
| **Provider recommendation** | Assessment, exercises, precautions, follow-up | PHI                       |
| **Provider actions**        | Review timestamps, sign-off events            | Audit (may reference PHI) |

## Access control model

Access follows **least privilege** by role and jail boundary:

| Role                    | Kiosk data          | Cases                 | Recommendations   | Admin    |
| ----------------------- | ------------------- | --------------------- | ----------------- | -------- |
| **Jail administrator**  | Config only         | All (own jail)        | All (own jail)    | Yes      |
| **Medical staff**       | Initiate sessions   | Read (own jail)       | Read (own jail)   | No       |
| **Custody staff**       | Initiate (optional) | Logistics only        | No                | No       |
| **Provider (approved)** | No direct access    | Read (approved jails) | Write             | No       |
| **Veridian ops**        | Break-glass only    | Break-glass only      | No routine access | Internal |

Providers cannot access cases from jails that have not approved them.
Cross-jail data isolation is enforced at the platform level.
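
The following sketch is an added example, not Veridian's implementation. It shows one way to enforce the Cases and Recommendations columns of the table above as a deny-by-default check that also emits the who/what/when/role audit event described under "Audit trail". The names `POLICY`, `Principal`, `authorize` and `AUDIT_LOG` are hypothetical. The code assumes that "All" means read and write, that provider writes are limited to approved jails, and that denied attempts are logged; custody "Logistics only" and ops break-glass access are not modelled and are therefore denied.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

OWN, APPROVED = "own_jail", "approved_jails"

# Constructed encoding of the Cases / Recommendations columns of the role table.
# Assumptions: "All" means read and write; provider writes are limited to
# approved jails. Roles or resources not listed here are denied by default.
POLICY = {
    ("jail_admin", "case"): ({"read", "write"}, OWN),
    ("jail_admin", "recommendation"): ({"read", "write"}, OWN),
    ("medical_staff", "case"): ({"read"}, OWN),
    ("medical_staff", "recommendation"): ({"read"}, OWN),
    ("provider", "case"): ({"read"}, APPROVED),
    ("provider", "recommendation"): ({"write"}, APPROVED),
}

@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str
    jail_id: Optional[str] = None            # home jail for facility roles
    approved_jails: frozenset = frozenset()  # jails that approved this provider

AUDIT_LOG = []  # hypothetical stand-in for the platform's audit event store

def authorize(p, action, resource, resource_jail, resource_id):
    """Return True only if role, action and jail boundary all permit the access."""
    actions, scope = POLICY.get((p.role, resource), (frozenset(), None))
    if scope == OWN:
        in_boundary = p.jail_id is not None and p.jail_id == resource_jail
    elif scope == APPROVED:
        in_boundary = resource_jail in p.approved_jails
    else:
        in_boundary = False  # no policy row for this role/resource: deny
    allowed = action in actions and in_boundary
    # Audit every decision (logging denials is an assumption): who, what, when, role.
    AUDIT_LOG.append({
        "who": p.user_id, "role": p.role, "action": action,
        "what": f"{resource}:{resource_id}", "jail": resource_jail,
        "when": datetime.now(timezone.utc).isoformat(), "allowed": allowed,
    })
    return allowed

if __name__ == "__main__":
    pt = Principal("pt-1", "provider", approved_jails=frozenset({"jail-a"}))  # constructed
    print(authorize(pt, "read", "case", "jail-a", "case-1"))  # jail that approved the provider
    print(authorize(pt, "read", "case", "jail-b", "case-2"))  # cross-jail attempt
    print(AUDIT_LOG[-1])
```
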

## Privacy principles

### Minimum necessary

Veridian Health collects only what the MSK triage workflow requires. We do
not ingest criminal history, disciplinary records, or unrelated clinical
data unless a jail explicitly provides clinically relevant context in a
referral field.

### Facility control

* Jails own referral and access decisions
* Jails approve which providers participate
* Assessment devices remain facility-controlled

### No inmate-facing clinical output (MVP)

Recommendations are delivered to authorized facility staff and provider
records — not displayed on the kiosk to the inmate by default.

### Audit trail

Every read and write on PHI-linked entities produces an audit event:
who, what, when, and from which role. Logs are exportable by jail
administrators for compliance review.

## Retention and deletion

| Data type                              | Default retention                           |
| -------------------------------------- | ------------------------------------------- |
| Kiosk sessions, cases, recommendations | Duration of jail relationship + 6 years     |
| Assessment images                      | Same as case record                         |
| Audit logs                             | 7 years                                     |
| Provider credentialing                 | Duration of provider relationship + 6 years |

Upon contract termination, jails receive a **30-day export window**, followed
by cryptographic erasure of PHI from active systems within 90 days. See
[Data handling](/security/data-handling) for full deletion procedures.

## Sub-processors

PHI may be processed by Veridian sub-processors (hosting, AI analysis
infrastructure) under signed BAAs. The current sub-processor list is
available to jail partners on request.

## Patient rights

Inmate HIPAA rights (access, amendment, accounting of disclosures) are
exercised through the jail as covered entity. Veridian supplies data to
authorized facility staff to fulfill requests.

## What's next

<CardGroup cols={2}>
  <Card title="HIPAA" icon="file-shield" href="/security/hipaa">
    Business Associate obligations in detail.
  </Card>

  <Card title="Data handling" icon="database" href="/security/data-handling">
    Retention, export, and deletion procedures.
  </Card>

  <Card title="Incident response" icon="bell" href="/security/incident-response">
    What happens if something goes wrong.
  </Card>
</CardGroup>
