Georgia VA Technical Architecture

The EMR-Agnostic Bridge: End-to-End Data Flow

A detailed view of how clinical data travels from any Georgia community EMR — Epic, Oracle Health, athenahealth, or eClinicalWorks — through the KaiCare platform, across GaHIN, and into the VA Federal Electronic Health Record at Atlanta, Augusta, and Dublin.

  • Georgia Community EMR: Epic (Emory/Piedmont) / Oracle / athena / eCW
  • FHIR R4 + HL7 v2: C-CDA, ADT, ORU, SIU
  • KaiCare Ingestion: Parse, Validate, De-duplicate
  • USCDI v3 Normalizer: US Core FHIR Profiles
  • GaHIN / Carequality: Georgia's State HIE
  • Federal EHR: VistA/CPRS → Oracle Health

Compliance

HIPAA-First Design, VA-Ready

Security and privacy are the foundation the Georgia VA deployment is built on — not an afterthought bolted on before an ATO package.

Multi-Tenant Isolation

Every database query enforces organizationId filtering per HIPAA 164.312(a)(1). Data belonging to an Atlanta community practice is never accessible to an Augusta or Dublin tenant — and VA tenant data is isolated from commercial tenants.

  • Row-level isolation via Prisma middleware
  • Separate Cognito user pools per portal type and geography
  • Network isolation with VPC and private subnets in AWS us-east-1
  • Encryption at rest (AES-256) and in transit (TLS 1.3)
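
A sketch of what row-level scoping in a Prisma-style middleware has to do, added here as an illustration and not taken from KaiCare's code. The model list, `scopeToTenant` and `getTenantId` are hypothetical names; only the `{ model, action, args }` params shape and the `(params, next)` signature follow Prisma middleware.

```typescript
// Added example, not KaiCare code. The { model, action, args } shape mirrors
// Prisma middleware params; TENANT_MODELS and scopeToTenant are hypothetical.
type QueryParams = { model?: string; action: string; args?: Record<string, any> };

// Assumed list of models that carry an organizationId column.
const TENANT_MODELS = new Set(["Patient", "Encounter", "Document"]);

// Single-row actions are rewritten to filterable equivalents so the tenant
// predicate can be ANDed in (updateMany/deleteMany return a count, not a row).
const REWRITE = new Map([
  ["findUnique", "findFirst"], ["update", "updateMany"], ["delete", "deleteMany"],
]);
const FILTERED = new Set(["findFirst", "findMany", "count", "updateMany", "deleteMany"]);

function scopeToTenant(params: QueryParams, organizationId?: string): QueryParams {
  // Calls with no model (raw SQL) cannot be rewritten here, so they are refused.
  if (!params.model) throw new Error(`raw action refused: ${params.action}`);
  if (!TENANT_MODELS.has(params.model)) return params;
  // Fail closed: never touch a tenant-owned model without a tenant context.
  if (!organizationId) {
    throw new Error(`no tenant context for ${params.model}.${params.action}`);
  }
  const action = REWRITE.get(params.action) ?? params.action;
  const args = { ...(params.args ?? {}) };

  if (FILTERED.has(action)) {
    // AND keeps the tenant predicate binding even if the caller supplied its
    // own organizationId or an OR branch in `where`.
    args.where = { AND: [args.where ?? {}, { organizationId }] };
    return { ...params, action, args };
  }
  if (action === "create") {
    // Spread order matters: the server-side tenant id overwrites caller input.
    args.data = { ...(args.data ?? {}), organizationId };
    return { ...params, action, args };
  }
  // Anything not explicitly handled (upsert, createMany, ...) is refused.
  throw new Error(`unscoped action refused: ${params.model}.${params.action}`);
}

// Wiring sketch: same (params, next) signature as a Prisma middleware function.
// getTenantId is a hypothetical lookup of the caller's verified organizationId.
function tenantMiddleware(getTenantId: () => string | undefined) {
  return async (params: QueryParams, next: (p: QueryParams) => Promise<unknown>) =>
    next(scopeToTenant(params, getTenantId()));
}
```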

Comprehensive Audit Trails

Every data mutation (create, update, delete) writes an AuditLog entry with userId, timestamp, action, and affected resource — required for VA ATO, 38 CFR alignment, and HIPAA 164.312(b).

  • Immutable audit log stored in Aurora PostgreSQL
  • CloudTrail integration for infrastructure-level events
  • Automatic PHI access logging per 164.312(b)
  • Configurable retention policies (7-year default)

PHI Protection

Protected Health Information is never logged to CloudWatch, console output, or error reporting services — a hard rule enforced in code review and via Prisma logging configuration.

  • Prisma logging restricted to errors only
  • Structured error responses strip PHI before transmission
  • S3 objects encrypted with AWS KMS customer-managed keys
  • Phone numbers normalized to E.164 and stored encrypted
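
One way to build error responses and log records that cannot carry PHI, added here as an illustration and not taken from KaiCare's code. `PUBLIC_ERRORS`, `toSafeResponse`, `toLogRecord` and the error codes are hypothetical, and the sample error is constructed.

```typescript
// Added example, not KaiCare code. PUBLIC_ERRORS, toSafeResponse and
// toLogRecord are hypothetical names; the sample error below is constructed.
type SafeResponse = { status: number; code: string; message: string; correlationId: string };

// Allowlist: the only text a client ever sees is a fixed string keyed by code.
const PUBLIC_ERRORS = new Map<string, { status: number; message: string }>([
  ["VALIDATION_FAILED", { status: 400, message: "Request failed validation" }],
  ["FORBIDDEN", { status: 403, message: "Access denied" }],
  ["NOT_FOUND", { status: 404, message: "Resource not found" }],
  ["CONFLICT", { status: 409, message: "Resource already exists" }],
]);
const FALLBACK = { status: 500, message: "Internal error" };

// Unknown or missing codes collapse to INTERNAL rather than being echoed.
function errorCode(err: unknown): string {
  const code = (err as { code?: unknown } | null)?.code;
  return typeof code === "string" && PUBLIC_ERRORS.has(code) ? code : "INTERNAL";
}

// Response body: built from the allowlist, never from err.message or err.meta,
// because driver and validation errors routinely embed the offending values.
function toSafeResponse(err: unknown, correlationId: string): SafeResponse {
  const code = errorCode(err);
  const pub = PUBLIC_ERRORS.get(code) ?? FALLBACK;
  return { status: pub.status, code, message: pub.message, correlationId };
}

// Log record: error class and code only, tied to the response by correlationId.
function toLogRecord(err: unknown, correlationId: string): Record<string, string> {
  const kind = err instanceof Error ? err.constructor.name : typeof err;
  return { level: "error", kind, code: errorCode(err), correlationId };
}

// Constructed sample: a uniqueness failure whose message carries a phone number.
const sampleError = Object.assign(
  new Error("Unique constraint failed: phone=+14045550123 name=Jane Doe"),
  { code: "CONFLICT", meta: { target: ["phone"] } },
);
```

The correlation id is the only link between what the client sees and what the operator can look up, so the full error detail has to live somewhere with the same access controls as the PHI itself.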

Access Control

Invitation-only authentication with MFA required for all provider-facing portals — designed for the named-MA care model where one person owns the veteran relationship.

  • TOTP MFA for providers and MAs, SMS MFA for veterans
  • 1-hour token expiry, 24-hour max session, 30-min idle timeout
  • JWT verification on every API request
  • Role-scoped data access (Doctor, MA, CPA, Admin, Participant)
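
How the three session limits above interact on each request, added here as an illustration and not taken from KaiCare's code. The `Session` record and `evaluateSession` are hypothetical, and timestamps are assumed to be recorded server-side in epoch seconds.

```typescript
// Added example, not KaiCare code. The three limits are the ones listed above;
// the Session record and evaluateSession are hypothetical names.
const TOKEN_TTL_S = 60 * 60;        // 1-hour token expiry
const MAX_SESSION_S = 24 * 60 * 60; // 24-hour max session
const IDLE_TIMEOUT_S = 30 * 60;     // 30-minute idle timeout

type Session = {
  sessionStart: number; // epoch seconds of the interactive (MFA) login
  tokenIssued: number;  // epoch seconds the current access token was issued
  lastActivity: number; // epoch seconds of the last authenticated request
};
type Verdict = { action: "allow" | "refresh" | "reauthenticate"; reason: string };

function evaluateSession(s: Session, now: number): Verdict {
  const stamps = [s.sessionStart, s.tokenIssued, s.lastActivity];
  // Reject records that are malformed, dated in the future, or internally
  // inconsistent (a token cannot predate the login that produced it).
  if (stamps.some((t) => !Number.isFinite(t) || t > now) || s.tokenIssued < s.sessionStart) {
    return { action: "reauthenticate", reason: "inconsistent timestamps" };
  }
  // Absolute cap first: no amount of activity or refreshing extends it.
  if (now - s.sessionStart >= MAX_SESSION_S) {
    return { action: "reauthenticate", reason: "max session exceeded" };
  }
  // Idle check before token check: an idle session must not be revived by
  // silently refreshing its expired token.
  if (now - s.lastActivity >= IDLE_TIMEOUT_S) {
    return { action: "reauthenticate", reason: "idle timeout" };
  }
  if (now - s.tokenIssued >= TOKEN_TTL_S) {
    return { action: "refresh", reason: "token expired" };
  }
  return { action: "allow", reason: "within all limits" };
}
```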

Standards

Interoperability Standards — USCDI v3 and GaHIN

Full alignment with USCDI v3 and US Core FHIR profiles — the federal standard for health data exchange — and integration with GaHIN, Georgia's state-designated HIE, for statewide provider reach.

USCDI v3 Data Classes (19 Classes Supported)

Allergies and Intolerances
Assessment and Plan of Treatment
Care Team Members
Clinical Notes
Clinical Tests
Diagnostic Imaging
Encounter Information
Goals
Health Concerns
Health Insurance Information
Immunizations
Laboratory
Medications
Patient Demographics
Problems (Conditions)
Procedures
Provenance
Vital Signs
Unique Device Identifiers

FHIR US Core Profile Mapping

| FHIR Resource | US Core Profile | Data Exchanged |
|---|---|---|
| Patient | US Core Patient | Demographics, identifiers, contact information |
| Condition | US Core Condition | Active diagnoses, problem list entries |
| Observation | US Core Vital Signs / Lab Result | Vitals, lab values, social history |
| MedicationRequest | US Core MedicationRequest | Active prescriptions and medication orders |
| AllergyIntolerance | US Core AllergyIntolerance | Drug and food allergies with severity |
| Procedure | US Core Procedure | Surgical and diagnostic procedures |
| Encounter | US Core Encounter | Visit records, admission/discharge |
| DocumentReference | US Core DocumentReference | C-CDA documents, clinical notes, imaging reports |
| DiagnosticReport | US Core DiagnosticReport | Lab panels, pathology, radiology reports |
| CarePlan | US Core CarePlan | Care coordination plans and goals |

Georgia Data Destinations

  • Atlanta VAHCS (Station 508): Joseph Maxwell Cleland AVAMC, Decatur — 50-county catchment, 183,918 enrollees
  • Augusta (Station 509): Charlie Norwood VAMC — SCI center, Women Veterans Health Clinic, Eastern GA / Western SC
  • Dublin (Station 557): Carl Vinson VAMC — 40,000 veterans across 49 middle/south GA counties

Data arrives at each facility via GaHIN + Carequality — bidirectional, normalized, validated.

Federal Readiness

AWS GovCloud Alignment

A 1:1 mapping between our commercial AWS services and their GovCloud equivalents — no architectural changes required to take the Georgia deployment through FedRAMP.

| Category | Commercial AWS | GovCloud Equivalent | Status |
|---|---|---|---|
| Identity & Access | Amazon Cognito | Amazon Cognito (GovCloud) | Available |
| Relational Database | Aurora Serverless v2 (PostgreSQL) | Aurora Serverless v2 (GovCloud) | Available |
| Compute | AWS App Runner | AWS App Runner (GovCloud) | Available |
| Object Storage | Amazon S3 (KMS-SSE) | Amazon S3 (GovCloud) | Available |
| AI / LLM | Amazon Bedrock (Claude) | Amazon Bedrock (GovCloud) | Available |
| Contact Center | Amazon Connect | Amazon Connect (GovCloud) | Available |
| Email | Amazon SES | Amazon SES (GovCloud) | Available |
| Messaging | Amazon Pinpoint / SNS | Amazon SNS (GovCloud) | Available |
| IaC / Deployment | AWS CDK / CloudFormation | AWS CDK / CloudFormation (GovCloud) | Available |
| Secrets | AWS Secrets Manager | AWS Secrets Manager (GovCloud) | Available |

10 out of 10 AWS services used by KaiCare are available in GovCloud. Migration requires updating account configuration and endpoint references — the application code, database schema, and CDK infrastructure definitions remain identical. The Georgia deployment can be promoted to GovCloud without rewriting a single line of application logic.
