Dermi Atlas Professional is designed with data sovereignty as a foundational principle. Unlike cloud-based imaging systems where data is stored by a third party, Dermi Atlas Professional uses a self-hosted architecture. This ensures that sensitive patient data, including clinical photographs, medical notes, and personal information, remains entirely within your control on your own infrastructure.
This article provides an overview of how Dermi Atlas Professional acts as a tool to support your practice's compliance with healthcare privacy regulations, including HIPAA (United States) and PIPEDA (Canada).
The Self-Hosted Model & Data Sovereignty
The core of Dermi’s security model is local data custody. Because the software runs on your local network, Dermi Inc. does not have access to, nor does it store, your patient health information.
Data Stored Locally (Your Responsibility):
- Patient photographs and clinical images
- Patient demographic information and notes
- Audit logs and activity records
- User account data
- System backups
Data Processed by Dermi (Vendor Responsibility):
- License verification and subscription status
- Software update checks
- Account security metadata (e.g., 2FA configuration, password reset initiation)
Because Dermi Inc. never receives or stores patient data, this separation means Dermi does not act as a "Business Associate" (under HIPAA) or a "Health Information Custodian" (under Canadian law) with respect to that data. Your practice retains full ownership and control.
Compliance Support Features
Dermi Atlas Professional provides technical features that allow practices to implement required administrative, technical, and physical safeguards.
Access Control
- Individual Accounts: Supports unique user identification.
- Strong Authentication: Enforces password complexity and supports Two-Factor Authentication (2FA).
- Session Management: Allows users to manage active sessions and remotely log out.
Audit & Accountability
- Activity Logging: Configurable logging levels track authentication, data access, and modifications.
- Granular History: Logs include timestamps, user IDs, IP addresses, and specific actions (e.g., "Viewed Patient," "Exported Entry").
- Local Storage: Audit logs are stored locally and included in your system backups. Because they live on your infrastructure, they are only as protected as the host and the backups that hold them, and they are only useful if someone reviews them.
Data Protection
- Encryption in Transit: Supports TLS encryption for network communications using self-signed certificates. A self-signed certificate is not trusted by devices automatically, so each client must be configured to trust that specific certificate (or the certificate must be replaced with one issued by a CA your devices already trust); otherwise staff will see certificate warnings, and clicking through them defeats the protection against interception. See Data Security Architecture for details.
- Safe Deletion: Critical data removal requires explicit confirmation steps to prevent accidental loss.
- Data Isolation: User accounts are isolated; users cannot view patient data belonging to other user accounts within the same deployment.
Consent Tools
- Workflow Integration: Configurable settings to prompt for consent before image capture.
- Documentation: Capabilities to record digital confirmation or verify external written consent.
Shared Responsibility Model
While Dermi provides the software tools, compliance is a shared responsibility.
Dermi's Responsibility:
- Provide secure, stable software free of known vulnerabilities.
- Deliver security updates and patches.
- Secure the administrative infrastructure (billing, licensing).
Your Practice's Responsibility:
- Physical Security: Securing the computer running Dermi Atlas Professional.
- Network Security: Configuring firewalls and securing your local network (Wi-Fi).
- Access Management: Creating accounts, managing passwords, enabling 2FA, and promptly disabling access when staff leave.
- Backup Strategy: Regularly running backups and storing them securely off-site, encrypted, since a backup contains the same patient data as the live system.
- Policy & Procedure: Establishing and enforcing internal privacy policies.
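Reviewing the audit log is where the Audit &amp; Accountability features above meet your practice's access-management and network-security duties. The script below is an added example, not part of Dermi Atlas Professional or its documentation: the log line format, field names, sample events, offboarding list and LAN range are all constructed assumptions (the Audit Logging Configuration article describes the real export format). It flags three things the logged fields make checkable: activity by an account that should already have been disabled, access from an IP address outside the practice network, and a burst of "Exported Entry" actions by one user in a day.

```python
"""Review an audit-log export for events a compliance officer should follow up on.

ASSUMPTION: one event per line, shaped like
    2024-03-04T09:13:02Z user=asmith ip=192.168.10.21 action="Viewed Patient" record=P-1042
This format is invented for the example; adapt parse_line() to the real export."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines, not real Dermi output.
SAMPLE_LOG = """\
2024-03-04T09:12:31Z user=asmith ip=192.168.10.21 action="Login"
2024-03-04T09:13:02Z user=asmith ip=192.168.10.21 action="Viewed Patient" record=P-1042
2024-03-04T09:20:45Z user=jdoe ip=192.168.10.30 action="Viewed Patient" record=P-1042
2024-03-04T09:21:10Z user=jdoe ip=192.168.10.30 action="Exported Entry" record=P-1042
2024-03-04T09:21:40Z user=jdoe ip=192.168.10.30 action="Exported Entry" record=P-1043
2024-03-04T09:22:05Z user=jdoe ip=192.168.10.30 action="Exported Entry" record=P-1044
2024-03-05T18:40:12Z user=bwong ip=192.168.10.44 action="Login"
2024-03-05T18:41:00Z user=bwong ip=192.168.10.44 action="Viewed Patient" record=P-0917
2024-03-06T02:15:09Z user=asmith ip=203.0.113.9 action="Login"
"""

# Constructed offboarding list (user -> last day, UTC). Any event after that
# date means "disable access for departed staff" was missed.
TERMINATED = {"bwong": datetime(2024, 3, 1, tzinfo=timezone.utc)}
PRACTICE_LAN = ipaddress.ip_network("192.168.10.0/24")  # assumed clinic subnet
EXPORT_THRESHOLD = 3  # exports per user per day that warrant a look; tune to your workflow

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) '
    r'action="(?P<action>[^"]+)"(?: record=(?P<record>\S+))?$'
)


def parse_line(line):
    """Parse one assumed-format audit line into a dict; raise on anything else
    so a format change is noticed rather than silently skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["ip"] = ipaddress.ip_address(ev["ip"])
    return ev


def review(log_text, terminated=TERMINATED, lan=PRACTICE_LAN,
           export_threshold=EXPORT_THRESHOLD):
    """Return (finding, user, detail) tuples in log order."""
    findings = []
    exports = Counter()  # (user, day) -> number of "Exported Entry" events
    for line in log_text.splitlines():
        ev = parse_line(line)
        user, day = ev["user"], ev["ts"].date()
        # 1. Activity from an account that should have been disabled.
        if user in terminated and ev["ts"] > terminated[user]:
            findings.append(("terminated_user_active", user, ev["ts"].isoformat()))
        # 2. Access from outside the practice LAN (IP is in the log per the page).
        if ev["ip"] not in lan:
            findings.append(("off_network_access", user, str(ev["ip"])))
        # 3. Bulk export: report once, when the daily count first hits the threshold.
        if ev["action"] == "Exported Entry":
            exports[(user, day)] += 1
            if exports[(user, day)] == export_threshold:
                findings.append(("bulk_export", user, str(day)))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

On the constructed sample this reports jdoe's three exports on 2024-03-04, two events by bwong after the listed departure date, and an asmith login from 203.0.113.9 outside the assumed subnet. Each finding is a prompt for a human to check, not a verdict: an after-hours login from a clinician's home may be legitimate, but it should be explainable.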
Related Documentation
- Data Security Architecture: Technical details on encryption and ports.
- Audit Logging Configuration: How to configure and view activity logs.
- HIPAA Compliance Guide: Mapping features to US regulations.
- PIPEDA Compliance Guide: Mapping features to Canadian regulations.
- Configuring Data Retention for Deleted Records: Managing retention periods for compliance.
Disclaimer
Dermi Atlas Professional is a software tool that facilitates compliance; it does not ensure compliance by itself. Compliance depends on how your practice configures the software, secures the host environment, and enforces organizational policies. Dermi Inc. does not provide legal advice. Please consult with your compliance officer or legal counsel to ensure your deployment meets all applicable regulatory requirements.