Dermi Atlas Professional is designed with data sovereignty as a foundational principle. Unlike cloud-based imaging systems where data is stored by a third party, Dermi Atlas Professional uses a self-hosted architecture. This ensures that sensitive patient data, including clinical photographs, medical notes, and personal information, remains entirely under the practice's control on its own infrastructure.
This article provides an overview of how Dermi Atlas Professional acts as a tool to support a practice's compliance with healthcare privacy regulations, including HIPAA (United States) and PIPEDA (Canada).
The Self-Hosted Model & Data Sovereignty
The core of Dermi's security model is local data custody. Because the software runs on the local network, Dermi Inc. does not have access to, nor does it store, patient health information.
Data Stored Locally (Practice Responsibility):
- Patient photographs and clinical images
- Patient demographic information and notes
- Audit logs and activity records
- User account data
- System backups
Data Processed by Dermi (Vendor Responsibility):
- License verification and subscription status
- Software update checks
- Account security metadata (e.g., 2FA or password reset initiation)
This separation ensures that Dermi does not function as a "Business Associate" (under HIPAA) or a "Health Information Custodian" (under Canadian law) regarding patient data. The practice retains full ownership and control.
Compliance Support Features
Dermi Atlas Professional provides technical features that allow practices to implement required administrative, technical, and physical safeguards.
Access Control
- Individual Accounts: Supports unique user identification.
- Strong Authentication: Enforces password complexity and supports Two-Factor Authentication (2FA).
- Session Management: Lets users end all active sessions across devices in a single action.
Audit & Accountability
- Activity Logging: Configurable logging levels track authentication, data access, and modifications.
- Granular History: Logs include timestamps, user IDs, IP addresses, and specific actions (e.g., "Viewed Patient," "Exported Entry").
- Local Storage: Audit logs are stored locally and included in the system backups.
Data Protection
- Encryption in Transit: Supports TLS encryption for network communications via self-signed certificates.
- Safe Deletion: Configurable deletion levels (Recoverable, Standard, and Permanent) let practices choose how deletions are handled. Recoverable and Standard retain deleted data and stored files for the configured retention period and support in-app recovery of patients, entries, and images (Recoverable also retains the associated activity logs; Standard removes them). Permanent immediately and permanently removes data with no recovery. All deletion operations require explicit confirmation.
- Data Isolation: User accounts are isolated; users cannot view patient data belonging to other user accounts within the same deployment.
Consent Tools
- Workflow Integration: Configurable settings to prompt for consent before image capture.
- Documentation: Capabilities to record digital confirmation or verify external written consent.
Shared Responsibility Model
While Dermi provides the software tools, compliance is a shared responsibility.
Dermi's Responsibility:
- Provide secure, stable software free of known vulnerabilities.
- Deliver security updates and patches.
- Secure the administrative infrastructure (billing, licensing).
Practice Responsibility:
- Physical Security: Securing the computer running Dermi Atlas Professional.
- Network Security: Configuring firewalls and securing the local network (Wi-Fi).
- Access Management: Creating accounts, managing passwords, and disabling access for terminated staff.
- Backup Strategy: Regularly running backups and storing them securely off-site.
- Policy & Procedure: Establishing and enforcing internal privacy policies.
Related Documentation
- Data Security Architecture: Technical details on encryption and ports.
- Audit Logging Configuration: How to configure and view activity logs.
- HIPAA Compliance Guide: Mapping features to US regulations.
- PIPEDA Compliance Guide: Mapping features to Canadian regulations.
- Configuring Data Retention for Deleted Records: Managing retention periods for compliance.
- Managing Patients: Consent tracking and patient record management.
Disclaimer
Dermi Atlas Professional is a software tool that facilitates compliance; it does not ensure compliance by itself. Compliance depends on how the practice configures the software, secures the host environment, and enforces organizational policies. Dermi Inc. does not provide legal advice. Consult a compliance officer or legal counsel to ensure the deployment meets all applicable regulatory requirements.