01 / TRUST
Consent, purpose, audit, sign-off, and explainability are wired into the Curova substrate. Every event in Curova carries the metadata clinicians need to verify it, regulators need to inspect it, and patients need to revoke it.
02/POSTURE
Curova is health intelligence infrastructure. Clinical decisions are made by licensed clinicians.
Consent, purpose, and policy are checked at every read and write — not bolted on after the fact.
No clinical recommendation reaches a patient without a named clinician’s sign-off.
03/THE NINE PRIMITIVES
Each primitive is structural — implemented at the platform level, exposed through audited APIs, and surfaced in the product so the people accountable for care can see what is happening to the data.
Every access carries a receipt — patients can see, scope, and revoke who used their data, for what, and when.
Receipts are issued at the moment of consent and updated on every revocation. Each receipt carries the requesting party, the consented purpose, the data scope, the timeframe, and the cryptographic linkage back to the underlying audit event.
Data flows only for the purpose it was consented to. Read access is bound to a stated purpose at the call site, not the role.
The policy engine checks the declared purpose of every read. A clinician treating a patient and a researcher running a population study see different fields, even if they hold the same role.
An immutable log of who did what, when, and why. Cryptographically chained, queryable by patient, clinician, and regulator.
Audit events are append-only and chained. Patients can replay their own access history. Regulators can attest to integrity without seeing PHI.
AI assists. Clinicians decide. No clinical recommendation reaches a patient without a named clinician’s signature.
Sign-off is a first-class object. It records the clinician, the AI output reviewed, the modifications made, and the timestamp — and it travels with the resulting prescription, plan, or report.
Interoperable by default. Curova writes and reads FHIR R4 across the substrate — every event, every resource.
The substrate is FHIR R4 native. Profiles cover encounters, conditions, medications, observations, claims, and consent. Extensions are documented and versioned.
Patient-controlled identity, on India’s national rails. ABHA-linked accounts, ABDM-compliant consent flows, designed for portability.
Patients can link an existing ABHA account or create one in flow. Consent artefacts conform to ABDM specifications and remain portable across networks.
Rules of access encoded, not implied. Org, role, geography, purpose, and consent state evaluated at every read and write.
Policies are versioned, testable, and audited. Every decision is explainable: a denial returns the rule that fired, not a generic error.
Edge cases route to humans, fast. Defined triggers, named on-call clinicians, measured response.
Escalation triggers are encoded — red-flag symptoms, low-confidence outputs, contraindicated combinations — and routed to a named clinical responder with measured time-to-response.
Every recommendation carries its reasoning. Sources, model, confidence, and dissenting signals attached to the output, not the marketing.
An AI output is never a single string. It is a structured object: input context, retrieved sources, model identity, confidence band, dissenting signals, and clinician sign-off slot.
REGULATORS · CLINICAL LEADERS
We work with regulators, clinical leaders, and compliance teams who want to see how a governed substrate behaves under real workloads.