The governance layer for healthcare data.
quovana makes health data trustworthy: governed at the source, provable for life. It's built for the clinical and quality teams who own the data, not just the FHIR engineers who move it.
One platform, governed end to end.
A FHIR-native governance platform built on one shared core: self-contained, ready to run on-premises, and isolated per customer.
Terminology Live
Author, govern, map and publish code systems, value sets and concept maps, with a managed FHIR terminology server built in. Every change moves through draft, review and approval before it publishes, and published versions stay immutable.
Audit Early access
Search, retain, monitor and prove your organisation's FHIR audit trail across the whole estate. Tamper-evident evidence that stands up to scrutiny and is ready to report.
Workflow Planned
FHIR task and care-flow orchestration across the estate, on the same governed and auditable foundation, extended to how work moves.
Regulation is forcing the timeline, starting in Europe.
The EU's EHDS Regulation (2025/327) mandates the EEHRxF for EHR systems placed on the EU market. Its technical specifications, adopted via implementing acts, are HL7 FHIR-based and use standardised terminologies such as SNOMED CT, LOINC and ICD. Conformity is a condition of market access. The same pressure is building beyond the EU, from the US 21st Century Cures Act and ONC HTI-1 rule to national FHIR mandates elsewhere.
EHDS Regulation enters into force
EHDS applies; EEHRxF specs expected
First categories: patient summaries, e-prescriptions
Imaging, lab results, discharge reports
Governments give away terminology servers, but leave map ownership, quality and lifecycle open. quovana is that layer.
The codes your care depends on, finally under governance.
Where your local codes, value sets and concept maps become governed, versioned, FHIR-published assets. Built for the clinical, quality and terminology teams who own the meaning of the data, and the EHR and LIS vendors who have to prove that meaning holds.
Your maps live in a spreadsheet nobody approved.
Local lab and diagnosis codes get mapped to SNOMED CT, LOINC and ICD in a spreadsheet with no version history, no reviewer, and no record of who changed what. When a code shifts, results flow on a mapping no one owns.
A mapping goes live because an independent reviewer approved that version, and approval is publication. Every change moves through draft, review and approval, and published versions stay immutable. Editing later creates a new version, back through review. Nothing changes silently.
The people who know the codes can't touch the system.
The staff closest to the local codes, the lab lead, the quality manager, work in Excel, not FHIR. Authoring bottlenecks on a handful of engineers while the domain experts are reduced to sending spreadsheets.
A spreadsheet becomes a governed draft in one paste, with every row classed new, duplicate or invalid before anything is created. A restricted Contributor role lets partner sites and non-FHIR staff propose codes; a central reviewer still approves. Authorship is recorded as FHIR Provenance, so every contribution carries who made it.
Bound to SNOMED, LOINC and ICD, without hosting them all.
EHDS drives EHR systems toward FHIR specifications built on standardised terminologies. Governments give away terminology servers but leave map ownership, quality and lifecycle open, and hosting licensed editions across every silo is a burden most teams cannot carry.
quovana is that layer. Connect your own terminology server and map straight against the live SNOMED edition, storing only the chosen code. Bring in just the slice your reporting needs as a governed, versioned value set, and reference shared standards once instead of hosting many copies. Your affiliate relationship, and your certification, remain yours.
"Who approved this code?" and no answer.
An accreditation body wants the full lifecycle of a published mapping: who submitted it, who requested changes, who approved it, and when. Assembling that by hand is slow and rarely provable.
Every action, create, submit, approve, publish, is a FHIR AuditEvent in a readable who-what-when feed. A governance report generates the full review trail per published map, with the independent-review indicator and any self-approval exceptions, exportable for an auditor. A managed FHIR terminology server is built in, so published content is ready for machines and registries to consume under the same governance.
From ungoverned spreadsheets to governed, versioned, FHIR-native assets your whole estate can trust.
Logs record activity. Evidence survives scrutiny.
The FHIR-native evidence layer for your whole health-data estate. One place for compliance leads, quality managers, DPOs and CISOs to search, monitor, retain and prove who did what to which record, and whether that proof can itself be trusted. In design-partner pilots now.
"We have logs, so we're covered."
A system log tells you what happened inside one system. It scatters across servers, rotates after 30 days, and was never built to answer what a regulator asks: who accessed which patient or specimen, when, and whether it was authorised.
quovana Audit reads the FHIR AuditEvent and Provenance records across your estate into one org-wide Explorer. Every access becomes attributable evidence you can filter by actor, patient, object, action and outcome, and follow as a single record's chain of custody, read from the source of truth rather than reconstructed from raw logs.
Could an administrator erase the evidence without you knowing?
That is the real test of an audit trail, and most fail it. If a privileged operator can rotate, overwrite or quietly edit the record, you have a log, not defensible evidence. An auditor's threat model includes the insider with database access.
An administrator with database access still can't rewrite history without being caught. Every event is cryptographically sealed into an append-only record, signed with a key held outside the application, and can be committed to immutable, write-once storage where required. Any tampering breaks the seal. We proved it live: a database-privileged tamper test altered the audit record, and verification caught it, and an auditor can run that check independently.
AI now helps make the diagnosis. Who checked it, and can you prove it?
When an algorithm screens a slide before a report is signed, accountability gets hard. Which model and version ran, on which object, and did a human assess the result before it reached the report? We're not aware of an IHE or HL7 audit standard that yet defines this AI-inference trail, so generic access-audit and SIEM tools cannot model it.
The AI Inference Trace reconstructs each AI episode as evidence: the model, its version and device, the object it ran on, and the human assessment, or a flagged gap where none exists, before sign-out. Unassessed results and failed inferences surface as findings. This supports EU AI Act record-keeping (Art 12) and human-oversight (Art 26) duties. An early capability: the trail's completeness depends on models being registered, and it describes what the trail captures today, not a compliance guarantee.
Proving it shouldn't take three weeks of screenshots.
When a regulator, accreditation body or data-subject request arrives, evidence assembled by hand is slow, contestable, and only as trustworthy as whoever compiled it. Most teams have no defensible answer for how long evidence is kept, or how it is disposed of.
Findings for break-glass, denied access, bulk export and unassessed AI open automatically for triage. Integrity-verified reports freeze a self-hashed snapshot with evidence targets for EHDS, ISO 15189, the EU AI Act and GDPR duties (Art 5(2), 32, 15), exportable as PDF or CSV. Retention runs to a defined window with legal hold, and disposal is designed to be provable: a purged record verifies as retention-expired rather than silently vanishing.
Not a log you hope holds up, but a governed, tamper-evident record you can stake your name on. FHIR-native, over your own data.
Precise, sovereign, provable.
FHIR-native
Governance, audit and publishing speak FHIR end to end. Existing FHIR sources normalised at the boundary.
EU-sovereign
Self-contained and ready to run on-premises by default, with no hard dependency on external cloud.
Provably tamper-evident
Cryptographically sealed and externally signed. We proved it live: a database-privileged tamper test altered the audit record, and verification caught it. Even retention disposal is designed to be provable: a purged record verifies as expired by policy rather than silently vanishing.
Standards-aligned
Evidence targets: EHDS, ISO 15189, GDPR, EU AI Act. Certification always remains yours.
Validated live against tx.fhir.org and NHS Ontoserver · IHE ATNA-aligned audit · Self-contained, runs on-premises
Start with one real use case.
A fixed-fee pilot on one real mapping or audit need, governed end to end, with the trail to show for it.
Scope your pilotWe exist to make health data trustworthy: governed at the source, and provable for life.