Governed data. Connected care.

The governance layer for healthcare data.

quovana makes health data trustworthy: governed at the source, provable for life. It's built for the clinical and quality teams who own the data, not just the FHIR engineers who move it.

The platform

One platform, governed end to end.

A FHIR-native governance platform built on one shared core: self-contained, ready to run on-premises, and isolated per customer.

Terminology Live

Author, govern, map and publish code systems, value sets and concept maps, with a managed FHIR terminology server built in. Every change moves through draft, review and approval before it publishes, and published versions stay immutable.

Audit Early access

Search, retain, monitor and prove your organisation's FHIR audit trail across the whole estate. Tamper-evident evidence that stands up to scrutiny and is ready to report.

Workflow Planned

FHIR task and care-flow orchestration across the estate, on the same governed and auditable foundation, extended to how work moves.

Why now

Regulation is forcing the timeline, starting in Europe.

The EU's EHDS Regulation (2025/327) mandates the EEHRxF for EHR systems placed on the EU market. Its technical specifications, adopted via implementing acts, are HL7 FHIR-based and use standardised terminologies such as SNOMED CT, LOINC and ICD. Conformity is a condition of market access. The same pressure is building beyond the EU, from the US 21st Century Cures Act and ONC HTI-1 rule to national FHIR mandates elsewhere.

2025

EHDS Regulation enters into force

2027

EHDS applies; EEHRxF specs expected

2029

First categories: patient summaries, e-prescriptions

2031

Imaging, lab results, discharge reports

Governments give away terminology servers, but leave map ownership, quality and lifecycle open. quovana is that layer.

quovana Terminology · Live

The codes your care depends on, finally under governance.

Where your local codes, value sets and concept maps become governed, versioned, FHIR-published assets. Built for the clinical, quality and terminology teams who own the meaning of the data, and the EHR and LIS vendors who have to prove that meaning holds.

Your maps live in a spreadsheet nobody approved.

Local lab and diagnosis codes get mapped to SNOMED CT, LOINC and ICD in a spreadsheet with no version history, no reviewer, and no record of who changed what. When a code shifts, results flow on a mapping no one owns.

With quovana

A mapping goes live because an independent reviewer approved that version, and approval is publication. Every change moves through draft, review and approval, and published versions stay immutable. Editing later creates a new version, back through review. Nothing changes silently.

The people who know the codes can't touch the system.

The staff closest to the local codes, the lab lead, the quality manager, work in Excel, not FHIR. Authoring bottlenecks on a handful of engineers while the domain experts are reduced to sending spreadsheets.

With quovana

A spreadsheet becomes a governed draft in one paste, with every row classed new, duplicate or invalid before anything is created. A restricted Contributor role lets partner sites and non-FHIR staff propose codes; a central reviewer still approves. Authorship is recorded as FHIR Provenance, so every contribution carries who made it.

Bound to SNOMED, LOINC and ICD, without hosting them all.

EHDS drives EHR systems toward FHIR specifications built on standardised terminologies. Governments give away terminology servers but leave map ownership, quality and lifecycle open, and hosting licensed editions across every silo is a burden most teams cannot carry.

With quovana

quovana is that layer. Connect your own terminology server and map straight against the live SNOMED edition, storing only the chosen code. Bring in just the slice your reporting needs as a governed, versioned value set, and reference shared standards once instead of hosting many copies. Your affiliate relationship, and your certification, remain yours.

"Who approved this code?" and no answer.

An accreditation body wants the full lifecycle of a published mapping: who submitted it, who requested changes, who approved it, and when. Assembling that by hand is slow and rarely provable.

With quovana

Every action, create, submit, approve, publish, is a FHIR AuditEvent in a readable who-what-when feed. A governance report generates the full review trail per published map, with the independent-review indicator and any self-approval exceptions, exportable for an auditor. A managed FHIR terminology server is built in, so published content is ready for machines and registries to consume under the same governance.

From ungoverned spreadsheets to governed, versioned, FHIR-native assets your whole estate can trust.

quovana Audit · Early access

Logs record activity. Evidence survives scrutiny.

The FHIR-native evidence layer for your whole health-data estate. One place for compliance leads, quality managers, DPOs and CISOs to search, monitor, retain and prove who did what to which record, and whether that proof can itself be trusted. In design-partner pilots now.

"We have logs, so we're covered."

A system log tells you what happened inside one system. It scatters across servers, rotates after 30 days, and was never built to answer what a regulator asks: who accessed which patient or specimen, when, and whether it was authorised.

With quovana

quovana Audit reads the FHIR AuditEvent and Provenance records across your estate into one org-wide Explorer. Every access becomes attributable evidence you can filter by actor, patient, object, action and outcome, and follow as a single record's chain of custody, read from the source of truth rather than reconstructed from raw logs.

Could an administrator erase the evidence without you knowing?

That is the real test of an audit trail, and most fail it. If a privileged operator can rotate, overwrite or quietly edit the record, you have a log, not defensible evidence. An auditor's threat model includes the insider with database access.

With quovana

An administrator with database access still can't rewrite history without being caught. Every event is cryptographically sealed into an append-only record, signed with a key held outside the application, and can be committed to immutable, write-once storage where required. Any tampering breaks the seal. We proved it live: a database-privileged tamper test altered the audit record, and verification caught it, and an auditor can run that check independently.

AI now helps make the diagnosis. Who checked it, and can you prove it?

When an algorithm screens a slide before a report is signed, accountability gets hard. Which model and version ran, on which object, and did a human assess the result before it reached the report? Existing audit standards were built for data access, not the AI-inference trail, so generic access-audit and SIEM tools can't model it.

With quovana

The AI Inference Trace reconstructs each AI episode as evidence: the model, its version and device, the object it ran on, and the human assessment, or a flagged gap where none exists, before sign-out. Unassessed results and failed inferences surface as findings. This supports EU AI Act record-keeping (Art 12) and human-oversight (Art 26) duties. An early capability: the trail's completeness depends on models being registered, and it describes what the trail captures today, not a compliance guarantee.

Proving it shouldn't take three weeks of screenshots.

When a regulator, accreditation body or data-subject request arrives, evidence assembled by hand is slow, contestable, and only as trustworthy as whoever compiled it. Most teams have no defensible answer for how long evidence is kept, or how it is disposed of.

With quovana

Findings for break-glass, denied access, bulk export and unassessed AI open automatically for triage. Integrity-verified reports freeze a self-hashed snapshot with evidence targets for EHDS, ISO 15189, the EU AI Act and GDPR duties (Art 5(2), 32, 15), exportable as PDF or CSV. Retention runs to a defined window with legal hold, and disposal is designed to be provable: a purged record verifies as retention-expired rather than silently vanishing.

Not a log you hope holds up, but a governed, tamper-evident record you can stake your name on. FHIR-native, over your own data.

Built for trust

Precise, sovereign, provable.

FHIR-native

Governance, audit and publishing speak FHIR end to end. Existing FHIR sources normalised at the boundary.

EU-sovereign

Self-contained and ready to run on-premises by default, with no hard dependency on external cloud.

Provably tamper-evident

Cryptographically sealed and externally signed. We proved it live: a database-privileged tamper test altered the audit record, and verification caught it. Even retention disposal is designed to be provable: a purged record verifies as expired by policy rather than silently vanishing.

Standards-aligned

Evidence targets: EHDS, ISO 15189, GDPR, EU AI Act. Certification always remains yours.

Validated live against tx.fhir.org and NHS Ontoserver  ·  IHE ATNA-aligned audit  ·  Self-contained, runs on-premises

Get started

Start with one real use case.

A fixed-fee pilot on one real mapping or audit need, governed end to end, with the trail to show for it.

Scope your pilot

We exist to make health data trustworthy: governed at the source, and provable for life.