Developer Documentation

Technical Architecture

A comprehensive overview of QAPIShield's enterprise-grade backend infrastructure, designed for security, scalability, and HIPAA compliance.

HIPAA-Compliant Architecture

Two-System Model

QAPIShield operates alongside your existing EHR using a privacy-preserving two-system model. The EHR maintains patient identity and clinical documentation, while QAPIShield tracks risk predictions and QAPI analytics using de-identified Resident Reference IDs.

EHR System (PHI)

Stores patient names, DOB, SSN, addresses
Maintains clinical documentation and orders
Generates Medical Record Numbers (MRN)

QAPIShield (De-identified)

Uses only Resident Reference IDs (MRN/Census ID)
Generates risk predictions and care plans
Produces QAPI analytics and dashboards

System Components

Frontend UI

User-facing interface
Assessment forms
Dashboard views
QAPI report views

Backend API (Node.js)

REST/JSON API
Authentication & authorization
Risk scoring endpoints
Care plan generation endpoints

Database (PostgreSQL)

Multi-tenant architecture
Resident risk data
Assessment records
Risk scores & interventions
Care plans & QAPI reports
Audit logs

AI Layer

Care plan + intervention text generation
Uses de-identified clinical data only
Connects to HIPAA-supporting AI model

Background Workers

Scheduled QAPI report generation
Analytics aggregation

Security / HIPAA

Encrypted at rest + in transit
Role-based access controls
Audit logging
No PHI sent to third-party AI

Database Schema Overview

QAPIShield uses a relational PostgreSQL schema with multi-tenant isolation. All tables are designed for HIPAA compliance with no PHI stored.

Database Tables

facilities

SNF accounts

users

Staff at each facility

residents

Pseudonymous resident records (NO PHI)

conditions

Chronic conditions per resident

assessments

Clinical risk assessments

risk_scores

Fall/ulcer/infection/readmission scores

interventions

Suggested actions

care_plans

Generated care plan text

qapi_reports

Monthly QAPI outputs

audit_logs

HIPAA-compliant activity tracking

subscriptions

Facility billing

Key Relationships

facilities → 1:N → users, residents

residents → 1:N → assessments, conditions

assessments → 1:1 → risk_scores

risk_scores → 1:N → interventions, care_plans

API Endpoints

All endpoints require authentication and enforce facility-level isolation.

Method	Endpoint	Description	Auth
POST	`/assessments`	Submit resident clinical data	Required
POST	`/risk-score`	Return risk levels (low/mod/high)	Required
POST	`/care-plan`	Generate narrative care plan	Required
GET	`/dashboard`	Facility-level analytics	Required
GET	`/qapi-report`	Monthly overview	Required

Example Request

POST /api/risk-score
Authorization: Bearer <token>
Content-Type: application/json

{
  "resident_id": "res_123",
  "facility_id": "fac_456",
  "assessment_data": {
    "age_range": "75-84",
    "mobility_status": "limited",
    "fall_history": true,
    "skin_integrity": "at_risk"
  }
}

Risk Engine

QAPIShield's proprietary risk engine combines clinical rules with AI-powered analysis to produce consistent, survey-ready outputs.

Risk Scoring Components

Clinical Rules

Braden-like scoring, fall factors, vitals trends

Weighted Scoring System

Evidence-based factor weighting

Threshold-Based Alerts

Low / Moderate / High risk classification

AI-Generated Narratives

Survey-ready explanations and care plans

Risk Categories

Falls RiskMobility, History, Environment

Pressure Ulcer RiskBraden Scale Factors

Infection/Sepsis RiskVitals, Labs, Symptoms

Readmission RiskDiagnosis, LOS, Comorbidities

Low (0-33)

Moderate (34-66)

High (67-100)

HIPAA & Security Layer

PHI Stays Local

All PHI remains in the facility's secure environment

De-identified AI

Only de-identified data goes to AI models

Encryption

TLS 1.2+ in transit, AES-256 at rest

RBAC

Role-based access controls

Audit Logs

Full activity tracking for compliance

Deployment Architecture

Frontend UI

React SPA

Secure API

Node.js + Express

PostgreSQL DB

Multi-tenant

AI Engine

De-identified only

QAPI Reports

Survey-ready

Facility Authentication

JWT + Session Management

Background Job Runner

Scheduled Reports & Analytics

Audit Log Pipeline

HIPAA Compliance Tracking

QAPIShield's backend is designed for scalability, HIPAA support, multi-facility enterprise use, and seamless AI-driven risk prediction.

Technical Architecture

Two-System Model

EHR System (PHI)

QAPIShield (De-identified)

System Components

Frontend UI

Backend API (Node.js)

Database (PostgreSQL)

AI Layer

Background Workers

Security / HIPAA

Database Schema Overview

Database Tables

Key Relationships

API Endpoints

Risk Engine

Risk Scoring Components

Clinical Rules

Weighted Scoring System

Threshold-Based Alerts

AI-Generated Narratives

Risk Categories

HIPAA & Security Layer

PHI Stays Local

De-identified AI

Encryption

RBAC

Audit Logs

Deployment Architecture

Frontend UI

Secure API

PostgreSQL DB

AI Engine

QAPI Reports

Cookie Preferences