CLEARSHIFTS
Governance & Security

Built to be approved by a GME office.

The narrow design is the adoptable design: ClearShifts captures a supervisor's rating of an observed behavior — never patient data — and enforces that boundary in the software itself.

01 · Data Governance at a Glance

Where the data lives, and who can see it.

  • Data residency: Managed, access-controlled cloud (PostgreSQL), hosted in a United States region; an isolated environment per program.
  • Access model: Role-restricted, enforced row by row at the database layer: fellows read their own records; preceptors their own entries; the director the program views.
  • Audit trail: Append-only. Ratings, self-assessments, and sign-outs are permanent — corrected by adding a new entry with a note, never silently edited or deleted.
  • Protected health information: None collected. No patient information enters the system; the only encounter-related data is a preceptor’s structured rating and short note.
  • No hidden signal: A flag invisible to its fellow cannot be stored — the database rejects it. Policy as a physical constraint.
  • Backups: Daily, through the program year.
  • Sponsor access: ClearShifts holds no account with routine access to fellow-level data; maintenance is a logged break-glass procedure only.
  • Withdrawal: A documented procedure removes a fellow’s data from the research dataset on request.
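
One way the access model, append-only audit trail, and no-hidden-signal rule above could be enforced in PostgreSQL. This is an added sketch, not ClearShifts' own schema: every table, column, role, and policy name is hypothetical, and it assumes each user connects as a personal login role that is a member of one of the three group roles.

```sql
-- Hypothetical names throughout; PostgreSQL 11 or later.
CREATE ROLE fellow_role;
CREATE ROLE preceptor_role;
CREATE ROLE director_role;

CREATE TABLE ratings (
    id                bigserial   PRIMARY KEY,
    fellow            text        NOT NULL,  -- login role of the rated fellow
    preceptor         text        NOT NULL,  -- login role of the rating preceptor
    rating            smallint    NOT NULL,
    note              text,
    corrects_id       bigint      REFERENCES ratings (id),  -- a correction is a new row
    visible_to_fellow boolean     NOT NULL DEFAULT true,
    created_at        timestamptz NOT NULL DEFAULT now(),
    -- No hidden signal: a row its fellow could not see fails the constraint.
    CONSTRAINT no_hidden_signal CHECK (visible_to_fellow)
);

-- Append-only, layer 1: nobody is granted UPDATE or DELETE.
GRANT SELECT ON ratings TO fellow_role, director_role;
GRANT SELECT, INSERT ON ratings TO preceptor_role;
GRANT USAGE ON SEQUENCE ratings_id_seq TO preceptor_role;

ALTER TABLE ratings ENABLE ROW LEVEL SECURITY;
ALTER TABLE ratings FORCE ROW LEVEL SECURITY;  -- table owner is filtered too

CREATE POLICY fellow_reads_own ON ratings FOR SELECT TO fellow_role
    USING (fellow = current_user);
CREATE POLICY preceptor_reads_own ON ratings FOR SELECT TO preceptor_role
    USING (preceptor = current_user);
CREATE POLICY preceptor_inserts_own ON ratings FOR INSERT TO preceptor_role
    WITH CHECK (preceptor = current_user);  -- cannot file a rating as someone else
CREATE POLICY director_reads_program ON ratings FOR SELECT TO director_role
    USING (true);  -- one database per program, so all rows are the program's

-- Append-only, layer 2: reject mutation even if a grant is added later.
CREATE FUNCTION reject_mutation() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'ratings is append-only; insert a correcting row instead';
END $$;

CREATE TRIGGER ratings_append_only BEFORE UPDATE OR DELETE ON ratings
    FOR EACH ROW EXECUTE FUNCTION reject_mutation();
```

Superusers and roles with BYPASSRLS are not subject to these policies, which is why the sponsor-access row limits such accounts to a logged break-glass procedure.
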
02 · Enforced, Not Just Promised

The design laws, restated for compliance.

Formative only

Surfaces strengths and growth edges; never certifies competence, never triggers remediation machinery.

No blending

Self-assessment, entrustment, and committee determination stay distinct — never averaged into one number.

Blind rating path

No knowledge signal on the path to an entrustment rating; observation captured free of anchoring.

No hidden signal

Anything the director sees about a fellow, the fellow can see — enforced by the database, not policy.

03 · HIPAA & FERPA

Two questions every compliance office asks.

  • HIPAA. No PHI is collected, transcribed, or stored. The product does not record real patient encounters — a settled design principle. Because no PHI is handled, a BAA is typically not required; a template is kept ready where an institution's policy requires one regardless.
  • FERPA. Assessment data are educational records that the program owns; access, retention, and the fellow's rights follow program policy and any consent obtained for research use.
  • Small cohorts. With small fellow cohorts, every comparison is an identification: no cross-fellow comparison, ranking, or leaderboard appears anywhere, and individual results never leave the program.
04 · The Governance & Data Pack

A document your compliance office can read in one sitting.

Design laws, data-governance summary, no-PHI determination, FERPA notes, small-cohort protections, and our claims and embargo posture — delivered with every engagement, and available to your security and legal teams on request.

ClearShifts is educational workflow training. It does not replace clinical judgment, supervision, or institutional policy. It makes no clinical-outcome claims, and confers no accreditation. All examples are synthetic.