Tenancy Decision Matrix for National EHR Deployment

Context: Afghanistan national EHR with MoPH governance, public/private facilities, independent providers, pharmacies, laboratories, and radiology units.
Purpose: Decide between single-tenant, multi-tenant, or hybrid architecture while preserving privacy, patient safety, and operational scalability.

1) Decision Summary

Recommended default: Hybrid model

National shared platform services (MPI/identity governance, terminology baseline, policy baseline, audit federation)
Tenant-isolated operational domains (tenant_id boundaries for clinical operations, admin scope, and configuration)

This balances national continuity of care with stronger legal/operational isolation.

2) Option Definitions

Option A: Single-Tenant National Platform

One platform tenant for all organizations; MoPH at hierarchy root (HierarchyNode DAG); access controlled by node-scoped roles and policy evaluation.

Option B: Federated Multi-Tenant Platform

Each legal organization/group is a separate tenant; MoPH supervises via constrained cross-tenant governance services and reporting views.

Option C: Hybrid (Recommended)

Shared national platform services + tenant-isolated operational domains with controlled federation APIs.

3) Decision Matrix

Criterion	Single-Tenant	Multi-Tenant	Hybrid
National longitudinal patient continuity	High	Medium (needs federation)	High
Legal/contract isolation (public vs private)	Low	High	High
Security blast-radius reduction	Low	High	High
Operational simplicity	High	Medium	Medium
Policy flexibility per org class	Medium	High	High
MoPH central oversight	High	Medium (needs explicit governance APIs)	High
Data residency/cross-border controls	Medium	High	High
Implementation complexity	Low	Medium-High	High
Vendor/program onboarding flexibility	Medium	High	High
Recommended for Afghanistan scale	Conditional	Possible	Best fit

4) Architecture Decision Rules

Choose Single-Tenant if all are true:

MoPH is sole legal controller of all participating organizations.
Private sector accepts centralized policy and data stewardship.
National regulation does not require hard legal boundary segregation.
Program can tolerate larger blast radius under one security domain.

Choose Multi-Tenant if any are true:

Private/public entities require legal separation of operational data.
Different organizations require materially different retention/consent/residency controls.
Commercial contracts require strict per-entity administration and isolation.

Choose Hybrid if:

National continuity of patient identity is required and
Some entities require strong isolation and
MoPH needs central visibility with least-privilege access.

5) MoPH Root Access Policy Guidance

MoPH as root in the hierarchy DAG is acceptable, but root should mean governance authority, not unrestricted operational access.

Required controls:

Distinct MoPH roles: policy admin, epidemiology, compliance investigator, emergency responder
Default de-identified/aggregated access for oversight
Identified-record access only with purpose-of-use and legal basis
Break-glass with mandatory reason, bounded TTL, and post-event review
Full immutable audit and disclosure reporting

Implementation notes using existing platform terminology:

Enforce authorization through POST /internal/access/evaluate (Access Policy Service), not service-local role checks.
Keep JWT identity-only (sub, tenantId, userType) and resolve effective permissions via Access Context + policy evaluation.
Apply node-scoped role assignment at nodeId with ancestor inheritance from Hierarchy Service.
Keep module entitlement checks in Licensing Service as a mandatory gate before allow.

6) International Compliance Baseline (Government Health Context)

Regardless of jurisdiction, government EHR programs should enforce:

Lawful basis and purpose limitation
Data minimization and minimum necessary
Role/purpose-based access control (RBAC + ABAC)
Consent and exception handling where required
Tamper-evident audit + accounting of disclosures
Encryption in transit and at rest
MFA and privileged access management
Data residency and cross-border transfer controls
DPIA/PIA for high-risk processing
Incident response and breach notification obligations
Retention and defensible deletion/archival policies
Vendor/subprocessor governance and contracts

Typical legal references by region:

EU/EEA: GDPR (health data as special category)
US: HIPAA/HITECH (+ state laws)
UK: UK GDPR + Data Protection Act
Country-specific health/privacy laws in MENA/Asia/Africa (increasingly strict on health data and transfers)

7) Recommended Target State for Afghanistan Program

7.1 Shared Platform Layer (National)

National MPI / patient identity resolution
National terminology and coding services
National policy baseline and conformance rules (platform + tenant policy layering)
Federated audit index (with tenant-local detailed logs)
National provider/facility registry references

7.2 Operational Layer (Tenant-Isolated)

Clinical data stores segmented by tenant group
Per-tenant IAM/admin boundaries (Tenant Service + IAM Service scope)
Tenant-specific consent, retention, localization settings
Scoped integration adapters and data export controls

7.3 Federation Layer (Controlled Cross-Tenant)

Controlled cross-tenant query/exchange APIs
Purpose-of-use assertion and policy evaluation on each request (evaluate() + consent checks where configured)
Minimal dataset projection by default
Full traceability and disclosure logging

8) Phased Adoption Path

Phase 1 (Fastest)

Keep current multi-tenant model
Add explicit MoPH supervisory roles with least-privilege defaults
Introduce national MPI governance policies

Phase 2

Build federation APIs for cross-tenant continuity workflows
Add purpose-of-use + consent inputs to authorization decisions
Harden break-glass governance and review workflow

Phase 3

Implement hybrid control plane services
Move to policy simulation/explainability and continuous compliance checks

9) Final Recommendation

For your stated use case, tenancy is not mathematically mandatory, but it is strongly recommended in practice at national scale.

Best-fit approach: Hybrid architecture

Preserve national continuity and MoPH governance
Enforce strong isolation for public/private and independent actors
Minimize privacy and security risk while enabling countrywide care coordination

1) Decision Summary​

2) Option Definitions​

Option A: Single-Tenant National Platform​

Option B: Federated Multi-Tenant Platform​

Option C: Hybrid (Recommended)​

3) Decision Matrix​

4) Architecture Decision Rules​

5) MoPH Root Access Policy Guidance​

6) International Compliance Baseline (Government Health Context)​

7) Recommended Target State for Afghanistan Program​

7.1 Shared Platform Layer (National)​

7.2 Operational Layer (Tenant-Isolated)​

7.3 Federation Layer (Controlled Cross-Tenant)​

8) Phased Adoption Path​

Phase 1 (Fastest)​

Phase 2​

Phase 3​

9) Final Recommendation​