Privacy architecture
OHPAH is architecturally designed so individual records never reach department leadership or insurance. You own your record. Leadership sees aggregate data only. This is not a policy. It is how the system is built.
The guarantees
No supervisor, chief, or officer can open your individual record. Leadership only ever receives department-level aggregates — never a name, never a number tied to you.
Your Fire Exposure Score, Sleep Debt Index, biometrics, and call history are not shared with insurers. Your record is yours to bring forward if and when you choose to.
Department views are limited to grouped trends held to a minimum cohort size, so no individual can be reverse-engineered out of an aggregate.
It follows the firefighter, not the department. You can carry it across stations and across a career — because it was always yours.
Why it holds
A privacy policy is a promise — and a promise can be rewritten. OHPAH does not ask you to trust a promise. Individual records live behind a boundary that leadership and insurance systems simply cannot reach into; the only thing that ever crosses it is an aggregate.
That means the guarantee doesn’t depend on who is running the department, what a future policy says, or whether anyone remembers to keep their word. The data can’t flow where it isn’t built to flow. Restraint is the design.
You own your record. Always.
Request access