Health System Administration

Technical guides for PIN administrators — managing users and permissions, configuring your site, connecting data sources, hardening security, and monitoring platform performance.

~22 min to read all guides
5 topics covered
Admin access required
User Management & Permissions
Invite, configure, and control access for your institution's users

As a Health System Administrator, you control which PIN members at your institution can access which modules, and at what level. All user changes are audit-logged with timestamps and your admin account ID.

Role reference
Role Registry Analytics Pharmacovigilance Admin panel
Admin Full Full Full Full
Clinician Own patients Read-only AE reporting
Researcher Consented cohort Full Signal query
PV Lead Read-only Safety views Full
Read-only View only View only

1
Open Admin → Users
Navigate to Admin Panel → Users in the Command Center. This lists all users associated with your institution, their current role, last login, and account status.
2
Invite a new user
Click + Invite User. Enter their institutional email address and select their role. The invitation email is sent immediately and expires after 72 hours. You can resend from the Users table if needed. New users must complete PIN's standard credential verification before their account is fully activated — your invitation grants institutional affiliation, not bypasses credential review.
3
Change a user's role
Click a user's name to open their profile, then use the Role dropdown to change their access tier. Changes take effect on their next page load — no sign-out required. A notification email is sent to the user informing them of the change.
4
Suspend or remove a user
To temporarily disable access, click Suspend — the user cannot log in but their data and records are preserved. To fully remove a user from your institution's PIN account, click Remove from Institution. This does not delete their PIN account or their patient data contributions — it removes their institutional affiliation and access. Use this when a clinician leaves your organisation.
5
Review the access audit log
Under Admin → Audit Log → User Access, view a timestamped record of all logins, role changes, data exports, and admin actions for your institution. Filterable by user, action type, and date range. Exportable as CSV for compliance reviews.
⚠️
Principle of least privilege Assign users the lowest role that meets their clinical or research need. Avoid assigning Admin role to users who only need to enter patient data — use Clinician instead. Admin accounts have unrestricted data export capability.
⚙️
System Configuration Guide
Tailor PIN to your institution's workflows and branding

System configuration lets you adapt PIN to your institution's structure — defining sites, configuring default workflows, setting data retention policies, and optionally adding your institution's branding to patient-facing communications.

1
Configure institution details
Navigate to Admin → Settings → Institution. Set your institution's legal name, country, primary contact, and IRB/ethics reference number. These details appear in PSUR exports and regulatory submission headers.
2
Add and manage clinical sites
If your institution has multiple sites (campuses, satellite clinics), add each under Admin → Sites → + New Site. Each site gets its own site code used in patient registration and reporting. Clinician users can be assigned to one or more sites to restrict their patient data view to their site's records.
3
Set default clinical forms
Under Admin → Settings → Clinical Forms, choose which data forms are enabled for your institution and set any institution-specific required fields. For example, you may require a local MRN field on every patient registration for cross-referencing with your EMR.
4
Configure patient portal branding
Upload your institution logo and set a display name under Admin → Settings → Patient Portal. The portal header will show your branding alongside PIN's — patients see a co-branded experience. Supported formats: PNG or SVG, max 200px height.
5
Set data retention policy
Under Admin → Settings → Data Retention, configure how long inactive patient records are retained before automatic archival. The minimum retention period is 7 years (required for clinical record compliance in most jurisdictions). Archived records remain retrievable but are removed from active analytics. Contact PIN support before reducing the retention period below your jurisdiction's legal minimum.
Configuration changes are versioned Every change to system settings is logged with the admin's account ID, timestamp, and previous value. You can review and roll back any configuration change under Admin → Audit Log → Configuration Changes.
Data Integration Setup
Connect PIN to your EMR, HL7 feeds, and FHIR endpoints

PIN supports bi-directional data integration with major EMR and EHR platforms via FHIR R4, HL7 v2, and REST API. Integrations reduce manual data entry by pulling patient demographics, medication lists, and lab results directly into the registry.

FHIR R4
Recommended for modern EMR platforms (Epic, Cerner, Meditech). Supports read and write for Patient, MedicationRequest, Observation, and Condition resources.
HL7 v2.x
ADT, ORM, and ORU message types supported. Used for legacy hospital information systems that don't yet expose FHIR endpoints.
REST API
PIN's full REST API for custom integrations. See the API documentation for full endpoint reference and authentication setup.
CSV Import
Bulk patient registration via structured CSV. Use for initial data migration from existing registries. Template available under Admin → Data Import → Download Template.

Setting up a FHIR R4 connection
1
Navigate to Admin → Integrations → + New Integration
Select FHIR R4 as the integration type. Give the integration a descriptive name (e.g. Epic FHIR — Main Campus).
2
Enter your FHIR base URL and authentication credentials
Paste your EMR's FHIR R4 base URL (e.g. https://fhir.yourhospital.org/api/FHIR/R4). Select the authentication method — Smart on FHIR (OAuth2), client credentials, or API key — and enter the relevant credentials. Credentials are encrypted at rest using AES-256.
3
Configure resource mapping
Map FHIR resource fields to PIN data fields. PIN provides a default mapping for common EMR configurations — review and adjust any fields that differ in your system's implementation. Pay particular attention to Patient.identifier — this must map to a unique, stable local patient ID.
4
Run the connection test
Click Test Connection. PIN attempts to read a single Patient resource and returns a pass/fail with the raw response for debugging. Common failures: incorrect base URL, expired credentials, or FHIR scope not granted in your EMR's app registration.
5
Set sync schedule and activate
Choose whether data syncs in real-time (on patient registration), on a nightly batch, or on-demand only. Click Activate Integration. The integration status dashboard at Admin → Integrations will show live sync counts and any errors.
ℹ️
Integration setup assistance PIN's technical onboarding team will join a call to assist with initial FHIR or HL7 integration configuration. Request this via your account manager or by contacting support with subject line Integration Setup Request.
Security Settings Management
Enforce authentication policies and protect patient data

PIN's security settings let you enforce institution-wide authentication policies, control session behaviour, configure SSO, and manage IP allowlisting — ensuring your deployment meets HIPAA, GDPR, and local clinical data governance requirements.

1
Configure password policy
Under Admin → Security → Password Policy, set minimum length (8+ recommended), complexity requirements (uppercase, number, symbol), and maximum password age before forced reset. These settings apply to all non-SSO users at your institution. PIN's default is 12 characters with complexity; you can strengthen but not weaken this.
2
Enable multi-factor authentication (MFA)
Under Admin → Security → MFA, toggle Require MFA for all users. Users will be prompted to enrol an authenticator app (TOTP) or SMS on their next login. You can also set MFA as optional (user-elected) or enforced only for Admin and PV Lead roles. Enforcing MFA for all users is strongly recommended for HIPAA compliance.
3
Configure SSO (SAML 2.0 or OIDC)
If your institution uses a central identity provider (Azure AD, Okta, Ping, Google Workspace), connect it under Admin → Security → Single Sign-On. Upload your IdP metadata XML (SAML) or enter your OIDC discovery URL. Once SSO is active, users authenticate through your IdP — PIN accounts require a matching email domain. SSO and MFA can coexist; your IdP's MFA policy takes precedence.
4
Set session timeout
Under Admin → Security → Sessions, configure the idle session timeout (15–480 minutes). The default is 60 minutes. Sessions on clinical workstations in shared environments should use shorter timeouts (15–30 minutes). Users receive a 2-minute warning before session expiry.
5
Set up IP allowlisting (optional)
To restrict access to your institution's network only, add your public IP ranges under Admin → Security → IP Allowlist. Users outside the allowlisted ranges will see an access-denied message when attempting to log in. Maintain a list of VPN exit IP addresses too, to avoid locking out remote workers.
SettingDefaultHIPAA recommendation
Min password length12 chars12+ chars
MFAOptionalEnforced for all users
Session timeout60 min15–30 min (shared workstations)
SSONot configuredRecommended for institutions with IdP
IP allowlistDisabledOptional — use if network-only access required
⚠️
Test SSO in a staging account before enforcing Misconfigured SSO can lock all users — including admins — out of the platform. Always validate your SSO configuration with a test user before enabling the "Require SSO" toggle that prevents password-based login.
Performance Monitoring
Track platform health, usage, and data quality metrics

The Admin performance dashboard gives you a real-time view of platform health at your institution — user activity, data entry rates, integration sync status, and data quality scores — without needing to contact PIN support to find out what's happening.

Platform Status
Live uptime and latency indicators for the Command Center, API, and patient portal. PIN's global status page is also available at status.pin-platform.com — bookmark it for incident monitoring independent of your admin login.
Active Users
Daily and monthly active user counts for your institution. Broken down by role. Useful for licence utilisation reviews and identifying inactive accounts to suspend.
Data Entry Rate
Registry entries per week per clinician. Low rates may indicate workflow friction — cross-reference with the incomplete drafts count to see if entries are being started but not submitted.
Data Quality Score
Percentage of patient records with all required fields complete, no validation warnings, and at least one follow-up entry. Network average shown as benchmark. A score below 70% warrants a staff training review.
Integration Sync
Last successful sync timestamp and error count for each active integration. A red indicator means the last sync failed — click to see the error log and troubleshoot the connection.

Setting up performance alerts
1
Navigate to Admin → Monitoring → Alerts
Click + New Alert to configure a threshold-based notification.
2
Choose a metric and threshold
Select the metric (e.g. integration sync failure, data quality score drop, unusual export volume) and the threshold that should trigger a notification. Recommended starting alerts: integration sync failure (immediate), data quality score below 70% (weekly digest), and 5+ failed login attempts from a single account (immediate).
3
Set recipients and delivery channel
Alerts can be sent by email to any Admin or PV Lead at your institution, or to a webhook endpoint (e.g. a Slack channel or PagerDuty integration). For critical alerts like sync failures, use both email and webhook to ensure visibility.
You're all set With users configured, the system tailored to your workflows, integrations connected, security hardened, and monitoring alerts in place, your PIN deployment is ready for full clinical use. For ongoing support, your institution's dedicated PIN account manager is your first point of contact for operational issues.