HIPAA Compliance Overview
HIPAA posture is baked into the code patterns + CI gates + harness hooks, not retrofitted as a review checklist. Every change either conforms to the compliance model or is refused at the moment of authorship.
The 5 constitutional principles
Source: .specify/memory/constitution.md
17 Phase-4 hard rules
Each mapped to a T-id + compliance probe + path trigger. Full table at CLAUDE.md § Phase 4 hard rules.
See Phase-4 rules for the detailed list.
Enforcement layers
Key architectural features
- Envelope encryption at the repository boundary — every PHI write routes through `FieldEncryptionService.encryptField()`. A direct `db.collection.insertOne(plaintext)` is impossible; the repo wrapper refuses.
- Hash-chained audit by default — every request to a PHI route emits `AuditService.append()` with `seq + prevHash + eventHash` via JCS + SHA-256.
- Fail-closed BAA registry — every outbound PHI-capable vendor lives in `apps/api/src/config/baa-registry.yml`. `BaaRegistry.assertCovered()` runs at service start. Missing → refuse start in prod.
- `@phi_repository` decorator — consent scope evaluated per-request at the repo boundary. No stale caches.
- No-PHI-in-logs grep — CI gate fails on any log statement interpolating DTO/body fields associated with PHI.
Certifications + legal
- HIPAA Security Rule + Privacy Rule — enforced by code patterns (not review checklists)
- 21st Century Cures Act CDS exemption — every AI response carries `fda_cds_exemption_ref` metadata + per-feature audit event
- State privacy laws — per-deployment allowlists + configurable retention + right-to-erasure flows
- BAAs: 8+ vendors currently registered (MongoDB Atlas, Azure, OpenAI, Google Cloud, Epic, Google Workspace, NEJM, Slice 2d/2e publishers in `pending_compliance` during dev phase)
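The fail-closed BAA registry check from the architectural features and the `pending_compliance` status noted above, as an added example that is not the project's `BaaRegistry` code. The registry shape, the status vocabulary, the vendor ids and the list of outbound vendors are all constructed for illustration (the page does not reproduce `baa-registry.yml`); the behaviour shown is the one the page states: a vendor that is missing from the registry refuses start, and in production only a fully covered vendor counts.

```javascript
// Added example (not the project's BaaRegistry): fail-closed coverage check
// run at service start. Assumed statuses: "active" (BAA in force) and
// "pending_compliance" (tolerated outside production only).
const BAA_STATUSES = new Set(["active", "pending_compliance"]);

// Constructed registry, standing in for the parsed baa-registry.yml.
const SAMPLE_REGISTRY = {
  vendors: [
    { id: "mongodb-atlas", status: "active" },
    { id: "openai", status: "active" },
    { id: "example-publisher", status: "pending_compliance" },
  ],
};

// Constructed list of vendors the service would send PHI to at runtime.
const PHI_OUTBOUND_VENDORS = ["mongodb-atlas", "openai", "example-publisher"];

// Returns { ok: true } or { ok: false, violations: [...] }.
// Fail-closed rules: absent from registry -> violation in every environment;
// unknown status -> violation in every environment; non-"active" -> violation
// in production only (pending_compliance is accepted during dev).
function assertCovered(registry, outboundVendors, env) {
  const byId = new Map((registry.vendors || []).map((v) => [v.id, v]));
  const violations = [];
  for (const id of outboundVendors) {
    const entry = byId.get(id);
    if (!entry) {
      violations.push({ vendor: id, reason: "not in registry" });
      continue;
    }
    if (!BAA_STATUSES.has(entry.status)) {
      violations.push({ vendor: id, reason: `unknown status ${entry.status}` });
      continue;
    }
    if (env === "production" && entry.status !== "active") {
      violations.push({ vendor: id, reason: `status ${entry.status} not allowed in production` });
    }
  }
  return violations.length === 0 ? { ok: true } : { ok: false, violations };
}

// Startup gate: throw (refuse to start) instead of logging and continuing, so a
// misconfigured deployment never serves PHI traffic.
function startupGate(registry, outboundVendors, env) {
  const result = assertCovered(registry, outboundVendors, env);
  if (!result.ok) {
    const list = result.violations.map((v) => `${v.vendor}: ${v.reason}`).join("; ");
    throw new Error(`BAA coverage check failed, refusing to start: ${list}`);
  }
  return true;
}
```

The design point is the default for the unknown case: a vendor that is not in the registry, or whose status the code does not recognise, is treated as uncovered rather than skipped, which is what makes the check fail-closed instead of merely advisory.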
Subsections
- Phase-4 rules — the 17 hard rules mapped to T-ids + probes
- Audit chain — hash-chained tamper-evident audit (cross-refs the architecture doc)
- Consent model — 5 consent paths + resolution order
- BAA registry — vendor-by-vendor BAA status