HighFile-scopeJavaScript / TypeScript Plug & play

Write immutable audit logs for all ePHI access

For any handler that reads or writes ePHI, write an append-only audit record with user id, patient id, action (READ_PHI/WRITE_PHI), purpose-of-use, timestamp, and request id. Prevent deletion or mutation of audit entries.

Add to Mesrai Open workspace

Why this matters

HIPAA requires traceability of PHI access; robust audit trails support detection and incident response.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

app.get('/patients/:id', async (req,res)=>{ const p=await repo.find(req.params.id); res.json(p); })

Prefer

app.get('/patients/:id', async (req,res)=>{ const p=await repo.findMinimal(req.params.id); await auditLog.write({action:'READ_PHI', user:req.user.sub, patient:req.params.id, pou:req.get('Purpose-Of-Use'), rid:req.id}); res.json(p); })

More snippets

Bad

return repo.find(id) // no audit

Good

await auditLog.write({action:'READ_PHI',user:sub,patient:id})

Related rules

From the same buckets as this rule.

Critical
Check consent and role-based authorization before returning ePHI
Handlers must verify the requester’s role and a valid consent/relationship (e.g., care team assignment) before disclosing ePHI; include Purpose-Of-Use in the decision and audit the outcome.
compliance-hipaasecurity-hardening+2
Critical
Encrypt ePHI at rest with KMS-managed AES-256 and envelope keys
Before persisting ePHI, encrypt using a data key protected by a Key Management Service (KMS). Use authenticated encryption (AES-256-GCM or equivalent), rotate keys, and store the key id and algorithm with the record.
compliance-hipaasecurity-hardening+2
High
De-identify analytics and block PHI egress to third parties
Any PR that adds or modifies telemetry/analytics must prove that no PHI leaves the boundary. Use irreversible tokenization or hashing (HMAC with secret salt) for identifiers and document the data dictionary.
compliance-hipaaprivacy-pii+2

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

app.get('/patients/:id', async (req,res)=>{ const p=await repo.find(req.params.id); res.json(p); })

Prefer

app.get('/patients/:id', async (req,res)=>{ const p=await repo.findMinimal(req.params.id); await auditLog.write({action:'READ_PHI', user:req.user.sub, patient:req.params.id, pou:req.get('Purpose-Of-Use'), rid:req.id}); res.json(p); })

More snippets

Bad

return repo.find(id) // no audit

Good

await auditLog.write({action:'READ_PHI',user:sub,patient:id})

Related rules

From the same buckets as this rule.

Critical

Check consent and role-based authorization before returning ePHI

Handlers must verify the requester’s role and a valid consent/relationship (e.g., care team assignment) before disclosing ePHI; include Purpose-Of-Use in the decision and audit the outcome.

compliance-hipaasecurity-hardening+2

Critical

Encrypt ePHI at rest with KMS-managed AES-256 and envelope keys

Before persisting ePHI, encrypt using a data key protected by a Key Management Service (KMS). Use authenticated encryption (AES-256-GCM or equivalent), rotate keys, and store the key id and algorithm with the record.

compliance-hipaasecurity-hardening+2

High

De-identify analytics and block PHI egress to third parties

Any PR that adds or modifies telemetry/analytics must prove that no PHI leaves the boundary. Use irreversible tokenization or hashing (HMAC with secret salt) for identifiers and document the data dictionary.

compliance-hipaaprivacy-pii+2