CriticalFile-scopeKotlin Plug & play

Check consent and role-based authorization before returning ePHI

Handlers must verify the requester’s role and a valid consent/relationship (e.g., care team assignment) before disclosing ePHI; include Purpose-Of-Use in the decision and audit the outcome.

Add to Mesrai Open workspace

Why this matters

HIPAA requires access control and disclosure tracking to limit ePHI to authorized use.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

get("/patients/{id}") { call.respond(repo.find(call.parameters["id"])) }

Prefer

get("/patients/{id}") { val id = call.parameters["id"]!!; require(authz.canView(user, id, call.request.headers["Purpose-Of-Use"])) ; audit.write(ReadPhi(user.id,id)); call.respond(repo.findView(id)) }

More snippets

Bad

respond(patient) // no authz

Good

if (authz.canView(user,id,pou)) respond(view)

Related rules

From the same buckets as this rule.

Critical
Encrypt ePHI at rest with KMS-managed AES-256 and envelope keys
Before persisting ePHI, encrypt using a data key protected by a Key Management Service (KMS). Use authenticated encryption (AES-256-GCM or equivalent), rotate keys, and store the key id and algorithm with the record.
compliance-hipaasecurity-hardening+2
High
De-identify analytics and block PHI egress to third parties
Any PR that adds or modifies telemetry/analytics must prove that no PHI leaves the boundary. Use irreversible tokenization or hashing (HMAC with secret salt) for identifiers and document the data dictionary.
compliance-hipaaprivacy-pii+2
High
Do not log PHI; mask and drop sensitive fields
Never write Protected Health Information (PHI/ePHI) to logs. Redact fields like name, SSN, MRN, DOB, address, diagnoses, and lab results; store only non-identifying metadata and a stable request trace id. If logging is required for troubleshooting, replace values with consistent tokens and record access separately in the audit log.
compliance-hipaaobservability-logging+2

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

get("/patients/{id}") { call.respond(repo.find(call.parameters["id"])) }

Prefer

get("/patients/{id}") { val id = call.parameters["id"]!!; require(authz.canView(user, id, call.request.headers["Purpose-Of-Use"])) ; audit.write(ReadPhi(user.id,id)); call.respond(repo.findView(id)) }

More snippets

Bad

respond(patient) // no authz

Good

if (authz.canView(user,id,pou)) respond(view)

Related rules

From the same buckets as this rule.

Critical

Encrypt ePHI at rest with KMS-managed AES-256 and envelope keys

Before persisting ePHI, encrypt using a data key protected by a Key Management Service (KMS). Use authenticated encryption (AES-256-GCM or equivalent), rotate keys, and store the key id and algorithm with the record.

compliance-hipaasecurity-hardening+2

High

De-identify analytics and block PHI egress to third parties

Any PR that adds or modifies telemetry/analytics must prove that no PHI leaves the boundary. Use irreversible tokenization or hashing (HMAC with secret salt) for identifiers and document the data dictionary.

compliance-hipaaprivacy-pii+2

High

Do not log PHI; mask and drop sensitive fields

Never write Protected Health Information (PHI/ePHI) to logs. Redact fields like name, SSN, MRN, DOB, address, diagnoses, and lab results; store only non-identifying metadata and a stable request trace id. If logging is required for troubleshooting, replace values with consistent tokens and record access separately in the audit log.

compliance-hipaaobservability-logging+2