Load PHI-related secrets from a secret manager, never from code

Related rules

From the same buckets as this rule.

• Critical

  Check consent and role-based authorization before returning ePHI

  Handlers must verify the requester’s role and a valid consent/relationship (e.g., care team assignment) before disclosing ePHI; include Purpose-Of-Use in the decision and audit the outcome.

  compliance-hipaasecurity-hardening+2
• Critical

  Encrypt ePHI at rest with KMS-managed AES-256 and envelope keys

  Before persisting ePHI, encrypt using a data key protected by a Key Management Service (KMS). Use authenticated encryption (AES-256-GCM or equivalent), rotate keys, and store the key id and algorithm with the record.

  compliance-hipaasecurity-hardening+2
• High

  De-identify analytics and block PHI egress to third parties

  Any PR that adds or modifies telemetry/analytics must prove that no PHI leaves the boundary. Use irreversible tokenization or hashing (HMAC with secret salt) for identifiers and document the data dictionary.

  compliance-hipaaprivacy-pii+2