> ## Documentation Index
> Fetch the complete documentation index at: https://docs.emergence.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# HIPAA Compliance

> HIPAA compliance considerations for deploying CRAFT in healthcare environments with PHI data handling requirements.

# HIPAA Compliance

This page covers considerations for deploying CRAFT in healthcare environments where **Protected Health Information (PHI)** may be processed. The platform's security architecture provides the technical controls needed to support HIPAA compliance when properly configured.

<Warning>
  HIPAA compliance is a shared responsibility. The platform provides technical safeguards, but organizations must implement administrative safeguards (policies, training, BAAs) and physical safeguards appropriate to their deployment model. Consult with your compliance team and legal counsel.
</Warning>

## HIPAA Applicability

HIPAA may apply when CRAFT is used to:

* Query healthcare databases containing patient records via Data Insights
* Profile and govern healthcare data assets via Data Governance
* Process data from Electronic Health Records (EHR) systems
* Generate analytics or visualizations from clinical data

In these scenarios, the platform acts as a **Business Associate** processing PHI on behalf of the Covered Entity (healthcare organization).

## HIPAA Safeguards Mapping

### Technical Safeguards (45 CFR 164.312)

| HIPAA Requirement              | Section            | Platform Control                                                                                                                                                                                                                              |
| ------------------------------ | ------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Access control**             | 164.312(a)(1)      | Keycloak multi-realm authentication with OIDC; OpenFGA ReBAC with role-based permissions                                                                                                                                                      |
| **Unique user identification** | 164.312(a)(2)(i)   | UUID-based user identifiers in Keycloak; JWT `sub` claim for audit attribution                                                                                                                                                                |
| **Emergency access procedure** | 164.312(a)(2)(ii)  | Admin override capabilities; Keycloak emergency access accounts. Organizations must document emergency access procedures including: invocation criteria, authorization chain, mandatory post-use audit review, and account lifecycle controls |
| **Automatic logoff**           | 164.312(a)(2)(iii) | Session idle timeout and max duration configurable via Keycloak realm settings (Keycloak defaults: 30 min idle, 10 hr max). HIPAA deployments should configure per Minimum Viable HIPAA Configuration (15 min idle, 8 hr max recommended)     |
| **Encryption and decryption**  | 164.312(a)(2)(iv)  | AES-256 encryption at rest; TLS 1.3 for external, TLS 1.2 minimum for internal                                                                                                                                                                |
| **Audit controls**             | 164.312(b)         | Immutable audit logs with ULID identifiers, configurable retention                                                                                                                                                                            |
| **Integrity controls**         | 164.312(c)(1)      | Parameterized SQL queries; schema validation; Pydantic request/response validation                                                                                                                                                            |
| **Authentication**             | 164.312(d)         | Multi-factor authentication via Keycloak; SSO with enterprise IdPs                                                                                                                                                                            |
| **Transmission security**      | 164.312(e)(1)      | TLS 1.3 for all external communication; TLS 1.2 minimum for internal. mTLS available via service mesh                                                                                                                                         |

### Administrative Safeguards (45 CFR 164.308)

These require organizational implementation supported by platform capabilities:

| HIPAA Requirement                 | Section       | Platform Support                                                                |
| --------------------------------- | ------------- | ------------------------------------------------------------------------------- |
| **Security management process**   | 164.308(a)(1) | Audit logs for risk assessment; vulnerability scanning in CI/CD                 |
| **Workforce security**            | 164.308(a)(3) | OpenFGA role assignments; SCIM 2.0 deprovisioning; access reviews               |
| **Information access management** | 164.308(a)(4) | Project-level access isolation; role-based computed permissions                 |
| **Security awareness training**   | 164.308(a)(5) | Organization responsibility (not platform-provided)                             |
| **Security incident procedures**  | 164.308(a)(6) | OpenTelemetry trace correlation; SIEM integration via OpenTelemetry Collector   |
| **Contingency plan**              | 164.308(a)(7) | Backup/restore procedures; disaster recovery checklist; multi-zone availability |
| **Evaluation**                    | 164.308(a)(8) | Periodic access reviews; compliance reporting APIs                              |
| **BAA with subcontractors**       | 164.308(b)(1) | Required with cloud providers when using managed services                       |

### Physical Safeguards (45 CFR 164.310)

Physical safeguards are primarily the responsibility of the deployment environment:

| HIPAA Requirement             | Platform Relevance                                                  |
| ----------------------------- | ------------------------------------------------------------------- |
| **Facility access controls**  | Cloud provider data center security (GCP, AWS, Azure SOC 2 reports) |
| **Workstation use/security**  | Organization responsibility for client devices                      |
| **Device and media controls** | Encryption at rest; crypto-shredding for data disposal              |

## PHI Data Flow Controls

When the platform processes PHI, apply these additional controls:

### Data Connection Security

<Steps>
  <Step title="Restrict database access">
    Create a dedicated read-only database user for PHI data connections. Grant access only to the specific tables and schemas needed. Never grant write access unless explicitly required.
  </Step>

  <Step title="Enable encryption in transit">
    Set `ssl_mode: verify-full` on all data connections to PHI databases. This ensures encrypted connections with server identity verification.
  </Step>

  <Step title="Limit query scope">
    Use project-level isolation to restrict which teams can query PHI databases. Assign the `viewer` role to analytics users who should only read query results, and `developer` to those who configure data connections.
  </Step>

  <Step title="Enable audit logging">
    HIPAA requires 6-year retention for policies, procedures, and documentation (45 CFR 164.530(j)(2)). Audit log retention is a separate organizational decision based on risk assessment. Configure `retention_years: 7` as a recommended default to cover both documentation and audit trail needs.
  </Step>
</Steps>

### Data Minimization

| Control                | Implementation                                                                                        |
| ---------------------- | ----------------------------------------------------------------------------------------------------- |
| Query result retention | Configure session TTL to minimize PHI retention in platform databases                                 |
| Cache expiration       | Set Redis TTL to the minimum needed for session continuity                                            |
| Log redaction          | Ensure PHI is not logged in operational logs; limit to tenant\_id and actor                           |
| Profiling scope        | When profiling PHI databases, limit profiling to metadata (schema, statistics) rather than raw values |

## Minimum Viable HIPAA Configuration

For healthcare deployments, apply these configuration overrides:

```yaml theme={null}
# Helm values for HIPAA-compliant deployment
security:
  tls:
    minVersion: "1.3"        # External traffic; internal defaults to 1.2 minimum
    enforceExternal: true
    # enforceInternal: true  # Requires service mesh for internal TLS 1.3

keycloak:
  sessions:
    idleTimeout: "15m"       # HIPAA automatic logoff (Keycloak default: 30m)
    maxLifespan: "8h"        # Keycloak default: 10h
  mfa:
    enabled: true
    policy: "required"       # Require MFA for all users

audit:
  retentionYears: 7          # Recommended: covers HIPAA 6-year documentation retention + buffer
  piiEncryption: true

# SIEM integration: configure OpenTelemetry Collector exporters per your SIEM provider
# otelCollector:
#   exporters:
#     syslog: { ... }       # Customer-configurable; not pre-configured

dataConnections:
  sslMode: "verify-full"     # Enforce verified SSL
  readOnly: true             # Default to read-only connections
```

## Business Associate Agreement (BAA)

<Warning>
  **Critical for Data Insights deployments:** If the platform sends PHI to a cloud-based LLM API (e.g., for natural-language analysis or metadata enrichment), a BAA with the LLM provider is **required**. This is a HIPAA violation without a BAA. Self-hosted LLMs (configurable via `api_base`) eliminate this requirement.
</Warning>

When using cloud-managed services with PHI, ensure BAAs are in place:

| Service                    | BAA Required With               | Notes                                                                   |
| -------------------------- | ------------------------------- | ----------------------------------------------------------------------- |
| Cloud SQL / RDS / Azure DB | Cloud provider                  | Covers PHI stored in managed databases                                  |
| Memorystore / ElastiCache  | Cloud provider                  | If PHI is cached in Redis                                               |
| GCS / S3 / Azure Blob      | Cloud provider                  | If PHI-derived artifacts are stored                                     |
| Secrets backend            | Infisical or GCP Secret Manager | If using hosted secrets management                                      |
| LLM providers              | LLM vendor                      | **Required** if PHI is sent to LLM APIs for analysis. See warning above |

## Breach Notification

HIPAA requires notification to affected individuals within 60 calendar days of **discovery** of the breach (45 CFR 164.404(b)). Additionally, notification to the Secretary of HHS is required (45 CFR 164.408), and notification to prominent media outlets may be required for breaches affecting more than 500 residents of a state (45 CFR 164.406). The platform supports breach detection through:

* **Audit log analysis**: Identify unauthorized access patterns via audit log queries
* **SIEM integration**: Real-time forwarding of security events for anomaly detection
* **OpenTelemetry alerting**: Configure alerts for unusual access patterns (high volume queries, off-hours access, privilege escalation)

## Next Steps

<CardGroup cols={2}>
  <Card title="GDPR Compliance" icon="scale-balanced" href="/security/compliance/gdpr">
    Review GDPR controls that complement HIPAA requirements.
  </Card>

  <Card title="SOC 2 Controls" icon="clipboard-check" href="/security/compliance/soc2">
    See the full SOC 2 Trust Service Criteria mapping.
  </Card>

  <Card title="Data Classification" icon="tags" href="/security/data-classification">
    Understand data classification levels for PHI handling.
  </Card>

  <Card title="Authentication" icon="lock" href="/security/authentication">
    Configure MFA and session management for HIPAA compliance.
  </Card>
</CardGroup>
