
HIPAA Compliance

HIPAA (Health Insurance Portability and Accountability Act) compliance requirements and implementation for Noumaris.

Overview

Noumaris handles Protected Health Information (PHI), making HIPAA compliance mandatory for US deployments. This document outlines technical and administrative safeguards implemented to meet HIPAA requirements.

Scope: Production deployments handling US patient data

Related: Security Practices

HIPAA Rules

Privacy Rule

  • Controls how PHI can be used and disclosed
  • Patient consent required for data collection
  • Minimum necessary standard (only access what's needed)

Security Rule

  • Requires administrative, physical, and technical safeguards
  • Focus of this document

Breach Notification Rule

  • Notify affected individuals within 60 days of breach discovery
  • Report to HHS if >500 individuals affected

Technical Safeguards

1. Access Control (§164.312(a)(1))

Requirement: Implement technical policies and procedures for electronic information systems that maintain PHI to allow access only to authorized persons.

Unique User Identification

Implementation:

  • Keycloak manages all user identities
  • Each user has unique UUID in database
  • No shared accounts or credentials
```python
from fastapi import APIRouter, Depends
router = APIRouter()
# Every endpoint requires an authenticated user (get_current_user validates the JWT)
@router.get("/documents")
async def get_documents(current_user: User = Depends(get_current_user)):
    # current_user.id is a unique UUID; filtering by it keeps access to the minimum necessary
    documents = session.query(Document).filter_by(user_id=current_user.id).all()
    return documents
```

Emergency Access Procedure

Implementation:

  • Superadmin role can access system in emergencies
  • All superadmin actions logged in PermissionChangeLog
  • Database backups allow recovery

Automatic Logoff

Implementation:

  • JWT tokens expire after 30 minutes
  • Frontend shows session timeout warning at 2 minutes before expiry
  • User automatically logged out on token expiration
```javascript
// AuthContext.jsx
const SESSION_TIMEOUT_WARNING = 2 * 60 * 1000; // warn 2 minutes before the 30-minute JWT expires
```

Encryption and Decryption

Implementation:

  • At Rest: Cloud SQL automatic encryption (AES-256)
  • In Transit: TLS 1.3 for all API calls and WebSocket connections
  • API keys stored in Secret Manager (encrypted)

2. Audit Controls (§164.312(b))

Requirement: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain PHI.

Implementation:

Application-Level Logging

  • All API requests logged with user ID and timestamp
  • WebSocket connections logged with unique connection ID
  • Permission changes logged in PermissionChangeLog table
```text
# Example audit log entries
INFO: User 123 accessed /documents/abc-def-ghi at 2025-10-21 10:30:45
INFO: Superadmin 456 changed permissions for resident 789
```

Infrastructure Logging

  • Google Cloud Logging captures all Cloud Run logs
  • Retention: 30 days for compliance
  • Searchable by user, endpoint, timestamp
```bash
# Query logs for a specific user
gcloud logging read "jsonPayload.user_id='123'" --limit 100
```

Database Audit Log

  • PermissionChangeLog table tracks:
    • Who made the change (changed_by_id)
    • What changed (old_value → new_value)
    • When (changed_at timestamp)
    • Why (change_reason)

3. Integrity (§164.312(c)(1))

Requirement: Implement policies and procedures to protect PHI from improper alteration or destruction.

Implementation:

Data Integrity

  • PostgreSQL ACID transactions ensure data consistency
  • Foreign key constraints prevent orphaned records
  • Database backups enable recovery

Version Control

  • DocumentVersion table tracks all changes to clinical notes
  • Original transcript preserved (never overwritten)
  • Audit trail of who edited what and when
```python
from sqlalchemy import Column, DateTime, ForeignKey, Integer, Text
from sqlalchemy.dialects.postgresql import UUID
# Document versioning: rows are only inserted, never updated, so the original
# transcript and every later edit stay recoverable with author and timestamp
class DocumentVersion(Base):
    __tablename__ = "document_versions"  # table name assumed; not given on this page
    id = Column(UUID, primary_key=True)
    document_id = Column(UUID, ForeignKey('clinical_documents.id'))
    version_number = Column(Integer)
    content = Column(Text)  # TipTap JSON
    created_at = Column(DateTime)
    created_by = Column(UUID, ForeignKey('users.id'))
```

Checksums (Future Enhancement)

  • Consider SHA-256 hashes for documents to detect tampering
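The following is an added example of the checksum enhancement proposed above; it is not Noumaris code. Each version record carries a SHA-256 digest over a canonical serialisation of its TipTap JSON content, and the digest also covers the previous version's digest, so both an altered stored version and a deleted one become visible on verification. The field names mirror the DocumentVersion model; the chaining of versions goes beyond the single-document hash the text suggests, and the sample content is constructed.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional


def canonical_digest(content: dict, prev_digest: Optional[str]) -> str:
    """SHA-256 over canonical JSON (sorted keys, fixed separators) plus the previous digest.

    Canonicalisation matters: the same document must hash identically regardless
    of key order or whitespace, otherwise every re-serialisation looks like tampering.
    """
    canonical = json.dumps(
        content, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")
    h = hashlib.sha256()
    h.update((prev_digest or "").encode("ascii"))  # links this version to the one before it
    h.update(b"\n")
    h.update(canonical)
    return h.hexdigest()


@dataclass
class VersionRecord:
    # Mirrors the DocumentVersion columns, plus the two integrity fields
    version_number: int
    content: dict          # TipTap JSON, constructed in the examples below
    created_by: str
    prev_digest: Optional[str]
    digest: str


def append_version(history: List[VersionRecord], content: dict, created_by: str) -> VersionRecord:
    """Append a new, never-overwritten version whose digest chains to the previous one."""
    prev = history[-1].digest if history else None
    record = VersionRecord(
        version_number=len(history) + 1,
        content=content,
        created_by=created_by,
        prev_digest=prev,
        digest=canonical_digest(content, prev),
    )
    history.append(record)
    return record


def verify_history(history: List[VersionRecord]) -> List[int]:
    """Return the version numbers whose content or chain link no longer matches.

    A changed content body fails its own digest; a removed version makes the
    next record's prev_digest disagree with the digest that precedes it.
    """
    bad = []
    expected_prev = None
    for record in history:
        if (
            record.prev_digest != expected_prev
            or canonical_digest(record.content, record.prev_digest) != record.digest
        ):
            bad.append(record.version_number)
        expected_prev = record.digest
    return bad


if __name__ == "__main__":
    history: List[VersionRecord] = []
    append_version(history, {"type": "doc", "content": [{"type": "paragraph", "text": "Original transcript"}]}, "user-1")
    append_version(history, {"type": "doc", "content": [{"type": "paragraph", "text": "Edited note"}]}, "user-2")
    print("intact:", verify_history(history))
    history[0].content["content"][0]["text"] = "Altered after the fact"
    print("after tampering with version 1:", verify_history(history))
```

Storing `digest` and `prev_digest` on the existing DocumentVersion row is enough for a periodic verification job to run `verify_history` per document; a non-empty result is an integrity incident to record under the audit controls above.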

4. Person or Entity Authentication (§164.312(d))

Requirement: Implement procedures to verify that a person or entity seeking access to PHI is the one claimed.

Implementation:

Multi-Factor Authentication

  • Keycloak supports MFA (OTP, WebAuthn)
  • Recommended for production deployments
  • Configurable per realm

Password Policies

  • Minimum 8 characters
  • Complexity requirements (uppercase, lowercase, numbers)
  • Password expiration (configurable)
  • Account lockout after failed attempts

JWT Token Validation

  • Every API request validates JWT signature against Keycloak public key
  • Tokens include user ID, roles, expiration
  • Backend rejects expired or invalid tokens
```python
import jwt  # PyJWT
from fastapi import Depends, HTTPException
# JWT validation in every request: RS256 pinned; jwt.decode checks signature and exp
def get_current_user(token: str = Depends(oauth2_scheme)):
    try:
        payload = jwt.decode(token, keycloak_public_key, algorithms=["RS256"])
    except jwt.PyJWTError:
        raise HTTPException(status_code=401, detail="Invalid or expired token")
    user_id = payload.get("sub")
    return session.query(User).filter_by(id=user_id).one()  # verify user exists and is active
```
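The following is an added, self-contained illustration of the checks the bullets above require (signature, pinned algorithm, expiry, user ID and role claims); it is not Noumaris or Keycloak code. Noumaris verifies RS256 tokens against the Keycloak public key; to run offline in one file this demo uses HS256 with a constructed shared secret, so issuing and verifying share a key. The 30-minute lifetime comes from the Automatic Logoff section; the role names are the four RBAC roles listed under Access Authorization.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the demo (assumption); production uses Keycloak's RS256 key pair
SECRET = b"constructed-demo-secret-not-for-production"
TOKEN_TTL_SECONDS = 30 * 60  # 30-minute lifetime, matching the Automatic Logoff section


class TokenError(Exception):
    """Raised for any token the backend must reject."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    """JSON-encode a header or payload and base64url it (compact separators as JWT libraries do)."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(user_id: str, roles: list, now: int) -> str:
    """Build an HS256 JWT carrying the claims the text lists: user ID, roles, expiry."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "roles": roles, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    signing_input = encode_part(header) + "." + encode_part(payload)
    return signing_input + "." + b64url_encode(sign(signing_input))


def verify_token(token: str, now: int) -> dict:
    """Return the claims if the token is well formed, signed with our key and unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how to check, never the token's own header
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    if not hmac.compare_digest(sign(f"{header_b64}.{payload_b64}"), b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    exp = payload.get("exp")
    # Rejecting expired tokens is what produces the automatic logoff on the client
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("token expired")
    if not payload.get("sub"):
        raise TokenError("missing subject")
    return payload


def has_role(payload: dict, role: str) -> bool:
    """Role check for the RBAC roles (superadmin, institution_admin, resident, user)."""
    return role in payload.get("roles", [])


def check(token: str, now: int) -> str:
    """Classify a token the way a request handler would: 'ok' or the rejection reason."""
    try:
        verify_token(token, now)
        return "ok"
    except TokenError as exc:
        return str(exc)


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token("123", ["resident"], now)
    print(check(token, now + 60), "/", check(token, now + TOKEN_TTL_SECONDS + 1))
```

The order of checks is deliberate: the signature is verified before any claim is trusted, and the algorithm is fixed by the verifier rather than read from the header, so a token that names a different algorithm is rejected without ever reaching the signature step.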

5. Transmission Security (§164.312(e)(1))

Requirement: Implement technical security measures to guard against unauthorized access to PHI being transmitted over an electronic communications network.

Implementation:

TLS Encryption

  • All production traffic over HTTPS/WSS
  • TLS 1.3 (most secure version)
  • Valid SSL certificates from Let's Encrypt
```text
# Cloud Run automatic TLS
https://api.noumaris.com  # ✅ Encrypted
wss://api.noumaris.com/transcribe  # ✅ Encrypted WebSocket
```

API Communication

  • Frontend → Backend: HTTPS with JWT in Authorization header
  • Backend → Deepgram: WSS (encrypted WebSocket)
  • Backend → Claude: HTTPS
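As an added example (not Noumaris code), the transport policy stated in the two lists above, expressed as code the backend could run at startup: every outbound endpoint must use `https` or `wss`, and the client TLS context refuses anything below TLS 1.3 while keeping certificate and hostname verification on. The endpoint URLs in `OUTBOUND_ENDPOINTS` are constructed placeholders, not the real vendor addresses.

```python
import ssl
from typing import Dict, List
from urllib.parse import urlsplit

# Only these schemes may carry PHI (the cleartext http/ws equivalents are refused)
SECURE_SCHEMES = {"https", "wss"}

# Outbound services from the API Communication list; URLs are constructed placeholders
OUTBOUND_ENDPOINTS: Dict[str, str] = {
    "deepgram": "wss://transcription.placeholder.example/v1/listen",
    "claude": "https://llm.placeholder.example/v1/messages",
}


def is_secure_url(url: str) -> bool:
    """True only for https/wss URLs with a host; scheme comparison is case-insensitive."""
    parts = urlsplit(url)
    return parts.scheme.lower() in SECURE_SCHEMES and bool(parts.hostname)


def require_secure_url(url: str) -> str:
    """Fail fast rather than silently falling back to a cleartext connection."""
    if not is_secure_url(url):
        raise ValueError(f"refusing cleartext or malformed endpoint: {url}")
    return url


def validate_endpoints(endpoints: Dict[str, str]) -> List[str]:
    """Return the names of configured endpoints that violate the policy (empty means compliant)."""
    return sorted(name for name, url in endpoints.items() if not is_secure_url(url))


def hardened_client_context() -> ssl.SSLContext:
    """Client-side TLS context matching the text: TLS 1.3 floor, certificate and hostname checks."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


if __name__ == "__main__":
    print("policy violations:", validate_endpoints(OUTBOUND_ENDPOINTS))
    print("TLS floor:", hardened_client_context().minimum_version.name)
```

Pass `hardened_client_context()` as the `ssl` argument of the HTTP or WebSocket client in use; the scheme check catches configuration mistakes (a `ws://` URL pasted into an environment variable) before any connection is attempted.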

Network Isolation

  • Cloud SQL uses private IP (VPC)
  • Backend connects via VPC connector (no public internet)
  • Database not accessible from public internet

```text
Frontend → [Internet] → Cloud Run → [VPC Connector] → Cloud SQL
                 ↑ TLS                        ↑ Private network
```

Administrative Safeguards

1. Security Management Process

Implementation:

  • Regular security reviews (quarterly)
  • Incident response plan (see below)
  • Risk assessment before major changes

2. Assigned Security Responsibility

Roles:

  • Security Officer: Responsible for security policies and compliance
  • Superadmin: Technical implementation and monitoring
  • Institution Admin: Institution-level access control

3. Workforce Training

Required:

  • HIPAA awareness training for all team members
  • PHI handling procedures
  • Incident reporting process

4. Contingency Plan

Implementation:

Data Backup

  • Cloud SQL automatic daily backups
  • Retention: 7 days (configurable)
  • Point-in-time recovery available
```bash
# Create an on-demand backup
gcloud sql backups create --instance noumaris-production

# Restore from a backup
gcloud sql backups restore BACKUP_ID --backup-instance noumaris-production
```

Disaster Recovery

  • Multi-region deployment (Canada + US)
  • Database replication for high availability
  • Cloud Run auto-scaling handles traffic spikes

5. Access Authorization/Establishment

Implementation:

  • RBAC: 4 roles (superadmin, institution_admin, resident, user)
  • Institution admins manage resident permissions
  • Principle of least privilege (residents have restricted access)

Physical Safeguards

1. Facility Access Controls

Implementation (Google Cloud):

  • Google datacenters have physical security (badges, cameras, guards)
  • SOC 2 Type II certified
  • ISO 27001 certified

2. Workstation Use & Security

Policy:

  • Developers must use encrypted laptops
  • Lock screen when away from desk
  • No PHI stored on local machines (only in production database)

3. Device and Media Controls

Implementation:

  • No removable media used in production
  • Database exports encrypted before transmission
  • Old backups securely deleted

Business Associate Agreements (BAAs)

Noumaris must have BAAs with all vendors that handle PHI:

Required BAAs

| Vendor | Service | BAA Status |
|---|---|---|
| Google Cloud | Infrastructure (Cloud Run, Cloud SQL) | ✅ Available (sign via console) |
| Anthropic | Claude AI (note generation) | ✅ Available (enterprise plan) |
| Deepgram | Transcription | ✅ Available (enterprise plan) |

BAA Requirements

  • Vendor agrees to safeguard PHI
  • Report breaches to Noumaris within 24 hours
  • Allow Noumaris to audit compliance
  • Return or destroy PHI at contract termination

Action: Sign BAA with each vendor before processing production PHI

Data Encryption

At Rest

Implementation:

  • Database: Cloud SQL automatic encryption (AES-256)
  • Backups: Encrypted automatically
  • Secrets: Secret Manager encryption

Key Management:

  • Google-managed encryption keys (default)
  • Customer-managed keys (CMEK) available for enhanced control

In Transit

Implementation:

  • API calls: HTTPS (TLS 1.3)
  • WebSocket: WSS (TLS 1.3)
  • Database connection: Encrypted via VPC (private network)

Breach Notification Procedure

Detection

  1. Monitor logs for suspicious activity
  2. Alerts for failed login attempts, mass data access
  3. Regular security audits
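The following is an added example (not Noumaris code) that ties the Application-Level Logging section to the detection steps above: audit events are emitted as one JSON object per line carrying identifiers only (user, action, resource, outcome, timestamp) and never document contents, and two rules then run over them, a burst of failed logins from one account and mass data access by one account within a window. `query_by_user` is the in-process equivalent of the `jsonPayload.user_id='123'` log query shown earlier. The thresholds, window and sample log are constructed, not values the page specifies.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set

# Constructed thresholds (assumptions); tune them against real traffic
FAILED_LOGIN_THRESHOLD = 5
MASS_ACCESS_THRESHOLD = 50
WINDOW = timedelta(minutes=10)


def audit_event(user_id: str, action: str, resource: str, ts: datetime, outcome: str = "success") -> str:
    """One JSON line per event; identifiers only, no PHI (minimum-necessary applies to logs too)."""
    return json.dumps(
        {"ts": ts.isoformat(), "user_id": user_id, "action": action, "resource": resource, "outcome": outcome},
        sort_keys=True,
    )


def parse_events(lines: Iterable[str]) -> List[dict]:
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def query_by_user(lines: Iterable[str], user_id: str) -> List[dict]:
    """Equivalent of the gcloud query jsonPayload.user_id='<id>'."""
    return [ev for ev in parse_events(lines) if ev["user_id"] == user_id]


def burst_users(events: List[dict], threshold: int, window: timedelta) -> Set[str]:
    """Sliding window per user: flag anyone with >= threshold events inside any window."""
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        by_user[ev["user_id"]].append(ev["ts"])
    flagged = set()
    for user_id, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user_id)
                break
    return flagged


def detect(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Run the two detection rules from the Breach Notification 'Detection' list."""
    events = parse_events(lines)
    failed_logins = [e for e in events if e["action"] == "login" and e["outcome"] == "failure"]
    reads = [e for e in events if e["action"] == "read"]
    return {
        "failed_login_burst": sorted(burst_users(failed_logins, FAILED_LOGIN_THRESHOLD, WINDOW)),
        "mass_data_access": sorted(burst_users(reads, MASS_ACCESS_THRESHOLD, WINDOW)),
    }


# Constructed sample log: a normal user, a failed-login burst, and a bulk read
_T0 = datetime(2025, 10, 21, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_LOG: List[str] = (
    [audit_event("123", "read", f"/documents/doc-{i}", _T0 + timedelta(minutes=i)) for i in range(3)]
    + [audit_event("456", "login", "/auth/token", _T0 + timedelta(seconds=20 * i), outcome="failure") for i in range(6)]
    + [audit_event("789", "read", f"/documents/doc-{i}", _T0 + timedelta(seconds=5 * i)) for i in range(60)]
)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Keeping the resource field to a document identifier rather than a title or excerpt is what lets these logs sit in Cloud Logging for the 30-day retention period without themselves becoming a PHI store; the same detection can be expressed as a log-based alert once the event shape is fixed.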

Assessment (within 24 hours)

  1. Determine if breach occurred
  2. Identify PHI affected
  3. Estimate number of individuals impacted

Notification (within 60 days)

  1. Individuals: Email notification with details
  2. HHS: Report via HHS Breach Portal
  3. Media: If >500 individuals, notify prominent media outlets

Documentation

  • Log all breach incidents
  • Document investigation and response
  • Update security measures to prevent recurrence

Incident Response Plan

1. Identification

  • Unusual API activity (mass data access)
  • Failed authentication attempts
  • Reports from users

2. Containment

  • Revoke compromised JWT tokens
  • Disable affected user accounts
  • Isolate affected systems

3. Investigation

  • Review audit logs
  • Determine scope of access
  • Identify root cause

4. Remediation

  • Patch vulnerabilities
  • Update security policies
  • Re-deploy if needed

5. Communication

  • Notify affected users
  • Report to authorities if required
  • Internal post-mortem

Compliance Checklist

Pre-Production

  • [ ] Sign BAAs with Google Cloud, Anthropic, Deepgram
  • [ ] Enable Cloud SQL encryption
  • [ ] Configure TLS for all endpoints
  • [ ] Set up audit logging (30-day retention)
  • [ ] Implement JWT token expiration (30 min)
  • [ ] Configure Keycloak password policies
  • [ ] Test backup and restore procedures
  • [ ] Document incident response plan
  • [ ] Train team on HIPAA requirements

Ongoing (Monthly)

  • [ ] Review audit logs for anomalies
  • [ ] Check for security updates (Dependabot)
  • [ ] Verify backups are working
  • [ ] Test disaster recovery plan

Ongoing (Quarterly)

  • [ ] Security risk assessment
  • [ ] Review and update policies
  • [ ] Access control audit (remove inactive users)
  • [ ] BAA renewal check

Annual

  • [ ] HIPAA compliance audit (consider third-party)
  • [ ] Penetration testing
  • [ ] Workforce HIPAA training
  • [ ] Business continuity plan review

Compliance Gaps & Future Work

Current Limitations

  1. MFA not enforced - Recommend enabling for production
  2. No intrusion detection - Consider AWS GuardDuty equivalent for GCP
  3. Limited data retention policies - Define retention periods for different data types
  4. No PHI de-identification - Consider anonymization for analytics

Roadmap

Q1 2026:

  • Enforce MFA for all users
  • Implement automated security scanning (SAST/DAST)
  • Data retention policy enforcement

Q2 2026:

  • Third-party HIPAA audit
  • Penetration testing
  • SOC 2 Type II certification (Noumaris as organization)

Internal documentation for Noumaris platform