Ensure HIPAA compliance when handling PHI (Protected Health Information). Use when writing code that accesses user health data, check-ins, journal entries, or any sensitive information. Activates for audit logging, data access, security events, and compliance questions.
This skill helps you maintain HIPAA compliance when developing features that handle Protected Health Information (PHI).
| Data Type | PHI Status | Handling |
|---|---|---|
| Check-in mood/cravings | PHI | Audit all access |
| Journal entries | PHI | Audit all access |
| Chat conversations | PHI | Audit all access |
| User profile (name, email) | PHI | Audit modifications |
| Sobriety date | PHI | Audit access |
| Emergency contacts | PHI | Audit access |
| Usage analytics (aggregated) | NOT PHI | No audit needed |
| Page views (no content) | NOT PHI |
| No audit needed |
Always log these operations:
Use the audit logging utilities in src/lib/hipaa/audit.ts:
import {
logPHIAccess,
logPHIModification,
logSecurityEvent,
logAdminAction
} from '@/lib/hipaa/audit';
// Viewing PHI
await logPHIAccess(
userId,
'checkin', // targetType
checkinId, // targetId
AuditAction.PHI_VIEW
);
// Modifying PHI
await logPHIModification(
userId,
'journal',
journalId,
AuditAction.PHI_UPDATE,
{ field: 'content' } // Never include actual content!
);
// Security event
await logSecurityEvent(
userId,
AuditAction.RATE_LIMIT,
{ path: '/api/chat', attempts: 60 }
);
// Admin action
await logAdminAction(
adminId,
AuditAction.ADMIN_USER_VIEW,
'user',
targetUserId
);
The audit system automatically sanitizes, but be explicit:
// BAD - Contains PHI
await logPHIAccess(userId, 'journal', id, action, {
content: journalEntry.content // NEVER DO THIS
});
// GOOD - Only metadata
await logPHIAccess(userId, 'journal', id, action, {
wordCount: journalEntry.content.length,
hasAttachments: false
});
password, token, secret, keyauthorization, cookie, sessioncredential, content, message, notesFrom src/lib/auth.ts:
import { getSession, requireAuth } from '@/lib/auth';
import { logPHIAccess } from '@/lib/hipaa/audit';
export async function GET(request: Request) {
const session = await getSession();
if (!session) {
return Response.json({ error: 'Unauthorized' }, { status: 401 });
}
// Fetch the data
const data = await fetchUserData(session.userId);
// Log the access
await logPHIAccess(
session.userId,
'userdata',
session.userId,
AuditAction.PHI_VIEW
);
return Response.json(data);
}
'use client';
import { useEffect } from 'react';
export function JournalViewer({ entryId }: { entryId: string }) {
useEffect(() => {
// Log view on mount (server-side preferred, but client backup)
fetch('/api/audit/log', {
method: 'POST',
body: JSON.stringify({
action: 'PHI_VIEW',
targetType: 'journal',
targetId: entryId
})
});
}, [entryId]);
// ... render
}
Before shipping any feature that touches PHI:
audit_log table in databaseFor emergency situations, use break-glass access:
import { requestBreakGlassAccess } from '@/lib/hipaa/break-glass';
// This creates enhanced audit trail
const access = await requestBreakGlassAccess(
adminId,
targetUserId,
'Emergency support required - user reported crisis'
);
Break glass access:
docs/INCIDENT-RESPONSE-PLAN.mddocs/SECURITY-HARDENING.md