HIPAA Compliance

This page covers considerations for deploying CRAFT in healthcare environments where Protected Health Information (PHI) may be processed. The platform’s security architecture provides the technical controls needed to support HIPAA compliance when properly configured.
HIPAA compliance is a shared responsibility. The platform provides technical safeguards, but organizations must implement administrative safeguards (policies, training, BAAs) and physical safeguards appropriate to their deployment model. Consult with your compliance team and legal counsel.

HIPAA Applicability

HIPAA may apply when CRAFT is used to:
  • Query healthcare databases containing patient records via Data Insights
  • Profile and govern healthcare data assets via Data Governance
  • Process data from Electronic Health Records (EHR) systems
  • Generate analytics or visualizations from clinical data
In these scenarios, the platform acts as a Business Associate processing PHI on behalf of the Covered Entity (healthcare organization).

HIPAA Safeguards Mapping

Technical Safeguards (45 CFR 164.312)

| HIPAA Requirement | Section | Platform Control |
|---|---|---|
| Access control | 164.312(a)(1) | Keycloak multi-realm authentication with OIDC; OpenFGA ReBAC with role-based permissions |
| Unique user identification | 164.312(a)(2)(i) | UUID-based user identifiers in Keycloak; JWT sub claim for audit attribution |
| Emergency access procedure | 164.312(a)(2)(ii) | Admin override capabilities; Keycloak emergency access accounts. Organizations must document emergency access procedures including: invocation criteria, authorization chain, mandatory post-use audit review, and account lifecycle controls |
| Automatic logoff | 164.312(a)(2)(iii) | Session idle timeout and max duration configurable via Keycloak realm settings (Keycloak defaults: 30 min idle, 10 hr max). HIPAA deployments should configure per Minimum Viable HIPAA Configuration (15 min idle, 8 hr max recommended) |
| Encryption and decryption | 164.312(a)(2)(iv) | AES-256 encryption at rest; TLS 1.3 for external, TLS 1.2 minimum for internal |
| Audit controls | 164.312(b) | Immutable audit logs with ULID identifiers, configurable retention |
| Integrity controls | 164.312(c)(1) | Parameterized SQL queries; schema validation; Pydantic request/response validation |
| Authentication | 164.312(d) | Multi-factor authentication via Keycloak; SSO with enterprise IdPs |
| Transmission security | 164.312(e)(1) | TLS 1.3 for all external communication; TLS 1.2 minimum for internal. mTLS available via service mesh |

Administrative Safeguards (45 CFR 164.308)

These require organizational implementation supported by platform capabilities:

| HIPAA Requirement | Section | Platform Support |
|---|---|---|
| Security management process | 164.308(a)(1) | Audit logs for risk assessment; vulnerability scanning in CI/CD |
| Workforce security | 164.308(a)(3) | OpenFGA role assignments; SCIM 2.0 deprovisioning; access reviews |
| Information access management | 164.308(a)(4) | Project-level access isolation; role-based computed permissions |
| Security awareness training | 164.308(a)(5) | Organization responsibility (not platform-provided) |
| Security incident procedures | 164.308(a)(6) | OpenTelemetry trace correlation; SIEM integration via OpenTelemetry Collector |
| Contingency plan | 164.308(a)(7) | Backup/restore procedures; disaster recovery checklist; multi-zone availability |
| Evaluation | 164.308(a)(8) | Periodic access reviews; compliance reporting APIs |
| BAA with subcontractors | 164.308(b)(1) | Required with cloud providers when using managed services |

Physical Safeguards (45 CFR 164.310)

Physical safeguards are primarily the responsibility of the deployment environment:

| HIPAA Requirement | Platform Relevance |
|---|---|
| Facility access controls | Cloud provider data center security (GCP, AWS, Azure SOC 2 reports) |
| Workstation use/security | Organization responsibility for client devices |
| Device and media controls | Encryption at rest; crypto-shredding for data disposal |

PHI Data Flow Controls

When the platform processes PHI, apply these additional controls:

Data Connection Security

1. Restrict database access

   Create a dedicated read-only database user for PHI data connections. Grant access only to the specific tables and schemas needed. Never grant write access unless explicitly required.

2. Enable encryption in transit

   Set ssl_mode: verify-full on all data connections to PHI databases. This ensures encrypted connections with server identity verification.

3. Limit query scope

   Use project-level isolation to restrict which teams can query PHI databases. Assign the viewer role to analytics users who should only read query results, and developer to those who configure data connections.

4. Enable audit logging

   HIPAA requires 6-year retention for policies, procedures, and documentation (45 CFR 164.530(j)(2)). Audit log retention is a separate organizational decision based on risk assessment. Configure retention_years: 7 as a recommended default to cover both documentation and audit trail needs.

Data Minimization

| Control | Implementation |
|---|---|
| Query result retention | Configure session TTL to minimize PHI retention in platform databases |
| Cache expiration | Set Redis TTL to the minimum needed for session continuity |
| Log redaction | Ensure PHI is not logged in operational logs; limit to tenant_id and actor |
| Profiling scope | When profiling PHI databases, limit profiling to metadata (schema, statistics) rather than raw values |

Minimum Viable HIPAA Configuration

For healthcare deployments, apply these configuration overrides:
# Helm values for HIPAA-compliant deployment
security:
  tls:
    minVersion: "1.3"        # External traffic; internal defaults to 1.2 minimum
    enforceExternal: true
    # enforceInternal: true  # Requires service mesh for internal TLS 1.3

keycloak:
  sessions:
    idleTimeout: "15m"       # HIPAA automatic logoff (Keycloak default: 30m)
    maxLifespan: "8h"        # Keycloak default: 10h
  mfa:
    enabled: true
    policy: "required"       # Require MFA for all users

audit:
  retentionYears: 7          # Recommended: covers HIPAA 6-year documentation retention + buffer
  piiEncryption: true

# SIEM integration: configure OpenTelemetry Collector exporters per your SIEM provider
# otelCollector:
#   exporters:
#     syslog: { ... }       # Customer-configurable; not pre-configured

dataConnections:
  sslMode: "verify-full"     # Enforce verified SSL
  readOnly: true             # Default to read-only connections
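The data-connection steps and the Helm overrides above can be checked mechanically before a release. The following is an added example, not CRAFT's own code: it assumes the values file has already been loaded into a dict (for instance with PyYAML), and the key paths follow the values file shown on this page, while the rule table and finding text are this example's own.

```python
# Added example (not CRAFT code): a policy check over the Helm values above. The key paths
# mirror the values file on this page; the RULES table and the finding text are this example's own.
import re
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(text):
    """Parse Keycloak-style durations such as '15m' or '8h' into seconds."""
    match = re.fullmatch(r"(\d+)([smhd])", str(text).strip())
    if not match:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(match.group(1)) * _UNITS[match.group(2)]

def _lookup(values, path):
    """Walk a dotted key path; a missing key yields None so its rule reports it as unset."""
    for key in path.split("."):
        if not isinstance(values, dict) or key not in values:
            return None
        values = values[key]
    return values

# (key path, predicate on the configured value, finding text); limits follow the page's recommendations
RULES = [
    ("security.tls.minVersion", lambda v: v == "1.3", 'must be "1.3" for external traffic'),
    ("security.tls.enforceExternal", lambda v: v is True, "must be true"),
    ("keycloak.sessions.idleTimeout", lambda v: v is not None and parse_duration(v) <= 15 * 60,
     "must be 15m or less (Keycloak default 30m)"),
    ("keycloak.sessions.maxLifespan", lambda v: v is not None and parse_duration(v) <= 8 * 3600,
     "must be 8h or less (Keycloak default 10h)"),
    ("keycloak.mfa.enabled", lambda v: v is True, "must be true"),
    ("keycloak.mfa.policy", lambda v: v == "required", 'must be "required"'),
    ("audit.retentionYears", lambda v: isinstance(v, int) and v >= 7, "must be at least 7"),
    ("audit.piiEncryption", lambda v: v is True, "must be true"),
    ("dataConnections.sslMode", lambda v: v == "verify-full", 'must be "verify-full"'),
    ("dataConnections.readOnly", lambda v: v is True, "must be true"),
]

def check_hipaa_values(values):
    """Return 'path: finding' strings; an empty list means every override is in place."""
    return [f"{path}: {msg}" for path, ok, msg in RULES if not ok(_lookup(values, path))]

# Constructed samples: the overrides from this page, and a deployment left at Keycloak defaults.
HIPAA_VALUES = {
    "security": {"tls": {"minVersion": "1.3", "enforceExternal": True}},
    "keycloak": {"sessions": {"idleTimeout": "15m", "maxLifespan": "8h"},
                 "mfa": {"enabled": True, "policy": "required"}},
    "audit": {"retentionYears": 7, "piiEncryption": True},
    "dataConnections": {"sslMode": "verify-full", "readOnly": True},
}
DEFAULT_VALUES = {"keycloak": {"sessions": {"idleTimeout": "30m", "maxLifespan": "10h"}},
                  "dataConnections": {"sslMode": "require", "readOnly": False}}
```

Running the check against DEFAULT_VALUES reports every one of the ten overrides as missing or too weak, which is the state a fresh install is in before the HIPAA values are applied.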

Business Associate Agreement (BAA)

Critical for Data Insights deployments: If the platform sends PHI to a cloud-based LLM API (e.g., for natural-language analysis or metadata enrichment), a BAA with the LLM provider is required. Sending PHI to an LLM provider without a BAA is a HIPAA violation. Self-hosted LLMs (configurable via api_base) eliminate this requirement.

When using cloud-managed services with PHI, ensure BAAs are in place:

| Service | BAA Required With | Notes |
|---|---|---|
| Cloud SQL / RDS / Azure DB | Cloud provider | Covers PHI stored in managed databases |
| Memorystore / ElastiCache | Cloud provider | If PHI is cached in Redis |
| GCS / S3 / Azure Blob | Cloud provider | If PHI-derived artifacts are stored |
| Secrets backend | Infisical or GCP Secret Manager | If using hosted secrets management |
| LLM providers | LLM vendor | Required if PHI is sent to LLM APIs for analysis. See warning above |

Breach Notification

HIPAA requires notification to affected individuals within 60 calendar days of discovery of the breach (45 CFR 164.404(b)). Additionally, notification to the Secretary of HHS is required (45 CFR 164.408), and notification to prominent media outlets may be required for breaches affecting more than 500 residents of a state (45 CFR 164.406). The platform supports breach detection through:
  • Audit log analysis: Identify unauthorized access patterns via audit log queries
  • SIEM integration: Real-time forwarding of security events for anomaly detection
  • OpenTelemetry alerting: Configure alerts for unusual access patterns (high volume queries, off-hours access, privilege escalation)
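The three patterns listed above (high-volume queries, off-hours access, privilege escalation) are straightforward to express as detection logic over the audit log. The following is an added example, not CRAFT's own code: the record field names (id, ts, tenant_id, actor, action, target, role) and the thresholds are assumptions for illustration, not the platform's audit schema, and the records are constructed.

```python
# Added example (not CRAFT code): detection logic for the three patterns listed above, run
# over constructed audit records. The field names (id, ts, tenant_id, actor, action, target,
# role) and the thresholds are this example's assumptions, not the platform's audit schema.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

QUERY_BURST_LIMIT = 5                 # alert when an actor exceeds this many queries per window
BURST_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 19)         # 07:00-18:59 UTC counts as on-hours (assumption)
PRIVILEGED_ROLES = {"admin", "developer"}

def _ts(record):
    return datetime.fromisoformat(record["ts"]).astimezone(timezone.utc)

def detect(records):
    """Return (pattern, tenant_id, actor, detail) tuples worth alerting on; no PHI is needed."""
    findings, recent = [], defaultdict(list)     # recent: (tenant, actor) -> query times in window
    for rec in sorted(records, key=_ts):
        when, key = _ts(rec), (rec["tenant_id"], rec["actor"])
        if rec["action"] == "query.execute":
            recent[key] = [t for t in recent[key] if when - t <= BURST_WINDOW] + [when]
            if len(recent[key]) == QUERY_BURST_LIMIT + 1:          # fire once, as the limit is crossed
                findings.append(("high_volume_queries", *key, f"{len(recent[key])} queries in {BURST_WINDOW}"))
        if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:   # weekend or outside business hours
            findings.append(("off_hours_access", *key, rec["ts"]))
        if rec["action"] == "role.assign" and rec.get("role") in PRIVILEGED_ROLES:
            how = "self-assigned" if rec.get("target") == rec["actor"] else f"granted to {rec.get('target')}"
            findings.append(("privilege_escalation", *key, f"{rec['role']} {how}"))
    return findings

def _rec(i, ts, actor, action, **extra):
    """Build a constructed audit record; the ULID-style id is made up, and the record carries no PHI."""
    return {"id": f"01J{i:023d}", "ts": ts, "tenant_id": "t1", "actor": actor, "action": action, **extra}

SAMPLE_AUDIT = (
    [_rec(i, f"2024-06-11T09:{i:02d}:00+00:00", "u-analyst", "query.execute") for i in range(6)]  # burst
    + [_rec(10, "2024-06-11T14:00:00+00:00", "u-viewer", "query.execute")]                      # normal
    + [_rec(11, "2024-06-11T02:30:00+00:00", "u-viewer", "query.execute")]                      # off-hours
    + [_rec(12, "2024-06-11T10:00:00+00:00", "u-dev", "role.assign", target="u-dev", role="admin")]
)
```

Each finding carries only tenant_id and actor, matching the log redaction control above; the audit record id can be used to pull the full event from the immutable log during incident review.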

Next Steps

  • GDPR Compliance: Review GDPR controls that complement HIPAA requirements.
  • SOC 2 Controls: See the full SOC 2 Trust Service Criteria mapping.
  • Data Classification: Understand data classification levels for PHI handling.
  • Authentication: Configure MFA and session management for HIPAA compliance.