{ "name": "hipaa-v1", "version": "2.0.0", "description": "Comprehensive HIPAA Privacy & Security Rule compliance for healthcare AI agents - 76 constraints including 2025 Security Rule updates, AI governance, BAA requirements, telehealth, and special protections (42 CFR Part 2, GINA)", "constraints": [ { "id": "PHI_NAME_DISCLOSURE", "category": "PHI Detection", "description": "Patient name must not be disclosed to unauthorized recipients", "formula_readable": "¬(has_patient_name ∧ ¬recipient_authorized)", "formula": { "or": [ {"==": ["has_patient_name", false]}, {"==": ["recipient_authorized", true]} ] }, "variables": [ {"name": "has_patient_name", "type": "bool"}, {"name": "recipient_authorized", "type": "bool"} ], "error_message": "Patient name disclosed without authorization", "citation": "HIPAA §164.502(a)(1)" }, { "id": "PHI_DOB_DISCLOSURE", "category": "PHI Detection", "description": "Date of birth must be de-identified or authorized", "formula_readable": "¬(has_dob ∧ ¬is_deidentified)", "formula": { "or": [ {"==": ["has_dob", false]}, {"==": ["is_deidentified", true]} ] }, "variables": [ {"name": "has_dob", "type": "bool"}, {"name": "is_deidentified", "type": "bool"} ], "error_message": "Date of birth disclosed without de-identification", "citation": "HIPAA §164.514(b)" }, { "id": "PHI_ADDRESS_DISCLOSURE", "category": "PHI Detection", "description": "Street address must not be disclosed", "formula_readable": "¬has_street_address", "formula": {"==": ["has_street_address", false]}, "variables": [ {"name": "has_street_address", "type": "bool"} ], "error_message": "Street address disclosed - HIPAA violation", "citation": "HIPAA §164.514(b)(2)(i)(B)" }, { "id": "PHI_PHONE_DISCLOSURE", "category": "PHI Detection", "description": "Phone numbers must not be disclosed", "formula_readable": "¬has_phone_number", "formula": {"==": ["has_phone_number", false]}, "variables": [ {"name": "has_phone_number", "type": "bool"} ], "error_message": "Phone number disclosed - HIPAA violation", "citation": "HIPAA §164.514(b)(2)(i)(D)" }, { "id": "PHI_SSN_ZERO_TOLERANCE", "category": "PHI Detection", "description": "Social Security Numbers are strictly prohibited", "formula_readable": "¬has_ssn", "formula": {"==": ["has_ssn", false]}, "variables": [ {"name": "has_ssn", "type": "bool"} ], "error_message": "SSN disclosed - Critical HIPAA violation", "citation": "HIPAA §164.514(b)(2)(i)(L)" }, { "id": "PHI_MRN_ZERO_TOLERANCE", "category": "PHI Detection", "description": "Medical Record Numbers must not be disclosed externally", "formula_readable": "¬(has_mrn ∧ recipient_external)", "formula": { "or": [ {"==": ["has_mrn", false]}, {"==": ["recipient_external", false]} ] }, "variables": [ {"name": "has_mrn", "type": "bool"}, {"name": "recipient_external", "type": "bool"} ], "error_message": "Medical Record Number disclosed to external party", "citation": "HIPAA §164.514(b)(2)(i)(N)" }, { "id": "PHI_EMAIL_DISCLOSURE", "category": "PHI Detection", "description": "Email addresses must not be disclosed", "formula_readable": "¬has_email", "formula": {"==": ["has_email", false]}, "variables": [ {"name": "has_email", "type": "bool"} ], "error_message": "Email address disclosed - HIPAA violation", "citation": "HIPAA §164.514(b)(2)(i)(E)" }, { "id": "PHI_DEVICE_ID_DISCLOSURE", "category": "PHI Detection", "description": "Device identifiers must not be disclosed", "formula_readable": "¬has_device_id", "formula": {"==": ["has_device_id", false]}, "variables": [ {"name": "has_device_id", "type": "bool"} ], "error_message": "Device identifier disclosed", "citation": "HIPAA §164.514(b)(2)(i)(P)" }, { "id": "PHI_URL_DISCLOSURE", "category": "PHI Detection", "description": "URLs containing patient identifiers prohibited", "formula_readable": "¬has_patient_url", "formula": {"==": ["has_patient_url", false]}, "variables": [ {"name": "has_patient_url", "type": "bool"} ], "error_message": "Patient-identifying URL disclosed", "citation": "HIPAA §164.514(b)(2)(i)(O)" }, { "id": "PHI_IP_ADDRESS_DISCLOSURE", "category": "PHI Detection", "description": "IP addresses must not be disclosed", "formula_readable": "¬has_ip_address", "formula": {"==": ["has_ip_address", false]}, "variables": [ {"name": "has_ip_address", "type": "bool"} ], "error_message": "IP address disclosed", "citation": "HIPAA §164.514(b)(2)(i)(O)" }, { "id": "PHI_BIOMETRIC_DISCLOSURE", "category": "PHI Detection", "description": "Biometric identifiers prohibited", "formula_readable": "¬has_biometric", "formula": {"==": ["has_biometric", false]}, "variables": [ {"name": "has_biometric", "type": "bool"} ], "error_message": "Biometric identifier disclosed", "citation": "HIPAA §164.514(b)(2)(i)(Q)" }, { "id": "PHI_PHOTO_DISCLOSURE", "category": "PHI Detection", "description": "Full-face photographs prohibited", "formula_readable": "¬has_photo_reference", "formula": {"==": ["has_photo_reference", false]}, "variables": [ {"name": "has_photo_reference", "type": "bool"} ], "error_message": "Photo reference disclosed", "citation": "HIPAA §164.514(b)(2)(i)(R)" }, { "id": "PHI_VEHICLE_ID_DISCLOSURE", "category": "PHI Detection", "description": "Vehicle identifiers prohibited", "formula_readable": "¬has_vehicle_id", "formula": {"==": ["has_vehicle_id", false]}, "variables": [ {"name": "has_vehicle_id", "type": "bool"} ], "error_message": "Vehicle identifier disclosed", "citation": "HIPAA §164.514(b)(2)(i)(M)" }, { "id": "PHI_ACCOUNT_NUMBER_DISCLOSURE", "category": "PHI Detection", "description": "Account numbers must not be disclosed", "formula_readable": "¬has_account_number", "formula": {"==": ["has_account_number", false]}, "variables": [ {"name": "has_account_number", "type": "bool"} ], "error_message": "Account number disclosed", "citation": "HIPAA §164.514(b)(2)(i)(J)" }, { "id": "PHI_LICENSE_NUMBER_DISCLOSURE", "category": "PHI Detection", "description": "License numbers must not be disclosed", "formula_readable": "¬has_license_number", "formula": {"==": ["has_license_number", false]}, "variables": [ {"name": "has_license_number", "type": "bool"} ], "error_message": "License number disclosed", "citation": "HIPAA §164.514(b)(2)(i)(K)" }, { "id": "DEIDENTIFY_ALL_18", "category": "De-Identification", "description": "All 18 HIPAA identifiers must be removed for Safe Harbor", "formula_readable": "is_deidentified → phi_count = 0", "formula": { "implies": [ {"==": ["is_deidentified", true]}, {"==": ["phi_count", 0]} ] }, "variables": [ {"name": "is_deidentified", "type": "bool"}, {"name": "phi_count", "type": "int"} ], "error_message": "Claims de-identification but PHI elements remain", "citation": "HIPAA §164.514(b)(2)" }, { "id": "DEIDENTIFY_DATES_GENERALIZED", "category": "De-Identification", "description": "Dates must be generalized to year only", "formula_readable": "has_specific_date → is_deidentified", "formula": { "or": [ {"==": ["has_specific_date", false]}, {"==": ["is_deidentified", true]} ] }, "variables": [ {"name": "has_specific_date", "type": "bool"}, {"name": "is_deidentified", "type": "bool"} ], "error_message": "Specific dates present without de-identification claim", "citation": "HIPAA §164.514(b)(2)(i)(C)" }, { "id": "DEIDENTIFY_AGE_THRESHOLD", "category": "De-Identification", "description": "Ages over 89 must be aggregated", "formula_readable": "patient_age > 89 → age_aggregated", "formula": { "or": [ {"<=": ["patient_age", 89]}, {"==": ["age_aggregated", true]} ] }, "variables": [ {"name": "patient_age", "type": "int"}, {"name": "age_aggregated", "type": "bool"} ], "error_message": "Patient age over 89 not aggregated", "citation": "HIPAA §164.514(b)(2)(i)(C)" }, { "id": "DEIDENTIFY_RARE_CONDITIONS", "category": "De-Identification", "description": "Rare conditions (prevalence <5%) should be suppressed", "formula_readable": "has_rare_condition → condition_generalized", "formula": { "or": [ {"==": ["has_rare_condition", false]}, {"==": ["condition_generalized", true]} ] }, "variables": [ {"name": "has_rare_condition", "type": "bool"}, {"name": "condition_generalized", "type": "bool"} ], "error_message": "Rare condition disclosed without generalization", "citation": "HIPAA §164.514(b)(1)" }, { "id": "DEIDENTIFY_GEOGRAPHIC", "category": "De-Identification", "description": "Geographic data must be limited to state or larger", "formula_readable": "¬(has_city ∧ ¬is_deidentified)", "formula": { "or": [ {"==": ["has_city", false]}, {"==": ["is_deidentified", true]} ] }, "variables": [ {"name": "has_city", "type": "bool"}, {"name": "is_deidentified", "type": "bool"} ], "error_message": "City-level geographic data disclosed", "citation": "HIPAA §164.514(b)(2)(i)(B)" }, { "id": "DEIDENTIFY_ZIP_CODE", "category": "De-Identification", "description": "ZIP codes must be truncated to first 3 digits", "formula_readable": "¬has_full_zip", "formula": {"==": ["has_full_zip", false]}, "variables": [ {"name": "has_full_zip", "type": "bool"} ], "error_message": "Full ZIP code disclosed", "citation": "HIPAA §164.514(b)(2)(i)(B)" }, { "id": "DEIDENTIFY_SAFE_HARBOR", "category": "De-Identification", "description": "Safe Harbor method requires removal of all identifiers", "formula_readable": "claims_safe_harbor → (phi_count = 0 ∧ has_safeguard_mention)", "formula": { "implies": [ {"==": ["claims_safe_harbor", true]}, { "and": [ {"==": ["phi_count", 0]}, {"==": ["has_safeguard_mention", true]} ] } ] }, "variables": [ {"name": "claims_safe_harbor", "type": "bool"}, {"name": "phi_count", "type": "int"}, {"name": "has_safeguard_mention", "type": "bool"} ], "error_message": "Claims Safe Harbor but requirements not met", "citation": "HIPAA §164.514(b)(2)" }, { "id": "DEIDENTIFY_EXPERT_DETERMINATION", "category": "De-Identification", "description": "Expert determination requires statistical evidence", "formula_readable": "claims_expert_determination → has_statistical_mention", "formula": { "implies": [ {"==": ["claims_expert_determination", true]}, {"==": ["has_statistical_mention", true]} ] }, "variables": [ {"name": "claims_expert_determination", "type": "bool"}, {"name": "has_statistical_mention", "type": "bool"} ], "error_message": "Claims Expert Determination without statistical basis", "citation": "HIPAA §164.514(b)(1)" }, { "id": "DEIDENTIFY_NO_DERIVED_DATA", "category": "De-Identification", "description": "No data that could derive identifiers", "formula_readable": "is_deidentified → ¬has_derived_identifier", "formula": { "implies": [ {"==": ["is_deidentified", true]}, {"==": ["has_derived_identifier", false]} ] }, "variables": [ {"name": "is_deidentified", "type": "bool"}, {"name": "has_derived_identifier", "type": "bool"} ], "error_message": "De-identified data contains derivable identifier", "citation": "HIPAA §164.514(b)(2)(ii)" }, { "id": "ACCESS_RECIPIENT_AUTHORIZED", "category": "Access Control", "description": "Recipients must be authorized healthcare workers", "formula_readable": "has_phi → recipient_authorized", "formula": { "implies": [ {"==": ["has_phi", true]}, {"==": ["recipient_authorized", true]} ] }, "variables": [ {"name": "has_phi", "type": "bool"}, {"name": "recipient_authorized", "type": "bool"} ], "error_message": "PHI disclosed to unauthorized recipient", "citation": "HIPAA §164.502(a)" }, { "id": "ACCESS_ROLE_PHYSICIAN", "category": "Access Control", "description": "Treatment details require physician-level access", "formula_readable": "has_treatment_details → (recipient_role_physician ∨ is_deidentified)", "formula": { "implies": [ {"==": ["has_treatment_details", true]}, { "or": [ {"==": ["recipient_role_physician", true]}, {"==": ["is_deidentified", true]} ] } ] }, "variables": [ {"name": "has_treatment_details", "type": "bool"}, {"name": "recipient_role_physician", "type": "bool"}, {"name": "is_deidentified", "type": "bool"} ], "error_message": "Treatment details disclosed to non-physician", "citation": "HIPAA §164.502(b)" }, { "id": "ACCESS_MINIMUM_NECESSARY", "category": "Access Control", "description": "Only minimum necessary information disclosed", "formula_readable": "phi_count ≤ minimum_necessary_threshold", "formula": {"<=": ["phi_count", {"var": "minimum_necessary_threshold"}]}, "variables": [ {"name": "phi_count", "type": "int"}, {"name": "minimum_necessary_threshold", "type": "int"} ], "error_message": "Exceeds minimum necessary standard", "citation": "HIPAA §164.502(b)(1)" }, { "id": "ACCESS_EXTERNAL_ENCRYPTION", "category": "Access Control", "description": "External disclosures require encryption mention", "formula_readable": "recipient_external → has_encryption_mention", "formula": { "implies": [ {"==": ["recipient_external", true]}, {"==": ["has_encryption_mention", true]} ] }, "variables": [ {"name": "recipient_external", "type": "bool"}, {"name": "has_encryption_mention", "type": "bool"} ], "error_message": "External disclosure without encryption safeguard", "citation": "HIPAA §164.312(a)(2)(iv)" }, { "id": "ACCESS_AUDIT_TIMESTAMP", "category": "Access Control", "description": "All outputs must include timestamp for audit", "formula_readable": "has_timestamp", "formula": {"==": ["has_timestamp", true]}, "variables": [ {"name": "has_timestamp", "type": "bool"} ], "error_message": "Missing timestamp for audit trail", "citation": "HIPAA §164.312(b)" }, { "id": "ACCESS_AUDIT_USER_ID", "category": "Access Control", "description": "Outputs must identify requesting user", "formula_readable": "has_user_identification", "formula": {"==": ["has_user_identification", true]}, "variables": [ {"name": "has_user_identification", "type": "bool"} ], "error_message": "Missing user identification for audit", "citation": "HIPAA §164.312(b)" }, { "id": "ACCESS_SESSION_VALID", "category": "Access Control", "description": "Must verify session validity", "formula_readable": "has_session_reference → session_valid", "formula": { "implies": [ {"==": ["has_session_reference", true]}, {"==": ["session_valid", true]} ] }, "variables": [ {"name": "has_session_reference", "type": "bool"}, {"name": "session_valid", "type": "bool"} ], "error_message": "Invalid or expired session reference", "citation": "HIPAA §164.312(d)" }, { "id": "ACCESS_LEAST_PRIVILEGE", "category": "Access Control", "description": "Role-based access must follow least privilege", "formula_readable": "recipient_role_admin → ¬has_treatment_details", "formula": { "implies": [ {"==": ["recipient_role_admin", true]}, {"==": ["has_treatment_details", false]} ] }, "variables": [ {"name": "recipient_role_admin", "type": "bool"}, {"name": "has_treatment_details", "type": "bool"} ], "error_message": "Admin role accessing treatment details violates least privilege", "citation": "HIPAA §164.312(a)(1)" }, { "id": "SAFEGUARD_INTERNAL_USE", "category": "Safeguards", "description": "Must mention internal use restriction", "formula_readable": "has_phi → has_internal_use_mention", "formula": { "implies": [ {"==": ["has_phi", true]}, {"==": ["has_internal_use_mention", true]} ] }, "variables": [ {"name": "has_phi", "type": "bool"}, {"name": "has_internal_use_mention", "type": "bool"} ], "error_message": "Missing 'internal use only' safeguard statement", "citation": "HIPAA §164.530(c)" }, { "id": "SAFEGUARD_PHI_REDACTED", "category": "Safeguards", "description": "Must acknowledge PHI handling", "formula_readable": "has_safeguard_mention", "formula": {"==": ["has_safeguard_mention", true]}, "variables": [ {"name": "has_safeguard_mention", "type": "bool"} ], "error_message": "Missing PHI safeguard acknowledgment", "citation": "HIPAA §164.530(c)" }, { "id": "SAFEGUARD_RISK_SCORE", "category": "Safeguards", "description": "Risk score must be acceptable", "formula_readable": "risk_score ≤ 5", "formula": {"<=": ["risk_score", 5]}, "variables": [ {"name": "risk_score", "type": "int"} ], "error_message": "Risk score exceeds acceptable threshold", "citation": "HIPAA §164.308(a)(1)(ii)(A)" }, { "id": "SAFEGUARD_ENCRYPTION_PHI", "category": "Safeguards", "description": "PHI transmission must mention encryption", "formula_readable": "has_phi → has_encryption_mention", "formula": { "implies": [ {"==": ["has_phi", true]}, {"==": ["has_encryption_mention", true]} ] }, "variables": [ {"name": "has_phi", "type": "bool"}, {"name": "has_encryption_mention", "type": "bool"} ], "error_message": "PHI present without encryption safeguard", "citation": "HIPAA §164.312(e)(2)(ii)" }, { "id": "SAFEGUARD_NO_PRINT_MENTION", "category": "Safeguards", "description": "No printing instructions for PHI", "formula_readable": "¬(has_phi ∧ has_print_instruction)", "formula": { "not": { "and": [ {"==": ["has_phi", true]}, {"==": ["has_print_instruction", true]} ] } }, "variables": [ {"name": "has_phi", "type": "bool"}, {"name": "has_print_instruction", "type": "bool"} ], "error_message": "Print instruction with PHI present", "citation": "HIPAA §164.310(d)(1)" }, { "id": "SAFEGUARD_HIPAA_COMPLIANT", "category": "Safeguards", "description": "Output should reference HIPAA compliance", "formula_readable": "has_phi → has_hipaa_mention", "formula": { "implies": [ {"==": ["has_phi", true]}, {"==": ["has_hipaa_mention", true]} ] }, "variables": [ {"name": "has_phi", "type": "bool"}, {"name": "has_hipaa_mention", "type": "bool"} ], "error_message": "PHI present without HIPAA compliance mention", "citation": "HIPAA §164.530(b)" }, { "id": "SAFEGUARD_ACCESS_LOG", "category": "Safeguards", "description": "Must mention access logging", "formula_readable": "has_treatment_details → has_audit_mention", "formula": { "implies": [ {"==": ["has_treatment_details", true]}, {"==": ["has_audit_mention", true]} ] }, "variables": [ {"name": "has_treatment_details", "type": "bool"}, {"name": "has_audit_mention", "type": "bool"} ], "error_message": "Treatment details without audit trail mention", "citation": "HIPAA §164.312(b)" }, { "id": "SAFEGUARD_POLICY_REFERENCE", "category": "Safeguards", "description": "Should reference applicable policies", "formula_readable": "has_sensitive_diagnosis → has_policy_reference", "formula": { "implies": [ {"==": ["has_sensitive_diagnosis", true]}, {"==": ["has_policy_reference", true]} ] }, "variables": [ {"name": "has_sensitive_diagnosis", "type": "bool"}, {"name": "has_policy_reference", "type": "bool"} ], "error_message": "Sensitive diagnosis without policy reference", "citation": "HIPAA §164.530(i)" }, { "id": "BREACH_UNAUTHORIZED_DISCLOSURE", "category": "Breach Notification", "description": "Unauthorized PHI disclosure triggers breach protocol", "formula_readable": "¬(has_phi ∧ ¬recipient_authorized)", "formula": { "not": { "and": [ {"==": ["has_phi", true]}, {"==": ["recipient_authorized", false]} ] } }, "variables": [ {"name": "has_phi", "type": "bool"}, {"name": "recipient_authorized", "type": "bool"} ], "error_message": "BREACH: Unauthorized PHI disclosure detected", "citation": "HIPAA §164.402" }, { "id": "BREACH_SENSITIVE_DATA", "category": "Breach Notification", "description": "Sensitive data breach requires immediate notification", "formula_readable": "¬(has_sensitive_diagnosis ∧ ¬is_deidentified ∧ ¬recipient_authorized)", "formula": { "not": { "and": [ {"==": ["has_sensitive_diagnosis", true]}, {"==": ["is_deidentified", false]}, {"==": ["recipient_authorized", false]} ] } }, "variables": [ {"name": "has_sensitive_diagnosis", "type": "bool"}, {"name": "is_deidentified", "type": "bool"}, {"name": "recipient_authorized", "type": "bool"} ], "error_message": "BREACH: Sensitive medical data exposed", "citation": "HIPAA §164.404" }, { "id": "BREACH_NO_SAFEGUARDS", "category": "Breach Notification", "description": "PHI without safeguards is reportable breach", "formula_readable": "¬(has_phi ∧ ¬has_safeguard_mention)", "formula": { "not": { "and": [ {"==": ["has_phi", true]}, {"==": ["has_safeguard_mention", false]} ] } }, "variables": [ {"name": "has_phi", "type": "bool"}, {"name": "has_safeguard_mention", "type": "bool"} ], "error_message": "BREACH: PHI disclosed without safeguards", "citation": "HIPAA §164.402(1)" }, { "id": "BREACH_ESCALATION", "category": "Breach Notification", "description": "Multiple violations require escalation", "formula_readable": "violation_count ≤ 2", "formula": {"<=": ["violation_count", 2]}, "variables": [ {"name": "violation_count", "type": "int"} ], "error_message": "ESCALATE: Multiple violations require CISO notification", "citation": "HIPAA §164.308(a)(6)" }, { "id": "AUDIT_PROOF_CERTIFICATE", "category": "Audit", "description": "All verifications must generate proof", "formula_readable": "verification_complete → has_proof", "formula": { "implies": [ {"==": ["verification_complete", true]}, {"==": ["has_proof", true]} ] }, "variables": [ {"name": "verification_complete", "type": "bool"}, {"name": "has_proof", "type": "bool"} ], "error_message": "Verification without proof certificate", "citation": "HIPAA §164.530(j)" }, { "id": "AUDIT_RULE_IDENTIFICATION", "category": "Audit", "description": "Violations must cite specific rule", "formula_readable": "has_violation → has_rule_citation", "formula": { "implies": [ {"==": ["has_violation", true]}, {"==": ["has_rule_citation", true]} ] }, "variables": [ {"name": "has_violation", "type": "bool"}, {"name": "has_rule_citation", "type": "bool"} ], "error_message": "Violation without rule identification", "citation": "HIPAA §164.530(j)(2)" }, { "id": "AUDIT_RETENTION", "category": "Audit", "description": "Records must be retained 6 years", "formula_readable": "has_retention_policy", "formula": {"==": ["has_retention_policy", true]}, "variables": [ {"name": "has_retention_policy", "type": "bool"} ], "error_message": "Missing retention policy compliance", "citation": "HIPAA §164.530(j)(2)" }, { "id": "AUDIT_IMMUTABILITY", "category": "Audit", "description": "Audit records must be immutable", "formula_readable": "has_audit_mention → audit_immutable", "formula": { "implies": [ {"==": ["has_audit_mention", true]}, {"==": ["audit_immutable", true]} ] }, "variables": [ {"name": "has_audit_mention", "type": "bool"}, {"name": "audit_immutable", "type": "bool"} ], "error_message": "Audit trail not immutable", "citation": "HIPAA §164.312(c)(1)" }, { "id": "AUDIT_CHAIN_OF_CUSTODY", "category": "Audit", "description": "Must maintain chain of custody", "formula_readable": "has_phi → has_chain_of_custody", "formula": { "implies": [ {"==": ["has_phi", true]}, {"==": ["has_chain_of_custody", true]} ] }, "variables": [ {"name": "has_phi", "type": "bool"}, {"name": "has_chain_of_custody", "type": "bool"} ], "error_message": "PHI without chain of custody documentation", "citation": "HIPAA §164.530(j)(1)" }, { "id": "TREATMENT_ALLERGY_DISCLOSURE", "category": "Clinical Safety", "description": "Allergy info to external requires authorization", "formula_readable": "¬(has_allergy_info ∧ recipient_external ∧ ¬recipient_authorized)", "formula": { "not": { "and": [ {"==": ["has_allergy_info", true]}, {"==": ["recipient_external", true]}, {"==": ["recipient_authorized", false]} ] } }, "variables": [ {"name": "has_allergy_info", "type": "bool"}, {"name": "recipient_external", "type": "bool"}, {"name": "recipient_authorized", "type": "bool"} ], "error_message": "Allergy information disclosed externally without authorization", "citation": "HIPAA §164.506" }, { "id": "AI_TRAINING_DATA_CONSENT", "category": "AI Governance", "description": "PHI used for AI/ML training requires explicit patient consent", "formula_readable": "¬(mentions_ai_training ∧ has_phi ∧ ¬has_consent_mention)", "formula": { "not": { "and": [ {"==": ["mentions_ai_training", true]}, {"==": ["has_phi", true]}, {"==": ["has_consent_mention", false]} ] } }, "variables": [ {"name": "mentions_ai_training", "type": "bool"}, {"name": "has_phi", "type": "bool"}, {"name": "has_consent_mention", "type": "bool"} ], "error_message": "PHI used for AI training without documented consent", "citation": "OCR AI Guidance Dec 2024" }, { "id": "AI_MODEL_BIAS_DISCLOSURE", "category": "AI Governance", "description": "AI-generated clinical recommendations must disclose model limitations", "formula_readable": "ai_generated_recommendation → has_limitation_disclosure", "formula": { "implies": [ {"==": ["ai_generated_recommendation", true]}, {"==": ["has_limitation_disclosure", true]} ] }, "variables": [ {"name": "ai_generated_recommendation", "type": "bool"}, {"name": "has_limitation_disclosure", "type": "bool"} ], "error_message": "AI recommendation without model limitation disclosure", "citation": "HHS AI Governance Framework 2024" }, { "id": "AI_HUMAN_REVIEW", "category": "AI Governance", "description": "AI outputs affecting treatment require qualified human review", "formula_readable": "ai_clinical_decision → has_human_review_mention", "formula": { "implies": [ {"==": ["ai_clinical_decision", true]}, {"==": ["has_human_review_mention", true]} ] }, "variables": [ {"name": "ai_clinical_decision", "type": "bool"}, {"name": "has_human_review_mention", "type": "bool"} ], "error_message": "AI clinical decision without human review attestation", "citation": "OCR Section 1557 Guidance Dec 2024" }, { "id": "AI_ALGORITHM_TRANSPARENCY", "category": "AI Governance", "description": "AI-assisted decisions must reference algorithm source", "formula_readable": "ai_generated_recommendation → has_algorithm_reference", "formula": { "implies": [ {"==": ["ai_generated_recommendation", true]}, {"==": ["has_algorithm_reference", true]} ] }, "variables": [ {"name": "ai_generated_recommendation", "type": "bool"}, {"name": "has_algorithm_reference", "type": "bool"} ], "error_message": "AI recommendation without algorithm transparency", "citation": "HHS AI Framework 2024" }, { "id": "AI_VENDOR_BAA", "category": "AI Governance", "description": "AI vendors processing PHI must have Business Associate Agreement", "formula_readable": "uses_external_ai → has_baa_mention", "formula": { "implies": [ {"==": ["uses_external_ai", true]}, {"==": ["has_baa_mention", true]} ] }, "variables": [ {"name": "uses_external_ai", "type": "bool"}, {"name": "has_baa_mention", "type": "bool"} ], "error_message": "External AI vendor used without BAA reference", "citation": "HIPAA §164.502(e)" }, { "id": "AI_RISK_ASSESSMENT", "category": "AI Governance", "description": "AI systems processing PHI require documented risk assessment", "formula_readable": "uses_ai_system → has_risk_assessment_mention", "formula": { "implies": [ {"==": ["uses_ai_system", true]}, {"==": ["has_risk_assessment_mention", true]} ] }, "variables": [ {"name": "uses_ai_system", "type": "bool"}, {"name": "has_risk_assessment_mention", "type": "bool"} ], "error_message": "AI system used without risk assessment documentation", "citation": "2025 HIPAA Security Rule Proposed §164.308(a)(1)" }, { "id": "SECURITY_MFA_REQUIRED", "category": "2025 Security Rule", "description": "Multi-factor authentication required for PHI access", "formula_readable": "accesses_phi → has_mfa_mention", "formula": { "implies": [ {"==": ["accesses_phi", true]}, {"==": ["has_mfa_mention", true]} ] }, "variables": [ {"name": "accesses_phi", "type": "bool"}, {"name": "has_mfa_mention", "type": "bool"} ], "error_message": "PHI access without MFA authentication reference", "citation": "2025 HIPAA Security Rule CPG-1" }, { "id": "SECURITY_ENCRYPTION_AT_REST", "category": "2025 Security Rule", "description": "PHI must be encrypted at rest per 2025 requirements", "formula_readable": "stores_phi → has_encryption_at_rest", "formula": { "implies": [ {"==": ["stores_phi", true]}, {"==": ["has_encryption_at_rest", true]} ] }, "variables": [ {"name": "stores_phi", "type": "bool"}, {"name": "has_encryption_at_rest", "type": "bool"} ], "error_message": "PHI storage without encryption at rest", "citation": "2025 HIPAA Security Rule §164.312(a)(2)(iv)" }, { "id": "SECURITY_ASSET_INVENTORY", "category": "2025 Security Rule", "description": "Systems with PHI must be in documented asset inventory", "formula_readable": "has_phi → asset_inventoried", "formula": { "implies": [ {"==": ["has_phi", true]}, {"==": ["asset_inventoried", true]} ] }, "variables": [ {"name": "has_phi", "type": "bool"}, {"name": "asset_inventoried", "type": "bool"} ], "error_message": "PHI system not documented in asset inventory", "citation": "2025 HIPAA Security Rule Proposed Updates" }, { "id": "SECURITY_VULN_SCAN", "category": "2025 Security Rule", "description": "Systems must reference vulnerability scanning compliance", "formula_readable": "has_phi → vuln_scan_compliant", "formula": { "implies": [ {"==": ["has_phi", true]}, {"==": ["vuln_scan_compliant", true]} ] }, "variables": [ {"name": "has_phi", "type": "bool"}, {"name": "vuln_scan_compliant", "type": "bool"} ], "error_message": "Missing vulnerability scanning attestation", "citation": "2025 HIPAA Security Rule - 6-month scan requirement" }, { "id": "SECURITY_72HR_RECOVERY", "category": "2025 Security Rule", "description": "Critical systems must have 72-hour recovery plan", "formula_readable": "is_critical_system → has_recovery_plan", "formula": { "implies": [ {"==": ["is_critical_system", true]}, {"==": ["has_recovery_plan", true]} ] }, "variables": [ {"name": "is_critical_system", "type": "bool"}, {"name": "has_recovery_plan", "type": "bool"} ], "error_message": "Critical system without 72-hour recovery plan reference", "citation": "2025 HIPAA Security Rule - Disaster Recovery" }, { "id": "SECURITY_NETWORK_MAP", "category": "2025 Security Rule", "description": "PHI data flows must be documented in network map", "formula_readable": "has_phi_transmission → network_mapped", "formula": { "implies": [ {"==": ["has_phi_transmission", true]}, {"==": ["network_mapped", true]} ] }, "variables": [ {"name": "has_phi_transmission", "type": "bool"}, {"name": "network_mapped", "type": "bool"} ], "error_message": "PHI transmission not in documented network map", "citation": "2025 HIPAA Security Rule Proposed Updates" }, { "id": "BAA_THIRD_PARTY", "category": "Business Associate", "description": "Third-party PHI access requires BAA", "formula_readable": "third_party_access → has_baa_mention", "formula": { "implies": [ {"==": ["third_party_access", true]}, {"==": ["has_baa_mention", true]} ] }, "variables": [ {"name": "third_party_access", "type": "bool"}, {"name": "has_baa_mention", "type": "bool"} ], "error_message": "Third-party PHI access without BAA", "citation": "HIPAA §164.502(e)(1)" }, { "id": "BAA_SUBCONTRACTOR", "category": "Business Associate", "description": "Subcontractors with PHI access require BAA chain", "formula_readable": "has_subcontractor → baa_chain_documented", "formula": { "implies": [ {"==": ["has_subcontractor", true]}, {"==": ["baa_chain_documented", true]} ] }, "variables": [ {"name": "has_subcontractor", "type": "bool"}, {"name": "baa_chain_documented", "type": "bool"} ], "error_message": "Subcontractor access without BAA chain documentation", "citation": "HIPAA §164.504(e)(2)(ii)(D)" }, { "id": "BAA_CLOUD_PROVIDER", "category": "Business Associate", "description": "Cloud services storing PHI require BAA", "formula_readable": "uses_cloud_storage → cloud_baa_confirmed", "formula": { "implies": [ {"==": ["uses_cloud_storage", true]}, {"==": ["cloud_baa_confirmed", true]} ] }, "variables": [ {"name": "uses_cloud_storage", "type": "bool"}, {"name": "cloud_baa_confirmed", "type": "bool"} ], "error_message": "Cloud PHI storage without BAA confirmation", "citation": "OCR Cloud Computing Guidance" }, { "id": "INCIDENT_72HR_NOTIFICATION", "category": "Incident Response", "description": "Breaches affecting 500+ individuals require 72-hour notification", "formula_readable": "large_breach → notification_initiated", "formula": { "implies": [ {"==": ["large_breach", true]}, {"==": ["notification_initiated", true]} ] }, "variables": [ {"name": "large_breach", "type": "bool"}, {"name": "notification_initiated", "type": "bool"} ], "error_message": "Large breach without 72-hour notification mention", "citation": "HIPAA §164.408" }, { "id": "INCIDENT_DOCUMENTATION", "category": "Incident Response", "description": "Security incidents must be documented", "formula_readable": "has_security_incident → incident_documented", "formula": { "implies": [ {"==": ["has_security_incident", true]}, {"==": ["incident_documented", true]} ] }, "variables": [ {"name": "has_security_incident", "type": "bool"}, {"name": "incident_documented", "type": "bool"} ], "error_message": "Security incident without documentation", "citation": "HIPAA §164.308(a)(6)(ii)" }, { "id": "PATIENT_RIGHT_ACCESS", "category": "Patient Rights", "description": "Patients have right to access their PHI", "formula_readable": "patient_access_request → access_provided", "formula": { "implies": [ {"==": ["patient_access_request", true]}, {"==": ["access_provided", true]} ] }, "variables": [ {"name": "patient_access_request", "type": "bool"}, {"name": "access_provided", "type": "bool"} ], "error_message": "Patient access request without confirmation of access", "citation": "HIPAA §164.524" }, { "id": "PATIENT_RIGHT_AMENDMENT", "category": "Patient Rights", "description": "Patient amendment requests must be addressed", "formula_readable": "patient_amendment_request → amendment_addressed", "formula": { "implies": [ {"==": ["patient_amendment_request", true]}, {"==": ["amendment_addressed", true]} ] }, "variables": [ {"name": "patient_amendment_request", "type": "bool"}, {"name": "amendment_addressed", "type": "bool"} ], "error_message": "Patient amendment request not addressed", "citation": "HIPAA §164.526" }, { "id": "TELEHEALTH_ENCRYPTION", "category": "Telehealth", "description": "Telehealth sessions must use encrypted communications", "formula_readable": "is_telehealth → has_encryption_mention", "formula": { "implies": [ {"==": ["is_telehealth", true]}, {"==": ["has_encryption_mention", true]} ] }, "variables": [ {"name": "is_telehealth", "type": "bool"}, {"name": "has_encryption_mention", "type": "bool"} ], "error_message": "Telehealth session without encryption confirmation", "citation": "OCR Telehealth Guidance" }, { "id": "TELEHEALTH_PLATFORM_APPROVED", "category": "Telehealth", "description": "Telehealth platforms must be HIPAA-compliant", "formula_readable": "is_telehealth → platform_hipaa_compliant", "formula": { "implies": [ {"==": ["is_telehealth", true]}, {"==": ["platform_hipaa_compliant", true]} ] }, "variables": [ {"name": "is_telehealth", "type": "bool"}, {"name": "platform_hipaa_compliant", "type": "bool"} ], "error_message": "Telehealth on non-approved platform", "citation": "OCR Telehealth HIPAA Flexibilities" }, { "id": "MENTAL_HEALTH_PSYCHOTHERAPY", "category": "Special Protections", "description": "Psychotherapy notes require separate authorization", "formula_readable": "has_psychotherapy_notes → has_special_authorization", "formula": { "implies": [ {"==": ["has_psychotherapy_notes", true]}, {"==": ["has_special_authorization", true]} ] }, "variables": [ {"name": "has_psychotherapy_notes", "type": "bool"}, {"name": "has_special_authorization", "type": "bool"} ], "error_message": "Psychotherapy notes disclosed without special authorization", "citation": "HIPAA §164.508(a)(2)" }, { "id": "SUBSTANCE_ABUSE_42CFR", "category": "Special Protections", "description": "Substance abuse records require 42 CFR Part 2 compliance", "formula_readable": "has_substance_abuse_record → has_42cfr_compliance", "formula": { "implies": [ {"==": ["has_substance_abuse_record", true]}, {"==": ["has_42cfr_compliance", true]} ] }, "variables": [ {"name": "has_substance_abuse_record", "type": "bool"}, {"name": "has_42cfr_compliance", "type": "bool"} ], "error_message": "Substance abuse record without 42 CFR Part 2 compliance", "citation": "42 CFR Part 2" }, { "id": "GENETIC_GINA_COMPLIANCE", "category": "Special Protections", "description": "Genetic information requires GINA compliance", "formula_readable": "has_genetic_info → gina_compliant", "formula": { "implies": [ {"==": ["has_genetic_info", true]}, {"==": ["gina_compliant", true]} ] }, "variables": [ {"name": "has_genetic_info", "type": "bool"}, {"name": "gina_compliant", "type": "bool"} ], "error_message": "Genetic information disclosed without GINA compliance", "citation": "GINA §§201-213" }, { "id": "RESEARCH_IRB_APPROVAL", "category": "Research", "description": "PHI used for research requires IRB approval or waiver", "formula_readable": "uses_phi_for_research → has_irb_approval", "formula": { "implies": [ {"==": ["uses_phi_for_research", true]}, {"==": ["has_irb_approval", true]} ] }, "variables": [ {"name": "uses_phi_for_research", "type": "bool"}, {"name": "has_irb_approval", "type": "bool"} ], "error_message": "Research use of PHI without IRB approval reference", "citation": "HIPAA §164.512(i)" }, { "id": "RESEARCH_LIMITED_DATA_SET", "category": "Research", "description": "Limited data sets require data use agreement", "formula_readable": "uses_limited_data_set → has_data_use_agreement", "formula": { "implies": [ {"==": ["uses_limited_data_set", true]}, {"==": ["has_data_use_agreement", true]} ] }, "variables": [ {"name": "uses_limited_data_set", "type": "bool"}, {"name": "has_data_use_agreement", "type": "bool"} ], "error_message": "Limited data set without data use agreement", "citation": "HIPAA §164.514(e)" } ], "extractors": { "has_patient_name": { "type": "boolean", "keywords": ["jane doe", "john doe", "patient name", "mr.", "mrs.", "ms."], "negation_words": ["de-identified", "redacted", "removed", "anonymized", "patient #"] }, "has_dob": { "type": "boolean", "keywords": ["dob:", "date of birth", "born", "1985-", "1990-", "1970-", "1960-", "1995-", "/19", "-19"], "negation_words": ["redacted", "removed"] }, "has_street_address": { "type": "boolean", "keywords": ["main st", " street,", " street ", "avenue", " ave,", " ave ", "boulevard", " blvd,", " blvd ", " road,", " road ", " rd,", " lane,", " lane ", " ln,", " drive,", " drive ", "123 main", "456 oak", "789 elm"], "negation_words": ["redacted", "removed"] }, "has_phone_number": { "type": "boolean", "keywords": ["555-", "phone", "tel:", "call ", "-0123", "-1234", "-5678"], "negation_words": ["redacted"] }, "has_ssn": { "type": "boolean", "keywords": ["ssn", "social security", "xxx-xx-"] }, "has_mrn": { "type": "boolean", "keywords": ["mrn:", "medical record number", "patient id:", "id: 12345", "record #"] }, "has_email": { "type": "boolean", "keywords": ["@gmail", "@yahoo", "@hotmail", "@hospital", ".com", ".org", "email:"] }, "has_full_zip": { "type": "boolean", "pattern": "(?:,\\s*[A-Z]{2}\\s+|zip(?:code)?[:\\s]+)(\\d{5}(?:-\\d{4})?)", "negation_words": [] }, "has_city": { "type": "boolean", "keywords": ["anytown", "new york", "los angeles", "chicago", "houston", ", ca", ", ny", ", tx"] }, "has_specific_date": { "type": "boolean", "keywords": ["dob:", "date of birth", "admission date", "discharge date", "admitted:", "discharged:", "born:", "service date", "visit date", "procedure date"], "negation_words": ["report generated", "generated:", "timestamp:", "created:"] }, "is_deidentified": { "type": "boolean", "keywords": ["de-identified", "deidentified", "de identified", "anonymized", "phi removed", "hipaa §164.514", "safe harbor", "identifiers removed"] }, "recipient_authorized": { "type": "boolean", "keywords": ["dr.", "doctor", "physician", "attending", "clinician", "nurse", "authorized", "internal use only", "clinical staff"] }, "recipient_external": { "type": "boolean", "keywords": ["external", "vendor", "third party", "outside", "partner", "contractor"] }, "recipient_role_physician": { "type": "boolean", "keywords": ["dr.", "doctor", "physician", "attending physician", "md", "m.d."] }, "recipient_role_admin": { "type": "boolean", "keywords": ["role: admin", "role:admin", "administrator", "billing department", "billing staff", "receptionist", "front desk"] }, "has_treatment_details": { "type": "boolean", "keywords": ["insulin", "medication", "treatment", "therapy", "dose", "dosage", "mg", "units", "regimen", "prescription"] }, "has_diagnosis": { "type": "boolean", "keywords": ["diagnosis", "diagnosed", "icd-10", "icd-", "condition", "diabetes", "hypertension"] }, "has_sensitive_diagnosis": { "type": "boolean", "keywords": ["hiv", "aids", "mental health", "psychiatric", "substance abuse", "addiction", "std", "genetic"] }, "has_allergy_info": { "type": "boolean", "keywords": ["allergy", "allergies", "allergic", "penicillin", "sulfa", "latex"] }, "has_safeguard_mention": { "type": "boolean", "keywords": ["safeguard", "phi removed", "redacted", "de-identified", "hipaa", "protected", "compliant", "privacy"] }, "has_internal_use_mention": { "type": "boolean", "keywords": ["internal use only", "internal use", "authorized internal", "internal review", "not for distribution"] }, "has_encryption_mention": { "type": "boolean", "keywords": ["encrypted", "encryption", "secure", "tls", "ssl", "https"] }, "has_hipaa_mention": { "type": "boolean", "keywords": ["hipaa", "§164", "164.5", "privacy rule", "security rule"] }, "has_timestamp": { "type": "boolean", "keywords": ["generated:", "timestamp:", "date:", "2025-", "report generated", "created:"] }, "has_user_identification": { "type": "boolean", "keywords": ["clinician:", "dr.", "user:", "requested by", "physician:", "prepared for", "attending:"] }, "has_audit_mention": { "type": "boolean", "keywords": ["audit", "logged", "tracked", "recorded", "trail"] }, "has_print_instruction": { "type": "boolean", "keywords": ["print", "printer", "hardcopy", "hard copy", "fax"] }, "has_policy_reference": { "type": "boolean", "keywords": ["policy", "protocol", "procedure", "guideline", "per policy"] }, "has_rare_condition": { "type": "boolean", "keywords": ["rare", "orphan disease", "genetic disorder", "1 in ", "prevalence"] }, "condition_generalized": { "type": "boolean", "keywords": ["condition type", "category", "class of", "generalized"] }, "has_device_id": { "type": "boolean", "keywords": ["device id", "serial number", "imei", "mac address", "device identifier"], "negation_words": ["redacted"] }, "has_patient_url": { "type": "boolean", "keywords": ["patient portal", "myhealth", "patient/", "/patient?id=", "patientid="], "negation_words": [] }, "has_ip_address": { "type": "boolean", "pattern": "\\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b", "negation_words": [] }, "has_biometric": { "type": "boolean", "keywords": ["fingerprint", "retinal", "iris scan", "voice print", "biometric"], "negation_words": [] }, "has_photo_reference": { "type": "boolean", "keywords": ["photo attached", "photograph", "image of patient", "patient photo", "face photo"], "negation_words": [] }, "has_vehicle_id": { "type": "boolean", "keywords": ["vin:", "vehicle id", "license plate", "plate number"], "negation_words": [] }, "has_account_number": { "type": "boolean", "keywords": ["account number", "acct #", "account #", "bank account", "insurance id"], "negation_words": ["redacted"] }, "has_license_number": { "type": "boolean", "keywords": ["license number", "driver's license", "license #", "dln:"], "negation_words": ["redacted"] }, "patient_age": { "type": "int", "pattern": "(?:age[:\\s]+|(?:is|was)\\s+)(\\d{1,3})(?:\\s*(?:years?|yrs?))?", "default": 0 }, "age_aggregated": { "type": "boolean", "keywords": ["90+", "90 or older", "over 89", "90 years or older", "age 90+"], "default": false }, "has_session_reference": { "type": "boolean", "keywords": ["session:", "session id", "token:", "session token"], "default": false }, "has_violation": { "type": "boolean", "keywords": ["violation", "non-compliant", "breach", "failed verification"], "default": false }, "has_statistical_mention": { "type": "boolean", "keywords": ["statistical", "probability", "k-anonymity", "l-diversity", "re-identification risk"], "default": false }, "claims_safe_harbor": { "type": "boolean", "keywords": ["safe harbor", "§164.514(b)(2)", "safe-harbor"], "default": false }, "claims_expert_determination": { "type": "boolean", "keywords": ["expert determination", "§164.514(b)(1)", "statistical determination"], "default": false }, "has_derived_identifier": { "type": "boolean", "keywords": ["derived from", "calculated from", "based on patient", "linked to"], "negation_words": ["de-identified"], "default": false }, "phi_count": { "type": "computed", "formula": { "count_true": [ "has_patient_name", "has_dob", "has_street_address", "has_phone_number", "has_ssn", "has_mrn", "has_email", "has_full_zip", "has_city", "has_device_id", "has_ip_address", "has_biometric", "has_photo_reference", "has_vehicle_id", "has_account_number", "has_license_number" ] }, "default": 0 }, "has_phi": { "type": "computed", "formula": { "any": [ "has_patient_name", "has_dob", "has_street_address", "has_phone_number", "has_ssn", "has_mrn", "has_email", "has_full_zip", "has_city", "has_device_id", "has_ip_address", "has_biometric", "has_photo_reference", "has_vehicle_id", "has_account_number", "has_license_number" ] }, "default": false }, "risk_score": { "type": "computed", "formula": { "add": [ {"mul": ["phi_count", 2]}, {"if": ["has_sensitive_diagnosis", 3, 0]}, {"if": [{"all": ["has_treatment_details", {"not": "is_deidentified"}]}, 2, 0]} ] }, "default": 0 }, "minimum_necessary_threshold": { "type": "computed", "default": 3 }, "verification_complete": { "type": "computed", "default": true }, "has_proof": { "type": "computed", "default": true }, "has_rule_citation": { "type": "computed", "default": true }, "has_retention_policy": { "type": "computed", "default": true }, "audit_immutable": { "type": "computed", "default": true }, "has_chain_of_custody": { "type": "computed", "default": true }, "session_valid": { "type": "computed", "default": true }, "violation_count": { "type": "computed", "default": 0 }, "mentions_ai_training": { "type": "boolean", "keywords": ["training data", "model training", "machine learning", "ai training", "ml training", "train the model", "training set"], "default": false }, "has_consent_mention": { "type": "boolean", "keywords": ["consent", "authorized", "patient agreed", "permission granted", "opted in", "consented"], "default": false }, "ai_generated_recommendation": { "type": "boolean", "keywords": ["ai recommends", "model suggests", "algorithm indicates", "ai-generated", "machine learning", "model output", "ai assistant", "llm", "gpt", "claude"], "default": false }, "has_limitation_disclosure": { "type": "boolean", "keywords": ["limitations", "not a substitute", "consult physician", "professional judgment", "may not be accurate", "verify with", "clinical judgment required"], "default": false }, "ai_clinical_decision": { "type": "boolean", "keywords": ["ai diagnosis", "model recommends treatment", "algorithm suggests", "ai clinical", "clinical decision support"], "default": false }, "has_human_review_mention": { "type": "boolean", "keywords": ["reviewed by", "physician reviewed", "clinician approved", "human review", "verified by doctor", "provider confirmed"], "default": false }, "has_algorithm_reference": { "type": "boolean", "keywords": ["algorithm version", "model version", "v1.", "v2.", "version:", "model:", "algorithm:", "trained on"], "default": false }, "uses_external_ai": { "type": "boolean", "keywords": ["openai", "anthropic", "google ai", "azure ai", "aws bedrock", "third-party ai", "external ai", "chatgpt", "claude", "gemini"], "default": false }, "has_baa_mention": { "type": "boolean", "keywords": ["baa", "business associate agreement", "business associate", "covered under baa", "baa signed", "hipaa agreement"], "default": false }, "uses_ai_system": { "type": "boolean", "keywords": ["ai system", "artificial intelligence", "machine learning", "ml model", "neural network", "deep learning", "nlp", "llm"], "default": false }, "has_risk_assessment_mention": { "type": "boolean", "keywords": ["risk assessment", "risk analysis", "security assessment", "privacy impact", "risk evaluated", "assessed risk"], "default": false }, "accesses_phi": { "type": "boolean", "keywords": ["accessing patient", "patient record", "medical record", "phi access", "health information"], "default": false }, "has_mfa_mention": { "type": "boolean", "keywords": ["mfa", "multi-factor", "two-factor", "2fa", "multifactor", "authentication verified", "identity verified"], "default": false }, "stores_phi": { "type": "boolean", "keywords": ["stored in", "database", "repository", "data store", "persisted", "saved to", "archived"], "default": false }, "has_encryption_at_rest": { "type": "boolean", "keywords": ["encrypted at rest", "aes-256", "encryption at rest", "encrypted storage", "encrypted database"], "default": false }, "asset_inventoried": { "type": "boolean", "keywords": ["asset inventory", "asset id", "system inventory", "inventoried", "asset management"], "default": true }, "vuln_scan_compliant": { "type": "boolean", "keywords": ["vulnerability scan", "security scan", "penetration test", "pentest", "vuln scan", "security tested"], "default": true }, "is_critical_system": { "type": "boolean", "keywords": ["critical system", "production", "ehr", "emr", "clinical system", "mission critical"], "default": false }, "has_recovery_plan": { "type": "boolean", "keywords": ["disaster recovery", "recovery plan", "backup plan", "business continuity", "rto:", "rpo:"], "default": true }, "has_phi_transmission": { "type": "boolean", "keywords": ["transmitted", "sent to", "transferred", "shared with", "transmitted via", "sent via"], "default": false }, "network_mapped": { "type": "boolean", "keywords": ["network diagram", "data flow", "network map", "architecture diagram", "documented flow"], "default": true }, "third_party_access": { "type": "boolean", "keywords": ["third party", "third-party", "vendor", "contractor", "external partner", "outside organization"], "default": false }, "has_subcontractor": { "type": "boolean", "keywords": ["subcontractor", "sub-contractor", "downstream vendor", "subprocessor"], "default": false }, "baa_chain_documented": { "type": "boolean", "keywords": ["baa chain", "downstream baa", "subcontractor baa", "baa in place"], "default": true }, "uses_cloud_storage": { "type": "boolean", "keywords": ["aws", "azure", "gcp", "cloud storage", "s3", "blob storage", "cloud-based"], "default": false }, "cloud_baa_confirmed": { "type": "boolean", "keywords": ["aws baa", "azure baa", "gcp baa", "cloud baa", "hipaa eligible", "hipaa compliant cloud"], "default": true }, "large_breach": { "type": "boolean", "keywords": ["500 or more", "large breach", "major breach", "significant breach", "mass exposure"], "default": false }, "notification_initiated": { "type": "boolean", "keywords": ["notification sent", "notified hhs", "breach notification", "reported to ocr"], "default": true }, "has_security_incident": { "type": "boolean", "keywords": ["security incident", "breach detected", "unauthorized access", "data breach", "incident report"], "default": false }, "incident_documented": { "type": "boolean", "keywords": ["incident report", "documented incident", "incident log", "security log"], "default": true }, "patient_access_request": { "type": "boolean", "keywords": ["access request", "request for records", "patient requests", "right to access"], "default": false }, "access_provided": { "type": "boolean", "keywords": ["access granted", "records provided", "information sent", "access fulfilled"], "default": true }, "patient_amendment_request": { "type": "boolean", "keywords": ["amendment request", "request to amend", "correction request", "update request"], "default": false }, "amendment_addressed": { "type": "boolean", "keywords": ["amendment processed", "correction made", "amendment denied", "amendment addressed"], "default": true }, "is_telehealth": { "type": "boolean", "keywords": ["telehealth", "telemedicine", "virtual visit", "video visit", "remote consultation", "televisit"], "default": false }, "platform_hipaa_compliant": { "type": "boolean", "keywords": ["hipaa compliant platform", "approved platform", "zoom for healthcare", "doxy.me", "teladoc"], "default": true }, "has_psychotherapy_notes": { "type": "boolean", "keywords": ["psychotherapy notes", "therapy notes", "counseling notes", "mental health notes", "psychiatric notes"], "default": false }, "has_special_authorization": { "type": "boolean", "keywords": ["special authorization", "separate consent", "specific authorization", "written authorization"], "default": true }, "has_substance_abuse_record": { "type": "boolean", "keywords": ["substance abuse", "addiction treatment", "drug treatment", "alcohol treatment", "rehab", "detox"], "default": false }, "has_42cfr_compliance": { "type": "boolean", "keywords": ["42 cfr", "part 2", "substance abuse consent", "sud consent", "addiction consent"], "default": true }, "has_genetic_info": { "type": "boolean", "keywords": ["genetic", "dna", "genome", "genetic test", "brca", "hereditary", "gene mutation"], "default": false }, "gina_compliant": { "type": "boolean", "keywords": ["gina", "genetic nondiscrimination", "genetic privacy", "genetic consent"], "default": true }, "uses_phi_for_research": { "type": "boolean", "keywords": ["research study", "clinical trial", "research protocol", "research use", "research purposes"], "default": false }, "has_irb_approval": { "type": "boolean", "keywords": ["irb approved", "irb approval", "ethics approved", "irb waiver", "institutional review"], "default": true }, "uses_limited_data_set": { "type": "boolean", "keywords": ["limited data set", "lds", "partially de-identified"], "default": false }, "has_data_use_agreement": { "type": "boolean", "keywords": ["data use agreement", "dua", "data sharing agreement"], "default": true } } }