HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards for electronic Protected Health Information (ePHI). vybdocs addresses the technical safeguards: it checks for them at the code level, on every AI-assisted commit.
Who needs HIPAA compliance
You need HIPAA compliance if your product:
- Processes, stores, or transmits ePHI on behalf of a covered entity (a health plan, health care clearinghouse, or health care provider)
- Is a Business Associate under a BAA with a covered entity, or a subcontractor of one
- Builds SaaS tools used in clinical workflows that handle patient data
Relevant Security Rule sections
| Section | Name | How vybdocs helps |
|---|---|---|
| §164.312(a)(1) | Access control | Rules require auth middleware on PHI endpoints |
| §164.312(a)(2)(iv) | Encryption | Rules require encryption annotations on PHI fields |
| §164.312(b) | Audit controls | Rules require PHI access logging |
| §164.312(c)(1) | Integrity | Rules prevent unauthorized data modification patterns |
| §164.312(d) | Authentication | Rules require identity verification before PHI access |
| §164.312(e)(1) | Transmission security | Rules ban plaintext HTTP (non-TLS) transport in PHI-handling modules |
Applying the healthtech pack
vyb init --pack us-healthtech-phi
This pack covers the technical safeguard requirements above. See US Healthtech PHI Pack for the full rule list.
Business Associate Agreements (BAAs)
If your organization has signed BAAs, the Evidence Pack from each vyb check run provides documented evidence of the technical safeguards you have implemented in code. The Evidence Pack PDF includes a HIPAA section formatted for BAA audit presentation. It covers code-level technical safeguards only; administrative and physical safeguards still need their own evidence.
PHI in AI-generated code
AI coding tools present a specific HIPAA risk: when developers use AI assistance to write data models or API handlers, the AI may generate code that inadvertently logs, caches, or exposes PHI. Common violations from AI-generated code:
- console.log statements that include PHI fields (often added for debugging)
- URL parameters containing patient IDs or diagnoses
- API responses that return more PHI fields than necessary
- Error messages that include patient data
The us-healthtech-phi pack's dat-* rules flag these patterns before they are committed. They are pattern rules: they catch the common, recognizable forms of each leak, not every way PHI can be encoded into a log line or URL, so review AI-generated data-access code even when the check passes.
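The four leak patterns above, in a minimal request handler beside its hardened form. This is an added example, not vybdocs code or a rule from the pack: the patient record, the logger sink and the handler shape are constructed stand-ins for a real framework and database, and the audit function here only demonstrates the patterns at runtime; it is not how the dat-* rules work (they match source text, not behaviour).

```python
"""PHI leak patterns in a minimal handler, beside a hardened version.
Added example, not vybdocs code: PATIENT, the logger sink and the handler
shapes are constructed stand-ins for a real framework and data store."""
import logging
import uuid

# Constructed, fictional ePHI record.
PATIENT = {
    "patient_id": "P-1001",
    "name": "Jane Doe",
    "dob": "1980-03-14",
    "diagnosis": "E11.9",
    "mrn": "MRN-555-0199",
}
# Every value here is PHI (an identifier or clinical data) and must never
# appear in logs, URLs or error messages.
PHI_FIELDS = set(PATIENT)
# Minimum necessary for a hypothetical scheduling caller: identity, no clinical data.
ALLOWED_RESPONSE_FIELDS = ("patient_id", "name", "dob")


class ListHandler(logging.Handler):
    """Collects formatted log lines so the audit below can inspect them."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def make_logger(name):
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    sink = ListHandler()
    logger.addHandler(sink)
    return logger, sink


# --- Typical AI-generated handler: all four leak patterns --------------------
def get_patient_leaky(patient_id, logger):
    logger.debug("fetching patient %r", PATIENT)                          # PHI in log
    url = f"/api/patients/{patient_id}?diagnosis={PATIENT['diagnosis']}"  # PHI in URL
    if patient_id != PATIENT["patient_id"]:
        raise ValueError(f"No record for {PATIENT['name']} ({patient_id})")  # PHI in error
    return {"url": url, "body": dict(PATIENT)}                            # every field returned


# --- Hardened handler --------------------------------------------------------
def get_patient_hardened(patient_id, logger):
    request_id = uuid.uuid4().hex
    logger.debug("fetching patient record request_id=%s", request_id)  # opaque id only
    url = "/api/patients/lookup"          # id travels in the POST body, not the URL
    if patient_id != PATIENT["patient_id"]:
        raise LookupError(f"record not found (request_id={request_id})")  # generic error
    body = {k: PATIENT[k] for k in ALLOWED_RESPONSE_FIELDS}          # minimum necessary
    return {"url": url, "body": body}


def leaks_phi(text):
    """True if any PHI value appears verbatim in text."""
    return any(PATIENT[f] in text for f in PHI_FIELDS)


def audit(handler_fn):
    """Run a handler on a known and an unknown id; report which leak patterns occur."""
    logger, sink = make_logger(handler_fn.__name__)
    findings = set()
    result = handler_fn("P-1001", logger)
    if any(leaks_phi(line) for line in sink.lines):
        findings.add("phi-in-log")
    if leaks_phi(result["url"]):
        findings.add("phi-in-url")
    if set(result["body"]) - set(ALLOWED_RESPONSE_FIELDS):
        findings.add("over-broad-response")
    try:
        handler_fn("P-9999", logger)
    except Exception as exc:
        if leaks_phi(str(exc)):
            findings.add("phi-in-error")
    return sorted(findings)


if __name__ == "__main__":
    print("leaky:   ", audit(get_patient_leaky))     # all four findings
    print("hardened:", audit(get_patient_hardened))  # []
```

The hardened version keys everything that leaves the process on an opaque request id: the log line, the error message and the URL carry only that id, and the real details stay server-side where the §164.312(b) audit log can record them under proper access control.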
Minimum necessary standard
HIPAA's "minimum necessary" standard requires that PHI access is limited to what is necessary. Code-level rules that can help:
- id: dat-010
  name: no-wildcard-phi-select
  description: >
    SELECT * on PHI tables violates the minimum necessary standard.
    Only retrieve the fields your code actually uses.
  severity: warn
  pattern: "SELECT \\* FROM (patients|medical_records|phi_)"
  remediation: >
    Enumerate the columns your code needs explicitly.
    SELECT * on PHI tables returns more data than necessary,
    violating HIPAA's minimum necessary standard (§164.514(d)).
  maps-to:
    - framework: hipaa
      control: "164.514(d)"
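To see what this rule matches as written, and what it misses, here is an added example (not part of vybdocs or the pack) that applies the dat-010 pattern to constructed source lines, next to a hypothetical case-insensitive, whitespace-tolerant variant. The scan function is a stand-in for the rule engine, not its real implementation.

```python
"""Evaluate the dat-010 pattern against constructed source lines.
Added example, not vybdocs code; DAT_010_STRICT is a hypothetical variant."""
import re

# Pattern as the YAML rule above resolves it ("\\*" in YAML -> "\*" in the regex).
DAT_010 = {
    "id": "dat-010",
    "severity": "warn",
    "pattern": r"SELECT \* FROM (patients|medical_records|phi_)",
}
# Hypothetical tightened variant: case-insensitive, any run of whitespace,
# and the phi_ prefix anchored to a whole table name.
DAT_010_STRICT = {
    "id": "dat-010-strict",
    "severity": "warn",
    "pattern": r"(?i)\bselect\s+\*\s+from\s+(patients|medical_records|phi_\w*)\b",
}

# Constructed sample source lines (not from any real codebase).
SAMPLE_SOURCE = """\
cur.execute("SELECT * FROM patients WHERE id = %s", (pid,))
cur.execute("select * from medical_records where patient_id = %s", (pid,))
cur.execute("SELECT id, dob FROM patients WHERE id = %s", (pid,))
cur.execute("SELECT * FROM appointments WHERE day = %s", (day,))
cur.execute("SELECT   *   FROM phi_lab_results WHERE mrn = %s", (mrn,))
"""


def scan(source, rule):
    """Return (line_no, rule_id, severity) for each source line the rule's regex hits."""
    regex = re.compile(rule["pattern"])
    return [
        (n, rule["id"], rule["severity"])
        for n, line in enumerate(source.splitlines(), start=1)
        if regex.search(line)
    ]


def matched_lines(source, rule):
    """Just the line numbers, for quick comparison between rule variants."""
    return [n for n, _, _ in scan(source, rule)]


if __name__ == "__main__":
    for rule in (DAT_010, DAT_010_STRICT):
        for line_no, rule_id, severity in scan(SAMPLE_SOURCE, rule):
            print(f"{rule_id} [{severity}] line {line_no}")
```

As written, dat-010 fires only on line 1: the lowercase query on line 2 and the extra whitespace on line 5 slip past it, and line 4 (appointments) is outside the table list entirely. The strict variant catches lines 1, 2 and 5, but no regex will cover a PHI table that is not in the list, so the table names in the rule must be maintained alongside the schema. Line 3, which enumerates its columns, is the remediated form and matches neither.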
Retention
HIPAA (§164.316(b)(2)(i)) requires retaining Security Rule documentation for 6 years from the date of its creation or the date when it was last in effect, whichever is later. Evidence Packs covering PHI-handling code changes should be retained for this period.