US Healthtech PHI Pack
The us-healthtech-phi pack provides constraint rules for applications that create, receive, maintain, or transmit Protected Health Information (PHI) under the HIPAA Security Rule. It covers the three HIPAA safeguard categories: administrative, physical, and technical.
Apply the pack
vyb init --pack us-healthtech-phi
What is PHI in code?
PHI includes any health information that could identify a patient. In code, PHI surfaces as:
- Patient names, DOBs, addresses in data models or log output
- Medical record numbers, device identifiers
- Diagnosis codes (ICD-10), procedure codes (CPT)
- Insurance member IDs, policy numbers
- Biometric identifiers
The pack's dat-* rules catch the most common ways PHI leaks into code unintentionally.
HIPAA coverage
| HIPAA Section | Coverage |
|---|---|
| §164.312(a)(1) | Access control — authentication requirements |
| §164.312(a)(2)(iv) | Encryption and decryption of PHI at rest |
| §164.312(b) | Audit controls — logging PHI access |
| §164.312(c)(1) | Integrity — prevent unauthorized modification |
| §164.312(d) | Authentication — verify user identity |
| §164.312(e)(1) | Transmission security — encrypt PHI in transit |
What the pack enforces
Data handling (block severity)
| Rule ID | Name | What it catches |
|---|---|---|
dat-001 | no-phi-logging | PHI fields in console.log, logger.*, print() |
dat-002 | no-phi-client-storage | PHI in localStorage, sessionStorage, IndexedDB |
dat-003 | require-phi-encryption-annotation | Data model fields containing PHI without @encrypted annotation |
dat-004 | no-phi-url-params | PHI in URL query parameters or path segments |
dat-005 | no-phi-in-error-messages | Patient data interpolated into thrown Error messages |
Security (block severity)
| Rule ID | Name | What it catches |
|---|---|---|
sec-001 | no-eval | eval() — all PHI systems require heightened code integrity |
sec-002 | no-hardcoded-credentials | Inline database passwords, API keys |
sec-003 | require-https-only | HTTP calls (non-TLS) from any PHI-handling module |
sec-004 | require-auth-on-phi-routes | Routes under /phi/, /patient/, /health-records/ without auth middleware |
sec-005 | no-weak-session-tokens | Session IDs shorter than 128 bits |
Audit (block severity)
| Rule ID | Name | What it catches |
|---|---|---|
aud-001 | require-phi-access-log | PHI retrieval without logging the access event |
aud-002 | require-mutation-log | PHI write/update without logging who made the change |
Annotating your PHI fields
The pack's dat-003 rule requires PHI database fields to carry an @encrypted annotation in their type definition or schema. Here is the expected pattern for common ORMs:
// Prisma schema — pack compliant
model Patient {
id String @id @default(cuid())
/// @encrypted
dateOfBirth DateTime
/// @encrypted
diagnosis String
/// @phi
mrn String @unique // Medical Record Number
}
// TypeORM — pack compliant
@Entity()
export class Patient {
@PrimaryGeneratedColumn('uuid')
id: string;
/** @encrypted @phi */
@Column({ type: 'text' })
socialSecurityNumber: string;
}
Rules dat-003 and aud-001 are triggered when PHI fields are accessed without the annotation present in the module.
Example violations
[BLOCK] dat-001 / no-phi-logging
src/services/patient.ts:42
console.log(`Processing patient ${patient.ssn}`)
→ Remove PHI from log statements. Use audit-log
service for PHI access tracking.
[BLOCK] dat-004 / no-phi-url-params
src/api/records.ts:18
redirect(`/records?patientId=${mrn}&dob=${dob}`)
→ PHI must not appear in URLs. Use POST body with
HTTPS or a signed session reference.
Business Associate Agreement (BAA)
If your SaaS product is a Business Associate under HIPAA, every passing vyb check run produces a signed Evidence Pack that documents your technical safeguard controls. The Evidence Pack PDF includes a section specifically formatted for BAA audit requests, listing each HIPAA section and the rules that enforce it.
Next: Enterprise Vibe Coding