HighFile-scopeRust Plug & play

Protect backups/exports of ePHI with KMS and restricted buckets

Write ePHI backups to storage with server-side encryption (SSE-KMS) and least-privilege access; disallow public ACLs and cross-account access without a BAA. Record the KMS key id in metadata.

Add to Mesrai Open workspace

Why this matters

Backups contain full datasets; encryption and access controls prevent bulk disclosure.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

s3.put_object().bucket("phi-backups").body(data).send().await?; // no encryption

Prefer

s3.put_object().bucket("phi-backups").server_side_encryption("aws:kms").ssekms_key_id(kid).metadata("kms-kid", kid).body(data).send().await?;

More snippets

Bad

put_object(bucket,"phi-backups", data) // default

Good

put_object_kms(bucket,"phi-backups", kid, data)

Related rules

From the same buckets as this rule.

Critical
Check consent and role-based authorization before returning ePHI
Handlers must verify the requester’s role and a valid consent/relationship (e.g., care team assignment) before disclosing ePHI; include Purpose-Of-Use in the decision and audit the outcome.
compliance-hipaasecurity-hardening+2
Critical
Encrypt ePHI at rest with KMS-managed AES-256 and envelope keys
Before persisting ePHI, encrypt using a data key protected by a Key Management Service (KMS). Use authenticated encryption (AES-256-GCM or equivalent), rotate keys, and store the key id and algorithm with the record.
compliance-hipaasecurity-hardening+2
High
De-identify analytics and block PHI egress to third parties
Any PR that adds or modifies telemetry/analytics must prove that no PHI leaves the boundary. Use irreversible tokenization or hashing (HMAC with secret salt) for identifiers and document the data dictionary.
compliance-hipaaprivacy-pii+2

Why this matters

Bad vs. good

More snippets

Related rules

Check consent and role-based authorization before returning ePHI

Encrypt ePHI at rest with KMS-managed AES-256 and envelope keys

De-identify analytics and block PHI egress to third parties

Why this matters

Bad vs. good

More snippets

Related rules

Check consent and role-based authorization before returning ePHI

Encrypt ePHI at rest with KMS-managed AES-256 and envelope keys

De-identify analytics and block PHI egress to third parties