HighPR-scope

De-identify analytics and block PHI egress to third parties

Any PR that adds or modifies telemetry/analytics must prove that no PHI leaves the boundary. Use irreversible tokenization or hashing (HMAC with secret salt) for identifiers and document the data dictionary.

Add to Mesrai Open workspace

Why this matters

Sending PHI to vendors without BAAs risks violations; de-identification reduces exposure.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

PR code adds: analytics.track('view_record', { name, dob, diagnosis })

Prefer

PR code uses: analytics.track('view_record', { patient_token: hmac(patientId), age_bucket: '40-49' })
PR includes: analytics_data_dictionary.md

More snippets

Bad

analytics.track('lab', { patientName })

Good

analytics.track('lab', { patient_token: hmac(patientId) })

Related rules

From the same buckets as this rule.

Critical
Check consent and role-based authorization before returning ePHI
Handlers must verify the requester’s role and a valid consent/relationship (e.g., care team assignment) before disclosing ePHI; include Purpose-Of-Use in the decision and audit the outcome.
compliance-hipaasecurity-hardening+2
Critical
Encrypt ePHI at rest with KMS-managed AES-256 and envelope keys
Before persisting ePHI, encrypt using a data key protected by a Key Management Service (KMS). Use authenticated encryption (AES-256-GCM or equivalent), rotate keys, and store the key id and algorithm with the record.
compliance-hipaasecurity-hardening+2
High
Do not log PHI; mask and drop sensitive fields
Never write Protected Health Information (PHI/ePHI) to logs. Redact fields like name, SSN, MRN, DOB, address, diagnoses, and lab results; store only non-identifying metadata and a stable request trace id. If logging is required for troubleshooting, replace values with consistent tokens and record access separately in the audit log.
compliance-hipaaobservability-logging+2

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

PR code adds: analytics.track('view_record', { name, dob, diagnosis })

Prefer

PR code uses: analytics.track('view_record', { patient_token: hmac(patientId), age_bucket: '40-49' })
PR includes: analytics_data_dictionary.md

More snippets

Bad

analytics.track('lab', { patientName })

Good

analytics.track('lab', { patient_token: hmac(patientId) })

Related rules

From the same buckets as this rule.

Critical

Check consent and role-based authorization before returning ePHI

Handlers must verify the requester’s role and a valid consent/relationship (e.g., care team assignment) before disclosing ePHI; include Purpose-Of-Use in the decision and audit the outcome.

compliance-hipaasecurity-hardening+2

Critical

Encrypt ePHI at rest with KMS-managed AES-256 and envelope keys

Before persisting ePHI, encrypt using a data key protected by a Key Management Service (KMS). Use authenticated encryption (AES-256-GCM or equivalent), rotate keys, and store the key id and algorithm with the record.

compliance-hipaasecurity-hardening+2

High

Do not log PHI; mask and drop sensitive fields

Never write Protected Health Information (PHI/ePHI) to logs. Redact fields like name, SSN, MRN, DOB, address, diagnoses, and lab results; store only non-identifying metadata and a stable request trace id. If logging is required for troubleshooting, replace values with consistent tokens and record access separately in the audit log.

compliance-hipaaobservability-logging+2