{
"name": "Healthcare HIPAA Compliance",
"description": "HIPAA compliance requirements for healthcare applications handling PHI",
"domainKeywords": ["health", "medical", "patient", "hipaa", "phi", "healthcare"],
"compliance": {
"regulation": "HIPAA (Health Insurance Portability and Accountability Act)",
"scope": "All applications handling Protected Health Information (PHI)",
"requirements": [
"Encrypt PHI at rest and in transit",
"Implement access controls for PHI",
"Audit all access to PHI",
"Ensure data integrity",
"Implement proper user authentication",
"Maintain data minimization practices"
]
},
"dataClassification": {
"phi": {
"definition": "Individually identifiable health information",
"examples": [
"Names, addresses, birth dates",
"Phone numbers, email addresses",
"Social Security numbers",
"Medical record numbers",
"Health plan beneficiary numbers",
"Account numbers",
"Certificate/license numbers",
"Vehicle identifiers and serial numbers",
"Device identifiers and serial numbers",
"Web Universal Resource Locators (URLs)",
"Internet Protocol (IP) address numbers",
"Biometric identifiers",
"Full face photographic images",
"Medical diagnoses and treatment information",
"Lab results and vital signs"
],
"encryption": "AES-256 encryption required",
"storage": "Must be encrypted at rest",
"transmission": "Must be encrypted in transit (TLS 1.2+)"
}
},
"securityPatterns": {
"encryption": {
"algorithm": "AES-256",
"keyManagement": "Use AWS KMS, Azure Key Vault, or similar",
"implementation": "Field-level encryption for PHI columns",
"example": "@Encrypted decorator for entity fields"
},
"authentication": {
"method": "Multi-factor authentication required",
"tokenType": "JWT with refresh tokens",
"sessionTimeout": "Maximum 15-minute inactivity timeout",
"passwordPolicy": "Minimum 8 characters with complexity requirements"
},
"authorization": {
"model": "Role-Based Access Control (RBAC)",
"principle": "Minimum necessary access",
"implementation": "Care group permissions with data segmentation",
"auditTrail": "Log all authorization decisions"
},
"auditLogging": {
"requirement": "All PHI access must be logged",
"fields": [
"User ID",
"Patient ID",
"Action performed",
"Timestamp",
"IP address",
"Success/failure",
"Data accessed"
],
"retention": "6 years minimum",
"integrity": "Logs must be tamper-evident"
}
},
"implementationPatterns": {
"backend": {
"entities": {
"phiFields": "Mark PHI fields with @PHIEncrypted decorator",
"auditables": "Extend BaseAuditableEntity for PHI entities",
"relationships": "Implement proper access control on relationships"
},
"controllers": {
"authentication": "All PHI endpoints require authentication",
"authorization": "Check user permissions before PHI access",
"logging": "Log all PHI access attempts",
"validation": "Validate all inputs to prevent injection"
},
"services": {
"encryption": "Encrypt PHI before database storage",
"decryption": "Decrypt PHI only for authorized access",
"minimization": "Return only necessary PHI fields",
"auditing": "Create audit log entries for all PHI operations"
}
},
"frontend": {
"dataHandling": {
"localStorage": "Never store PHI in localStorage",
"sessionStorage": "Only encrypted session data allowed",
"memory": "Clear PHI from component state on unmount",
"logging": "Never log PHI to console or external services"
},
"ui": {
"masking": "Mask sensitive data by default",
"permissions": "Hide UI elements based on user roles",
"timeout": "Implement session timeout with warnings",
"accessibility": "Ensure screen readers don't expose PHI inappropriately"
}
}
},
"testingRequirements": {
"coverage": {
"minimum": "80% for all PHI-handling modules",
"focus": "Security and privacy controls"
},
"security": [
"Test for PHI leakage in API responses",
"Verify encryption of PHI fields",
"Test authorization controls",
"Validate audit logging functionality",
"Test session timeout behavior"
],
"compliance": [
"Verify minimum necessary access",
"Test audit log completeness",
"Validate encryption implementation",
"Test user access controls",
"Verify data retention policies"
]
},
"context7Libraries": [
"@nestjs/jwt",
"bcrypt",
"helmet",
"crypto",
"jsonwebtoken",
"express-rate-limit"
],
"codeTemplates": {
"phiEntity": {
"description": "Entity with PHI fields",
"template": "@Entity()\nexport class Patient {\n @PHIEncrypted()\n @Column()\n firstName: string;\n\n @AuditableField()\n @Column()\n medicalRecordNumber: string;\n}"
},
"auditLog": {
"description": "Audit log entry",
"template": "await this.auditService.log({\n userId: user.id,\n action: 'VIEW_PATIENT',\n resourceType: 'Patient',\n resourceId: patientId,\n ipAddress: request.ip,\n timestamp: new Date()\n});"
},
"authGuard": {
"description": "HIPAA auth guard",
"template": "@UseGuards(JwtAuthGuard, RolesGuard)\n@RequirePermission('view_patient_phi')\n@ApiSecurity('bearer')"
}
},
"complianceChecklist": [
"All PHI fields are encrypted at rest",
"All PHI transmission uses TLS 1.2+",
"User authentication is implemented with MFA",
"Role-based access control is enforced",
"All PHI access is logged and auditable",
"Session timeout is configured (max 15 minutes)",
"Password policies meet HIPAA requirements",
"Data backup and recovery procedures are secure",
"Incident response procedures are documented",
"Employee access is based on minimum necessary principle"
],
"riskAssessment": [
"Unauthorized access to PHI",
"Data breaches due to weak encryption",
"Insider threats and inappropriate access",
"Data loss due to inadequate backups",
"System vulnerabilities and exploits",
"Third-party vendor security risks",
"Physical security of systems and data",
"Network security and access controls",
"Application security vulnerabilities",
"Business continuity and disaster recovery"
],
"incidentResponse": [
"Identify and contain the incident",
"Assess the scope and severity",
"Notify affected individuals if required",
"Report to HHS if the breach affects 500+ individuals",
"Implement corrective actions",
"Document all incident response activities",
"Conduct post-incident review and lessons learned",
"Update security policies and procedures",
"Provide additional training if needed",
"Monitor for similar incidents"
]
}