CareBridge handles Protected Health Information (PHI) and surfaces AI-driven clinical flags, so compliance is a first-class concern rather than an afterthought. This page summarizes the safety and regulatory posture; each section links to its authoritative runbook in the source repo.
PHI encryption
PHI columns are encrypted with AES-256-GCM using a 32-byte key from PHI_ENCRYPTION_KEY (hex-encoded), read at runtime by a Drizzle custom type. A second key, PHI_ENCRYPTION_KEY_PREVIOUS, acts as a decryption fallback so rotation can be gradual. HMAC indexes (e.g. mrn_hmac) use a separate PHI_HMAC_KEY that must never be rotated with the same procedure.
Routine and emergency rotation are documented step-by-step, including a keyset-paginated re-encryption script and post-rotation sanity checks. The long-term plan is envelope encryption against a managed KMS. See the PHI key rotation runbook.
HIPAA audit log
CareBridge retains audit records for 7 years (one year beyond the HIPAA Security Rule minimum of 6, as a safety buffer). The audit_log table is append-only and tamper-evident at the database level:
- Row triggers block per-row UPDATE and DELETE.
- A statement trigger blocks TRUNCATE (which bypasses row-level triggers).
UPDATE / DELETE / TRUNCATEare REVOKEd from thePUBLICpseudo-role as defense-in-depth.
A known limitation is that the table owner can DROP TRIGGER, so the migration role and the runtime application role must be distinct — the app runs with INSERT only. Only audit_log satisfies the HIPAA tamper-evidence requirement; review_jobs is supplementary operational state. Full policy, including PHI handling for review_jobs.rules_output, in the HIPAA retention doc.
CDS non-device posture
The clinical flag system is designed to qualify as non-device Clinical Decision Support (CDS) under section 520(o)(1)(E) of the FD&C Act. It meets all four statutory criteria; the load-bearing one is independent review — clinicians must be able to review the basis for each recommendation rather than rely on it. CareBridge satisfies this by construction:
- Every flag carries a human-readable
rationale. - Deterministic flags carry a stable
rule_idtraceable to source code. - LLM flags record
model_idandprompt_version, and are gated byrequires_human_review = true. - Clinicians must enter a reason to dismiss or resolve a flag.
- The patient portal does not surface AI flags.
Auto-acting on flags, surfacing AI diagnostic conclusions to patients, and closed-loop time-critical alerts are explicitly out of scope (they would push CareBridge into device classification). The memo also fixes approved vs. prohibited marketing language. See the CDS exemption memo.
Vendor data handling (Claude API)
Because residual quasi-identifiers survive redaction, outbound LLM prompts are treated as PHI for compliance purposes. A signed Business Associate Agreement (BAA), zero-retention on the API tier, scoped production keys, and model pinning are required before any production PHI traffic reaches the Claude API. Until a BAA is in place, the LLM path is disabled in any environment with real PHI (AI_OVERSIGHT_LLM_ENABLED=false), and deterministic rules continue to fire. See the Anthropic BAA doc.
More compliance and design docs
The source repo’s docs/ directory carries further references: FHIR licensing, image-upload security design, patient-education readability, care-team tables, migration patterns, and the clinician-bridge MVP scope.
See also: AI Oversight Layer, Clinical Domain Model, Design Decisions.