Healthcare PHI/PII Compliance Patterns

Patterns for protecting patient data, clinician data, and financial data in healthcare applications. Applicable to HIPAA (US), DISHA (India), GDPR (EU), and general healthcare data protection.

When to Use

Building any feature that touches patient records
Implementing access control or authentication for clinical systems
Designing database schemas for healthcare data
Building APIs that return patient or clinician data
Implementing audit trails or logging
Reviewing code for data exposure vulnerabilities
Setting up Row-Level Security (RLS) for multi-tenant healthcare systems

How It Works

Healthcare data protection operates on three layers: classification (what is sensitive), access control (who can see it), and audit (who did see it).

Data Classification

PHI (Protected Health Information) — any data that can identify a patient AND relates to their health: patient name, date of birth, address, phone, email, national ID numbers (SSN, Aadhaar, NHS number), medical record numbers, diagnoses, medications, lab results, imaging, insurance policy and claim details, appointment and admission records, or any combination of the above.

PII (Non-patient-sensitive data) in healthcare systems: clinician/staff personal details, doctor fee structures and payout amounts, employee salary and bank details, vendor payment information.

Access Control: Row-Level Security

ALTER TABLE patients ENABLE ROW LEVEL SECURITY;

-- Scope access by facility
CREATE POLICY "staff_read_own_facility"
  ON patients FOR SELECT TO authenticated
  USING (facility_id IN (
    SELECT facility_id FROM staff_assignments
    WHERE user_id = auth.uid() AND role IN ('doctor','nurse','lab_tech','admin')
  ));

-- Audit log: insert-only (tamper-proof)
CREATE POLICY "audit_insert_only" ON audit_log FOR INSERT
  TO authenticated WITH CHECK (user_id = auth.uid());
CREATE POLICY "audit_no_modify" ON audit_log FOR UPDATE USING (false);
CREATE POLICY "audit_no_delete" ON audit_log FOR DELETE USING (false);

Audit Trail

Every PHI access or modification must be logged:

interface AuditEntry {
  timestamp: string;
  user_id: string;
  patient_id: string;
  action: 'create' | 'read' | 'update' | 'delete' | 'print' | 'export';
  resource_type: string;
  resource_id: string;
  changes?: { before: object; after: object };
  ip_address: string;
  session_id: string;
}

Common Leak Vectors

Error messages: Never include patient-identifying data in error messages thrown to the client. Log details server-side only.

Console output: Never log full patient objects. Use opaque internal record IDs (UUIDs) — not medical record numbers, national IDs, or names.

URL parameters: Never put patient-identifying data in query strings or path segments that could appear in logs or browser history. Use opaque UUIDs only.

Browser storage: Never store PHI in localStorage or sessionStorage. Keep PHI in memory only, fetch on demand.

Service role keys: Never use the service_role key in client-side code. Always use the anon/publishable key and let RLS enforce access.

Logs and monitoring: Never log full patient records. Use opaque record IDs only (not medical record numbers). Sanitize stack traces before sending to error tracking services.

Database Schema Tagging

Mark PHI/PII columns at the schema level:

COMMENT ON COLUMN patients.name IS 'PHI: patient_name';
COMMENT ON COLUMN patients.dob IS 'PHI: date_of_birth';
COMMENT ON COLUMN patients.aadhaar IS 'PHI: national_id';
COMMENT ON COLUMN doctor_payouts.amount IS 'PII: financial';

Deployment Checklist

Before every deployment:

No PHI in error messages or stack traces
No PHI in console.log/console.error
No PHI in URL parameters
No PHI in browser storage
No service_role key in client code
RLS enabled on all PHI/PII tables
Audit trail for all data modifications
Session timeout configured
API authentication on all PHI endpoints
Cross-facility data isolation verified

Examples

Example 1: Safe vs Unsafe Error Handling

// BAD — leaks PHI in error
throw new Error(`Patient ${patient.name} not found in ${patient.facility}`);

// GOOD — generic error, details logged server-side with opaque IDs only
logger.error('Patient lookup failed', { recordId: patient.id, facilityId });
throw new Error('Record not found');

Example 2: RLS Policy for Multi-Facility Isolation

-- Doctor at Facility A cannot see Facility B patients
CREATE POLICY "facility_isolation"
  ON patients FOR SELECT TO authenticated
  USING (facility_id IN (
    SELECT facility_id FROM staff_assignments WHERE user_id = auth.uid()
  ));

-- Test: login as doctor-facility-a, query facility-b patients
-- Expected: 0 rows returned

Example 3: Safe Logging

// BAD — logs identifiable patient data
console.log('Processing patient:', patient);

// GOOD — logs only opaque internal record ID
console.log('Processing record:', patient.id);
// Note: even patient.id should be an opaque UUID, not a medical record number

Files1

1 files · 1.0 KB

Select a file to preview

Overall Score

82/100

Grade

B

Good

Safety

85

Quality

85

Clarity

88

Completeness

72

Summary

A comprehensive healthcare PHI/PII compliance guidance skill that teaches secure data handling patterns for HIPAA, DISHA, GDPR, and other healthcare data protection frameworks. Covers data classification, row-level security (RLS) implementation, audit trail design, and identification of common data leak vectors through code examples and SQL templates.

Detected Capabilities

code analysis and pattern reviewSQL policy design and testingdata classification guidancecompliance checklist generationvulnerability identification in healthcare contexts

Trigger Keywords

Phrases that MCP clients use to match this skill to user intent.

healthcare data complianceHIPAA access controlpatient data securityPHI audit trailRLS multi-tenanthealth data leak prevention

Use Cases

Implementing PHI access control via Row-Level Security in PostgreSQL/Supabase-based clinical systems
Designing audit trails that log all patient data access and modifications with tamper-proof insert-only policies
Identifying and fixing common data exposure vulnerabilities in healthcare APIs (error messages, console logs, URL parameters, browser storage)
Implementing multi-facility data isolation so clinicians can only see patients from their assigned facilities
Reviewing healthcare application code against HIPAA/GDPR/DISHA compliance checklist before deployment
Tagging sensitive database columns with PHI/PII metadata comments for developer reference and compliance tracking

Quality Notes

Clear, well-organized structure with distinct sections for data classification, access control, audit trails, and vulnerability patterns
Provides concrete SQL and TypeScript examples showing both unsafe and safe implementations, making patterns immediately applicable
Covers multiple regulatory frameworks (HIPAA, DISHA, GDPR) without being prescriptive about which applies to a given use case
Comprehensive deployment checklist provides actionable pre-production verification steps
Excellent focus on common leak vectors with specific guidance on error handling, logging, URL parameters, and browser storage
Database schema tagging guidance (SQL COMMENT) adds practical metadata tracking for compliance audits
Strong emphasis on opaque UUIDs vs. identifiable data in logs, reducing real-world data exposure incidents
Audit entry interface is well-defined with timestamp, user_id, action type, IP, and session tracking
Does not address encryption at rest or in transit (TLS, column encryption) — practical but incomplete for full HIPAA compliance
No guidance on data retention/purge policies, anonymization techniques, or incident response procedures

Model: claude-haiku-4-5-20251001Analyzed: May 11, 2026

Reviews

Add this skill to your library to leave a review.

No reviews yet

Be the first to share your experience.

Version History

v1.1

Content updated

2026-04-20

Latest

v1.0

No changelog

2026-04-12

healthcare-phi-compliance