HIPAA

Technical safeguards for code that handles PHI.

VibeReview traces PHI through your services, generates HIPAA-aware guardrails per safeguard, and produces evidence aligned with §164.312. The audit log doubles as the §164.312(b) audit controls record. BAA-friendly architecture on Enterprise.

14-day free trial · No card required

You prompting Cursor · app/api/records/search.py

"Add a search over patient records so clinicians can find a chart by name."

VibeReview matched 3 HIPAA safeguards · invisibly
  • §164.502 — return only records in the clinician's treatment scope
  • §164.312(a) — require clinician role; enforce per-record ACL
  • §164.312(b) — write a PHI-access audit row per result
app/api/records/search.py
@app.get("/records/search")
@require_role("clinician")
def search(
    q: str,
    clinician = Depends(auth),
):
    rows = db.execute(
        "SELECT r.id, r.patient_name "
        "FROM records r "
        "JOIN care_team c ON c.patient_id = r.patient_id "
        "WHERE c.clinician_id = ? "
        "  AND r.patient_name LIKE ?",
        (clinician.id, f"%{q}%"),
    )
    for r in rows:
        audit.phi_access(
            actor=clinician.id,
            record=r.id,
            purpose="search",
        )
    return rows

✓ Treatment-scoped, role-checked, PHI access logged per row. §164.502 and §164.312(a)/(b) covered.
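The same pattern as the generated handler above (clinician role check, care-team scoping in the query, one PHI-access audit row per returned record) as an added, self-contained example that is not VibeReview's or the page's code. It assumes an in-memory SQLite database with constructed sample data and, going one step beyond the snippet above, escapes LIKE wildcards so a query of "%" or "_" cannot widen the search past what the clinician typed.

```python
import sqlite3
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller does not hold the clinician role (hypothetical helper)."""


@dataclass(frozen=True)
class User:
    id: int
    role: str


def setup_db() -> sqlite3.Connection:
    """Constructed sample schema: two charts, clinician 7 is on the care team for patient 100 only."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE records   (id INTEGER PRIMARY KEY, patient_id INTEGER, patient_name TEXT);
        CREATE TABLE care_team (clinician_id INTEGER, patient_id INTEGER);
        CREATE TABLE phi_audit (actor INTEGER, record INTEGER, purpose TEXT);
        INSERT INTO records   VALUES (1, 100, 'Ada Lovelace'), (2, 200, 'Ada Byron');
        INSERT INTO care_team VALUES (7, 100);
    """)
    return db


def escape_like(s: str) -> str:
    """Neutralise LIKE metacharacters so user input is matched literally (assumption, not in the page's snippet)."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search(db: sqlite3.Connection, q: str, clinician: User) -> list[tuple[int, str]]:
    """Treatment-scoped chart search: the JOIN on care_team is the §164.502 scope check."""
    if clinician.role != "clinician":          # §164.312(a): role required before any PHI is read
        raise Forbidden("clinician role required")
    rows = db.execute(
        "SELECT r.id, r.patient_name FROM records r "
        "JOIN care_team c ON c.patient_id = r.patient_id "
        "WHERE c.clinician_id = ? AND r.patient_name LIKE ? ESCAPE '\\'",
        (clinician.id, "%" + escape_like(q) + "%"),
    ).fetchall()
    # §164.312(b): one audit row per record actually returned to the caller
    db.executemany("INSERT INTO phi_audit VALUES (?, ?, 'search')",
                   [(clinician.id, rid) for rid, _name in rows])
    db.commit()
    return rows


def audit_rows(db: sqlite3.Connection, actor: int) -> list[tuple[int]]:
    """Records whose PHI this actor has accessed, per the audit table."""
    return db.execute("SELECT record FROM phi_audit WHERE actor = ?", (actor,)).fetchall()
```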

MODEL

Threat model → PHI scope.

The model traces patient data across services, names the in-scope code, and maps each finding to a §164.308 administrative, §164.310 physical, or §164.312 technical safeguard.

ENFORCE

Guardrails → §164.312 technical safeguards.

Access control, audit controls, integrity, authentication, transmission security. Each guardrail cites the safeguard it enforces.

EVIDENCE

PR review → per-safeguard evidence.

Every diff that touches PHI code runs the matching safeguards. The audit log records the safeguard and the outcome.

REPORT

Mapping report → OCR-ready.

Per-safeguard coverage. Evidence-pack export. Aligns with the HIPAA Security Rule auditor's protocol.

WHAT'S COVERED

HIPAA Security Rule safeguards and the VibeReview controls behind them.

Coverage focuses on §164.312 technical safeguards. Administrative and physical safeguards remain your organization's responsibility.

  • §164.312(a)(1) Access Control: Unique user identification guardrails, automatic logoff patterns, role-based access enforcement.
  • §164.312(a)(2)(iv) Encryption and decryption: Encryption-at-rest guardrails for PHI storage, key management, and KDF rules.
  • §164.312(b) Audit Controls: Read-only audit log of guardrail enforcement and PHI access patterns. Exportable to your SIEM.
  • §164.312(c)(1) Integrity: Guardrails on data validation, checksum patterns, and write-path verification.
  • §164.312(d) Person or Entity Authentication: MFA hooks, session binding, credential rotation policies.
  • §164.312(e)(1) Transmission Security: TLS 1.2+ enforcement on every PHI-bearing channel, certificate validation, no fallback to cleartext.
  • §164.308 Administrative Safeguards (technical evidence): Guardrail-change audit log supports §164.308(a)(8) evaluation and §164.308(a)(1)(ii)(B) risk management evidence.

Get the HIPAA mapping report for your repo.

Bring your privacy officer. We walk through PHI scope, safeguard coverage, and audit-log export. BAA available on Enterprise.