Elevate Your Legal Practice with AI-Driven Intelligence

This document summarizes the technical safeguards implemented in Think AI MediChron to protect Protected Health Information (PHI) in compliance with the HIPAA Security Rule (45 CFR Part 164, Subpart C) and Privacy Rule (45 CFR Part 164, Subpart E). MediChron processes medical records to generate legal-ready chronologies and implements defense-in-depth security across data encryption, access control, audit logging, and secure data handling.

---

1. Encryption at Rest (Technical Safeguard - 164.312(a)(2)(iv))

• All Protected Health Information (PHI) is encrypted using AES-256-GCM before storage in the PostgreSQL database.
• Encryption covers all PHI fields across projects, documents, document chunks, and chronology tables.
• Each encrypted value includes a unique 12-byte initialization vector (IV) and 16-byte authentication tag to prevent tampering.
• Encrypted values are stored with an "ENC:" prefix; the decryption layer auto-detects and decrypts these, ensuring backward compatibility with any legacy unencrypted data.
• The encryption key (DOCUMENT_ENCRYPTION_KEY) is stored as a secret environment variable, never committed to source code or logged.
• Fields encrypted include: project names, patient info, document filenames, chunk text content, chronology generated content, case summaries, legal analyses, and narrative summaries.

---

2. Encryption in Transit (Technical Safeguard - 164.312(e)(1))

• All client-server communication is enforced over HTTPS via HTTP Strict Transport Security (HSTS) headers with a 1-year max-age.
• Helmet middleware sets security headers on every response: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and strict Referrer-Policy.
• No-cache headers are applied to all API responses to prevent PHI from being stored in browser or proxy caches.
• Cookies are configured with httpOnly, secure, and sameSite: lax attributes to prevent interception and cross-site attacks.

---

3. Access Controls (Technical Safeguard - 164.312(a)(1))

• All API endpoints serving PHI require authentication via the isAuthenticated middleware; unauthenticated requests receive a 401 response.
• Authentication uses Passport.js with bcrypt password hashing (salt rounds: 10) for local accounts.
• Magic link email login provides a passwordless option with cryptographically random tokens (32-byte hex) and 15-minute expiry.
• Static file downloads (e.g., overview documents) also require authentication.
• Each user can only access their own projects, documents, and chronologies; all queries are scoped by userId.

---

4. Session Management (Technical Safeguard - 164.312(a)(2)(iii))

• Sessions use a 2-hour idle timeout with rolling session renewal; each authenticated request resets the expiry timer.
• The 2-hour timeout accommodates long-running chronology generation workflows while still meeting HIPAA automatic logoff requirements.
• Active users (with periodic heartbeat requests and progress polling during generation) remain logged in; idle users are automatically logged out after 2 hours of inactivity.
• Sessions are stored server-side in PostgreSQL (connect-pg-simple), not in client-side storage.
• Session cookies are httpOnly (not accessible via JavaScript), secure (HTTPS only), and use sameSite: lax to prevent CSRF.
• Session secrets are stored as environment secrets, never hardcoded.

---

5. Brute Force & Abuse Prevention (Technical Safeguard - 164.312(a)(1))

• Login lockout: After 5 failed login attempts within 10 minutes, the account is locked for 15 minutes. The lockout returns HTTP 429 before any authentication attempt.
• Magic link rate limiting: Maximum 3 magic link requests per email address per 15-minute window. Rate-limited requests return the same success message as valid requests to prevent email enumeration.
• Failed login attempts are tracked in-memory per email address with timestamps for sliding window enforcement.
• Lockout and rate limit tracking resets on server restart, which is acceptable for the application's deployment model.

---

6. Audit & Log Protection (Administrative Safeguard - 164.312(b))

• API response bodies are never logged for endpoints that serve PHI. A strict whitelist approach logs response bodies only for safe metadata endpoints (health checks, auth status, login/logout).
• All PHI-serving endpoints (projects, documents, chunks, chronologies, exports) have their response bodies excluded from logs.
• Request metadata (method, path, status code, response time) is still logged for all API requests for audit and debugging purposes.
• The whitelist-based approach is fail-safe: any new endpoint is excluded from body logging by default unless explicitly added to the safe list.
• Admin panel integration logs user activity (login, document processing, chronology generation) without including PHI content.

---

7. Minimum Necessary & Document Lifecycle (Privacy Rule - 164.502(b))

• Uploaded PDF documents are completely purged from storage once text extraction and chronology generation begins, minimizing the window of PHI exposure.
• Only extracted text chunks (encrypted at rest) are retained for chronology generation; original PDFs are not stored long-term.
• Documents use immutable internal identifiers (DocIDs) for citation tracking, decoupled from original filenames.
• File uploads are processed via Multer with file size limits and type validation to prevent abuse.
• Re-processing after PDF deletion requires re-upload of the original documents.

---

8. Security Headers & Transport Protection

• Helmet middleware applies comprehensive security headers: HSTS (1 year, includeSubDomains), X-Frame-Options: DENY (prevents clickjacking), X-Content-Type-Options: nosniff, and strict Referrer-Policy (strict-origin-when-cross-origin).
• Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy are disabled to maintain compatibility with the application framework.
• Content Security Policy (CSP) is disabled in development mode for Vite compatibility but should be enabled in production deployments.
• All API responses include Cache-Control: no-store, no-cache, must-revalidate and Pragma: no-cache headers.

---

9. AI Processing & Third-Party Data Handling

• Medical record content is sent to AI models (Anthropic Claude) for extraction and synthesis. Anthropic's data processing agreement covers HIPAA compliance for PHI transmitted to their API.
• AI processing uses rate-limited parallel execution to prevent overload and ensure reliable processing.
• All AI-generated content (chronology entries, summaries, legal analyses) is encrypted before storage using the same AES-256-GCM encryption as source data.
• Citation validation ensures AI-generated references accurately map to source documents; unverifiable citations are removed rather than retained.
• No PHI is included in application logs during AI processing; only processing status metadata (counts, timing) is logged.

---

HIPAA Safeguard Coverage Summary