runfoo-org/morethanadiagnosis-hub
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
morethanadiagnosis-hub/openspec/specs/privacy-compliance.md
admin cd53606dd4 chore: OpenSpec scaffold
2025-11-17 22:57:40 +00:00

818 B
Raw Blame History

Privacy & Compliance Spec

Status: draft Owners: Compliance, Security

Scope

  • GDPR: data subject rights, consent, DSR workflows, data minimization.
  • HIPAA: PHI handling, access controls, audit logging, BAAs, breach response.

Data classes

  • Public, PII, PHI — document perfield classification in data-model.md.

Controls

  • Encryption in transit (TLS 1.3) and at rest (AES256). Key mgmt with rotation.
  • RBAC/ABAC for sensitive actions; least privilege; admin action audit.
  • Logging with redaction; no PHI/PII in logs/traces.

DSR & retention

  • Defined SLAs and automated workflows for export/delete; retention policies per entity.

3rdparty

  • Subprocessors inventory; data flow diagrams; DPAs/BAAs tracked.

Validation

  • Privacy & security review is a gate on every proposal that touches user data.