Cross-Cutting Compliance & Security Requirements
Scope: Compliance, security, privacy, and audit requirements enforced system-wide.
Authority: Normative for ALL modules.
1. Privacy & Consent
| Requirement | Detail |
|---|---|
| Consent/disclosure controls | Capture consent state, scope, dates, revocation; enforce in access and exports |
| Minimum necessary | Enforce at API level; role-based data filtering; segmentation of sensitive categories |
| Accounting of disclosures | Export access logs per patient over date range |
| Data localization | Country-specific residency rules configurable per tenant |
| Cross-border transfer | Policy-controlled; configurable per tenant |
2. Audit
| Requirement | Detail |
|---|---|
| Tamper-evident log | Append-only AuditEventRecord with chain hash (SHA-256) |
| Events logged | Authentication, PHI access, data modification, exports/print, break-glass, config changes |
| Retention | 90-day live query minimum; archive policy configurable |
| Separation | Audit logs MUST be separate from application logs |
| Chain integrity | Background verification job for hash chain |
| Meta-auditing | Audit service publishes events for export requests, completions, DLQ alerts |
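As an added illustration of the tamper-evident log in the table above (example code, not the project's own implementation), the sketch below keeps an append-only list of AuditEventRecords where each record's SHA-256 hash covers its content plus the previous record's hash, and `verify_chain` is the check a background verification job would run. Field names, the genesis value and the event type strings are assumptions for the example.

```python
import hashlib
import json
from typing import List, Optional

GENESIS_HASH = "0" * 64  # prev_hash of the first record (assumed convention)


def _canonical_bytes(rec: dict) -> bytes:
    """Serialize every field except the hash itself, deterministically."""
    body = {k: v for k, v in rec.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_hash(rec: dict) -> str:
    """SHA-256 over the canonical form; prev_hash inside the body links the chain."""
    return hashlib.sha256(_canonical_bytes(rec)).hexdigest()


class AuditLog:
    """Append-only store of AuditEventRecords; each record commits to its predecessor."""

    def __init__(self) -> None:
        self._records: List[dict] = []

    def append(self, event_type: str, actor: str, payload: dict) -> dict:
        prev = self._records[-1]["hash"] if self._records else GENESIS_HASH
        rec = {
            "seq": len(self._records),
            "event_type": event_type,  # e.g. PHI_ACCESS, BREAK_GLASS (names assumed)
            "actor": actor,
            "payload": payload,
            "prev_hash": prev,
        }
        rec["hash"] = record_hash(rec)
        self._records.append(rec)
        return rec

    def records(self) -> List[dict]:
        return [dict(r) for r in self._records]  # copies: callers cannot mutate the store


def verify_chain(records: List[dict]) -> Optional[int]:
    """What the background verification job runs: return the index of the first
    record whose content, sequence number or back-link does not check out,
    or None if the whole chain is intact."""
    prev = GENESIS_HASH
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev_hash") != prev:
            return i  # reordered, deleted in the middle, or re-linked
        if record_hash(rec) != rec.get("hash"):
            return i  # content edited after the fact
        prev = rec["hash"]
    return None
```

Deleting records from the tail is invisible to the chain alone, so the verification job should also compare the latest hash and record count against a value anchored outside the log store.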
3. Security Enforcement
| Layer | Requirement |
|---|---|
| Transport | TLS everywhere (in-transit encryption) |
| Storage | Encryption at rest for all data stores |
| Secrets | Managed secret store; automated rotation |
| MFA | Policy-driven; supported for all user types |
| Session | Configurable timeout; device tracking |
| Rate limiting | Gateway-level; per-endpoint tuning for patient-facing endpoints |
| Break-glass | Emergency access supported where configured; mandatory audit + justification |
4. Interoperability Standards
| Standard | Requirement |
|---|---|
| FHIR R4+ | Primary exchange interface; CapabilityStatement published |
| HL7 v2 | ADT/ORM/ORU/SIU via adapters |
| CDA/CCD | Import/export when required |
| DICOM/DICOMweb | Where imaging deployed |
| IHE profiles | PIX/PDQ/XDS/ATNA where required |
| SMART on FHIR | OAuth2/OIDC for third-party app integration |
| Terminology | SNOMED CT, LOINC, RxNorm, ICD-10/11 where licensed |
5. Electronic Signatures
- Support electronic signatures aligned with applicable local regulations.
- Clinical note signing creates an immutable record; corrections via addendum/amendment.
- Audit trail for all signature events.
6. WHO Alignment
- ICD-11 diagnosis classification
- ATC drug classification (optional)
- Immunization schedules (when module licensed)
- WHO health metrics and indicators (when reporting deployed)
7. Application Security and Zero Trust
- OWASP ASVS SHOULD inform secure design reviews for public and partner-facing surfaces (auth, session handling, input validation, crypto, logging).
- Zero trust: validate JWT and entitlements at gateway and service; never trust the network alone. Internal service calls SHOULD use mTLS or equivalent where deployment policy requires.
- Offline-first: PHI on device and sync channels MUST meet encryption, wipe, and audit expectations in OFFLINE_FIRST_AND_CLIENT_SYNC.md and module specs.
See also REQUIREMENTS_GUARD_RAILS.md.
8. AI, Automation, and Vendor Models
- Human oversight: Clinician-facing AI remains assistive unless a separately validated CDS program is defined; see AI_PLATFORM.md.
- Subprocessors / DPAs: Use of external model providers requires appropriate data processing agreements, subprocessor registers, and transfer impact assessment where GDPR or equivalent applies.
- Logging: Align with FR-NFR-018: no raw PHI in default app logs; secured retention only when configured.
- EU AI Act / regional AI rules: High-risk or limited-risk categorizations SHOULD be reviewed with legal for documentation, transparency, and oversight obligations.
- Safety: Distinguish documentation assist from patient triage/diagnostic outputs; the latter requires explicit safety and clinical governance.
9. Compliance Requirement IDs (Cross-Reference)
These system-level requirements apply to ALL modules:
| Requirement IDs | Domain | Applies To |
|---|---|---|
| FR-MOD-001..007 | Module licensing & activation | All modules |
| FR-COMP-003..005 | Privacy (HIPAA/GDPR alignment) | All modules |
| FR-COMP-006..009 | Interoperability standards | All modules with external data |
| FR-COMP-010 | Electronic signatures | Clinical documentation modules |
| FR-COMP-011..013 | Consent, minimum necessary, disclosures | All modules that access PHI |
| FR-L10N-001..006 | Localization & RTL | All modules with UI/print |
| FR-NFR-001..006 | Performance, security, DR | All modules |
| FR-NFR-007..008 | Usability & localization | All modules with UI |
| FR-NFR-009..018 | API edge, offline/sync, UX, AI governance, AI NFRs | As stated in system FR doc |
| FR-AI-001..010 | AI platform and assistive capabilities | Modules using AI + orchestrator |