{"summary":{"chain":{"verified":true,"recordCount":1171,"headSequence":1170,"backend":"postgres"},"counts":{"implemented":16,"partial":7,"inherited":1,"planned":1,"not-applicable":1,"total":26},"overall":{"score":80,"applicable":25},"generatedAt":"2026-06-25T01:49:31.937Z"},"families":[{"family":"audit-and-accountability","label":"Audit & Accountability","blurb":"Tamper-evident records of every consequential decision, agent or human.","controls":[{"id":"HN-AUDIT-INTEGRITY","family":"audit-and-accountability","title":"Tamper-evident audit trail (WORM, hash-chained, signed)","objective":"Every consequential decision — agent or human — appends an append-only, hash-chained, Ed25519-signed record that an independent auditor can verify offline.","claimedStatus":"implemented","enforcement":[{"package":"@healthnext/audit-evidence","symbol":"WormAuditLog / chain.ts:sealRecord+verifyChain","detail":"Each record's SHA-256 hash folds in the previous record's hash and is Ed25519-signed with a per-tenant key; verifyChain recomputes the whole chain and rejects any tampered record."},{"package":"apps/console","symbol":"src/server/harness/audit.ts:getWormAuditLog + recentAuditRecords","detail":"The console hangs ONE process-shared WormAuditLog off globalThis (durable Postgres-backed when HEALTHNEXT_DATABASE_URL is set, else real in-memory crypto); the harness AND the PHI gate seal into this same chain, and reads go through exportEvidence which verifies the range before returning it."},{"package":"apps/console","symbol":"src/server/agent/data.ts:appendAudit","detail":"Every governed agent turn (read, held write, navigation) appends a sequenced, attributable audit row through appendAudit — the single in-process write path the tool executor and determination/payment/credentialing writes all route through — sealed into the hash-chained, Ed25519-signed WormAuditLog cited above."}],"evidence":[{"kind":"worm-action","ref":"agent.run.completed","label":"A sealed run-completion record in the live chain"},{"kind":"verify-fn","ref":"verifyChain","label":"Offline Ed25519 chain verification"}],"mappings":[{"framework":"nist-800-53","clauses":["AU-9","AU-10","AU-2","AU-3"]},{"framework":"nist-csf","clauses":["PR.PS-04","DE.AE-03"]},{"framework":"soc2","clauses":["CC7.2","CC7.3"]},{"framework":"iso27001","clauses":["A.8.15","A.5.28"]},{"framework":"hipaa","clauses":["164.312(b)","164.312(c)(1)"]},{"framework":"hitech","clauses":["13402 (audit trail)"]},{"framework":"hitrust-ai","clauses":["09.aa","12.c"]}],"policyId":"POL-AUDIT-RETENTION","status":"implemented","downgraded":false,"liveEvidence":[{"anchorRef":"agent.run.completed","sequence":1170,"action":"agent.run.completed","outcome":"success","hash":"65cad334312921a7b8d8f1895598e27a68599b004a20bd71e24223615690293a","previousHash":"d7eabb137aa4321df80cea9fe73f2b1a185ab55f987621bd866c79f1c2ae935b","correlationId":"corr-harness-1782307105982","recordedAt":"2026-06-24T13:18:26.943Z"}],"hasLiveProof":true},{"id":"HN-AUDIT-EXPORT","family":"audit-and-accountability","title":"Independently-verifiable evidence export","objective":"Produce a self-describing evidence bundle an auditor verifies using only the bundle + the signer's public key — no access to our database.","claimedStatus":"implemented","enforcement":[{"package":"@healthnext/audit-evidence","symbol":"evidence.ts:buildEvidenceBundle / verifyEvidenceBundle","detail":"exportEvidence verifies the range before handing out a bundle (refuses a tampered export); the bundle carries the SPKI public key + records for standalone verification."}],"evidence":[{"kind":"code-artifact","ref":"verifyEvidenceBundle","label":"Standalone bundle verifier"},{"kind":"worm-action","ref":"phi.egress","label":"Egress decisions sealed into the exportable chain"}],"mappings":[{"framework":"nist-800-53","clauses":["AU-7","AU-9(2)"]},{"framework":"soc2","clauses":["CC7.3"]},{"framework":"iso27001","clauses":["A.8.15"]},{"framework":"hitrust-ai","clauses":["09.ab"]}],"status":"implemented","downgraded":false,"liveEvidence":[{"anchorRef":"phi.egress","sequence":1168,"action":"phi.egress","outcome":"allow","hash":"bfbbf1253f30f58e5801f312dd862ecdf6a29265059706ae677dfe395432d00c","previousHash":"098965e5525e19f4c9031edc9997e29ebda3aa217754bda2bbe7f1445e4644ce","correlationId":"corr-harness-1782307106017","recordedAt":"2026-06-24T13:18:26.910Z"}],"hasLiveProof":true}]},{"family":"access-control","label":"Access Control","blurb":"Deny-by-default, tenant-isolated, attribute-based access to PHI.","controls":[{"id":"HN-ACCESS-ENFORCEMENT","family":"access-control","title":"Deny-by-default access enforcement (ABAC + RLS)","objective":"Access to PHI is deny-by-default, attribute-based, and enforced at the database row level so a buggy query still cannot read another tenant's or an unauthorized row.","claimedStatus":"implemented","enforcement":[{"package":"@healthnext/tenancy-abac","symbol":"AbacPolicyEngine + rls/index.ts:generateTableRls","detail":"DENY overrides PERMIT; per-tenant Postgres RLS isolates by current_setting('healthnext.tenant_id'); the semantic-layer compiler also inlines the tenant predicate so even SELECT * cannot cross tenants."}],"evidence":[{"kind":"rls-policy","ref":"generateTableRls","label":"Generated deny-by-default RLS policy"},{"kind":"worm-action","ref":"agent.run.completed","label":"Runs execute under the principal's RLS, sealed in the chain"}],"mappings":[{"framework":"nist-800-53","clauses":["AC-3","AC-2","AC-6"]},{"framework":"nist-csf","clauses":["PR.AA-05"]},{"framework":"soc2","clauses":["CC6.1","CC6.3"]},{"framework":"iso27001","clauses":["A.5.15","A.8.3"]},{"framework":"hipaa","clauses":["164.312(a)(1)","164.308(a)(4)"]},{"framework":"hitrust-ai","clauses":["01.c","01.v"]}],"policyId":"POL-LEAST-PRIVILEGE","status":"implemented","downgraded":false,"liveEvidence":[{"anchorRef":"agent.run.completed","sequence":1170,"action":"agent.run.completed","outcome":"success","hash":"65cad334312921a7b8d8f1895598e27a68599b004a20bd71e24223615690293a","previousHash":"d7eabb137aa4321df80cea9fe73f2b1a185ab55f987621bd866c79f1c2ae935b","correlationId":"corr-harness-1782307105982","recordedAt":"2026-06-24T13:18:26.943Z"}],"hasLiveProof":true},{"id":"HN-TENANT-ISOLATION","family":"access-control","title":"Multi-tenant isolation","objective":"Each customer's data, audit chain, and signing key are isolated; a compromise of one tenant cannot read or forge another's.","claimedStatus":"implemented","enforcement":[{"package":"@healthnext/tenancy-abac","symbol":"tenant-isolation.ts:assertSameTenant + rls TENANT_GUC","detail":"The outermost boundary, enforced above ABAC; the WORM chain keys signing + sequencing by tenantId so each customer's evidence is a separate Ed25519 chain."}],"evidence":[{"kind":"rls-policy","ref":"TENANT_GUC","label":"Per-tenant RLS GUC isolation"},{"kind":"verify-fn","ref":"verifyChain","label":"Per-tenant signing key (cross-tenant forgery fails verification)"}],"mappings":[{"framework":"nist-800-53","clauses":["SC-4","AC-4","SC-2"]},{"framework":"soc2","clauses":["CC6.1"]},{"framework":"iso27001","clauses":["A.8.22"]},{"framework":"hitrust-ai","clauses":["09.m"]}],"status":"implemented","downgraded":false,"liveEvidence":[],"hasLiveProof":false},{"id":"HN-AUTHN","family":"access-control","title":"Authentication & session management","objective":"Strong authentication, session expiry, and MFA for console operators.","claimedStatus":"partial","enforcement":[{"package":"apps/console","symbol":"surface.ts host-gated console + login gate","detail":"The product surface is login-gated and host-resolved; the bare router host carries no PHI."}],"note":"Login gating + tenant host routing are in place. MFA + full SSO/SCIM are an identity-provider integration on the roadmap (inherited from the deployment IdP today); shown Partial until MFA is enforced in-product.","mappings":[{"framework":"nist-800-53","clauses":["IA-2","IA-2(1)","AC-12"]},{"framework":"soc2","clauses":["CC6.1"]},{"framework":"hipaa","clauses":["164.312(d)"]},{"framework":"hitrust-ai","clauses":["01.b"]}],"status":"partial","downgraded":false,"liveEvidence":[],"hasLiveProof":false}]},{"family":"data-protection-and-privacy","label":"Data Protection & Privacy","blurb":"PHI stays in-boundary; minimum-necessary, consent, and egress enforcement.","controls":[{"id":"HN-PHI-EGRESS","family":"data-protection-and-privacy","title":"PHI egress boundary (fail-closed)","objective":"PHI cannot leave the boundary to an unmanaged destination. Egress is BLOCKED — not merely redacted — and the gate fails closed on any classification or audit failure.","claimedStatus":"implemented","enforcement":[{"package":"@healthnext/phi-gate","symbol":"gate.ts:BlockingPhiGate.enforceEgress","detail":"Deny-by-default egress policy; a classification error blocks; an audit-write failure DOWNGRADES an ALLOW to BLOCK (no unaudited egress); special-protection classes block to any unauthorized destination."},{"package":"apps/console","symbol":"src/server/agent/modelops.ts:buildPhiGate","detail":"The console builds the BlockingPhiGate with a deny-by-default EgressPolicy: the in-boundary model is the only channel that accepts raw PHI; frontier endpoints are redacted-only; external MCP servers accept NO PHI at all. The gate seals every decision into the live WORM chain via a LiveWormAuditLog proxy and is the SAME gate the MCP client routes through — there is no second, ungated egress path."}],"evidence":[{"kind":"worm-action","ref":"phi.egress","label":"Every egress decision sealed (allow/redacted/block)"}],"mappings":[{"framework":"nist-800-53","clauses":["SC-7","AC-4","SC-7(10)"]},{"framework":"nist-csf","clauses":["PR.DS-02"]},{"framework":"soc2","clauses":["CC6.7","C1.1"]},{"framework":"iso27001","clauses":["A.8.12","A.5.14"]},{"framework":"hipaa","clauses":["164.312(e)(1)","164.502(b)"]},{"framework":"owasp-llm","clauses":["LLM02: Sensitive Information Disclosure"]},{"framework":"owasp-agentic","clauses":["Excessive Agency / Tool Misuse"]},{"framework":"hitrust-ai","clauses":["09.s","13.j"]}],"policyId":"POL-PHI-BOUNDARY","status":"implemented","downgraded":false,"liveEvidence":[{"anchorRef":"phi.egress","sequence":1168,"action":"phi.egress","outcome":"allow","hash":"bfbbf1253f30f58e5801f312dd862ecdf6a29265059706ae677dfe395432d00c","previousHash":"098965e5525e19f4c9031edc9997e29ebda3aa217754bda2bbe7f1445e4644ce","correlationId":"corr-harness-1782307106017","recordedAt":"2026-06-24T13:18:26.910Z"}],"hasLiveProof":true},{"id":"HN-MIN-NECESSARY","family":"data-protection-and-privacy","title":"Minimum-necessary data projection","objective":"A query or agent receives only the fields justified by its purpose-of-use; PHI/quasi-identifier columns are dropped unless the purpose permits them.","claimedStatus":"implemented","enforcement":[{"package":"@healthnext/semantic-layer","symbol":"compile.ts:projectable() (+ tenancy-abac computeMinimumNecessary)","detail":"The SQL compiler drops PHI dimensions unless purpose-of-use is treatment and quasi-identifiers outside payment/treatment/operations; the dropped fields are recorded as a governance rewrite on the run."}],"evidence":[{"kind":"worm-action","ref":"agent.run.completed","label":"The min-necessary rewrite is part of the sealed run record"}],"mappings":[{"framework":"hipaa","clauses":["164.502(b)","164.514(d)"]},{"framework":"nist-800-53","clauses":["AC-6","SI-12"]},{"framework":"soc2","clauses":["C1.1","P4.1"]},{"framework":"iso27001","clauses":["A.8.10","A.8.11"]},{"framework":"hitrust-ai","clauses":["06.d","13.k"]}],"policyId":"POL-MIN-NECESSARY","status":"implemented","downgraded":false,"liveEvidence":[{"anchorRef":"agent.run.completed","sequence":1170,"action":"agent.run.completed","outcome":"success","hash":"65cad334312921a7b8d8f1895598e27a68599b004a20bd71e24223615690293a","previousHash":"d7eabb137aa4321df80cea9fe73f2b1a185ab55f987621bd866c79f1c2ae935b","correlationId":"corr-harness-1782307105982","recordedAt":"2026-06-24T13:18:26.943Z"}],"hasLiveProof":true},{"id":"HN-CONSENT","family":"data-protection-and-privacy","title":"Member consent & special-protection records (42 CFR Part 2)","objective":"A member's recorded consent can turn a permitted access into a denial; substance-use-disorder records carry heightened protection.","claimedStatus":"implemented","enforcement":[{"package":"@healthnext/consent","symbol":"resolution.ts + semantic-layer compile.ts consent predicate","detail":"Member-scoped queries inject a consent NOT-EXISTS predicate (rows for members with an active denial for the purpose are filtered out); the PHI gate's special-protection categories block 42 CFR Part 2 data to unauthorized destinations."}],"evidence":[{"kind":"worm-action","ref":"phi.egress","label":"Special-protection category blocks sealed in the chain"},{"kind":"code-artifact","ref":"compile.ts consent predicate","label":"Consent predicate injected into the SQL"}],"mappings":[{"framework":"part2","clauses":["2.12","2.13","2.31"]},{"framework":"hipaa","clauses":["164.508","164.522"]},{"framework":"nist-800-53","clauses":["AC-21","PT-2","PT-3"]},{"framework":"soc2","clauses":["P3.1","P3.2"]},{"framework":"hitrust-ai","clauses":["06.c","13.c"]}],"policyId":"POL-CONSENT","status":"implemented","downgraded":false,"liveEvidence":[{"anchorRef":"phi.egress","sequence":1168,"action":"phi.egress","outcome":"allow","hash":"bfbbf1253f30f58e5801f312dd862ecdf6a29265059706ae677dfe395432d00c","previousHash":"098965e5525e19f4c9031edc9997e29ebda3aa217754bda2bbe7f1445e4644ce","correlationId":"corr-harness-1782307106017","recordedAt":"2026-06-24T13:18:26.910Z"}],"hasLiveProof":true},{"id":"HN-ENCRYPTION","family":"data-protection-and-privacy","title":"Encryption in transit & at rest","objective":"PHI is encrypted in transit (TLS) and at rest; keys are managed in a KMS/HSM.","claimedStatus":"partial","enforcement":[{"package":"@healthnext/audit-evidence","symbol":"crypto.ts KeyProvider (KMS/HSM-pluggable)","detail":"Signing keys are abstracted behind a KeyProvider interface so production plugs a KMS/HSM where the private key never leaves the boundary; transport is HTTPS/HSTS via next.config headers."}],"note":"TLS + HSTS are enforced in production and the signing-key provider is KMS-ready. At-rest DB/field encryption + the KMS-backed provider are a deployment-time control (managed by the cloud KMS in the customer's boundary); shown Partial until the KMS provider is wired in-product rather than the in-memory reference.","mappings":[{"framework":"nist-800-53","clauses":["SC-13","SC-28","SC-8"]},{"framework":"soc2","clauses":["CC6.7"]},{"framework":"iso27001","clauses":["A.8.24"]},{"framework":"hipaa","clauses":["164.312(a)(2)(iv)","164.312(e)(2)(ii)"]},{"framework":"hitrust-ai","clauses":["06.d"]}],"status":"partial","downgraded":false,"liveEvidence":[],"hasLiveProof":false},{"id":"HN-ACCESS-LOGGING","family":"data-protection-and-privacy","title":"Access logging (every read of a member record is an audit entry)","objective":"Reads of PHI are themselves attributable, purpose-scoped audit entries.","claimedStatus":"implemented","enforcement":[{"package":"@healthnext/agent-harness","symbol":"governed-tool.ts defineGovernedTool (audits every invocation)","detail":"Every governed tool invocation appends a PHI-free audit entry to the WORM spine with the actor, target, purpose, and outcome — including read tools."},{"package":"apps/console","symbol":"src/server/agent/model-tools.server.ts → data.ts:appendAudit","detail":"In the console's live loop, every model-selected tool call — read, held write, or navigation — seals an appendAudit row carrying the action, target, outcome, and correlationId, so a read of a member record is itself an attributable audit entry."}],"evidence":[{"kind":"worm-action","ref":"graph.read","label":"A sealed read-access record"}],"mappings":[{"framework":"hipaa","clauses":["164.312(b)","164.308(a)(1)(ii)(D)"]},{"framework":"nist-800-53","clauses":["AU-2","AC-6(9)"]},{"framework":"hitrust-ai","clauses":["09.aa"]}],"status":"implemented","downgraded":false,"liveEvidence":[{"anchorRef":"graph.read","sequence":1143,"action":"graph.read","outcome":"success","hash":"980171e04f01d8ac1b052aff8e9da39916c2dbad4338471bfa272c0508f84a0a","previousHash":"ec3c05031ee4fbd5fe0099adea751442a46b78fb0c415520553743e298447cb8","correlationId":"corr-harness-1782307106016","recordedAt":"2026-06-24T13:18:26.476Z"}],"hasLiveProof":true},{"id":"HN-PCI-CARDHOLDER","family":"data-protection-and-privacy","title":"Cardholder data protection (PCI DSS) — scoped","objective":"When card data is in the deployment's estate, cardholder data is segmented, encrypted, and access-controlled per PCI DSS v4.0.","claimedStatus":"not-applicable","note":"HealthNext does not process or store cardholder data in the core product; premium-billing card handling is delegated to a PCI-compliant payment processor. This control becomes IN-SCOPE only when a deployment brings card data into the estate (\"when in PCI estate\"), at which point the segmentation + encryption controls above apply to that boundary.","mappings":[{"framework":"pci-dss","clauses":["Req 3","Req 4","Req 7","Req 8"]},{"framework":"nist-800-53","clauses":["SC-28","AC-3"]}],"status":"not-applicable","downgraded":false,"liveEvidence":[],"hasLiveProof":false}]},{"family":"ai-governance","label":"AI Governance","blurb":"The AI system is mapped, measured, and managed under a governed lifecycle.","controls":[{"id":"HN-AI-INBOUNDARY","family":"ai-governance","title":"In-boundary model routing (no PHI to external models)","objective":"The agent fleet routes to an in-boundary served model by default; the PHI gate runs on every model call so PHI never reaches an external foundation model.","claimedStatus":"implemented","enforcement":[{"package":"@healthnext/modelops","symbol":"modelops.ts:getModelOps (in-boundary default, PHI gate inside)","detail":"The default route is the in-boundary served model; the orchestrator never calls a foundation model directly; the PHI gate seals each in-boundary egress ALLOW into the same WORM chain."},{"package":"apps/console","symbol":"src/server/agent/modelops.ts:getModelOps + modelStatus","detail":"The console resolves ONE ModelOps handle: live only when an operator points HEALTHNEXT_MODEL_BASE_URL at a served in-boundary endpoint, else a graceful in-boundary mock — and the PHI gate runs on every call on either path. modelStatus surfaces mode/host (redacted) without ever exposing the connection string or weights."}],"evidence":[{"kind":"worm-action","ref":"phi.egress","label":"In-boundary egress ALLOW decisions sealed in the chain"},{"kind":"worm-action","ref":"agent.run.completed","label":"The route (in-boundary) recorded on the run"}],"mappings":[{"framework":"nist-ai-rmf","clauses":["MANAGE 2.2","MAP 5.1"]},{"framework":"iso42001","clauses":["8.3","A.10.2"]},{"framework":"owasp-llm","clauses":["LLM02: Sensitive Information Disclosure"]},{"framework":"hitrust-ai","clauses":["AI.04"]}],"policyId":"POL-PHI-BOUNDARY","status":"implemented","downgraded":false,"liveEvidence":[{"anchorRef":"phi.egress","sequence":1168,"action":"phi.egress","outcome":"allow","hash":"bfbbf1253f30f58e5801f312dd862ecdf6a29265059706ae677dfe395432d00c","previousHash":"098965e5525e19f4c9031edc9997e29ebda3aa217754bda2bbe7f1445e4644ce","correlationId":"corr-harness-1782307106017","recordedAt":"2026-06-24T13:18:26.910Z"},{"anchorRef":"agent.run.completed","sequence":1170,"action":"agent.run.completed","outcome":"success","hash":"65cad334312921a7b8d8f1895598e27a68599b004a20bd71e24223615690293a","previousHash":"d7eabb137aa4321df80cea9fe73f2b1a185ab55f987621bd866c79f1c2ae935b","correlationId":"corr-harness-1782307105982","recordedAt":"2026-06-24T13:18:26.943Z"}],"hasLiveProof":true},{"id":"HN-AI-LIFECYCLE","family":"ai-governance","title":"Governed AI lifecycle (map / measure / manage)","objective":"The AI system is inventoried, its risks mapped, its performance measured, and changes managed under a documented lifecycle.","claimedStatus":"partial","enforcement":[{"package":"@healthnext/tenant-model","symbol":"fork client + published eval snapshot","detail":"Per-customer model forks are trained on non-PHI sources only (a discipline guard partitions PHI out); a published eval snapshot records val-loss + corpus provenance."}],"note":"Model inventory, training-discipline guard, and a published eval exist. The full ISO 42001 management system (risk register, impact assessments, continuous measurement cadence) is being formalized; shown Partial.","mappings":[{"framework":"iso42001","clauses":["6.1","8.2","9.1"]},{"framework":"nist-ai-rmf","clauses":["GOVERN 1.1","MEASURE 2.3","MAP 1.1"]},{"framework":"hitrust-ai","clauses":["AI.01","AI.02"]}],"status":"partial","downgraded":false,"liveEvidence":[],"hasLiveProof":false}]},{"family":"agent-and-llm-safety","label":"Agent & LLM Safety","blurb":"The agent fleet is bounded: human gates, kill-switch, prompt/egress controls.","controls":[{"id":"HN-HUMAN-GATE","family":"agent-and-llm-safety","title":"Human-in-the-loop approval gates (AI never holds the decision)","objective":"Any agent action that changes clinical, financial, or member-facing state is HELD for human sign-off; the agent proposes, a human approves.","claimedStatus":"implemented","enforcement":[{"package":"@healthnext/agent-harness","symbol":"orchestrator.ts approval-gate dispatch (propose + hold)","detail":"A step that trips an agent's approval gate is proposed and HELD (status awaiting-approval); the held decision is sealed, and the step runs only when a human supplies its approval."},{"package":"apps/console","symbol":"src/server/agent/model-tools.server.ts:executeGovernedToolCall (isGated)","detail":"In the live conversational loop, a write/adverse tool (requiresHumanReview or risk ≥ moderate) is NOT executed: it is proposed, a held-for-review record is sealed, and a stable heldStepId is returned. The write runs ONLY when that exact step id is in approvalsCleared (a human signed). Determination/payment/credentialing writes in data.ts only seal AFTER this gate clears."}],"evidence":[{"kind":"worm-action","ref":"agent.action.gated","label":"A held-for-review decision sealed in the chain"}],"mappings":[{"framework":"nist-ai-rmf","clauses":["MANAGE 1.1","GOVERN 3.2"]},{"framework":"iso42001","clauses":["A.9.2"]},{"framework":"owasp-llm","clauses":["LLM06: Excessive Agency"]},{"framework":"owasp-agentic","clauses":["Excessive Agency","Insufficient Oversight"]},{"framework":"nist-800-53","clauses":["AC-3","CM-5"]},{"framework":"hitrust-ai","clauses":["AI.06"]}],"policyId":"POL-HUMAN-OVERSIGHT","status":"implemented","downgraded":false,"liveEvidence":[{"anchorRef":"agent.action.gated","sequence":1150,"action":"agent.action.gated","outcome":"held-for-review","hash":"d5fea143e96fdb22bf8b5a0b635bbfdd0b6f4612e4a8dc9cbc5b044aeacf973c","previousHash":"398ab6b742cf09d1f58f3563757a8dd74ac15fdff8e56c6564229765928e4acb","correlationId":"corr-harness-1782307106017","recordedAt":"2026-06-24T13:18:26.600Z"}],"hasLiveProof":true},{"id":"HN-AGENT-TOOL-SCOPING","family":"agent-and-llm-safety","title":"Least-privilege tool scoping (an agent calls only declared tools)","objective":"An agent can invoke only the governed tools it declared; an undeclared tool call fails the run.","claimedStatus":"implemented","enforcement":[{"package":"@healthnext/agent-harness","symbol":"registry.ts agentCanUse + orchestrator dispatch check","detail":"Before each step the orchestrator checks the agent declared the tool AND the registry knows it; an undeclared tool yields an error step and fails the run."},{"package":"apps/console","symbol":"src/server/agent/model-tools.server.ts:buildGovernedModelTools + executeGovernedToolCall","detail":"Only registered tools (the data tools + nav tools) are advertised to the model, with JSON-Schema parameters derived from each tool's own Zod schema. A model-named tool that is not registered returns state \"unknown-tool\" and never executes — the capability boundary the registry defines is the boundary the loop honors."}],"evidence":[{"kind":"code-artifact","ref":"agentCanUse","label":"Tool-scope check in the dispatch loop"}],"mappings":[{"framework":"owasp-agentic","clauses":["Tool Misuse","Excessive Agency"]},{"framework":"owasp-llm","clauses":["LLM06: Excessive Agency"]},{"framework":"nist-800-53","clauses":["AC-6","CM-7"]},{"framework":"nist-ai-rmf","clauses":["MANAGE 2.2"]},{"framework":"hitrust-ai","clauses":["AI.06"]}],"status":"implemented","downgraded":false,"liveEvidence":[],"hasLiveProof":false},{"id":"HN-PROMPT-INJECTION","family":"agent-and-llm-safety","title":"Prompt-injection & untrusted-content defenses","objective":"Retrieved/tool content cannot escalate an agent's privileges or exfiltrate data; the structured tool boundary and the egress gate contain injected instructions.","claimedStatus":"partial","enforcement":[{"package":"@healthnext/agent-harness","symbol":"governed-tool typed I/O + phi-gate egress","detail":"Agents emit only validated structured tool calls (not free-form actions) and every egress passes the PHI gate, so an injected instruction cannot exfiltrate PHI or call an undeclared tool."}],"note":"The structured-tool boundary + egress gate already blunt the highest-impact injection outcomes (exfiltration, undeclared actions). A dedicated input-classifier / spotlighting layer for retrieved content is a hardening follow-on; shown Partial.","mappings":[{"framework":"owasp-llm","clauses":["LLM01: Prompt Injection","LLM05: Improper Output Handling"]},{"framework":"owasp-agentic","clauses":["Memory Poisoning","Tool Misuse"]},{"framework":"nist-ai-rmf","clauses":["MEASURE 2.7","MANAGE 2.2"]},{"framework":"hitrust-ai","clauses":["AI.03"]}],"status":"partial","downgraded":false,"liveEvidence":[],"hasLiveProof":false}]},{"family":"operational-resilience","label":"Operational Resilience","blurb":"Circuit breakers, cost & rate caps, blast-radius limits, incident response.","controls":[{"id":"HN-KILL-SWITCH","family":"operational-resilience","title":"Fleet kill-switch (halt the agent fleet)","objective":"An operator can immediately halt all agent dispatch (globally or per-agent); a halt fails closed and is sealed to the audit spine.","claimedStatus":"implemented","enforcement":[{"package":"@healthnext/agent-harness","symbol":"fleet-control.ts:InMemoryFleetControlPlane.setKillSwitch + orchestrator gate","detail":"The orchestrator calls the control plane's gate at run admission AND before every step; an engaged kill-switch halts the run (status rejected) and seals fleet.control.halt to the WORM chain."}],"evidence":[{"kind":"worm-action","ref":"fleet.control.admission-denied","label":"An admission denied by a control, sealed"},{"kind":"worm-action","ref":"fleet.control.halt","label":"A mid-run control halt, sealed"}],"mappings":[{"framework":"nist-800-53","clauses":["IR-4","SI-4","CP-2"]},{"framework":"nist-csf","clauses":["RS.MI-01","RS.MA-01"]},{"framework":"nist-ai-rmf","clauses":["MANAGE 4.1","MANAGE 2.4"]},{"framework":"iso42001","clauses":["A.9.2","A.10.4"]},{"framework":"owasp-agentic","clauses":["Cascading Failures","Insufficient Oversight"]},{"framework":"hitrust-ai","clauses":["AI.08"]}],"policyId":"POL-INCIDENT-RESPONSE","status":"implemented","downgraded":false,"liveEvidence":[{"anchorRef":"fleet.control.halt","sequence":735,"action":"fleet.control.halt","outcome":"block","hash":"79e09663ee57ac000cc6eb18915fcf35498fd13cdd2d29d56a6e5f7b27a93fa8","previousHash":"5b6a2d7f598d7a5726a329bc62017b7517bfe0a0332a6babca4e7999dc7403a3","correlationId":"corr-harness-1782167119794","recordedAt":"2026-06-22T22:25:20.377Z"}],"hasLiveProof":true},{"id":"HN-CIRCUIT-BREAKER","family":"operational-resilience","title":"Per-agent circuit breakers","objective":"An agent that fails repeatedly is automatically taken out of rotation (breaker opens) until a cooldown elapses, so a malfunction cannot hammer the operational plane.","claimedStatus":"implemented","enforcement":[{"package":"@healthnext/agent-harness","symbol":"fleet-control.ts circuit breaker (open/half-open/closed)","detail":"After N consecutive step failures the per-agent breaker OPENS and the orchestrator halts further dispatch for that agent; a cooldown moves it to half-open (one trial), and a success closes it."}],"evidence":[{"kind":"worm-action","ref":"fleet.control.halt","label":"A breaker-open halt sealed in the chain"}],"mappings":[{"framework":"nist-800-53","clauses":["SI-4","CP-10","IR-4"]},{"framework":"nist-csf","clauses":["RS.MI-01","RC.RP-01"]},{"framework":"owasp-agentic","clauses":["Cascading Failures","Resource Exhaustion"]},{"framework":"hitrust-ai","clauses":["AI.08"]}],"policyId":"POL-INCIDENT-RESPONSE","status":"implemented","downgraded":false,"liveEvidence":[{"anchorRef":"fleet.control.halt","sequence":735,"action":"fleet.control.halt","outcome":"block","hash":"79e09663ee57ac000cc6eb18915fcf35498fd13cdd2d29d56a6e5f7b27a93fa8","previousHash":"5b6a2d7f598d7a5726a329bc62017b7517bfe0a0332a6babca4e7999dc7403a3","correlationId":"corr-harness-1782167119794","recordedAt":"2026-06-22T22:25:20.377Z"}],"hasLiveProof":true},{"id":"HN-COST-RATE-CAPS","family":"operational-resilience","title":"Per-tenant cost & rate caps","objective":"Each tenant has a rolling-window ceiling on runs started and tokens consumed; new runs are refused once a ceiling is hit, bounding spend and protecting shared infrastructure.","claimedStatus":"implemented","enforcement":[{"package":"@healthnext/agent-harness","symbol":"fleet-control.ts rate cap + cost cap (rolling window)","detail":"At run admission the control plane refuses a run if the tenant's window run-count or token total is at the cap; token usage is fed back from each model step into the cost cap."}],"evidence":[{"kind":"worm-action","ref":"fleet.control.admission-denied","label":"A cap-refused admission sealed in the chain"}],"mappings":[{"framework":"nist-800-53","clauses":["SC-5","SC-6","AU-12"]},{"framework":"nist-ai-rmf","clauses":["MANAGE 2.4"]},{"framework":"owasp-llm","clauses":["LLM10: Unbounded Consumption"]},{"framework":"owasp-agentic","clauses":["Resource Exhaustion"]},{"framework":"hitrust-ai","clauses":["AI.08"]}],"policyId":"POL-CAPACITY","status":"implemented","downgraded":false,"liveEvidence":[],"hasLiveProof":false},{"id":"HN-BLAST-RADIUS","family":"operational-resilience","title":"Blast-radius limits (bounded concurrent high-risk actions)","objective":"The number of concurrently-executing high/critical-risk agent steps is capped fleet-wide, so a runaway cannot fan out irreversible actions all at once.","claimedStatus":"implemented","enforcement":[{"package":"@healthnext/agent-harness","symbol":"fleet-control.ts blast-radius slot accounting","detail":"A high/critical step occupies a concurrency slot at the per-step gate; once the ceiling is reached, further high-risk steps halt until a slot is released."}],"evidence":[{"kind":"worm-action","ref":"fleet.control.halt","label":"A blast-radius halt sealed in the chain"}],"mappings":[{"framework":"nist-800-53","clauses":["SC-5","CM-7","CP-2"]},{"framework":"nist-ai-rmf","clauses":["MANAGE 2.4","MANAGE 4.1"]},{"framework":"owasp-agentic","clauses":["Cascading Failures","Excessive Agency"]},{"framework":"hitrust-ai","clauses":["AI.08"]}],"policyId":"POL-CAPACITY","status":"implemented","downgraded":false,"liveEvidence":[{"anchorRef":"fleet.control.halt","sequence":735,"action":"fleet.control.halt","outcome":"block","hash":"79e09663ee57ac000cc6eb18915fcf35498fd13cdd2d29d56a6e5f7b27a93fa8","previousHash":"5b6a2d7f598d7a5726a329bc62017b7517bfe0a0332a6babca4e7999dc7403a3","correlationId":"corr-harness-1782167119794","recordedAt":"2026-06-22T22:25:20.377Z"}],"hasLiveProof":true},{"id":"HN-INCIDENT-RESPONSE","family":"operational-resilience","title":"Incident detection & response runbook","objective":"Security/operational incidents are detected, triaged on a documented runbook, and contained; breach-notification timelines are met.","claimedStatus":"partial","enforcement":[{"package":"apps/console","symbol":"Operations Wall (NOC) + Observe gate/egress incident stream","detail":"Live fleet activity, gate holds, and PHI-egress incidents stream to the NOC wall; the kill-switch + breakers provide automated containment."}],"note":"Detection + automated containment (NOC, kill-switch, breakers) are live. The documented runbook + breach-notification workflow (HITECH timelines) are being formalized as an operational policy; shown Partial.","mappings":[{"framework":"nist-800-53","clauses":["IR-1","IR-4","IR-6","IR-8"]},{"framework":"nist-csf","clauses":["RS.MA-01","RS.AN-01","RS.CO-02"]},{"framework":"hipaa","clauses":["164.308(a)(6)"]},{"framework":"hitech","clauses":["13402 (breach notification)"]},{"framework":"soc2","clauses":["CC7.4","CC7.5"]},{"framework":"hitrust-ai","clauses":["11.a","11.c"]}],"policyId":"POL-INCIDENT-RESPONSE","status":"partial","downgraded":false,"liveEvidence":[],"hasLiveProof":false},{"id":"HN-BCDR","family":"operational-resilience","title":"Backup & disaster recovery","objective":"Durable, tested backups and a recovery plan that meets RPO/RTO targets.","claimedStatus":"inherited","note":"The durable run store + audit chain persist to managed Postgres with provider-level backups/PITR; RPO/RTO and a tested DR runbook are inherited from the deployment's managed data plane and documented per-deployment.","mappings":[{"framework":"nist-800-53","clauses":["CP-9","CP-10"]},{"framework":"nist-csf","clauses":["RC.RP-01"]},{"framework":"soc2","clauses":["A1.2","A1.3"]},{"framework":"iso27001","clauses":["A.8.13","A.5.30"]},{"framework":"hipaa","clauses":["164.308(a)(7)"]},{"framework":"hitrust-ai","clauses":["12.b"]}],"status":"inherited","downgraded":false,"liveEvidence":[],"hasLiveProof":false}]},{"family":"supply-chain-and-provenance","label":"Supply Chain & Provenance","blurb":"Model lineage, signed provenance, and dependency integrity.","controls":[{"id":"HN-AI-PROVENANCE","family":"supply-chain-and-provenance","title":"Model & data provenance (no PHI in weights)","objective":"Per-customer models are trained on non-PHI corpora only; the accepted corpus is recorded with an audit-safe attestation and PHI/secret sources are held out for runtime RAG.","claimedStatus":"implemented","enforcement":[{"package":"@healthnext/tenant-model","symbol":"real-fork-client.ts partitionSources + discipline attestation","detail":"forkAndTrain/retrain run the PHI/secret guard LOCALLY; only audit-safe AcceptedSource records (id/kind/label/chars — no content) go on the wire; a test asserts raw PHI/secret appears nowhere in the serialized calls."}],"evidence":[{"kind":"code-artifact","ref":"partitionSources discipline attestation","label":"trainingExcludesPhi attestation on the order"}],"mappings":[{"framework":"nist-ai-rmf","clauses":["MAP 4.1","MANAGE 3.1"]},{"framework":"iso42001","clauses":["A.7.2","A.7.3"]},{"framework":"nist-800-53","clauses":["SR-3","SR-4","SA-8"]},{"framework":"owasp-llm","clauses":["LLM03: Supply Chain","LLM04: Data and Model Poisoning"]},{"framework":"hitrust-ai","clauses":["AI.05"]}],"policyId":"POL-MODEL-PROVENANCE","status":"implemented","downgraded":false,"liveEvidence":[],"hasLiveProof":false},{"id":"HN-AI-SIGNING-IDENTITY","family":"supply-chain-and-provenance","title":"Human vs agent signing-identity separation","objective":"Records signed by an autonomous agent are cryptographically distinguishable from records signed by a human approver.","claimedStatus":"planned","note":"Today every record is per-tenant-signed and the actor (agent vs human) is in the signed metadata. A distinct signing identity per actor-class (so the key itself proves agent-vs-human) is on the roadmap (tracked as P3).","mappings":[{"framework":"nist-800-53","clauses":["IA-9","AU-10"]},{"framework":"nist-ai-rmf","clauses":["MANAGE 4.1"]},{"framework":"owasp-agentic","clauses":["Identity & Impersonation"]},{"framework":"hitrust-ai","clauses":["AI.07"]}],"status":"planned","downgraded":false,"liveEvidence":[],"hasLiveProof":false}]},{"family":"interoperability","label":"Interoperability & Patient Access","blurb":"Standards-based exchange and the CMS prior-authorization mandate.","controls":[{"id":"HN-CMS-PRIOR-AUTH","family":"interoperability","title":"Electronic prior authorization (CMS-0057-F)","objective":"Prior-authorization decisions are determined, recorded, and exchangeable per the CMS Interoperability and Prior Authorization Final Rule, with the decision held for human sign-off when adverse.","claimedStatus":"partial","enforcement":[{"package":"@healthnext/agent-harness","symbol":"fleet/prior-authorization.ts (criteria → determination → human gate)","detail":"The prior-authorization agent retrieves criteria in-boundary, produces a determination, and HOLDS an adverse determination at a human approval gate before it is recorded."}],"evidence":[{"kind":"worm-action","ref":"agent.action.gated","label":"An adverse PA determination held for sign-off, sealed"}],"note":"The governed PA determination + human gate are live. The full FHIR Da Vinci PAS/CRD/DTR API surface + the Provider/Payer Access APIs are connector work (X12/FHIR connectors exist); shown Partial until the CMS API endpoints are certified.","mappings":[{"framework":"cms-0057-f","clauses":["Prior Authorization API","Provider Access API","Payer-to-Payer API"]},{"framework":"nist-ai-rmf","clauses":["MANAGE 1.1"]},{"framework":"hitrust-ai","clauses":["AI.06"]}],"status":"partial","downgraded":false,"liveEvidence":[{"anchorRef":"agent.action.gated","sequence":1150,"action":"agent.action.gated","outcome":"held-for-review","hash":"d5fea143e96fdb22bf8b5a0b635bbfdd0b6f4612e4a8dc9cbc5b044aeacf973c","previousHash":"398ab6b742cf09d1f58f3563757a8dd74ac15fdff8e56c6564229765928e4acb","correlationId":"corr-harness-1782307106017","recordedAt":"2026-06-24T13:18:26.600Z"}],"hasLiveProof":true},{"id":"HN-FHIR-EXCHANGE","family":"interoperability","title":"Standards-based health data exchange (FHIR / X12)","objective":"Health data is exchanged over standard FHIR R4 + X12 transactions through governed connectors.","claimedStatus":"partial","enforcement":[{"package":"@healthnext/connector-fhir + connector-x12 + connector-davinci","symbol":"integration-fabric governed connectors","detail":"FHIR, X12, and Da Vinci connectors parse + map standard transactions; the EDI tool parses X12 in-boundary."}],"note":"Connector packages + the X12 parser exist and run in-boundary. Full conformance certification (USCDI, Da Vinci IGs) is in progress; shown Partial.","mappings":[{"framework":"cms-0057-f","clauses":["Patient Access API","FHIR US Core"]},{"framework":"nist-800-53","clauses":["SC-8","SI-10"]},{"framework":"hitrust-ai","clauses":["09.s"]}],"status":"partial","downgraded":false,"liveEvidence":[],"hasLiveProof":false}]}],"frameworks":[{"id":"soc2","name":"SOC 2 Type II","short":"SOC 2 II","version":"2017 TSC (rev. 2022)","authority":"AICPA","scope":"Trust Services Criteria — Security, Availability, Confidentiality, Processing Integrity, Privacy.","conditional":false,"score":82,"applicable":11,"counts":{"implemented":7,"partial":3,"inherited":1,"planned":0,"not-applicable":0,"total":11}},{"id":"iso27001","name":"ISO/IEC 27001","short":"ISO 27001","version":"2022","authority":"ISO/IEC","scope":"Information Security Management System — Annex A controls.","conditional":false,"score":88,"applicable":8,"counts":{"implemented":6,"partial":1,"inherited":1,"planned":0,"not-applicable":0,"total":8}},{"id":"iso42001","name":"ISO/IEC 42001","short":"ISO 42001","version":"2023","authority":"ISO/IEC","scope":"AI Management System — the governance lifecycle for AI.","conditional":false,"score":90,"applicable":5,"counts":{"implemented":4,"partial":1,"inherited":0,"planned":0,"not-applicable":0,"total":5}},{"id":"nist-800-53","name":"NIST SP 800-53 Rev. 5","short":"NIST 800-53 R5","version":"Rev. 5","authority":"NIST","scope":"Security & Privacy Controls for Information Systems and Organizations.","conditional":false,"score":83,"applicable":21,"counts":{"implemented":15,"partial":4,"inherited":1,"planned":1,"not-applicable":1,"total":22}},{"id":"nist-csf","name":"NIST CSF 2.0","short":"NIST CSF 2.0","version":"2.0","authority":"NIST","scope":"Cybersecurity Framework — Govern, Identify, Protect, Detect, Respond, Recover.","conditional":false,"score":86,"applicable":7,"counts":{"implemented":5,"partial":1,"inherited":1,"planned":0,"not-applicable":0,"total":7}},{"id":"nist-ai-rmf","name":"NIST AI RMF (AI 600-1)","short":"NIST AI RMF","version":"1.0 + Generative AI Profile (AI 600-1)","authority":"NIST","scope":"AI Risk Management Framework — Govern, Map, Measure, Manage.","conditional":false,"score":77,"applicable":11,"counts":{"implemented":7,"partial":3,"inherited":0,"planned":1,"not-applicable":0,"total":11}},{"id":"owasp-llm","name":"OWASP LLM Top 10","short":"OWASP LLM","version":"2025","authority":"OWASP","scope":"Top risks for LLM applications — prompt injection, data leakage, excessive agency.","conditional":false,"score":93,"applicable":7,"counts":{"implemented":6,"partial":1,"inherited":0,"planned":0,"not-applicable":0,"total":7}},{"id":"owasp-agentic","name":"OWASP Agentic Top 10 (ASI)","short":"OWASP Agentic","version":"Agentic Security Initiative","authority":"OWASP","scope":"Top threats for agentic systems — tool misuse, memory poisoning, cascading failures.","conditional":false,"score":83,"applicable":9,"counts":{"implemented":7,"partial":1,"inherited":0,"planned":1,"not-applicable":0,"total":9}},{"id":"hitrust-ai","name":"HITRUST AI Security Certification","short":"HITRUST AI","version":"AI Security Assessment","authority":"HITRUST","scope":"The harmonized assurance program; its crosswalk is HealthNext's mapping source.","conditional":false,"score":80,"applicable":25,"counts":{"implemented":16,"partial":7,"inherited":1,"planned":1,"not-applicable":0,"total":25}},{"id":"hipaa","name":"HIPAA Security & Privacy Rules","short":"HIPAA","version":"45 CFR Parts 160 & 164","authority":"HHS / OCR","scope":"Safeguards for electronic protected health information + the Privacy Rule.","conditional":false,"score":80,"applicable":10,"counts":{"implemented":6,"partial":3,"inherited":1,"planned":0,"not-applicable":0,"total":10}},{"id":"hitech","name":"HITECH Act","short":"HITECH","version":"2009 (as amended)","authority":"HHS","scope":"Breach notification + strengthened HIPAA enforcement + audit-trail expectations.","conditional":false,"score":75,"applicable":2,"counts":{"implemented":1,"partial":1,"inherited":0,"planned":0,"not-applicable":0,"total":2}},{"id":"part2","name":"42 CFR Part 2","short":"42 CFR Part 2","version":"2024 final rule","authority":"SAMHSA / HHS","scope":"Heightened confidentiality for substance-use-disorder treatment records.","conditional":false,"score":100,"applicable":1,"counts":{"implemented":1,"partial":0,"inherited":0,"planned":0,"not-applicable":0,"total":1}},{"id":"cms-0057-f","name":"CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F)","short":"CMS-0057-F","version":"2024 (effective 2026–2027)","authority":"CMS","scope":"Patient/Provider/Payer Access APIs + the electronic Prior Authorization API mandate.","conditional":false,"score":50,"applicable":2,"counts":{"implemented":0,"partial":2,"inherited":0,"planned":0,"not-applicable":0,"total":2}},{"id":"pci-dss","name":"PCI DSS v4.0","short":"PCI-DSS v4","version":"4.0","authority":"PCI SSC","scope":"Payment-card data protection. Applies ONLY when card data is in the deployment's estate.","conditional":true,"score":0,"applicable":0,"counts":{"implemented":0,"partial":0,"inherited":0,"planned":0,"not-applicable":1,"total":1}}],"policies":[{"id":"POL-PHI-BOUNDARY","title":"PHI Boundary & In-Boundary AI","statement":"Protected health information never leaves the tenant boundary. All model inference runs on an in-boundary served model; egress to any unmanaged destination is blocked, not redacted.","owner":"Chief Information Security Officer","version":"1.2","effective":"2026-01-15","reviewCadence":"quarterly","lastReviewed":"2026-04-15","nextReview":"2026-07-15","enforcedBy":[{"package":"@healthnext/phi-gate","symbol":"BlockingPhiGate.enforceEgress","detail":"Deny-by-default, fail-closed egress boundary; audit-write failure downgrades ALLOW to BLOCK."},{"package":"@healthnext/modelops","symbol":"getModelOps (in-boundary default)","detail":"The orchestrator routes to the in-boundary model by default and never calls an external model directly."}]},{"id":"POL-MIN-NECESSARY","title":"Minimum Necessary","statement":"Any access to PHI is limited to the minimum data necessary for the stated purpose-of-use. PHI and quasi-identifier fields are dropped unless the purpose justifies them.","owner":"Privacy Officer","version":"1.1","effective":"2026-01-15","reviewCadence":"semi-annual","lastReviewed":"2026-03-01","nextReview":"2026-09-01","enforcedBy":[{"package":"@healthnext/semantic-layer","symbol":"compile.ts:projectable()","detail":"The SQL compiler drops non-projectable PHI/quasi columns per purpose-of-use and records the rewrite."},{"package":"@healthnext/tenancy-abac","symbol":"computeMinimumNecessary","detail":"The ABAC engine attaches a minimum-necessary field projection to every PERMIT decision."}]},{"id":"POL-CONSENT","title":"Consent & Special-Protection Records","statement":"Member consent is honored as a denial control. Substance-use-disorder records (42 CFR Part 2) and other special-protection classes receive heightened restriction and never egress to unauthorized destinations.","owner":"Privacy Officer","version":"1.0","effective":"2026-02-01","reviewCadence":"semi-annual","lastReviewed":"2026-02-01","nextReview":"2026-08-01","enforcedBy":[{"package":"@healthnext/consent","symbol":"resolution.ts + semantic-layer consent predicate","detail":"A consent NOT-EXISTS predicate filters denied rows; special-protection categories block at the PHI gate."}]},{"id":"POL-LEAST-PRIVILEGE","title":"Least Privilege & Access Control","statement":"Access is deny-by-default and scoped by tenant, role, and purpose. Agents may invoke only the tools they declare. Database row-level security is the last line of defense.","owner":"Chief Information Security Officer","version":"1.3","effective":"2026-01-15","reviewCadence":"quarterly","lastReviewed":"2026-04-15","nextReview":"2026-07-15","enforcedBy":[{"package":"@healthnext/tenancy-abac","symbol":"AbacPolicyEngine + generateTableRls","detail":"DENY overrides PERMIT; per-tenant RLS isolates rows at the database."},{"package":"@healthnext/agent-harness","symbol":"registry.ts:agentCanUse","detail":"An agent cannot call a tool it did not declare."}]},{"id":"POL-HUMAN-OVERSIGHT","title":"Human Oversight of AI Decisions","statement":"AI never holds a final decision that changes clinical, financial, or member-facing state. Such actions are proposed by an agent and held for human sign-off.","owner":"Chief Medical Officer","version":"1.1","effective":"2026-01-15","reviewCadence":"quarterly","lastReviewed":"2026-04-15","nextReview":"2026-07-15","enforcedBy":[{"package":"@healthnext/agent-harness","symbol":"orchestrator.ts approval gates","detail":"Gated steps are held (awaiting-approval) and sealed; they run only after a human approves."}]},{"id":"POL-AUDIT-RETENTION","title":"Audit Logging & Retention","statement":"Every consequential action is recorded to a tamper-evident, append-only audit trail and retained for the regulatory retention period. The trail is independently verifiable.","owner":"Compliance Officer","version":"1.2","effective":"2026-01-15","reviewCadence":"annual","lastReviewed":"2026-01-15","nextReview":"2027-01-15","enforcedBy":[{"package":"@healthnext/audit-evidence","symbol":"WormAuditLog + verifyChain","detail":"Append-only, hash-chained, Ed25519-signed; no update/delete path exists."}]},{"id":"POL-INCIDENT-RESPONSE","title":"Fleet Incident Response","statement":"Operators can immediately halt the agent fleet. Repeatedly-failing agents are automatically taken out of rotation. Incidents are detected, contained, and recorded.","owner":"Chief Information Security Officer","version":"1.0","effective":"2026-06-22","reviewCadence":"quarterly","lastReviewed":"2026-06-22","nextReview":"2026-09-22","enforcedBy":[{"package":"@healthnext/agent-harness","symbol":"fleet-control.ts kill-switch + circuit breakers","detail":"The orchestrator gates every admission + step; halts are fail-closed and sealed to the audit chain."}]},{"id":"POL-CAPACITY","title":"Capacity, Cost & Blast-Radius","statement":"Each tenant's run-rate and token cost are capped over a rolling window, and the number of concurrent high-risk agent actions is bounded fleet-wide.","owner":"VP, Platform Engineering","version":"1.0","effective":"2026-06-22","reviewCadence":"quarterly","lastReviewed":"2026-06-22","nextReview":"2026-09-22","enforcedBy":[{"package":"@healthnext/agent-harness","symbol":"fleet-control.ts rate/cost caps + blast-radius","detail":"Admission is refused past the caps; high-risk concurrency is slot-limited."}]},{"id":"POL-MODEL-PROVENANCE","title":"Model & Data Provenance","statement":"Per-customer models are trained on non-PHI corpora only. PHI and secrets are partitioned out before training and served at runtime via governed RAG. Every training order carries an audit-safe attestation.","owner":"Head of AI / MLOps","version":"1.0","effective":"2026-03-01","reviewCadence":"semi-annual","lastReviewed":"2026-03-01","nextReview":"2026-09-01","enforcedBy":[{"package":"@healthnext/tenant-model","symbol":"real-fork-client.ts:partitionSources","detail":"The PHI/secret guard runs locally; only audit-safe records (no content) go on the training wire."}]}],"subProcessors":[{"name":"Managed Postgres (deployment cloud)","purpose":"Durable storage of the operations graph, run store, and WORM audit chain — inside the tenant boundary.","phiAccess":"processor","location":"Customer-elected region (US)","note":"Encrypted at rest; per-tenant RLS; backups/PITR by the managed data plane."},{"name":"In-boundary served model (LeanLogix-trained fork)","purpose":"Healthcare LLM inference for the agent fleet.","phiAccess":"in-boundary-only","location":"In the tenant boundary","note":"Trained on non-PHI corpora only; PHI is served at runtime via governed RAG and never transits an external API."},{"name":"Netlify","purpose":"Static hosting + serverless functions for the console + marketing surfaces.","phiAccess":"none","location":"Global edge / US functions","note":"Serves the application shell; the data plane + model run in the tenant boundary."},{"name":"Resend","purpose":"Transactional email (operational notifications).","phiAccess":"none","location":"US","note":"Operational metadata only; no PHI in email bodies."}],"postureDocs":[{"id":"DOC-DPA","title":"Data Processing Addendum (DPA)","kind":"DPA","status":"template","summary":"How HealthNext processes PHI on the customer's behalf as a Business Associate, the security commitments, and the sub-processing terms.","disclaimer":"TEMPLATE — not an executed agreement. This is a starting-point draft for a customer's counsel to review and negotiate; it is not legal advice and confers no obligation until both parties sign a final version. Clauses marked with a control reference are enforced in code today; the rest are documentary commitments pending counsel review.","version":"0.3 (template)","lastUpdated":"2026-06-22","owner":"Chief Information Security Officer","sections":[{"heading":"Roles & scope","body":"The customer (Covered Entity or its Business Associate) is the controller of the PHI; HealthNext acts as a Business Associate / processor and processes PHI only on documented instructions and only to provide the contracted service. A separate Business Associate Agreement (BAA) governs HIPAA obligations and is incorporated by reference."},{"heading":"Processing boundary (in-boundary PHI)","body":"PHI is processed inside the customer-elected boundary. Model inference runs on an in-boundary served model; PHI is never transmitted to an external foundation-model provider. Egress to any unmanaged destination is blocked — not merely redacted — and fails closed.","backedBy":["HN-PHI-EGRESS","HN-AI-INBOUNDARY"]},{"heading":"Security measures","body":"HealthNext maintains deny-by-default access control with per-tenant row-level isolation, minimum-necessary data projection, encryption in transit, and a tamper-evident, hash-chained, signed audit trail of every consequential decision. Detailed control mappings are in the Trust Center crosswalk.","backedBy":["HN-ACCESS-ENFORCEMENT","HN-TENANT-ISOLATION","HN-MIN-NECESSARY","HN-AUDIT-INTEGRITY"]},{"heading":"Sub-processing","body":"HealthNext engages the sub-processors listed in the Trust Center inventory. HealthNext will give the customer prior written notice of any intended addition or replacement of a sub-processor that processes PHI and an opportunity to object. No external foundation-model provider processes PHI."},{"heading":"Assistance & data subject rights","body":"HealthNext assists the customer in responding to individuals' access/amendment/accounting requests and in meeting the customer's own regulatory obligations, using the audit and evidence-export capabilities of the platform.","backedBy":["HN-AUDIT-EXPORT","HN-ACCESS-LOGGING"]},{"heading":"Return & deletion","body":"On termination, HealthNext returns or securely destroys PHI per the Data Retention Schedule, subject to retention required by law. The append-only audit chain is retained for the regulatory retention period and is not deleted on a per-record basis (WORM)."}]},{"id":"DOC-RETENTION","title":"Data Retention & Disposal Schedule","kind":"Retention","status":"template","summary":"How long each data class is retained, why, and how it is disposed of — including the append-only audit chain that, by design, has no per-record delete path.","disclaimer":"TEMPLATE — not an executed agreement. This is a starting-point draft for a customer's counsel to review and negotiate; it is not legal advice and confers no obligation until both parties sign a final version. Clauses marked with a control reference are enforced in code today; the rest are documentary commitments pending counsel review.","version":"0.2 (template)","lastUpdated":"2026-06-22","owner":"Compliance Officer","sections":[{"heading":"Audit & evidence records","body":"Retained for the regulatory retention period (HIPAA requires documentation be retained 6 years; some states require longer). The audit trail is append-only, hash-chained, and Ed25519-signed — there is no update or delete path for an individual record, so retention is enforced structurally, not by policy alone.","backedBy":["HN-AUDIT-INTEGRITY","HN-AUDIT-EXPORT"]},{"heading":"Operational PHI (graph, cases, runs)","body":"Retained for the active contract term plus the customer-elected retention window, then returned or destroyed per the DPA. Stored inside the boundary in managed Postgres with per-tenant isolation.","backedBy":["HN-TENANT-ISOLATION","HN-ACCESS-ENFORCEMENT"]},{"heading":"Model training corpora","body":"Per-customer model forks are trained on non-PHI corpora only; PHI and secrets are partitioned out before training and served at runtime via governed retrieval. Training inputs therefore carry no PHI retention obligation.","backedBy":["HN-AI-PROVENANCE"]},{"heading":"Operational metadata & email","body":"Transactional email and operational notifications carry no PHI in their bodies; metadata is retained for the operational window needed for deliverability and support, then purged on the provider's schedule."},{"heading":"Disposal method","body":"Operational data is deleted via the managed data plane's cryptographic-erase / secure-delete facilities. The audit chain is exempt from per-record deletion by design and ages out only at the end of the regulatory retention period for the whole tenant chain."}]},{"id":"DOC-IR","title":"Incident Response & Breach Notification Plan","kind":"Incident Response","status":"template","summary":"How operational and security incidents are detected, contained, investigated, and — when reportable — notified, including the automated fleet containment that is live today.","disclaimer":"TEMPLATE — not an executed agreement. This is a starting-point draft for a customer's counsel to review and negotiate; it is not legal advice and confers no obligation until both parties sign a final version. Clauses marked with a control reference are enforced in code today; the rest are documentary commitments pending counsel review.","version":"0.2 (template)","lastUpdated":"2026-06-22","owner":"Chief Information Security Officer","sections":[{"heading":"Detection","body":"Fleet activity, approval-gate holds, and PHI-egress decisions stream to the operations wall in real time. Every egress ALLOW/BLOCK and every held write is a signed audit record, so anomalous activity is visible and attributable.","backedBy":["HN-INCIDENT-RESPONSE","HN-ACCESS-LOGGING","HN-PHI-EGRESS"]},{"heading":"Automated containment (live)","body":"An operator can immediately halt the agent fleet globally or per-agent; repeatedly-failing agents are taken out of rotation by per-agent circuit breakers; per-tenant rate/cost caps and a fleet-wide blast-radius limit bound the damage of a runaway. Halts fail closed and are sealed to the audit chain.","backedBy":["HN-KILL-SWITCH","HN-CIRCUIT-BREAKER","HN-COST-RATE-CAPS","HN-BLAST-RADIUS"]},{"heading":"Triage & investigation","body":"On declaration of an incident, the response team scopes affected tenants and data classes using the per-tenant audit chain and evidence export, establishes a timeline from the signed records, and determines whether PHI was disclosed to an unauthorized party.","backedBy":["HN-AUDIT-EXPORT"]},{"heading":"Notification (draft commitment)","body":"Where an incident is a reportable breach of unsecured PHI, HealthNext will notify the affected customer without unreasonable delay so the customer can meet HIPAA/HITECH breach-notification timelines (individual notice within 60 days of discovery; HHS and, where applicable, media notice per the rule). Specific contractual SLAs are set in the executed agreement.","backedBy":["HN-INCIDENT-RESPONSE"]},{"heading":"Post-incident","body":"Root-cause analysis, corrective actions, and control updates are tracked to closure; the incident record and its evidence are retained per the Data Retention Schedule."}]},{"id":"DOC-SUBPROCESSOR","title":"Subprocessor Change-Notification Commitment","kind":"Subprocessor","status":"template","summary":"How the subprocessor inventory is maintained and how the customer is notified before a PHI-touching subprocessor changes — paired with the live inventory in the Trust Center.","disclaimer":"TEMPLATE — not an executed agreement. This is a starting-point draft for a customer's counsel to review and negotiate; it is not legal advice and confers no obligation until both parties sign a final version. Clauses marked with a control reference are enforced in code today; the rest are documentary commitments pending counsel review.","version":"0.2 (template)","lastUpdated":"2026-06-22","owner":"Chief Information Security Officer","sections":[{"heading":"Current inventory","body":"The authoritative subprocessor list is published in the Trust Center, with each entry's PHI-access level. The notable absence a reviewer should confirm: there is NO external foundation-model provider in the PHI path — all inference runs on an in-boundary served model.","backedBy":["HN-AI-INBOUNDARY","HN-PHI-EGRESS"]},{"heading":"Notification of change","body":"HealthNext will provide the customer prior written notice before adding or replacing any subprocessor that processes PHI, with a reasonable window to object. A change that would route PHI to a new external destination is gated by the egress boundary and would require a deliberate, audited policy change.","backedBy":["HN-PHI-EGRESS"]},{"heading":"Subprocessor due diligence","body":"PHI-touching subprocessors are limited to those operating inside the tenant boundary (managed data plane, in-boundary model) under appropriate agreements; non-PHI subprocessors (hosting, transactional email) carry no PHI access by design."}]}],"noExternalModelNote":"No external foundation-model provider processes PHI. All inference runs on an in-boundary served model; PHI never leaves the boundary."}