HIPAA Privacy & Security Rules
Built
45 CFR §164 · Subparts A, C, D, E
Granular per-category consent, embedded consent gate at every clinical query, immutable audit trail, sanitized error responses, expanded log redaction.
Code: consent-service · clinical-service · packages/shared/logger · hipaaAuditMiddleware
42 CFR Part 2 (Substance Use Disorder)
Built
SAMHSA · F10–F19 ICD-10 · re-disclosure prohibition
Defense-in-depth across all four engines: F03 normalization tags Part 2 records · F04 reconciliation honors revocation · F05 entitlement engine categorically blocks SUD records to buyers · F06 payouts compliance gate before disbursement.
Code: icd10-validator · data-entitlement-engine PROHIBIT_SUD_RECORDS · payout compliance-engine F1[0-9] check
21st Century Cures Act §171 (Info Blocking)
Built
ONC Final Rule · 8 exceptions classified
Information-blocking exception classifier across all 8 categories: Preventing Harm · Privacy · Security · Infeasibility · Health IT Performance · Content & Manner · Fees · Licensing. Consent denials route through classifier so refusals are documented as exceptions, not blocking.
Code: info-blocking-classifier.ts in packages/shared/src
GINA — Genetic Non-Discrimination
Built
Title I (insurance) · Title II (employment)
Genetic data flagged as a separate sensitivity category in the consent schema. Buyer entitlement matrix categorically blocks Genetic data for Insurer + Employer buyer types regardless of consent state.
Code: data-entitlement-engine 11×7 matrix · ConsentScope.dataCategories enum
ACA §1182 — Pre-existing condition
Built
Affordable Care Act · pre-ex protection
Buyer-type entitlement matrix prohibits Insurer queries on diagnosis history that could be used to underwrite or deny coverage. Re-disclosure restrictions at delivery boundary.
Code: entitlement matrix Insurer rules · F05 data-delivery-controller
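The buyer-type × data-category entitlement check described in the 42 CFR Part 2, GINA and ACA rows above, as an added illustration in Node.js. This is not Moonlitic's data-entitlement-engine; the buyer types, the five prohibition rules (mapping the ACA row onto the Clinical category is an assumption) and the consent object shape are constructed for the example. The point it shows is the ordering: regulator-mandated denials are evaluated first and cannot be overridden by patient consent, and every denial carries the regulatory basis so it can be documented as an exception rather than information blocking.

```javascript
// Added illustration, not Moonlitic's data-entitlement-engine. The full
// 11x7 matrix is not on the page; the rules below are assumptions drawn
// from the GINA, ACA and 42 CFR Part 2 rows of the matrix description.

const CATEGORIES = [
  'Demographics', 'Clinical', 'Claims', 'Genetic',
  'MentalHealth', 'SubstanceUse', 'Imaging',
];

// Categorical prohibitions: checked before consent and never overridable.
// '*' means every buyer type. Each rule names the regulation it encodes.
const PROHIBITIONS = [
  { buyer: '*',                category: 'SubstanceUse', basis: '42 CFR Part 2' },
  { buyer: 'Insurer',          category: 'Genetic',      basis: 'GINA Title I' },
  { buyer: 'Employer',         category: 'Genetic',      basis: 'GINA Title II' },
  // Assumption: the ACA row's "diagnosis history" maps onto Clinical.
  { buyer: 'Insurer',          category: 'Clinical',     basis: 'ACA 1182' },
  // Assumption from the page's "Drug Mfgr cannot read Clinical".
  { buyer: 'DrugManufacturer', category: 'Clinical',     basis: 'entitlement policy' },
];

function findProhibition(buyerType, category) {
  return PROHIBITIONS.find(
    (r) => (r.buyer === '*' || r.buyer === buyerType) && r.category === category,
  );
}

// consent shape (assumed): { [category]: { [buyerType]: boolean } }, i.e. the
// granular per-category, per-buyer-type toggles the consent-service row describes.
// Returns an object the caller can log: allowed flag, reason, and legal basis.
function evaluateEntitlement(buyerType, category, consent) {
  if (!CATEGORIES.includes(category)) {
    return { allowed: false, reason: 'unknown-category' };
  }
  const prohibition = findProhibition(buyerType, category);
  if (prohibition) {
    // Denied regardless of consent state; the basis is what gets recorded so
    // the refusal is classified as an exception, not blocking.
    return { allowed: false, reason: 'regulatory-prohibition', basis: prohibition.basis };
  }
  const granted = Boolean(consent[category] && consent[category][buyerType]);
  return granted
    ? { allowed: true, reason: 'consent-granted' }
    : { allowed: false, reason: 'consent-absent' };
}

// Narrow a buyer query down to the categories it may actually receive.
function allowedCategories(buyerType, requested, consent) {
  return requested.filter((c) => evaluateEntitlement(buyerType, c, consent).allowed);
}

// Constructed sample: a patient who has toggled every category on for every buyer.
const CONSENT_ALL = Object.fromEntries(CATEGORIES.map((c) => [
  c, { Insurer: true, Employer: true, Researcher: true, DrugManufacturer: true },
]));
```

Even with every consent toggle on, `allowedCategories('Insurer', CATEGORIES, CONSENT_ALL)` returns only Demographics, Claims, MentalHealth and Imaging; the SUD, Genetic and Clinical denials come back with their regulatory basis attached.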
CMS-0057-F (Prior Auth FHIR APIs)
In progress
2027 deadline · 4 required APIs
Prior Authorization API built on Da Vinci PAS profile, registered, consent-gated, 72-hour urgent timer. Patient Access · Provider Access · Payer-to-Payer APIs are roadmap (Phase 3).
Code: clinical-service/prior-auth/pa-routes · davinci-pas-client · pa-engine
HTI-5 / ONC Final Rule
In progress
Health Technology Initiative · USCDI v3
FHIR R4 + US Core profiles enforced via fhir-validator. Traceability matrix maintained against every USCDI v3 data element. SMART on FHIR app authorization on roadmap.
Code/Doc: fhir-validator.ts · Moonlitic_HTI5_Traceability_Matrix.docx
FedRAMP Moderate / StateRAMP
Roadmap
Federal cloud authorization
Authorization path laid via Azure Government / Azure-platform control inheritance. The Federal Audit Readiness doc enumerates the path. Required when serving CMS, VA, or state Medicaid agencies as buyers.
Doc: codebase/docs/Moonlitic_Federal_Audit_Readiness.html
Texas HB 300 / §611
Built
Texas Medical Records Privacy Act · Mental Health
State Compliance Engine validates TX residency at every consent write. §611 mental-health re-disclosure rules enforced via stateConsentMiddleware. Stricter than HIPAA for behavioral health.
Code: state-compliance-engine.ts · stateConsentMiddleware (wired across services)
California CMIA / CCPA / CPRA
Built
Confidentiality of Medical Information Act + Consumer Privacy
CA-specific consent disclosures, opt-out-of-sale mechanism via marketplace consent toggle, DSAR endpoint returns FHIR Bundle export, deletion request honored except where HIPAA retention overrides (with documented exception).
Code: consumer-rights routes · DSAR FHIR export · state-compliance-engine CA branch
Nebraska Data Privacy Act (NDPA)
Built
Nebraska state privacy law · 2024
NDPA-specific data-subject rights (access, correction, deletion, portability). Consent flow surfaces NE residents the NDPA notice. Validation runs at consent write.
Code: state-compliance-engine.ts NE branch
Other states (CO, CT, VA, UT, IA, IN, MT, OR, TN, TX-DPA)
Roadmap
Comprehensive state privacy laws · 2024–2026
Engine architecture supports per-state branches; additional jurisdictions activate by config. Cost is low per state once the first three are in.
Doc: STATE_COMPLIANCE_ENGINE_GUIDE.md
FHIR R4 / US Core / Da Vinci PAS
Built
HL7 FHIR · USCDI v3 · Da Vinci IG v2.1
FHIR R4 across the platform: ingestion normalizes 9 rails into FHIR resources, validator enforces R4 structure + US Core profiles, Prior Auth uses Da Vinci PAS Bundle $submit operation.
Code: seqster-fhir-mapper · fhir-validator · davinci-pas-client
X12 EDI 837P / 835
Built
Professional claim · Remittance advice
Strict 837P/835 parsers with redacted error reporting (segment IDs only, no PHI in logs). 837 ingest → normalize → FHIR Claim. 835 ingest → reconcile against 837 → FHIR ExplanationOfBenefit.
Code: claims-ingestion-api · x12-835-parser · normalization-engine
HL7 FAST
Partial
FHIR at Scale Taskforce · 20 requirements
12 BUILT · 5 PARTIAL · 3 PLANNED of 20 FAST requirements per scorecard. UDAP dynamic registration + JWT/X.509 binding on Phase 3.
Doc: Moonlitic_vs_HL7_FAST_Coverage.html
TEFCA / QHIN participation
Roadmap
Trusted Exchange Framework · QHIN gateway
Rail 1 (TEFCA/QHIN summaries) wired to ingest QHIN-format Patient Bundles today. Live QHIN participation requires Sequoia Project agreement + technical certification.
Code: ingestion-rails-api Rail 1 · TEFCA bundle handler
NIST 800-53 Moderate
~80%
Federal Information Security · Moderate baseline
~80% control coverage across the 17 control families. Gaps tracked in POA&M (Plan of Action & Milestones). Required for federal customers and contributory for SOC 2.
Doc: Compliance Evidence Matrix · POA&M
AES-256 field encryption (envelope)
Built
Azure Key Vault adapter · per-field
Sensitive categories (Genetic, Mental Health, HIV, Substance Use) encrypted with envelope keys backed by Azure Key Vault. Distinct from at-rest disk encryption — protects against insider DB read.
Code: field-crypto.ts · field-crypto-keyvault.ts
HMAC-SHA256 ledger entries
Built
Azure Confidential Ledger · tamper-evident
Every consent write, claim event, marketplace settlement, and payout disbursement is recorded with an HMAC-signed entry on Azure Confidential Ledger. Can be independently verified by an auditor offline.
Code: consent-service ledger writes · F06 verifyLedgerState · F04 ledger gate
mTLS + OAuth 2.0 / OIDC
Built
Mutual TLS · Azure Entra ID
Service-to-service mutual TLS inside the trust boundary. Patient-facing OAuth 2.0 / OIDC via Azure Entra ID. Identity verification (IAL2) via Clear / ID.me before bank-link or trial enrollment.
Code: auth.ts middleware · idme-backend
Zero-trust network boundary
Built
Private endpoints · VNet · Azure Sentinel
Internal services on private endpoints behind a single zero-trust boundary. Every cross-engine call carries a consent token verified at the receiver. Sentinel for anomaly detection.
Diagram: Moonlitic_Technical_Diagram.html
Cross-engine consent revocation
Built
F01 → F02 → F03 → F04 → F06
A patient revoking consent at F01 propagates to every downstream engine. F04 reconciliation calls verifyLedgerState() before any retry — a revoked claim cannot be re-submitted to a payer. F06 re-verifies before disbursement.
Code: verifyLedgerState gate (F04) · payout-orchestrator (F06)
Sanitized error responses
Built
No PHI in errors · no stack traces to clients
Single sanitizeErrorForClient() helper across all routes. Audit logs use IDs only (no DOBs, MRNs, names, SSNs). Extensive log redaction key-list maintained in shared logger.
Code: packages/shared/logger redaction · error-sanitizer
Granular per-category consent
Built
7 categories · per-buyer-type
Patients toggle consent per data category (Demographics, Clinical, Claims, Genetic, Mental Health, Substance Use, Imaging). Real-time propagation to marketplace, clinician portal, and payouts.
Code: consent-service routes · ConsentScope schema · F05 marketplace consumer
FHIR Bundle DSAR export
Built
Data Subject Access Request · FHIR R4
Patient downloads everything Moonlitic holds about them as a FHIR Bundle. Cross-state portable. CCPA / CPRA / NDPA compliant.
Code: consent-service/routes/consumer-rights.ts
Deletion & opt-out
Built
CCPA opt-out-of-sale · NDPA delete
Opt-out-of-sale toggle disconnects patient from marketplace. Deletion honored where HIPAA retention permits, refusals classified under Cures Act §171 Privacy Exception with audit log.
Code: consumer-rights deletion · info-blocking-classifier
Transparent earnings cascade
Built
80/20 NET split · per-record provenance
Every dollar paid to a patient is traced to: which buyer query, which records, gross amount, fees (Velo + audit + tax), 80% net to patient, 20% to Moonlitic. Patient sees the cascade in the dashboard.
Code: F06_Payouts/disbursement-engine · Patient_Earnings_Cascade.html
SOC 2 Type II readiness
Pre-audit
Trust Service Criteria · Security · Privacy · Availability
Evidence Matrix maintained. POA&M tracks open items. Pre-audit hygiene done — formal Type II audit window opens after a continuous 6-month evidence collection period.
Doc: Moonlitic_Compliance_Evidence.html · COMPLIANCE_AUDIT_2026-05-03.md
Immutable audit trail
Built
Azure Confidential Ledger · per-event
Every consent change, every claim event, every marketplace settlement, every payout writes a tamper-evident entry to Azure Confidential Ledger. Independently verifiable by HHS OCR.
Code: hipaaAuditMiddleware · F06 ledger writes · F04 ledger gate
Compliance Evidence Matrix
Built
HIPAA · SOC 2 · GDPR · NIST 800-53 · state laws
Living document mapping every regulation to specific code paths and runtime controls. Version-controlled.
Doc: codebase/docs/Moonlitic_Compliance_Evidence.html
HTI-5 traceability matrix
Built
USCDI v3 mapping
Each USCDI v3 data element traced to FHIR resource + persistence path + consent gate.
Doc: Moonlitic_HTI5_Traceability_Matrix.docx
Code-level audit (2026-05-03)
Phase 1 closed
39 findings · Critical/High closed · pre-audit hygiene
Independent code-level audit run against the Evidence Matrix. Top-5 critical findings closed in Phase 1. Phase 2/3 remediation roadmap published in the same doc.
Doc: COMPLIANCE_AUDIT_2026-05-03.md §10 — Phase 1 fixes committed
BAAs & vendor compliance
Built
Microsoft Azure · Velo Payments · Health-data aggregator
Business Associate Agreements in place with every vendor that touches PHI. Velo Payments KYC/OFAC/HMAC-verified webhooks for ACH disbursement.
Doc: contract register · MIGRATION_STATUS.md
1. Time-to-credibility
The Evidence Matrix + immutable ledger + Phase 1 audit closure represent 18+ months of sustained work. A new entrant without these artifacts cannot win an enterprise pharma or QHIN engagement, regardless of UX.
2. Multi-regulator surface
Federal + 3 states + 5 standards is not additive — it's multiplicative. Each new regulator adds a documentation, code, and audit-log axis. Moonlitic already runs on all of them.
3. Patient-trust flywheel
Granular per-category consent + transparent earnings cascade + DSAR export are visible to the patient. They become a marketing asset, not just a compliance asset. Network effect compounds when patients refer.
4. Buyer-side gating defaults
The 11×7 entitlement matrix encodes regulator-required denials (Insurer cannot read Genetic; Drug Mfgr cannot read Clinical; nobody reads SUD). A buyer pre-empted from misuse stays a buyer for the long term.
5. CMS-0057-F deadline as accelerator
Mandatory in 2027. Most payer/EHR incumbents are scrambling. Moonlitic's PA path is built on the Da Vinci PAS profile already and will service incumbents that can't meet the deadline themselves.
6. State-engine extensibility
3 states wired today. Each new state activates by config — incremental engineering cost is near-zero per jurisdiction. Competitors building per-state will burn quarters on what's a config flip here.