HIPAA Controls → Gatez Feature Mapping
Overview
This document maps HIPAA Security Rule requirements to Gatez gateway platform features. Gatez provides the technical controls; organizational policies and Business Associate Agreements (BAAs) are the customer's responsibility.
Administrative Safeguards (§164.308)
| HIPAA Control | Requirement | Gatez Feature | Status |
|---|---|---|---|
| §164.308(a)(1) | Security management process | Audit trail in ClickHouse (all actions logged) | ✅ Implemented |
| §164.308(a)(3) | Workforce security | Keycloak RBAC (platform-admin, tenant-admin, analyst roles) | ✅ Implemented |
| §164.308(a)(4) | Information access management | Per-tenant isolation (Redis keyspace, ClickHouse row-level) | ✅ Implemented |
| §164.308(a)(5) | Security awareness training | N/A (organizational, not platform) | Customer responsibility |
| §164.308(a)(6) | Security incident procedures | Audit log + notification system for anomaly detection | ✅ Implemented |
Technical Safeguards (§164.312)
| HIPAA Control | Requirement | Gatez Feature | Status |
|---|---|---|---|
| §164.312(a)(1) | Access control | JWT auth (L1), master key auth (L2/L3), SCIM provisioning | ✅ Implemented |
| §164.312(a)(2)(i) | Unique user identification | Keycloak user management, tenant_id in JWT claims | ✅ Implemented |
| §164.312(a)(2)(iii) | Automatic logoff | Session TTL in L3 (configurable, default 3600s) | ✅ Implemented |
| §164.312(b) | Audit controls | ClickHouse audit trail: every API call, tool call, A2A hop, session event | ✅ Implemented |
| §164.312(c)(1) | Integrity controls | Tool poisoning detection (server fingerprinting, naming collision) | ✅ Implemented |
| §164.312(d) | Person/entity authentication | Keycloak SSO (OIDC, SAML), MFA pass-through, SCIM 2.0 | ✅ Implemented |
| §164.312(e)(1) | Transmission security | TLS termination at APISIX (cert-manager), Redis auth | ✅ Partial (TLS in K8s, not Docker dev) |
Physical Safeguards (§164.310)
| HIPAA Control | Requirement | Gatez Feature | Status |
|---|---|---|---|
| §164.310(a)(1) | Facility access controls | Self-hosted / on-prem deployment (customer controls physical security) | ✅ Architecture supports |
| §164.310(d)(1) | Device and media controls | No PII stored in gateway (PII redacted before LLM forwarding) | ✅ Implemented |
Data Protection
| Concern | Gatez Feature | Details |
|---|---|---|
| PII in LLM prompts | PII redaction (regex-based) | SSN, email, credit card, phone, IP detected and redacted before forwarding |
| PHI in audit logs | Only pii_detected=true flag logged | Actual content never written to ClickHouse |
| Data residency | Self-hosted / on-prem | No data leaves customer infrastructure |
| Data retention | Configurable TTL per table | 90 days (request logs), 365 days (AI/audit logs) |
| Encryption at rest | ClickHouse native encryption, Redis persistence disabled | Customer configures volume encryption |
| Encryption in transit | TLS via APISIX + cert-manager (K8s) | mTLS between services (production) |
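
The regex-based redaction and the flag-only audit record from the table above, sketched as an added example; this is not the code in Gatez's `pii.rs`. The patterns, the `[REDACTED_*]` placeholder format and the function names are assumptions made for illustration.

```python
import re

# Illustrative patterns (assumptions, not copied from Gatez's pii.rs).
# Order matters: a span claimed by an earlier pattern is gone for later ones.
PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("CARD", re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),
    ("IP", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
                      r"(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
]

def luhn_ok(digits):
    """Card checksum; filters out order ids and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def redact(prompt):
    """Return (redacted_prompt, set_of_pii_kinds_found)."""
    kinds = set()
    for kind, rx in PATTERNS:
        def repl(m, kind=kind):
            if kind == "CARD" and not luhn_ok(re.sub(r"\D", "", m.group())):
                return m.group()  # fails the checksum: not treated as a card
            kinds.add(kind)
            return f"[REDACTED_{kind}]"
        prompt = rx.sub(repl, prompt)
    return prompt, kinds

def handle_request(tenant_id, prompt):
    """Redact before forwarding; the audit row carries a flag, never content."""
    forwarded, kinds = redact(prompt)
    audit_row = {"tenant_id": tenant_id, "pii_detected": bool(kinds)}
    return forwarded, audit_row

# Constructed sample prompt (test values, not real data).
SAMPLE = ("Patient jane.doe@example.org, SSN 078-05-1120, card 4111 1111 1111 1111, "
          "call 415-555-0134 from 10.0.0.7")
```

Regex redaction of this kind only catches the formats it lists; free-text PHI such as names or diagnoses passes through unchanged.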
Agent-Specific Controls
| Concern | Gatez Feature | Details |
|---|---|---|
| Agent blast radius | Per-session tool allowlist (deny by default) | Agent can only access approved tools |
| Agent data access | Tenant-scoped MCP tool federation | Agent sees only its tenant's tools |
| Human oversight | HITL gate on high-risk tool calls | Configurable per-tenant approval workflow |
| Agent-to-agent delegation | A2A loop detection + delegation policies | Cross-tenant delegation blocked by default |
| Agent audit | ClickHouse agent_audit_log | Every tool call, A2A hop, session event with tenant_id |
Gaps / Future Work
| Gap | Mitigation | Timeline |
|---|---|---|
| TLS not enforced in Docker Compose dev | Dev cert generation script added (EL-2). Use K8s with cert-manager for production. | ✅ Resolved |
| No encryption at rest for Redis | Disable Redis persistence (done) or use encrypted volumes | Customer config |
| No BAA template | See docs/compliance/baa-template.md for outline | ✅ Template created |
| L2 trusts L1 blindly | JWKS-based JWT signature validation added (EL-3) | ✅ Resolved |
| Auth headers in logs | Verified clean across all 3 layers (EL-4). Only auth_type metadata logged. | ✅ Resolved |
Evidence Mapping
For HIPAA auditors, here are the specific code files implementing each control:
| Control | Evidence File | What to Verify |
|---|---|---|
| Access control (§164.312(a)(1)) | layers/ai-gateway/src/auth.rs, layers/agent-gateway/src/routes.rs | JWT validation on every request |
| Audit trail (§164.312(b)) | infra/clickhouse/init.sql | All tables have tenant_id + timestamp |
| PII protection | layers/ai-gateway/src/pii.rs | Regex redaction before LLM call |
| Tool access control | layers/agent-gateway/src/security.rs | CEL rules + allowlist/denylist |
| HITL gates | layers/agent-gateway/src/routes.rs (hitl_approve/deny) | Human approval workflow |
| Session TTL | layers/agent-gateway/src/sessions.rs | Configurable max_session_duration_secs |
| Transmission security | infra/helm/gatez/templates/certificate.yaml | cert-manager Certificate + ClusterIssuer |
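
One way to check the "All tables have tenant_id + timestamp" item against `infra/clickhouse/init.sql`, as an added example that is not part of the Gatez repository: it parses `CREATE TABLE` statements and reports tables missing either column. The sample DDL is constructed, and the columns are assumed to be named literally `tenant_id` and `timestamp`.

```python
import re

REQUIRED = ("tenant_id", "timestamp")  # assumed literal column names

def column_names(body):
    """Names from a column list, splitting on top-level commas only."""
    names, depth, start = [], 0, 0
    body += ","
    for i, ch in enumerate(body):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            item = body[start:i].strip()
            if item:
                names.append(item.split()[0].strip('`"'))
            start = i + 1
    return names

def tables_missing_columns(ddl, required=REQUIRED):
    """Map each CREATE TABLE lacking a required column to what it lacks."""
    ddl = re.sub(r"--[^\n]*", "", ddl)  # strip SQL line comments
    head = re.compile(r"CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?([\w.`]+)\s*\(", re.I)
    findings = {}
    for m in head.finditer(ddl):
        depth, i = 1, m.end()
        while i < len(ddl) and depth:  # walk to the matching ')'
            depth += {"(": 1, ")": -1}.get(ddl[i], 0)
            i += 1
        cols = column_names(ddl[m.end():i - 1])
        missing = [c for c in required if c not in cols]
        if missing:
            findings[m.group(1).strip("`")] = missing
    return findings

# Constructed DDL, not the contents of the real init.sql.
SAMPLE_DDL = """
CREATE TABLE IF NOT EXISTS agent_audit_log (
    timestamp DateTime64(3),
    tenant_id LowCardinality(String)
) ENGINE = MergeTree ORDER BY (tenant_id, timestamp);
-- constructed table with no tenant scoping
CREATE TABLE scratch_events (
    timestamp DateTime,
    payload String
) ENGINE = MergeTree ORDER BY timestamp;
"""
```

An empty result from `tables_missing_columns` on the real file is the evidence for this row; any table it lists needs either the missing column or a documented reason it holds no tenant data.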