@cloudstreamsoftware/claude-tools 1.0.0 → 1.1.0

package/skills/compliance-patterns/hipaa/audit-requirements.md

@@ -0,0 +1,251 @@
+# HIPAA Audit Requirements
+
+## Overview
+
+HIPAA requires covered entities and business associates to maintain audit trails for a minimum of **6 years**. Zoho Creator only retains audit data for **1 year**. This gap is the single most critical compliance risk in our Zoho-based healthcare implementations.
+
+> **WARNING**: Failure to maintain 6-year audit trails can result in OCR penalties up to $1.5M per violation category per year. This is non-negotiable for any client handling ePHI.
+
+---
+
+## The 6-Year Retention Requirement vs. Creator's 1-Year Limitation
+
+| Requirement | HIPAA Mandate | Zoho Creator Native | Gap |
+|---|---|---|---|
+| Audit log retention | 6 years from creation or last effective date | 1 year (auto-deleted) | 5 years |
+| Access logs | All ePHI access events | Basic form-level audit | Field-level detail missing |
+| Export tracking | Who exported what, when | Not natively logged | Must custom-build |
+| Share tracking | Record sharing events | Partial (share actions) | Must supplement |
+
+---
+
+## What Constitutes an Adequate Audit Trail
+
+Every audit entry MUST capture the **5 Ws**:
+
+1. **WHO** - User ID, role, IP address, session identifier
+2. **WHAT** - Action performed, fields affected, before/after values
+3. **WHEN** - Timestamp in UTC (ISO 8601 format)
+4. **WHERE** - Application, form, record ID, network location
+5. **WHY** - Business justification (for break-glass access scenarios)
+
+---
+
+## Minimum Logged Events
+
+The following events MUST be captured for any form containing ePHI:
+
+| Event Category | Specific Actions | Priority |
+|---|---|---|
+| **Access** | View record, view report, API read | Critical |
+| **Create** | New record, record duplication | Critical |
+| **Update** | Field modification (before/after values) | Critical |
+| **Delete** | Record deletion, bulk deletion | Critical |
+| **Export** | CSV export, PDF generation, API bulk read | Critical |
+| **Share** | Record sharing, permission changes | Critical |
+| **Auth** | Login, logout, failed login, MFA events | High |
+| **Admin** | Form schema changes, workflow modifications | High |
+| **Print** | Any print action on ePHI-containing views | Medium |
+
+---
+
+## Audit Log Schema Design
+
+### Creator Audit Form Structure
+
+```
+Form: HIPAA_Audit_Log
+Fields:
+  - Audit_ID (Auto-number, primary key)
+  - Timestamp (DateTime, UTC)
+  - User_Email (Email)
+  - User_Role (Single Line)
+  - IP_Address (Single Line)
+  - Session_ID (Single Line)
+  - Action_Type (Picklist: Access/Create/Update/Delete/Export/Share/Auth/Admin)
+  - Form_Name (Single Line)
+  - Record_ID (Number)
+  - Field_Name (Single Line, nullable)
+  - Old_Value (Multi Line, encrypted)
+  - New_Value (Multi Line, encrypted)
+  - Justification (Multi Line, nullable)
+  - Client_ID (Lookup to Clients form)
+  - Archived (Checkbox, default: false)
+  - Archive_Batch_ID (Single Line, nullable)
+```
+
+### BigQuery Long-Term Storage Schema
+
+```sql
+CREATE TABLE `project.dataset.hipaa_audit_logs` (
+  audit_id STRING NOT NULL,
+  timestamp TIMESTAMP NOT NULL,
+  user_email STRING NOT NULL,
+  user_role STRING,
+  ip_address STRING,
+  session_id STRING,
+  action_type STRING NOT NULL,
+  form_name STRING NOT NULL,
+  record_id INT64,
+  field_name STRING,
+  old_value STRING,  -- Encrypted at application layer
+  new_value STRING,  -- Encrypted at application layer
+  justification STRING,
+  client_id STRING NOT NULL,
+  source_org STRING NOT NULL,
+  archive_date TIMESTAMP NOT NULL,
+  archive_batch_id STRING NOT NULL
+)
+PARTITION BY DATE(timestamp)
+CLUSTER BY client_id, action_type;
+```
+
+---
+
+## BigQuery as Long-Term Audit Storage
+
+### Why BigQuery
+
+- **Cost**: $0.02/GB/month for long-term storage (after 90 days untouched)
+- **Durability**: 99.999999999% (11 nines)
+- **Query**: Full SQL for audit investigations
+- **Encryption**: AES-256 at rest by default, CMEK available
+- **Access Controls**: IAM-based, fully auditable
+- **Retention Policies**: Configurable, prevents accidental deletion
+
+### Cost Estimation Per Client
+
+| Records/Month | Estimated Size | Monthly Cost (Long-term) | 6-Year Cost |
+|---|---|---|---|
+| 10,000 | ~5 MB | $0.0001 | $0.007 |
+| 100,000 | ~50 MB | $0.001 | $0.07 |
+| 1,000,000 | ~500 MB | $0.01 | $0.72 |
+
+---
+
+## Automated Archival Before 1-Year Auto-Delete
+
+> **WARNING**: Creator auto-deletes audit data at 12 months. Archival MUST run monthly with buffer. Set the archival window to 10 months maximum to allow for failure recovery.
+
+See `hipaa/data-archival-strategy.md` for the complete automated archival implementation.
+
+### Archival Schedule
+
+- **Monthly**: Export previous month's audit logs to BigQuery
+- **Weekly**: Verify last archival completed successfully
+- **Daily**: Alert if archival job has not run in 35 days
+
+---
+
+## Quarterly Audit Review Process
+
+### Q1/Q2/Q3/Q4 Review Checklist
+
+- [ ] Verify all archival jobs completed for the quarter
+- [ ] Run completeness check (Creator count vs BigQuery count)
+- [ ] Review access patterns for anomalies
+- [ ] Confirm no gaps in audit trail coverage
+- [ ] Validate encryption of sensitive field values
+- [ ] Test restore procedure from BigQuery backup
+- [ ] Update audit scope if new forms added
+- [ ] Document review findings in compliance folder
+
+### Anomaly Detection Queries
+
+```sql
+-- Detect unusual access patterns
+SELECT user_email, COUNT(*) as access_count,
+       DATE(timestamp) as access_date
+FROM `project.dataset.hipaa_audit_logs`
+WHERE action_type = 'Access'
+  AND timestamp > TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 90 DAY)
+GROUP BY user_email, DATE(timestamp)
+HAVING access_count > 100
+ORDER BY access_count DESC;
+
+-- Detect after-hours access
+SELECT user_email, timestamp, action_type, form_name
+FROM `project.dataset.hipaa_audit_logs`
+WHERE EXTRACT(HOUR FROM timestamp) NOT BETWEEN 7 AND 19
+  AND action_type IN ('Access', 'Export', 'Delete')
+ORDER BY timestamp DESC
+LIMIT 100;
+```
+
+---
+
+## Responding to Audit Requests
+
+### OCR (Office for Civil Rights) Audit Response
+
+1. **Acknowledge** receipt within 24 hours
+2. **Scope** the request - identify date ranges and data types requested
+3. **Query** BigQuery for the relevant audit records
+4. **Format** results per OCR specifications (typically CSV or structured report)
+5. **Review** with client legal counsel before submission
+6. **Submit** within the timeframe specified (typically 30 days)
+7. **Document** the entire response process
+
+### Internal Audit Response Template
+
+```json
+{
+  "audit_request_id": "AR-2025-001",
+  "requested_by": "auditor@client.com",
+  "date_range": {"start": "2024-01-01", "end": "2024-12-31"},
+  "scope": "All ePHI access events for Patient Records form",
+  "records_returned": 45230,
+  "export_format": "CSV",
+  "delivered_date": "2025-02-15",
+  "delivered_to": "auditor@client.com",
+  "delivery_method": "Encrypted file transfer",
+  "reviewed_by": "compliance@cloudstreamsoftware.com"
+}
+```
+
+---
+
+## OCR Breach Notification Requirements
+
+> **WARNING**: Breach notification must be provided to affected individuals within **60 days** of discovery. HHS notification is required for breaches affecting 500+ individuals.
+
+### Breach Response Timeline
+
+| Day | Action |
+|---|---|
+| Day 0 | Breach discovered - begin investigation |
+| Day 1-3 | Assess scope using audit logs |
+| Day 3-7 | Determine if notification is required |
+| Day 7-14 | Prepare notification content |
+| Day 14-30 | Begin individual notifications |
+| Day 60 | **DEADLINE**: All individual notifications complete |
+| Day 60 | Submit to HHS if 500+ individuals affected |
+| Annual | Breaches affecting <500 reported to HHS annually |
+
+### Audit Log Queries for Breach Investigation
+
+```sql
+-- Identify all records accessed during breach window
+SELECT DISTINCT record_id, form_name, user_email,
+       MIN(timestamp) as first_access, MAX(timestamp) as last_access
+FROM `project.dataset.hipaa_audit_logs`
+WHERE timestamp BETWEEN @breach_start AND @breach_end
+  AND (user_email = @compromised_user OR ip_address = @suspicious_ip)
+GROUP BY record_id, form_name, user_email
+ORDER BY first_access;
+```
+
+---
+
+## Implementation Checklist for New Healthcare Clients
+
+- [ ] Identify all forms containing ePHI
+- [ ] Deploy audit logging Deluge functions on all identified forms
+- [ ] Configure BigQuery dataset with retention policy
+- [ ] Set up monthly archival via Catalyst Cron
+- [ ] Configure alerting for archival failures
+- [ ] Document audit scope in client compliance folder
+- [ ] Schedule quarterly review calendar events
+- [ ] Verify BAA coverage for all tools in data flow
+- [ ] Test audit trail completeness with sample transactions
+- [ ] Obtain client sign-off on audit configuration

package/skills/compliance-patterns/hipaa/baa-process.md

@@ -0,0 +1,298 @@
+# HIPAA Business Associate Agreement (BAA) Process
+
+## Overview
+
+A Business Associate Agreement (BAA) is a legally binding contract required by HIPAA between a covered entity (the healthcare client) and any business associate (CloudStream, Zoho, GCP, etc.) that creates, receives, maintains, or transmits electronic Protected Health Information (ePHI) on behalf of the covered entity.
+
+> **WARNING**: Handling ePHI without a valid BAA in place is a HIPAA violation regardless of whether a breach occurs. Penalties range from $100 to $50,000 per violation, up to $1.5M per year per violation category.
+
+---
+
+## When You Need a BAA
+
+A BAA is required whenever ANY of the following are true:
+
+| Scenario | BAA Required? | Example |
+|---|---|---|
+| Storing ePHI in a platform | YES | Patient records in Zoho Creator |
+| Processing ePHI through a service | YES | Sending appointment reminders via Zoho Mail |
+| Transmitting ePHI between systems | YES | API integration between Creator and GCP |
+| Hosting ePHI in infrastructure | YES | GCP Cloud Functions processing patient data |
+| Accessing ePHI for support/maintenance | YES | CloudStream staff accessing client Creator org |
+| Storing de-identified data only | NO | Aggregate analytics with no individual identifiers |
+| Marketing site with no data collection | NO | Static website with no forms collecting health info |
+
+### The BAA Chain
+
+```
+Healthcare Client (Covered Entity)
+    |
+    +-- BAA --> CloudStream Software LLC (Business Associate)
+    |               |
+    |               +-- BAA --> Zoho Corporation (Subcontractor BA)
+    |               |
+    |               +-- BAA --> Google Cloud Platform (Subcontractor BA)
+    |               |
+    |               +-- BAA --> Any MCP/Third-party tool (Subcontractor BA)
+    |
+    +-- BAA --> Other vendors with ePHI access
+```
+
+> **WARNING**: Every link in the chain MUST have a BAA. If ANY vendor in the data flow lacks a BAA, the entire implementation is non-compliant.
+
+---
+
+## Zoho BAA Request Process
+
+### Prerequisites
+
+1. Active Zoho One subscription (paid plan required)
+2. Organization Admin access
+3. Zoho Org ID (found in Admin Panel → Organization)
+
+### Step-by-Step Process
+
+1. **Compose email** to `legal@zohocorp.com`
+2. **Subject line**: `BAA Request - [Organization Name] - Org ID: [YOUR_ORG_ID]`
+3. **Include in body**:
+   - Organization name and Org ID
+   - Primary contact name, title, email, phone
+   - List of Zoho services that will handle ePHI
+   - Brief description of use case
+   - Requested effective date
+
+### Email Template
+
+```
+To: legal@zohocorp.com
+Subject: BAA Request - [Client Name] - Org ID: [ORG_ID]
+
+Dear Zoho Legal Team,
+
+We are requesting a Business Associate Agreement for the following organization:
+
+Organization: [Client Legal Name]
+Org ID: [ORG_ID]
+Subscription: Zoho One [Enterprise/Professional]
+Primary Contact: [Name, Title]
+Email: [email]
+Phone: [phone]
+
+Zoho services that will process ePHI:
+- Zoho Creator (patient records, appointment scheduling)
+- Zoho CRM (patient contact information)
+- Zoho Mail (patient communications)
+- [Other applicable services]
+
+Use Case: [Brief 2-3 sentence description]
+
+Requested Effective Date: [Date]
+
+Please send the BAA for review and signature.
+
+Thank you,
+[Your Name]
+CloudStream Software LLC
+[Contact info]
+```
+
+### Expected Timeline
+
+| Step | Duration |
+|---|---|
+| Initial response from Zoho Legal | 3-5 business days |
+| BAA document provided for review | 5-10 business days |
+| Review and negotiation (if needed) | 5-15 business days |
+| Final signature and execution | 3-5 business days |
+| **Total typical timeline** | **2-5 weeks** |
+
+> **WARNING**: Start the BAA process BEFORE beginning any ePHI-related development work. Never assume the BAA will be approved. Factor this timeline into project planning.
+
+---
+
+## GCP BAA Process
+
+### Prerequisites
+
+1. Active GCP billing account
+2. Organization-level access
+3. GCP Organization ID
+
+### Step-by-Step Process
+
+1. Navigate to **Google Cloud Console**
+2. Go to **Settings** (Organization level)
+3. Select **HIPAA compliance** section
+4. Review the Google Cloud BAA
+5. Accept the BAA terms
+6. BAA takes effect **immediately** upon acceptance
+
+### GCP BAA-Covered Services
+
+Not all GCP services are covered under the BAA. Verify each service at:
+https://cloud.google.com/security/compliance/hipaa-covered
+
+Key covered services for CloudStream implementations:
+
+| Service | Covered | Common Use |
+|---|---|---|
+| BigQuery | YES | Long-term audit log storage |
+| Cloud Functions | YES | Catalyst-equivalent serverless |
+| Cloud Storage | YES | File/document storage |
+| Cloud SQL | YES | Relational database |
+| Pub/Sub | YES | Event messaging |
+| Cloud Run | YES | Container workloads |
+| Firebase Authentication | YES | User auth |
+| Cloud KMS | YES | Key management |
+| Compute Engine | YES | VM workloads |
+
+> **WARNING**: Verify current coverage list before using ANY GCP service for ePHI. Google updates the covered services list periodically.
+
+---
+
+## Subcontractor BAA Chain Management
+
+### For Every Third-Party Tool/MCP in the Stack
+
+Before integrating ANY third-party service that will touch ePHI:
+
+1. **Determine** if the service will access, process, store, or transmit ePHI
+2. **Request** BAA from the vendor
+3. **Review** BAA terms with client legal counsel
+4. **Execute** BAA before any ePHI flows through the service
+5. **Document** in the BAA inventory
+
+### Common Third-Party BAA Status
+
+| Vendor | BAA Available | Process |
+|---|---|---|
+| Zoho Corporation | YES | Email legal@zohocorp.com |
+| Google Cloud Platform | YES | Console self-service |
+| Twilio (SMS) | YES | Enterprise plan required |
+| SendGrid (Email) | YES | Contact sales |
+| Stripe (Payments) | NO - not needed | Does not handle ePHI |
+| GitHub | YES | Enterprise plan, contact sales |
+| Custom MCP servers | DEPENDS | Must evaluate per server |
+
+---
+
+## BAA Inventory Tracking
+
+Maintain a BAA inventory for each healthcare client:
+
+### BAA Inventory Template
+
+```json
+{
+  "client": "Example Healthcare Corp",
+  "client_id": "CLT-001",
+  "covered_entity_type": "Healthcare Provider",
+  "inventory_last_reviewed": "2025-01-15",
+  "agreements": [
+    {
+      "vendor": "CloudStream Software LLC",
+      "baa_type": "Business Associate Agreement",
+      "effective_date": "2024-03-01",
+      "expiration": "None - terminates with service agreement",
+      "signed_by_client": "Jane Smith, CEO",
+      "signed_by_vendor": "CloudStream authorized signatory",
+      "document_location": "client-folder/legal/baa-cloudstream-signed.pdf",
+      "services_covered": ["Zoho Creator development", "GCP integration", "ongoing support"],
+      "annual_review_due": "2025-03-01",
+      "status": "Active"
+    },
+    {
+      "vendor": "Zoho Corporation",
+      "baa_type": "Subcontractor BAA",
+      "effective_date": "2024-03-15",
+      "expiration": "Co-terminus with Zoho subscription",
+      "document_location": "client-folder/legal/baa-zoho-signed.pdf",
+      "services_covered": ["Zoho Creator", "Zoho CRM", "Zoho Mail"],
+      "annual_review_due": "2025-03-15",
+      "status": "Active"
+    },
+    {
+      "vendor": "Google Cloud Platform",
+      "baa_type": "Subcontractor BAA",
+      "effective_date": "2024-04-01",
+      "accepted_date": "2024-04-01",
+      "document_location": "GCP Console - Organization Settings",
+      "services_covered": ["BigQuery", "Cloud Functions", "Cloud Storage"],
+      "annual_review_due": "2025-04-01",
+      "status": "Active"
+    }
+  ]
+}
+```
+
+---
+
+## Annual BAA Review Process
+
+### Review Checklist (Perform Annually for Each BAA)
+
+- [ ] Verify BAA is still in effect (not expired or terminated)
+- [ ] Confirm vendor still offers BAA-covered services
+- [ ] Review if scope of ePHI handling has changed
+- [ ] Check for new services added that need BAA coverage
+- [ ] Verify vendor has not had material breaches
+- [ ] Update inventory with current status
+- [ ] Confirm client awareness of all active BAAs
+- [ ] Document review completion and findings
+
+### Annual Review Calendar
+
+Schedule annual reviews 30 days before BAA anniversary date. Create recurring calendar events for each client BAA set.
+
+---
+
+## What To Do If a BAA Is Denied
+
+If a vendor refuses to sign a BAA:
+
+1. **STOP** - Do not proceed with ePHI integration for that vendor
+2. **Document** the denial (save email/communication)
+3. **Evaluate alternatives**:
+   - Find a BAA-willing alternative vendor
+   - Restructure architecture to avoid ePHI in that service
+   - De-identify data before it reaches that service (per HIPAA Safe Harbor method)
+4. **Inform the client** of the limitation and alternatives
+5. **Update** the architecture documentation to reflect the constraint
+
+> **WARNING**: "The vendor said it was fine" is NOT a substitute for a signed BAA. Verbal assurances have zero legal standing under HIPAA.
+
+---
+
+## BAA Requirements by Tool in the CloudStream Stack
+
+| Tool | ePHI Contact | BAA Required | How to Obtain |
+|---|---|---|---|
+| Zoho Creator | Direct (forms/data) | YES | legal@zohocorp.com |
+| Zoho CRM | Direct (contacts) | YES | Same as above |
+| Zoho Flow | Transit (workflows) | YES | Same as above |
+| Zoho Analytics | Direct (reports) | YES | Same as above |
+| Zoho Catalyst | Direct (processing) | YES | Same as above |
+| Zoho Mail | Direct (communications) | YES | Same as above |
+| GCP BigQuery | Direct (audit storage) | YES | Console self-service |
+| GCP Cloud Functions | Transit (processing) | YES | Same GCP BAA |
+| GCP Cloud Storage | Direct (file storage) | YES | Same GCP BAA |
+| Claude/AI tools | NEVER | N/A | Never send ePHI to AI |
+| GitHub | Code only (no ePHI) | NO | No ePHI in code repos |
+| Custom MCPs | Evaluate per use | MAYBE | Contact vendor |
+
+> **WARNING**: NEVER send ePHI to AI/LLM services (Claude, GPT, etc.). These services are NOT BAA-eligible for ePHI processing. Use only de-identified or synthetic data for AI-assisted development.
+
+---
+
+## CloudStream Internal BAA Obligations
+
+As a Business Associate, CloudStream MUST:
+
+1. Use ePHI only as permitted by the BAA
+2. Implement appropriate safeguards (administrative, physical, technical)
+3. Report breaches to the covered entity within contractual timeframe
+4. Ensure subcontractors agree to the same restrictions
+5. Make ePHI available to individuals upon request (if applicable)
+6. Make internal practices available to HHS for compliance audits
+7. Return or destroy ePHI upon contract termination
+8. Maintain documentation of compliance activities for 6 years