getdoorman 1.0.0

package/src/rules/compliance/healthcare.js

@@ -0,0 +1,520 @@
+function isSourceFile(f) { return ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs', '.py', '.rb', '.go', '.java', '.cs', '.php'].some(e => f.endsWith(e)); }
+
+const PHI_FIELDS = /(?:patient|diagnosis|medication|treatment|prescription|medical_record|health_plan|insurance_id|dob|date_of_birth|ssn|medical|clinical|lab_result|vital_sign|allergy|immunization|discharge|prognosis)/i;
+const HEALTH_ENDPOINT = /(?:\/(?:api\/)?(?:patient|health|medical|clinical|appointment|prescription|diagnosis|ehr|fhir|telehealth))/i;
+
+// Only flag HIPAA rules if the project is clearly a healthcare app.
+// Require: health-specific dependencies OR dedicated health API routes (3+ matches).
+const HEALTH_DEPS = /(?:hl7|fhir|@medplum|openemr|smart-on-fhir|bluebutton|healthcare|hipaa|phi-|epic-client)/i;
+function hasHealthContext(files) {
+  let healthEndpointCount = 0;
+  let hasHealthDep = false;
+  for (const [fp, c] of files) {
+    if (fp.endsWith('package.json') || fp.endsWith('requirements.txt') || fp.endsWith('Gemfile')) {
+      if (HEALTH_DEPS.test(c)) hasHealthDep = true;
+    }
+    const endpoints = c.match(HEALTH_ENDPOINT);
+    if (endpoints) healthEndpointCount += endpoints.length;
+  }
+  // Need strong signal: health dependency OR 3+ health-related endpoints
+  return hasHealthDep || healthEndpointCount >= 3;
+}
+
+const rules = [
+  // COMP-HIPAA-007: PHI in error messages/stack traces
+  {
+    id: 'COMP-HIPAA-007', category: 'compliance', severity: 'critical', confidence: 'likely',
+    title: 'PHI Exposed in Error Messages',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (/catch\s*\(/.test(line) || /\.catch\(/.test(line) || /error/i.test(line)) {
+            const block = lines.slice(i, Math.min(i + 10, lines.length)).join('\n');
+            if (PHI_FIELDS.test(block) && /res\.(json|send|status|write)|response\.(json|send)/.test(block)) {
+              findings.push({ ruleId: 'COMP-HIPAA-007', category: 'compliance', severity: 'critical',
+                title: 'PHI may be exposed in error response to client', description: 'Error handlers should never include PHI in responses. Log errors server-side only and return generic error messages to clients. HIPAA §164.312(a)(1).',
+                file: fp, line: i + 1, fix: null });
+              break;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-008: Missing BAA references
+  {
+    id: 'COMP-HIPAA-008', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'Missing Business Associate Agreement (BAA) Reference',
+    check({ files }) {
+      const findings = [];
+      if (!hasHealthContext(files)) return findings;
+      const hasBAA = [...files.values()].some(c => /baa|business.associate|hipaa.agreement|covered.entity/i.test(c)) ||
+        [...files.keys()].some(f => /baa|hipaa/i.test(f));
+      if (!hasBAA) {
+        findings.push({ ruleId: 'COMP-HIPAA-008', category: 'compliance', severity: 'high',
+          title: 'Health app with no Business Associate Agreement (BAA) reference',
+          description: 'HIPAA requires BAAs with all third-party vendors who handle PHI. Document BAA requirements in your codebase or configuration.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-009: PHI shared with third-party SDKs
+  {
+    id: 'COMP-HIPAA-009', category: 'compliance', severity: 'critical', confidence: 'likely',
+    title: 'PHI Shared with Third-Party Monitoring SDKs',
+    check({ files }) {
+      const findings = [];
+      const thirdParty = /(?:Sentry|Datadog|NewRelic|Bugsnag|LogRocket|Rollbar|Raygun|TrackJS|datadog|sentry|newrelic|bugsnag|logrocket)/;
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (thirdParty.test(c) && PHI_FIELDS.test(c)) {
+          findings.push({ ruleId: 'COMP-HIPAA-009', category: 'compliance', severity: 'critical',
+            title: 'PHI may be sent to third-party monitoring service without BAA',
+            description: 'Ensure PHI is scrubbed before sending to third-party services. Each vendor handling PHI requires a signed BAA. Use beforeSend/beforeBreadcrumb hooks to filter PHI.',
+            file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-010: Missing session timeout for PHI access
+  {
+    id: 'COMP-HIPAA-010', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'Missing Session Timeout for PHI Access',
+    check({ files }) {
+      const findings = [];
+      if (!hasHealthContext(files)) return findings;
+      const hasTimeout = [...files.values()].some(c =>
+        /session.*timeout|sessionTimeout|session.*expir|idle.*timeout|maxAge|cookie.*maxAge/i.test(c));
+      if (!hasTimeout) {
+        findings.push({ ruleId: 'COMP-HIPAA-010', category: 'compliance', severity: 'high',
+          title: 'No session timeout configured for health application',
+          description: 'HIPAA requires automatic logoff after periods of inactivity when accessing PHI. Implement session timeouts (recommended: 15 minutes). §164.312(a)(2)(iii).',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-011: PHI in client-side storage
+  {
+    id: 'COMP-HIPAA-011', category: 'compliance', severity: 'critical', confidence: 'definite',
+    title: 'PHI in Client-Side Storage',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (/localStorage|sessionStorage|document\.cookie/.test(line) && PHI_FIELDS.test(line)) {
+            findings.push({ ruleId: 'COMP-HIPAA-011', category: 'compliance', severity: 'critical',
+              title: 'PHI stored in browser storage (localStorage/sessionStorage/cookie)',
+              description: 'Browser storage is accessible to JavaScript and persists across sessions. Never store PHI client-side. Use server-side sessions with encrypted storage.',
+              file: fp, line: i + 1, fix: null });
+            break;
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-012: Missing access controls on health endpoints
+  {
+    id: 'COMP-HIPAA-012', category: 'compliance', severity: 'critical', confidence: 'likely',
+    title: 'Missing Access Controls on Health Endpoints',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (!HEALTH_ENDPOINT.test(c)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (HEALTH_ENDPOINT.test(lines[i]) && /\.(get|post|put|patch|delete)\s*\(/.test(lines[i])) {
+            const block = lines.slice(Math.max(0, i - 3), i + 3).join('\n');
+            if (!/auth|protect|authenticate|middleware|guard|requireAuth|isAuth|verifyToken|passport|jwt/i.test(block)) {
+              findings.push({ ruleId: 'COMP-HIPAA-012', category: 'compliance', severity: 'critical',
+                title: 'Health endpoint without authentication middleware',
+                description: 'All endpoints handling PHI must require authentication. HIPAA §164.312(d) requires person or entity authentication for PHI access.',
+                file: fp, line: i + 1, fix: null });
+              break;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-013: PHI in email/SMS notifications
+  {
+    id: 'COMP-HIPAA-013', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'PHI in Email/SMS Notifications',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (/sendEmail|sendMail|sendSMS|twilio|sendgrid|nodemailer|ses\.send|sns\.publish/i.test(c) && PHI_FIELDS.test(c)) {
+          const lines = c.split('\n');
+          for (let i = 0; i < lines.length; i++) {
+            if (/sendEmail|sendMail|sendSMS|twilio|sendgrid|nodemailer/i.test(lines[i])) {
+              const block = lines.slice(i, Math.min(i + 15, lines.length)).join('\n');
+              if (PHI_FIELDS.test(block)) {
+                findings.push({ ruleId: 'COMP-HIPAA-013', category: 'compliance', severity: 'high',
+                  title: 'PHI may be included in email/SMS notifications',
+                  description: 'Email and SMS are not secure channels for PHI. Use secure messaging portals with patient authentication instead of including health details in notifications.',
+                  file: fp, line: i + 1, fix: null });
+                break;
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-014: Missing backup/disaster recovery config
+  {
+    id: 'COMP-HIPAA-014', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'Missing Backup/Disaster Recovery Configuration',
+    check({ files }) {
+      const findings = [];
+      if (!hasHealthContext(files)) return findings;
+      const hasBackup = [...files.values()].some(c => /backup|disaster.*recover|recovery.*plan|data.*replication|failover/i.test(c)) ||
+        [...files.keys()].some(f => /backup|disaster|recovery/i.test(f));
+      if (!hasBackup) {
+        findings.push({ ruleId: 'COMP-HIPAA-014', category: 'compliance', severity: 'high',
+          title: 'No backup or disaster recovery configuration for health application',
+          description: 'HIPAA §164.308(a)(7) requires contingency planning including data backup, disaster recovery, and emergency mode operation plans.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-015: PHI database without field-level encryption
+  {
+    id: 'COMP-HIPAA-015', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'PHI Database Fields Without Encryption',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) && !fp.endsWith('.sql')) continue;
+        if (!/schema|model|migration|entity|table/i.test(fp) && !/Schema|define|createTable|CREATE TABLE/i.test(c)) continue;
+        if (PHI_FIELDS.test(c) && !/encrypt|cipher|aes|pgcrypto|hashBytes/i.test(c)) {
+          findings.push({ ruleId: 'COMP-HIPAA-015', category: 'compliance', severity: 'high',
+            title: 'PHI fields in database schema without encryption references',
+            description: 'Consider field-level encryption for sensitive PHI fields. HIPAA requires encryption of ePHI at rest. Use database-level encryption (TDE) or application-level field encryption.',
+            file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-016: SELECT * on patient tables
+  {
+    id: 'COMP-HIPAA-016', category: 'compliance', severity: 'medium', confidence: 'likely',
+    title: 'SELECT * on Patient/Health Tables (Minimum Necessary Violation)',
+    check({ files }) {
+      const findings = [];
+      const selectStar = /SELECT\s+\*\s+FROM\s+(?:patient|health|medical|clinical|diagnosis|medication|prescription)/i;
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) && !fp.endsWith('.sql')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (selectStar.test(lines[i])) {
+            findings.push({ ruleId: 'COMP-HIPAA-016', category: 'compliance', severity: 'medium',
+              title: 'SELECT * from health/patient table violates minimum necessary principle',
+              description: 'HIPAA minimum necessary standard requires limiting PHI access to only what is needed. Select specific columns instead of SELECT *.',
+              file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-017: Missing patient consent tracking
+  {
+    id: 'COMP-HIPAA-017', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'Missing Patient Consent Tracking',
+    check({ files }) {
+      const findings = [];
+      if (!hasHealthContext(files)) return findings;
+      const hasConsent = [...files.values()].some(c => /consent|authorization|hipaa.*consent|patient.*consent|consent.*form/i.test(c)) ||
+        [...files.keys()].some(f => /consent/i.test(f));
+      if (!hasConsent) {
+        findings.push({ ruleId: 'COMP-HIPAA-017', category: 'compliance', severity: 'high',
+          title: 'No patient consent tracking mechanism found',
+          description: 'HIPAA requires tracking patient authorizations for use and disclosure of PHI. Implement consent management for data sharing beyond treatment, payment, and operations.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-018: PHI in cache without encryption
+  {
+    id: 'COMP-HIPAA-018', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'PHI in Cache Without Encryption',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (/redis|memcached|cache\.set|cache\.put|cacheManager/i.test(c) && PHI_FIELDS.test(c)) {
+          if (!/encrypt|cipher|tls|ssl/i.test(c)) {
+            findings.push({ ruleId: 'COMP-HIPAA-018', category: 'compliance', severity: 'high',
+              title: 'PHI stored in cache (Redis/Memcached) potentially without encryption',
+              description: 'Cache systems storing PHI must use encryption in transit (TLS) and at rest. Configure Redis with TLS and consider encrypting values at the application level.',
+              file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-019: PHI retained beyond retention policy
+  {
+    id: 'COMP-HIPAA-019', category: 'compliance', severity: 'medium', confidence: 'likely',
+    title: 'No Data Retention Policy for PHI',
+    check({ files }) {
+      const findings = [];
+      if (!hasHealthContext(files)) return findings;
+      const hasRetention = [...files.values()].some(c => /retention|ttl|expir|purge|archive|cleanup.*patient|delete.*old/i.test(c)) ||
+        [...files.keys()].some(f => /retention|archive|cleanup/i.test(f));
+      if (!hasRetention) {
+        findings.push({ ruleId: 'COMP-HIPAA-019', category: 'compliance', severity: 'medium',
+          title: 'No data retention/expiration policy for PHI',
+          description: 'HIPAA requires retaining records for 6 years from creation or last effective date. Implement data retention policies with automated archival/deletion.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-020: Missing emergency access procedure
+  {
+    id: 'COMP-HIPAA-020', category: 'compliance', severity: 'medium', confidence: 'likely',
+    title: 'Missing Emergency Access Procedure',
+    check({ files }) {
+      const findings = [];
+      if (!hasHealthContext(files)) return findings;
+      const hasEmergency = [...files.values()].some(c => /emergency.*access|break.*glass|breakglass|emergency.*override|crisis.*mode/i.test(c));
+      if (!hasEmergency) {
+        findings.push({ ruleId: 'COMP-HIPAA-020', category: 'compliance', severity: 'medium',
+          title: 'No emergency access procedure for health application',
+          description: 'HIPAA §164.312(a)(2)(ii) requires emergency access procedures to obtain necessary ePHI during emergencies. Implement break-glass access with full audit logging.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-021: Health API without rate limiting
+  {
+    id: 'COMP-HIPAA-021', category: 'compliance', severity: 'medium', confidence: 'likely',
+    title: 'Health API Without Rate Limiting',
+    check({ files }) {
+      const findings = [];
+      const hasHealthAPI = [...files.values()].some(c => HEALTH_ENDPOINT.test(c) && /\.(get|post|put|delete)\s*\(/.test(c));
+      if (!hasHealthAPI) return findings;
+      const hasRateLimit = [...files.values()].some(c => /rateLimit|rate.limit|throttle|express-rate-limit|bottleneck/i.test(c));
+      if (!hasRateLimit) {
+        findings.push({ ruleId: 'COMP-HIPAA-021', category: 'compliance', severity: 'medium',
+          title: 'Health API endpoints without rate limiting',
+          description: 'Rate limiting protects against brute-force attacks on PHI endpoints. Implement rate limiting to prevent unauthorized bulk data access.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-022: PHI in mobile app without device encryption check
+  {
+    id: 'COMP-HIPAA-022', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'Mobile Health App Without Device Encryption Check',
+    check({ files }) {
+      const findings = [];
+      const isMobile = [...files.keys()].some(f => /\.swift$|\.kt$|\.dart$|react-native|expo/i.test(f)) ||
+        [...files.values()].some(c => /react-native|flutter|expo|UIKit|SwiftUI|Jetpack/i.test(c));
+      if (!isMobile) return findings;
+      if (!hasHealthContext(files)) return findings;
+      const hasDeviceEncryption = [...files.values()].some(c => /device.*encrypt|isDeviceSecure|passcode|biometric|keychain|keystore|SecureEnclave/i.test(c));
+      if (!hasDeviceEncryption) {
+        findings.push({ ruleId: 'COMP-HIPAA-022', category: 'compliance', severity: 'high',
+          title: 'Mobile health app without device encryption verification',
+          description: 'Mobile apps handling PHI should verify device encryption is enabled before storing or displaying PHI. Use platform APIs to check device security state.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-023: Missing breach notification mechanism
+  {
+    id: 'COMP-HIPAA-023', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'Missing Breach Notification Mechanism',
+    check({ files }) {
+      const findings = [];
+      if (!hasHealthContext(files)) return findings;
+      const hasBreach = [...files.values()].some(c => /breach|incident.*report|security.*incident|notification.*breach|data.*breach/i.test(c)) ||
+        [...files.keys()].some(f => /breach|incident/i.test(f));
+      if (!hasBreach) {
+        findings.push({ ruleId: 'COMP-HIPAA-023', category: 'compliance', severity: 'high',
+          title: 'No breach notification mechanism in health application',
+          description: 'HIPAA Breach Notification Rule requires notifying affected individuals within 60 days. Implement breach detection, logging, and notification workflows.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-024: Telehealth without end-to-end encryption
+  {
+    id: 'COMP-HIPAA-024', category: 'compliance', severity: 'critical', confidence: 'likely',
+    title: 'Telehealth Without End-to-End Encryption',
+    check({ files }) {
+      const findings = [];
+      const hasTelehealth = [...files.values()].some(c => /telehealth|telemedicine|video.*call|video.*consult|webrtc|peer.*connection/i.test(c));
+      if (!hasTelehealth) return findings;
+      const hasE2E = [...files.values()].some(c => /e2e|end.to.end|encrypted.*video|srtp|dtls|encryptionKey/i.test(c));
+      if (!hasE2E) {
+        findings.push({ ruleId: 'COMP-HIPAA-024', category: 'compliance', severity: 'critical',
+          title: 'Telehealth functionality without end-to-end encryption',
+          description: 'Telehealth communications containing PHI must be encrypted end-to-end. Use SRTP/DTLS for WebRTC or verified encrypted video platforms with BAAs.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HIPAA-025: PHI in test fixtures/seed data
+  {
+    id: 'COMP-HIPAA-025', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'PHI in Test Fixtures or Seed Data',
+    check({ files }) {
+      const findings = [];
+      const realPHI = /(?:\d{3}-\d{2}-\d{4})|(?:patient.*john|patient.*jane|diagnosis.*diabetes|medication.*metformin)/i;
+      for (const [fp, c] of files) {
+        if (!/test|spec|fixture|seed|mock|fake|sample/i.test(fp)) continue;
+        if (realPHI.test(c) && PHI_FIELDS.test(c)) {
+          findings.push({ ruleId: 'COMP-HIPAA-025', category: 'compliance', severity: 'high',
+            title: 'Test/seed data may contain real PHI patterns',
+            description: 'Never use real patient data in test fixtures. Use synthetic/fake data generators. Even realistic-looking PHI in tests can be a compliance risk if it matches real records.',
+            file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // === HITECH Rules ===
+
+  // COMP-HITECH-001: No breach notification endpoint
+  {
+    id: 'COMP-HITECH-001', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'No Breach Notification Endpoint (HITECH)',
+    check({ files }) {
+      const findings = [];
+      if (!hasHealthContext(files)) return findings;
+      const hasNotifyEndpoint = [...files.values()].some(c =>
+        /breach.*notif|notify.*breach|incident.*report.*endpoint|\/api\/.*breach/i.test(c));
+      if (!hasNotifyEndpoint) {
+        findings.push({ ruleId: 'COMP-HITECH-001', category: 'compliance', severity: 'high',
+          title: 'No breach notification endpoint or process',
+          description: 'HITECH Act strengthened breach notification requirements. Implement automated breach notification systems to notify HHS, affected individuals, and media (for breaches affecting 500+).',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HITECH-002: Missing encryption safe harbor
+  {
+    id: 'COMP-HITECH-002', category: 'compliance', severity: 'high', confidence: 'likely',
+    title: 'Missing Encryption Safe Harbor Documentation',
+    check({ files }) {
+      const findings = [];
+      if (!hasHealthContext(files)) return findings;
+      const hasEncryption = [...files.values()].some(c => /aes-256|AES_256|encrypt.*at.*rest|encryption.*standard|NIST.*approved/i.test(c));
+      if (!hasEncryption) {
+        findings.push({ ruleId: 'COMP-HITECH-002', category: 'compliance', severity: 'high',
+          title: 'No NIST-approved encryption documented for PHI',
+          description: 'HITECH provides safe harbor from breach notification if PHI is encrypted with NIST-approved standards. Use AES-256 for data at rest and TLS 1.2+ for data in transit.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HITECH-003: No accounting of disclosures
+  {
+    id: 'COMP-HITECH-003', category: 'compliance', severity: 'medium', confidence: 'likely',
+    title: 'No Accounting of Disclosures',
+    check({ files }) {
+      const findings = [];
+      if (!hasHealthContext(files)) return findings;
+      const hasDisclosure = [...files.values()].some(c => /disclosure.*log|accounting.*disclosure|phi.*disclosure|data.*sharing.*log|access.*log.*phi/i.test(c));
+      if (!hasDisclosure) {
+        findings.push({ ruleId: 'COMP-HITECH-003', category: 'compliance', severity: 'medium',
+          title: 'No accounting of disclosures for PHI',
+          description: 'HITECH expanded the right to accounting of disclosures to include treatment, payment, and operations when using EHR. Track all PHI disclosures with date, recipient, and purpose.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HITECH-004: EHR without interoperability standards
+  {
+    id: 'COMP-HITECH-004', category: 'compliance', severity: 'medium', confidence: 'likely',
+    title: 'EHR Data Without Interoperability Standards',
+    check({ files }) {
+      const findings = [];
+      const hasEHR = [...files.values()].some(c => /ehr|electronic.*health.*record|emr|electronic.*medical/i.test(c));
+      if (!hasEHR) return findings;
+      const hasStandards = [...files.values()].some(c => /fhir|hl7|cda|ccda|dicom|icd-10|snomed|loinc/i.test(c));
+      if (!hasStandards) {
+        findings.push({ ruleId: 'COMP-HITECH-004', category: 'compliance', severity: 'medium',
+          title: 'EHR system without health data interoperability standards',
+          description: 'HITECH promotes interoperability through standards like HL7 FHIR, CDA, and standard terminologies (ICD-10, SNOMED, LOINC). Implement FHIR APIs for data exchange.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COMP-HITECH-005: Missing meaningful use audit trail
+  {
+    id: 'COMP-HITECH-005', category: 'compliance', severity: 'medium', confidence: 'likely',
+    title: 'Missing Meaningful Use Audit Trail',
+    check({ files }) {
+      const findings = [];
+      const hasEHR = [...files.values()].some(c => /ehr|electronic.*health.*record|emr/i.test(c));
+      if (!hasEHR) return findings;
+      const hasAudit = [...files.values()].some(c => /audit.*trail|audit.*log|access.*log|activity.*log|user.*action.*log/i.test(c));
+      if (!hasAudit) {
+        findings.push({ ruleId: 'COMP-HITECH-005', category: 'compliance', severity: 'medium',
+          title: 'EHR without comprehensive audit trail for meaningful use',
+          description: 'HITECH meaningful use requirements include audit logging of all EHR access and modifications. Log user, timestamp, action, and data accessed.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;