HIPAA Audit Readiness — Stratum Platform
Last Updated: 2026-04-16 Status: Phase 1 Complete (Infrastructure + BAA), Pre-Production Closeout In Progress Version: 1.1After verifying that App Runner had been frozen at a March image with stale RDS data while Fly.io served all real production traffic, the dual-stack was resolved by tearing down AWS App Runner + RDS and keeping the audit/data substrate. The CloudFormation template, BAA, S3 (PHI + audit), KMS, CloudTrail, GuardDuty, IAM, and ECR all remain ACTIVE. App Runner can be re-spun within ~2 hours from CloudFormation when an enterprise customer requires AWS hosting — see compliance/aws-app-runner-reactivation.md.
What's live in AWS now: S3 PHI buckets (KMS-encrypted, TLS-only, public-blocked, versioned), CloudTrail multi-region trail with log file validation, GuardDuty (S3 logs ON), BAA executed 2025-12-23 (customer-agreement-S951Sgj1601wcNeR).
What was torn down: App Runner stratum-api-production, RDS stratum-production. Final manual snapshot retained: stratum-production-final-20260416-1219. Saves ~$60–80/mo while preserving full re-activation optionality.
Outstanding before production PHI workloads land: rename phi-*-dev-* S3 buckets to production naming; if App Runner is re-activated, enable Multi-AZ on RDS at that time. Authoritative BAA record: compliance/aws-baa/aws-baa-agreement-record.json; full data-flow: compliance/aws-data-flow.md.
Executive Summary
The Stratum Platform AWS environment is configured for HIPAA-eligible workloads with comprehensive audit logging, data retention, encryption controls, and an executed Business Associate Addendum. This document describes the technical posture, with the 2026-04-16 update callout above reflecting the most current verified state.Compliance Checklist (Phase 1 — Technical)
Encryption & Data Protection
- ✅ Encryption at Rest (RDS): RDS Postgres
stratum-productionwithStorageEncrypted: true, KMS keyalias/aws/rds. - ✅ Encryption at Rest (PHI buckets):
phi-uploads-dev-stratumcollectiveandphi-sanitized-dev-stratumcollectiveuse SSE-KMS viaalias/aws/s3;BucketKeyEnabled: true. - ✅ Encryption at Rest (Audit bucket):
stratum-cloudtrail-947073314047uses AES-256 SSE-S3. - ✅ Encryption in Transit (RDS):
rds.force_ssl = 1(system parameter, cannot be disabled). All Postgres connections must use TLS 1.2+. - ✅ Encryption in Transit (S3): All three buckets enforce TLS via
aws:SecureTransportdeny policy. PHI buckets additionally deny PUTs lackingx-amz-server-side-encryptionheader (added 2026-04-16). - ✅ Key Management: AWS-managed KMS keys (no customer-managed KMS required for Phase 1; can migrate to CMK if compliance requirements escalate).
- ✅ CloudTrail: Multi-region trail
stratum-multiregion-trailenabled 2026-04-16. Logs all management events (R/W) plus S3 data events onphi-uploads-dev-*,phi-sanitized-dev-*, and the audit bucket itself. Storage:s3://stratum-cloudtrail-947073314047/with 7-year retention (Glacier transition at 90d). - ✅ Log File Validation: CloudTrail configured with
EnableLogFileValidation: true— cryptographic hash chain, tamper-evident. - ✅ GuardDuty: Threat detection enabled 2026-04-16 in us-west-2 (detector
8ececbd592d7615d75c985ec6e7dd586) with S3 log monitoring; finding publishing frequency 15 min. - ⏳ Application Audit Logs: CloudWatch Log Group
/stratum/api/production/auditdefined; application-level event logging integration pending (separate from CloudTrail infra logging). - ⏳ PostgreSQL Logs: RDS enhanced monitoring not currently enabled (
MonitoringInterval: 0); pending for production PHI workloads. - ✅ Backup Retention: RDS set to 35-day backup retention (extended 2026-04-16 from initial 7-day)
- ✅ Audit Log Retention: S3 and CloudWatch logs configured for 7-year retention (2555 days)
- ✅ Versioning: S3 bucket versioning enabled for immutability
- ✅ Archival: S3 Glacier archival after 90 days, expiration after 7 years
- ✅ Deletion Protection: RDS deletion protection enabled to prevent accidental destruction
- ✅ Network Isolation: RDS only accessible from App Runner via security group
- ✅ Publicly Inaccessible:
PubliclyAccessible: falseenforced - ✅ VPC Connector: App Runner uses VPC connector for private database access
- ✅ S3 Public Block: S3 audit bucket has all public access blocked
- ✅ Snapshots: RDS configured with
DeletionPolicy: Snapshotfor backup on delete - ✅ Multi-AZ: Staging environment can enable MultiAZ for HA (currently single-AZ for cost)
- ✅ Backup Validation: AWS-managed snapshots are automatically validated
- ✅ Status: EXECUTED 2025-12-23
- Agreement ID:
customer-agreement-S951Sgj1601wcNeR - State: ACTIVE — account
947073314047designated as a HIPAA Account - Evidence: Authoritative record from AWS Artifact API archived at
compliance/aws-baa/aws-baa-agreement-record.json. PDF copy available via AWS Console → Artifact → Agreements. - BAA terms apply: only HIPAA-eligible services may be used with PHI; all PHI must be encrypted in transit and at rest (both enforced).
- ⏳ Status: Infrastructure in place, code integration pending
- Action: Implement audit event logging in API routes (precedent CRUD, user actions)
- Location:
src/middleware/audit.ts(already present but needs enhancement) - Fields: timestamp, user_id, action, resource, changes, ip_address, status
- ⏳ Status: Phase 1 uses X-User-Id header (NOT HIPAA-compliant)
- Action: Integrate Auth0 or Clerk for OAuth2/OIDC authentication
- Timeline: Phase 2 (3–5 day project)
- Blocker: Required before live multi-tenant access
Audit Logging & Monitoring
Data Retention & Deletion
Access Control & Network Isolation
Disaster Recovery
Pending Work (Phase 2 — Legal/Administrative)
AWS Business Associate Agreement (BAA)
Application-Level Audit Logging
Authentication Hardening
Configuration Summary
CloudFormation Resources Deployed
1. AuditLogBucket
S3 bucket with AES-256 encryption
Versioning enabled
7-year retention (2555 days) with Glacier archival after 90 days
All public access blocked
CloudTrail (StratumTrail)
Logs all RDS and S3 API calls
Log file validation enabled
Data resources monitored: RDS instances, audit log bucket
CloudWatch Log Group (ApiAuditLogGroup)
Path: /stratum/api/{environment}/audit
Retention: 7 years (2555 days)
Used by application for event logging
RDS Postgres Database
Version: 16.13
Storage: Encrypted (StorageEncrypted: true)
Backups: 7-day retention
Deletion Protection: Enabled
Enhanced Monitoring: Enabled with CloudWatch export
App Runner Service
HIPAA-eligible service tier
VPC Connector for private RDS access
SSL/TLS for all connections
Environment Variables
The App Runner service has access to:AUDIT_LOG_GROUP: CloudWatch Log Group for application audit logsDATABASE_URL: PostgreSQL connection string (SSL required)Testing & Validation
Pre-Deployment Checklist
Post-Deployment Validation
Audit Log Verification
# Check CloudTrail logs in S3
aws s3 ls s3://stratum-audit-logs-{AccountId}-production/
Check CloudWatch logs
aws logs describe-log-groups --log-group-name-prefix "/stratum/api"
aws logs describe-log-streams --log-group-name "/stratum/api/production/audit"
Verify RDS encryption
aws rds describe-db-instances --db-instance-identifier stratum-production \
grep -E "(StorageEncrypted BackupRetentionPeriod)"
Compliance Standards Coverage
HIPAA Security Rule (45 CFR §164.300)
✅ Access Control (authentication/authorization infrastructure)
✅ Audit Controls (CloudTrail + audit logs)
✅ Integrity (encryption at rest + in transit)
✅ Transmission Security (SSL/TLS enforced)
HIPAA Breach Notification Rule (45 CFR §164.400)
✅ Audit trail for breach detection
✅ 7-year log retention for investigation
✅ Immutable logging (versioning + log file validation)
42 CFR Part 2 (Substance Use Disorder Confidentiality)
⏳ Application-level controls pending
✅ Data segregation by tenant (multi-tenancy infrastructure ready)
✅ Access restrictions (network isolation in place)
Incident Response Readiness
Detection
CloudTrail logs all administrative changes
CloudWatch Logs captures application events
RDS performance insights available for anomaly detection
Investigation
All audit logs retained for 7 years
Immutable log files with validation enabled
Timestamps synchronized with AWS infrastructure
Remediation
Deletion protection prevents accidental data loss
Backup snapshots available for point-in-time recovery
DMS (Database Migration Service) available for emergency export
Deployment Instructions
Prerequisites
# Verify AWS CLI configuration
aws sts get-caller-identity
Check VPC and subnet configuration
aws ec2 describe-vpcs
aws ec2 describe-subnets
Deploy CloudFormation Stack
cd infra/
Set environment variables
export AWS_REGION=us-west-2
export ENVIRONMENT=production
export DB_PASSWORD=$(openssl rand -base64 24)
export APP_IMAGE_URI=123456789.dkr.ecr.us-west-2.amazonaws.com/stratum-api:latest
Create stack
aws cloudformation create-stack \
--stack-name stratum-hipaa-${ENVIRONMENT} \
--template-body file://cloudformation.yml \
--parameters \
ParameterKey=Environment,ParameterValue=${ENVIRONMENT} \
ParameterKey=DBMasterPassword,ParameterValue=${DB_PASSWORD} \
ParameterKey=AppImageUri,ParameterValue=${APP_IMAGE_URI} \
ParameterKey=VpcId,ParameterValue=vpc-xxxxx \
ParameterKey=SubnetIds,ParameterValueList=subnet-xxxxx,subnet-yyyyy \
--capabilities CAPABILITY_NAMED_IAM
Monitor stack creation
aws cloudformation describe-stacks --stack-name stratum-hipaa-${ENVIRONMENT}
Roadmap (Phase 2 & Beyond)
Item Phase Timeline Priority
AWS BAA Execution 2 3/30–4/3 Critical
Auth0/Clerk Integration 2 Week 2-3 Critical
Application Audit Events 2 Week 2 High
Structured Logging (Pino) 3 Week 3-4 Medium
Security Assessment 3 Week 4 Medium
DMP Gap Closure 3 Week 4-5 Medium
Sign-Off
Role Name Date Status
Platform Engineer Claude Code 2026-03-31 Technical ✅
Business Owner Patrick TBD Legal ⏳
Questions or Issues? Review the Platform CLAUDE.md or contact the ops team via Hub-OPS.