HIPAA Compliance Guide

Learn how to use Anchora for healthcare applications while maintaining HIPAA compliance. This guide covers PHI handling, required safeguards, and implementation patterns.

Important: HIPAA compliance requires a Business Associate Agreement (BAA). Contact sales@anchora.co.in to sign a BAA before processing any PHI with Anchora.

Overview

Anchora can be used to create immutable audit trails and verify data integrity for healthcare applications. Two things follow from that immutability: whatever you send to Anchora cannot be withdrawn later, and handling Protected Health Information (PHI) requires specific safeguards and a signed Business Associate Agreement. The patterns below are designed so that, in the recommended case, no PHI is sent at all.

What is PHI?

Protected Health Information (PHI) is individually identifiable health information held or transmitted by a covered entity or its business associate. The 18 identifiers of the HIPAA Safe Harbor de-identification standard, grouped here, are:

  • Names and geographic subdivisions smaller than a state
  • Dates (except year) directly related to an individual, and ages over 89
  • Phone numbers, fax numbers, email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers, certificate/license numbers
  • Vehicle identifiers and serial numbers, device identifiers and serial numbers
  • Web URLs, IP addresses
  • Biometric identifiers, full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

Note that a medical record number is itself an identifier. Any reference you send to Anchora should be a random code assigned by you, not derived from the patient's data, with the mapping kept inside your own environment (the re-identification code permitted under 45 CFR 164.514(c)).

HIPAA-Compliant Architecture

The recommended architecture for HIPAA compliance separates PHI from blockchain records:

Pattern 1: Hash-Only Anchoring (Recommended)

Store PHI in your HIPAA-compliant systems. Send only cryptographic hashes to Anchora.

Hash-only anchoring for PHI
const crypto = require('crypto');

const apiKey = process.env.ANCHORA_API_KEY;

// PHI stays in your HIPAA-compliant database
const medicalRecord = {
  patientId: 'P-12345',
  patientName: 'John Smith',
  dateOfBirth: '1985-03-15',
  diagnosis: 'Type 2 Diabetes',
  medications: ['Metformin 500mg'],
  lastVisit: '2024-01-31'
};

// A random per-record salt, stored alongside the PHI and never sent to
// Anchora. Without it, anyone who can guess the record (known schema, small
// ID space) could confirm the guess against the public hash.
const salt = crypto.randomBytes(16);

// Hash salt || record. JSON.stringify follows key insertion order, so build
// the object the same way every time (or sort its keys) or later
// verification will fail.
const recordHash = crypto
  .createHash('sha256')
  .update(salt)
  .update(JSON.stringify(medicalRecord))
  .digest('hex');

async function anchorRecordHash() {
  // Send ONLY the hash to Anchora (no PHI transmitted)
  const response = await fetch('https://api.anchora.io/v1/anchor', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${apiKey}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      hash: recordHash,
      metadata: {
        type: 'medical_record',
        internalRef: 'MR-2024-001',  // Opaque reference assigned by you, not the chart's MRN
        version: 1
      }
    })
  });
  if (!response.ok) throw new Error(`Anchor failed: ${response.status}`);
  return response.json();
}

Best Practice: With hash-only anchoring, no PHI leaves your HIPAA-compliant environment. The ledger stores only a cryptographic fingerprint that proves the data existed, unchanged, at a specific time. Two details matter because that fingerprint is public and permanent: hash a canonical serialization (the same bytes every time, or you cannot verify later), and include a random salt kept with the record, since an unsalted hash of a record whose structure and fields can be guessed lets anyone confirm that guess. Keep the reference in the metadata opaque; an actual medical record number is itself a HIPAA identifier.

Pattern 2: Encrypted PHI (Requires BAA)

If you need to store encrypted PHI with Anchora, you must have a signed BAA and use client-side encryption: the data is encrypted before it leaves your environment, with a key that Anchora never receives. The BAA is still required because, under HHS guidance on cloud services, a provider that stores encrypted ePHI is a business associate even when it never holds the decryption key.

Client-side encrypted PHI
const crypto = require('crypto');

const apiKey = process.env.ANCHORA_API_KEY;

// 32-byte AES-256 key, hex encoded. Fetch it from your HSM/KMS at runtime;
// the environment variable stands in for that lookup. Anchora never sees it.
const encryptionKey = process.env.PHI_ENCRYPTION_KEY;

function encryptPHI(data, key) {
  // 96-bit random nonce, the standard size for GCM. Never reuse a nonce with
  // the same key: GCM loses both confidentiality and integrity if you do.
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv(
    'aes-256-gcm',
    Buffer.from(key, 'hex'),
    iv
  );

  // Concatenate raw bytes, not base64 chunks; joining two base64 strings is
  // only valid when the first chunk happens to be a multiple of 3 bytes.
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(data), 'utf8'),
    cipher.final()
  ]);

  // All three fields are needed to decrypt; the auth tag is what detects
  // tampering with the ciphertext.
  return {
    ciphertext: ciphertext.toString('base64'),
    iv: iv.toString('base64'),
    authTag: cipher.getAuthTag().toString('base64')
  };
}

async function anchorEncryptedRecord(medicalRecord) {
  // Encrypt PHI before transmission (medicalRecord as defined in Pattern 1)
  const encryptedData = encryptPHI(medicalRecord, encryptionKey);

  // Send encrypted data to Anchora
  const response = await fetch('https://api.anchora.io/v1/anchor', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${apiKey}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      data: encryptedData,
      metadata: {
        type: 'encrypted_phi',
        encryption: 'client_side_aes256gcm'
      }
    })
  });
  if (!response.ok) throw new Error(`Anchor failed: ${response.status}`);
  return response.json();
}

Required Safeguards

The HIPAA Security Rule requires three categories of safeguards. The tables below list Anchora's own controls for each; your organization remains responsible for the safeguards on the systems where PHI is actually stored and processed.

Administrative Safeguards

Requirement              Anchora implementation
Security Management      SOC 2 Type II certified, annual penetration testing
Workforce Security       Background checks, security training for all employees
Information Access       Role-based access control, API key scoping
Security Awareness       Regular training, security updates to customers
Contingency Planning     Multi-region backups, disaster recovery plan

Physical Safeguards

Requirement              Anchora implementation
Facility Access          AWS data centers with 24/7 security
Workstation Security     Encrypted workstations, MDM policies
Device Controls          Hardware encryption, secure disposal

Technical Safeguards

Requirement              Anchora implementation
Access Control           API key authentication, IP allowlisting (Enterprise)
Audit Controls           Immutable audit logs, blockchain verification
Integrity Controls       SHA-256 hashing, Merkle tree verification
Transmission Security    TLS 1.3, certificate pinning available

Audit Trail Implementation

The Security Rule's audit controls standard (45 CFR 164.312(b)) requires mechanisms that record and examine activity in systems that contain or use ePHI. Use Anchora to make those records tamper-evident: anchor each access or modification event so it cannot be altered after the fact. Keep PHI out of the event itself, reference the record by an opaque internal identifier, and use a fixed vocabulary for the action field rather than free text that could carry patient details.

Anchor audit events
const crypto = require('crypto');

const apiKey = process.env.ANCHORA_API_KEY;

// Secret pepper for IP hashing, fetched from your KMS in production. A plain
// SHA-256 of an IPv4 address is reversible by trying all 2^32 values; an HMAC
// keyed with a secret is not.
const ipPepper = process.env.AUDIT_IP_PEPPER;

function hashIP(ip) {
  return crypto.createHmac('sha256', ipPepper).update(ip).digest('hex');
}

async function logPHIAccess(event) {
  const auditRecord = {
    eventType: event.type,  // 'view', 'modify', 'export', 'delete'
    timestamp: new Date().toISOString(),
    userId: event.userId,
    userRole: event.userRole,
    resourceType: 'medical_record',
    resourceRef: event.recordRef,  // Opaque reference, never a patient identifier
    action: event.action,          // Fixed vocabulary, not free text about the patient
    ipAddress: hashIP(event.ip),   // Keyed hash of the IP
    outcome: event.success ? 'success' : 'failure'
  };

  // Anchor the audit event
  const response = await fetch('https://api.anchora.io/v1/anchor', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${apiKey}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      data: auditRecord,
      metadata: {
        type: 'hipaa_audit',
        category: event.type
      }
    })
  });
  if (!response.ok) throw new Error(`Anchor failed: ${response.status}`);
  return response.json();
}

// Example usage
logPHIAccess({
  type: 'view',
  userId: 'dr_jane_doe',
  userRole: 'physician',
  recordRef: 'MR-2024-001',
  action: 'view_medication_history',
  ip: '192.168.1.100',
  success: true
}).catch(console.error);

Breach Notification Support

If you have anchored record hashes and audit events as described above, Anchora's immutable records help you:

  • Reconstruct which records were accessed, by whom and when, from audit events that could not be altered after the fact
  • Establish the timeline of unauthorized access from anchor timestamps
  • Show which anchored records were and were not modified by comparing current hashes with the anchored ones
  • Demonstrate your compliance efforts to regulators

Data Retention

HIPAA requires covered entities and business associates to retain required documentation, including audit logs, policies and BAAs, for at least 6 years from its creation or last effective date (45 CFR 164.316(b)(2) and 164.530(j)). Retention periods for the medical records themselves are set by state law and are often longer, so configure retention to the longer of the two. Do not rely on deletion to remove PHI: a hash written to the ledger is permanent, which is one more reason to anchor hashes rather than data.

Configure HIPAA retention
curl -X POST https://api.anchora.io/v1/anchor \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "hash": "a1b2c3d4...",
    "metadata": {
      "type": "hipaa_audit",
      "recordRef": "MR-2024-001"
    },
    "retention": {
      "minimumYears": 6,
      "deleteAfter": "2030-01-31T00:00:00Z"
    }
  }'

Business Associate Agreement

Before processing PHI with Anchora, you must sign a Business Associate Agreement. Our BAA includes:

  • Permitted uses and disclosures of PHI
  • Safeguards Anchora implements
  • Breach notification procedures
  • Termination and data return/destruction
  • Subcontractor obligations

Request a BAA: Contact sales@anchora.co.in with your organization details to initiate the BAA signing process. Enterprise plans include a pre-signed BAA.

Compliance Checklist

Item                     Status       Notes
Signed BAA               Required     Contact sales@anchora.co.in
Client-side encryption   Required     For any PHI sent to Anchora (Pattern 2)
Hash-only mode           Recommended  No PHI leaves your system (Pattern 1)
Audit logging            Required     Log all PHI access and anchor the events
Access controls          Required     Use scoped API keys
Retention policies       Required     Minimum 6 years for HIPAA documentation

Healthcare Use Cases

  • Medical Records: Prove record integrity and detect tampering
  • Consent Management: Immutable consent records with timestamps
  • Clinical Trials: Tamper-proof trial data and audit trails
  • Prescription Tracking: Verify prescription authenticity
  • Insurance Claims: Fraud prevention with immutable claims records