Skip to main content
Regulation: HIPAA EDI (45 CFR 162), HIPAA Security Rule (45 CFR 164)

1. X12 5010 Transaction Support

2. Credential Security (45 CFR 164.312(a)(2)(iv))

  • Credentials stored as Edge Function Secrets (Deno.env.get)
  • No credentials in database, logs, or application state
  • Vault references in pm_clearinghouse_config are logical pointers only
  • OAuth2 tokens are short-lived and not persisted

3. Transport Security (45 CFR 164.312(e)(2)(ii))

  • All Waystar API communication uses HTTPS (TLS 1.2+)
  • REST transport enforced; no unencrypted channels
  • SFTP deferred (would also require TLS/SSH encryption)

4. Audit Trail (45 CFR 164.312(b))

  • All transactions logged to pm_transaction_log (append-only)
  • Metadata captured: timestamp, transaction type, direction, status, trace number, batch_id
  • Batch lifecycle tracked in pm_transaction_batches
  • No PHI in log entries (trace numbers and status only)

5. Tenant Isolation (Constitution §5.1)

  • All clearinghouse tables scoped by organization_id
  • RLS with FORCE prevents cross-tenant access
  • Edge functions validate organization_id on all operations

6. Test Evidence

  • Unit tests: tests/unit/pm/x12/ (envelope, 837P, 835, 270/271, 999, 277CA)
  • Component tests: tests/unit/pm/components/ClearinghouseHealthBadge.test.tsx

Sign-Off Status

See specs/pm/PM-15-P2-COMPLIANCE-SIGNOFF.md for compliance sign-off checklist.