Compliance and HIPAA
Data-privacy (GDPR) and HIPAA/PHI capabilities—consent, data-subject access and erasure requests, PHI records and access logs, breach recording, and admin compliance reporting.
Overview
Shift-Left Studio includes two compliance subsystems — GDPR / data privacy and HIPAA / PHI. These are administrator- and API-driven governance capabilities, not a single settings screen: users exercise their own rights (consent, data-access, erasure) through the platform, and administrators process requests, record breaches, and pull statistics. Every action is written to the audit log. Explore the related capability at HIPAA & GDPR compliance.
Availability: governance capability for enterprise deployments. The reporting, processing, breach, BAA, and safeguard operations require administrator access (the access_settings_section permission; creating PHI patient records also accepts assign_environment_access, held by Environment Managers).
Before you begin
- These operations run against the compliance API (
/api/compliance/*and/api/hipaa/*) — plan to drive them programmatically or through administrator tooling rather than expecting one configuration page. - User-scoped actions (consent, privacy preferences, data-access/erasure requests) act on the signed-in user's own record; admin actions act across all records and require the admin permission above.
- PHI is encrypted at rest, and PHI access must be logged (see below) to satisfy the minimum-necessary standard.
GDPR / data privacy
Capabilities exposed to users and administrators:
| Capability | What it does |
|---|---|
| Consent | Record granting or withdrawing consent. Valid types: marketing, analytics, essential, third_party, data_processing. The IP and user agent are captured on grant. |
| Privacy preferences | Toggle marketingEmails, analyticsTracking, thirdPartySharing, dataProcessing. |
| Data-access request (Article 15) | Submit an access request; it's recorded as pending for admin processing. |
| Data-erasure request (Article 17) | Submit a right-to-be-forgotten request; recorded as pending and processed within 30 days as required by GDPR. |
| Privacy report | Generate a data-subject privacy report. |
| GDPR status / requests | Check the user's GDPR compliance status and list their submitted requests with statuses. |
Administrator-only:
| Admin capability | What it does |
|---|---|
| Review all records | Paginated list of all data-compliance records, filterable by request status and compliance type. |
| Process a request | Set a data-subject request to a new status with a response; completed stamps a completion time. |
| Record a data breach | Log a breach against a user with description, affected data, and impact; opens as investigating. |
| Statistics | Totals and rates: records, GDPR-compliant count and rate, pending requests, active breaches, and per-type consent stats. |
HIPAA / PHI
Capabilities:
| Capability | What it does |
|---|---|
| PHI records | Create a HIPAA compliance record for a patient; PHI data is validated and encrypted before storage. (Admin or Environment Manager.) |
| Authorizations | Grant a HIPAA authorization by purpose: treatment, payment, healthcare_operations, research, marketing, other, with version and signature. |
| Access logging | Log PHI access for the minimum-necessary standard. Access types: view, create, update, delete, export, print, with PHI fields, purpose, and justification. |
| Access logs | Retrieve a patient's PHI access logs, filterable by user, access type, and date range. |
| Breach recording | Record a breach (types unauthorized_access, unauthorized_disclosure, loss, theft, hacking, other; risk low/medium/high). Breaches affecting 500 or more individuals return hhsNotificationRequired: true, flagging HHS notification. (Admin.) |
| BAAs | Record a Business Associate Agreement (BA types include cloud_provider, software_vendor, consulting, billing, laboratory, pharmacy, other; PHI access none/limited/full). (Admin.) |
| Safeguards | Record administrative, physical, or technical security safeguards. (Admin.) |
| Compliance / report | Check a patient's HIPAA compliance status and risk level, and generate a HIPAA compliance report. |
| Patient access requests | Patients can request access to their PHI (processed within 30 days); admins approve/deny with format, fee, or reason. |
| Admin statistics & records | Breach statistics and a paginated list of HIPAA records filterable by status and risk level. |
Troubleshooting / Notes
- "Compliance record not found" — breach, BAA, and safeguard operations require an existing record for that user/patient; create the record first.
- Access denied on admin operations — you need access_settings_section (creating PHI patient records also accepts assign_environment_access).
- Invalid type errors — consent type, authorization purpose, access type, breach type, risk level, BA type, and safeguard type must be one of the exact values listed above.
- These features are exercised by administrators and via the platform API rather than through a single settings screen. Every action is audit-logged.
- Pair with Role Permissions and Audit Logs to control and evidence access.
Related articles
Related articles
- Administration Settings · Product documentation
- Server Connection · Product documentation
- Proxy Settings · Product documentation
- License Management · Product documentation
- User Management · Product documentation
- Role Permissions · Product documentation
Next steps
- Getting started · Install + connect your spec
- Configuration fundamentals · Stabilize runs
- Initial configuration · Users, licensing, projects
- Release notes · Updates and fixes
Still stuck?
Tell us what you’re trying to accomplish and we’ll point you to the right setup—installation, auth, or CI/CD wiring.