Product documentation
Updated July 6, 2026

Compliance and HIPAA

Data-privacy (GDPR) and HIPAA/PHI capabilities—consent, data-subject access and erasure requests, PHI records and access logs, breach recording, and admin compliance reporting.

Overview

Shift-Left Studio includes two compliance subsystems — GDPR / data privacy and HIPAA / PHI. These are administrator- and API-driven governance capabilities, not a single settings screen: users exercise their own rights (consent, data-access, erasure) through the platform, and administrators process requests, record breaches, and pull statistics. Every action is written to the audit log. Explore the related capability at HIPAA & GDPR compliance.

Availability: governance capability for enterprise deployments. The reporting, processing, breach, BAA, and safeguard operations require administrator access (the access_settings_section permission; creating PHI patient records also accepts assign_environment_access, held by Environment Managers).

Before you begin

  • These operations run against the compliance API (/api/compliance/* and /api/hipaa/*) — plan to drive them programmatically or through administrator tooling rather than expecting one configuration page.
  • User-scoped actions (consent, privacy preferences, data-access/erasure requests) act on the signed-in user's own record; admin actions act across all records and require the admin permission above.
  • PHI is encrypted at rest, and PHI access must be logged (see below) to satisfy the minimum-necessary standard.

GDPR / data privacy

Capabilities exposed to users and administrators:

CapabilityWhat it does
ConsentRecord granting or withdrawing consent. Valid types: marketing, analytics, essential, third_party, data_processing. The IP and user agent are captured on grant.
Privacy preferencesToggle marketingEmails, analyticsTracking, thirdPartySharing, dataProcessing.
Data-access request (Article 15)Submit an access request; it's recorded as pending for admin processing.
Data-erasure request (Article 17)Submit a right-to-be-forgotten request; recorded as pending and processed within 30 days as required by GDPR.
Privacy reportGenerate a data-subject privacy report.
GDPR status / requestsCheck the user's GDPR compliance status and list their submitted requests with statuses.

Administrator-only:

Admin capabilityWhat it does
Review all recordsPaginated list of all data-compliance records, filterable by request status and compliance type.
Process a requestSet a data-subject request to a new status with a response; completed stamps a completion time.
Record a data breachLog a breach against a user with description, affected data, and impact; opens as investigating.
StatisticsTotals and rates: records, GDPR-compliant count and rate, pending requests, active breaches, and per-type consent stats.

HIPAA / PHI

Capabilities:

CapabilityWhat it does
PHI recordsCreate a HIPAA compliance record for a patient; PHI data is validated and encrypted before storage. (Admin or Environment Manager.)
AuthorizationsGrant a HIPAA authorization by purpose: treatment, payment, healthcare_operations, research, marketing, other, with version and signature.
Access loggingLog PHI access for the minimum-necessary standard. Access types: view, create, update, delete, export, print, with PHI fields, purpose, and justification.
Access logsRetrieve a patient's PHI access logs, filterable by user, access type, and date range.
Breach recordingRecord a breach (types unauthorized_access, unauthorized_disclosure, loss, theft, hacking, other; risk low/medium/high). Breaches affecting 500 or more individuals return hhsNotificationRequired: true, flagging HHS notification. (Admin.)
BAAsRecord a Business Associate Agreement (BA types include cloud_provider, software_vendor, consulting, billing, laboratory, pharmacy, other; PHI access none/limited/full). (Admin.)
SafeguardsRecord administrative, physical, or technical security safeguards. (Admin.)
Compliance / reportCheck a patient's HIPAA compliance status and risk level, and generate a HIPAA compliance report.
Patient access requestsPatients can request access to their PHI (processed within 30 days); admins approve/deny with format, fee, or reason.
Admin statistics & recordsBreach statistics and a paginated list of HIPAA records filterable by status and risk level.

Troubleshooting / Notes

  • "Compliance record not found" — breach, BAA, and safeguard operations require an existing record for that user/patient; create the record first.
  • Access denied on admin operations — you need access_settings_section (creating PHI patient records also accepts assign_environment_access).
  • Invalid type errors — consent type, authorization purpose, access type, breach type, risk level, BA type, and safeguard type must be one of the exact values listed above.
  • These features are exercised by administrators and via the platform API rather than through a single settings screen. Every action is audit-logged.
  • Pair with Role Permissions and Audit Logs to control and evidence access.

Related articles

Next steps

Still stuck?

Tell us what you’re trying to accomplish and we’ll point you to the right setup—installation, auth, or CI/CD wiring.