GDPR Article 9: Special Category Data
Blood pressure measurements are classified as health data under GDPR Article 9(1): "processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of identifying a natural person, health data or data concerning a person's sex life or sexual orientation" requires explicit consent and heightened safeguards.
Core Requirements
What: Every explicit consent to process health data must be recorded with timestamp, consent type, version of consent text, and signature.
Implementation: Create patient_consent table with columns: id, patient_id, consent_type (e.g., "hcp_access_hcp_managed"), consent_text_version, given_at, revoked_at, ip_address, user_agent. Hash and store consent text separately to allow version tracking.
Why: GDPR Article 7 requires you to be able to prove that the individual gave consent. If questioned by regulators, you must produce the exact consent form they saw, timestamp, and method.
What: Patients can request deletion of all their health data. You must be able to erase all BP measurements, device assignments, and consent records within 30 days.
Implementation: Design data model so that erasing a patient does not cascade-delete audit logs (needed for compliance). Create a deleted_at soft-delete column on patients table. Archive audit logs separately. Support bulk deletion jobs with progress tracking.
Why: GDPR Article 17. Patients have a legal right to be forgotten. Your system must support this without manual database intervention.
What: If Hilo processes health data on behalf of the HCP (Data Controller), a signed Data Processing Agreement must be in place.
Implementation: This is a legal document, not a technical one. But the system must support it via a dpa_signed_at field on the organizations table, and must enforce that no health data is accessible until DPA is signed.
Why: GDPR Article 28 requires a contract between Controller and Processor. Without a DPA, processing is non-compliant. The HCP (controller) cannot use Hilo (processor) legally without it.
Data Residency & Geographic Requirements
EU Data Residency (GDPR)
If any patient is a natural person resident in the EU (or their data is processed in the EU), that data must remain within EU borders. This applies to:
- Database storage: Postgres instance must be in an EU Azure region (e.g.,
EU-WEST-1for Ireland, orEU-NORTH-1for Sweden) - Backups: All backups (snapshots, transaction logs) must also be stored in the same EU region
- Audit logs: Audit trail must be in the same jurisdiction
- Temporary data: Even cache, session stores, and message queues must respect residency
What: If serving both EU and US patients, you must enforce strict data isolation.
Implementation:
- Add
data_residencycolumn toorganizationstable (enum: "EU", "US") - Add
data_residencytopatientstable (inherited from org) - All database queries must include
WHERE data_residency = 'EU'orWHERE data_residency = 'US' - Provision separate Azure resources: Postgres (EU region), Postgres (US region), storage accounts (EU/US)
- API layer must route requests to correct regional backend based on user's data_residency
Why: GDPR prohibits transferring EU resident data outside the EU without explicit adequacy decisions. Violating this is a reportable breach.
US Data Residency (State Laws)
Several US states (CA, TX, VA) have state-level privacy laws (CCPA, TDPSA, VMPPA). Additional requirements:
- California (CCPA/CPRA): Residents have rights to access, delete, and opt-out. Similar to GDPR but weaker. Health data gets special treatment under some interpretations.
- Texas (TDPSA): Requires consent for processing health data. Stricter than GDPR in some areas.
Recommendation: Implement EU compliance first. US state laws are less strict, so treating all US data to EU standards (with minor additions) is practical.
HIPAA Requirements (if US-based Healthcare Entity)
If the HCP is a US-based healthcare provider (subject to HIPAA), processing patient health data triggers HIPAA obligations:
Core HIPAA Rules
- Privacy Rule (45 CFR §164.402-412): Limits use and disclosure of Protected Health Information (PHI). The dashboard must only display health data with proper authorization.
- Security Rule (45 CFR §164.302-318): Technical and administrative safeguards for PHI. Requires encryption, access controls, audit logs.
- Breach Notification Rule (45 CFR §164.400-414): If a breach occurs, you must notify affected individuals within 60 days.
What: All health data must be encrypted both when transmitted (in transit) and when stored (at rest).
Implementation:
- In Transit: All API endpoints require HTTPS (TLS 1.2+). Enable HSTS headers.
- At Rest: Postgres database with Transparent Data Encryption (TDE). Azure managed disks support this natively. Enable encryption on all storage accounts.
- Key Management: Use Azure Key Vault to manage encryption keys. Never hardcode keys in code or env files.
- Backups: Encrypted snapshots only. Backup restore must require key access.
Why: HIPAA Security Rule requires encryption. It's also the #1 defense against data breaches.
What: Every access to health data must be logged: who accessed it, when, what data, from where, and why.
Implementation:
- Create
audit_logtable:id, user_id, action, resource_type, resource_id, patient_id, result (success/failure), ip_address, user_agent, timestamp, metadata (reason for access if applicable) - Log these actions: login, logout, data access (read), data modification (write), data export, role change, consent change, user creation/deletion
- Retain audit logs for minimum 6 years (HIPAA requirement). Archive to immutable blob storage.
- Implement audit log querying UI for compliance officers. Search by: user, patient, date range, action type.
Why: HIPAA Security Rule §164.312(b). Audit logs are your proof of compliance during audits. They also help detect breach patterns.
What: Users should only have access to the minimum data needed for their role.
Implementation:
- Implement role-based access control (RBAC) with these roles: consumer (self only), hcp_user (assigned patients only), hcp_admin (org patients), hilo_admin (all, audited)
- Backend must enforce scope on every query. Frontend does not decide access.
- Implement time-based access: sessions expire after 15 minutes of inactivity (HIPAA best practice)
- For admin access: require multi-factor authentication (MFA). Log all admin actions separately with reason.
Why: HIPAA Security Rule §164.308(a)(4). Limits exposure if an account is compromised.
What: If Hilo (as a Business Associate) creates, receives, or maintains health data on behalf of a HIPAA-covered entity, a BAA must be signed.
Implementation: This is legal (not technical). But track: baa_signed_at on organizations table. Enforce that US HCPs cannot use the dashboard until BAA is signed.
Why: HIPAA §164.502(e). Without a BAA, the HCP cannot legally use a third-party service to handle health data. Violation is a significant fine (~$100-$250k per incident).
Implementation Patterns
Audit Logging Architecture
GET /api/v1/patients/:id/measurements ↓ [Authentication Middleware] Validate JWT token Extract user_id, org_id ↓ [Authorization Middleware] Check role has permission to "read:measurements" ↓ [Scope Resolution] Determine what data user can access For hcp_user: check if patient_id is assigned For hcp_admin: check if patient.org_id == user.org_id ↓ [Query] SELECT measurements FROM physiological WHERE patient_id = :patient_id AND data_residency = user.data_residency ↓ [Audit Log] INSERT INTO audit_log (user_id, action, resource_type, resource_id, patient_id, ip_address, timestamp) VALUES (:user_id, 'read_measurements', 'physiological', :measurement_id, :patient_id, :ip, NOW()) ↓ [Response] Return data to user
Consent Flow (Patient-Managed Device)
- Patient initiates sharing: "Allow HCP John to see my data"
- System creates consent record:
INSERT INTO patient_consent (patient_id, hcp_user_id, consent_type, consent_text_version, given_at) - Patient receives email: "You granted John access to your BP data on [date]"
- HCP can now query: Backend allows HCP to see this patient only after consent is recorded
- Patient revokes consent:
UPDATE patient_consent SET revoked_at = NOW() - HCP can no longer access: Query includes
WHERE revoked_at IS NULLcheck
Explicit consent is required: Patient must proactively grant access. Default is "no access". This satisfies GDPR Article 9(2)(a) and HIPAA consent requirements.
Data Residency Enforcement
// Backend middleware, run BEFORE any query
const userDataResidency = user.data_residency; // "EU" or "US"
const regionConfig = {
EU: { db: postgresEU, vault: vaultEU },
US: { db: postgresUS, vault: vaultUS },
};
const selectedDb = regionConfig[userDataResidency].db;
// All queries now use selectedDb, not a shared connection
// This prevents EU data from leaking to US queries
Regulatory Testing Checklist
| Test | How to Verify | GDPR/HIPAA Requirement |
|---|---|---|
| Consent is recorded | Grant consent, verify patient_consent table has a row with correct timestamp |
GDPR Article 7, HIPAA |
| Consent revocation works | Revoke consent, verify HCP can no longer query patient data (401) | GDPR Article 21, HIPAA |
| Audit log captures access | Access patient data, verify audit_log has a row within 1 second |
HIPAA Security Rule |
| EU/US data segregation | Create EU patient, verify US query returns 401 or empty result | GDPR Article 44 |
| Encryption in transit | Run: curl -I https://api.example.com, verify TLS version and HSTS header |
HIPAA Security Rule |
| Encryption at rest | Verify Postgres TDE is enabled: SELECT * FROM pg_stat_user_tables WHERE encrypted = true |
HIPAA Security Rule |
| RBAC enforced (not bypassed) | As hcp_user, try to access patient outside assigned list, verify 403 | HIPAA Security Rule |
| Right to erasure works | Delete patient, verify all physiological rows are gone but audit_log remains |
GDPR Article 17 |
Open Questions for Legal
These decisions are non-technical but block implementation:
- Q1: Is the HCP the Data Controller? If yes, we need a signed DPA with every HCP organization before they can access the dashboard.
- Q2: Does HIPAA apply? Only if the HCP is US-based and regulated. If they're international, GDPR applies instead.
- Q3: What is the legal basis for HCP-managed device data processing? Is it contract (doctor-patient relationship) or consent? This determines the consent flow.
- Q4: Is this a medical device? If the dashboard is used to support clinical decisions, it may be classified as a medical device (CE mark in EU, FDA in US). This triggers separate regulations.
- Q5: What is the data retention policy? After consent is revoked or patient is deleted, how long do we keep audit logs? HIPAA requires 6 years, GDPR doesn't specify.
Deployment Checklist
Before launching to any production environment:
- ☐ DPA signed with every HCP organization (if in EU or GDPR-applicable)
- ☐ BAA signed with every US HIPAA-covered entity
- ☐ Audit log infrastructure deployed and tested
- ☐ Data residency routing configured (EU/US backends separate)
- ☐ Encryption at rest enabled on all databases and storage
- ☐ HTTPS + HSTS configured on all APIs
- ☐ MFA enabled for all admin users
- ☐ Session timeout configured (15 min inactivity)
- ☐ Legal review complete on consent text and disclaimers
- ☐ Incident response plan drafted (breach notification procedure)
- ☐ Data Processing Impact Assessment (DPIA) completed (if required by jurisdiction)