HIPAA-aligned technical safeguards for nSelf deployments that handle protected health information (PHI). Enforces encryption at rest, session timeout policies, automatic logoff, audit controls, and minimum necessary access — the technical side of a HIPAA compliance program running on your own infrastructure.
This plugin enforces technical safeguards. HIPAA compliance also requires administrative and physical safeguards, staff training, and a Business Associate Agreement with your hosting provider.
```bash
nself plugin install hipaa
nself build
nself start
```

| Safeguard | HIPAA requirement | What the plugin does |
|---|---|---|
| Encryption at rest | §164.312(a)(2)(iv) | Verifies pgcrypto column encryption on PHI tables; alerts on unencrypted columns |
| Automatic logoff | §164.312(a)(2)(iii) | Enforces configurable session idle timeout and absolute session duration |
| Audit controls | §164.312(b) | Integrates with nself-audit for PHI access logging with user, timestamp, and record ID |
| Minimum necessary | §164.502(b) | Enforces role-based field-level access masks on PHI columns via Hasura column permissions |
| Integrity controls | §164.312(c)(1) | Checksums on PHI records; tamper detection via audit chain verification |
| Transmission security | §164.312(e)(1) | Validates TLS configuration; blocks HTTP (non-TLS) access to PHI endpoints |
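The integrity-controls row above relies on an audit chain: each logged PHI access carries a hash of the previous entry, so editing, deleting or reordering any entry invalidates every link after it. The following is an added illustration of that technique in Python, not code from the nself plugin or nself-audit; the genesis value, the entry layout, and the table and action names in the sample events are assumptions, and the events themselves are constructed.

```python
import hashlib
import json
from typing import List, Optional

# Hypothetical anchor for the first link in the chain (an assumption of this example).
GENESIS_HASH = "0" * 64


def record_hash(record: dict, prev_hash: str) -> str:
    """Hash the previous link together with the record's canonical JSON.

    Canonical encoding (sorted keys, no whitespace) makes the hash independent
    of how the record happened to be serialised when it was stored."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + payload).hexdigest()


def append_record(chain: List[dict], record: dict) -> dict:
    """Append one audit event, linking it to the current chain head."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    entry = {"record": record, "prev_hash": prev_hash, "hash": record_hash(record, prev_hash)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict]) -> Optional[int]:
    """Return None if every link verifies, else the index of the first bad link.

    A link is bad if its prev_hash does not match the previous entry's hash
    (a record was deleted or reordered) or if its own hash does not match its
    contents (a record was edited in place)."""
    prev_hash = GENESIS_HASH
    for index, entry in enumerate(chain):
        if entry["prev_hash"] != prev_hash:
            return index
        if entry["hash"] != record_hash(entry["record"], entry["prev_hash"]):
            return index
        prev_hash = entry["hash"]
    return None


def build_sample_chain() -> List[dict]:
    """Constructed PHI access events carrying the fields the audit row lists:
    user, timestamp and record ID. Table and action names are invented."""
    events = [
        {"user": "dr.alice", "ts": "2024-03-01T09:00:00Z", "table": "patients", "record_id": 101, "action": "read"},
        {"user": "nurse.bob", "ts": "2024-03-01T09:05:00Z", "table": "patients", "record_id": 102, "action": "read"},
        {"user": "dr.alice", "ts": "2024-03-01T09:07:00Z", "table": "lab_results", "record_id": 555, "action": "update"},
    ]
    chain: List[dict] = []
    for event in events:
        append_record(chain, event)
    return chain


def edited_record_demo() -> Optional[int]:
    """Retroactively change who accessed record 102; the edited link fails."""
    chain = build_sample_chain()
    chain[1]["record"]["user"] = "someone.else"
    return verify_chain(chain)


def deleted_record_demo() -> Optional[int]:
    """Drop the middle event; the link after the gap fails its prev_hash check."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact chain:", verify_chain(build_sample_chain()))         # None
    print("edited record fails at index:", edited_record_demo())      # 1
    print("deleted record fails at index:", deleted_record_demo())    # 1
```

One caveat a verifier of this kind cannot cover on its own: an attacker who can rewrite the whole store may simply truncate the tail of the chain, and every remaining link still verifies. That is why the current head hash should be recorded somewhere the database writer cannot reach (an alert sent to the audit webhook is one natural place) and compared against the chain during verification.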
| Variable | Required | Default | Description |
|---|---|---|---|
| HIPAA_SESSION_IDLE_MINUTES | No | 15 | Minutes of inactivity before the session is terminated automatically |
| HIPAA_SESSION_MAX_HOURS | No | 8 | Maximum session duration in hours, regardless of activity |
| HIPAA_PHI_TABLES | No | — | Comma-separated list of tables containing PHI, used for encryption verification |
| HIPAA_AUDIT_WEBHOOK | No | — | Webhook URL that receives PHI access alerts |
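The two session variables describe an automatic-logoff policy with an idle limit and an absolute limit. The following added example shows, in Python, how such a policy is read from the environment with the documented defaults and applied to a session; it is illustrative code, not the plugin's implementation. HIPAA_SESSION_IDLE_MINUTES and HIPAA_SESSION_MAX_HOURS are the page's variable names; the Session and Policy classes, their field names and the reference instant T0 are assumptions made for the example.

```python
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Mapping, Optional

# Constructed reference instant used by the demo below.
T0 = datetime(2024, 3, 1, 9, 0, 0, tzinfo=timezone.utc)


def minutes(n: float) -> timedelta:
    return timedelta(minutes=n)


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


@dataclass
class Policy:
    idle: timedelta           # HIPAA_SESSION_IDLE_MINUTES
    max_duration: timedelta   # HIPAA_SESSION_MAX_HOURS


@dataclass
class Session:
    created_at: datetime      # assumed field: when the user authenticated
    last_activity: datetime   # assumed field: last request seen on this session


def policy_from_env(env: Mapping[str, str] = os.environ) -> Policy:
    """Read the two plugin variables, applying the documented defaults (15 min, 8 h).

    Non-positive or non-numeric values raise instead of silently disabling
    logoff, which is the failure mode a misconfiguration must not produce."""
    idle_minutes = int(env.get("HIPAA_SESSION_IDLE_MINUTES", "15"))
    max_hours = int(env.get("HIPAA_SESSION_MAX_HOURS", "8"))
    if idle_minutes <= 0 or max_hours <= 0:
        raise ValueError("HIPAA session timeouts must be positive")
    return Policy(idle=minutes(idle_minutes), max_duration=hours(max_hours))


def evaluate(session: Session, policy: Policy, now: datetime) -> str:
    """Return 'active', 'idle_timeout' or 'max_duration'.

    The absolute limit is checked first so that continuous activity can never
    keep a session alive past HIPAA_SESSION_MAX_HOURS."""
    if now - session.created_at >= policy.max_duration:
        return "max_duration"
    if now - session.last_activity >= policy.idle:
        return "idle_timeout"
    return "active"


def touch(session: Session, policy: Policy, now: datetime) -> Optional[Session]:
    """Record activity at `now`.

    Returns the refreshed session, or None when the session had already expired,
    in which case the request is rejected and the user is logged off rather than
    having the stale session quietly revived."""
    if evaluate(session, policy, now) != "active":
        return None
    return Session(created_at=session.created_at, last_activity=now)


if __name__ == "__main__":
    policy = policy_from_env({})
    session = Session(created_at=T0, last_activity=T0)
    for offset in (minutes(10), minutes(15), hours(8)):
        print(f"+{offset}: {evaluate(session, policy, T0 + offset)}")
```

The order of the checks in evaluate is the security-relevant detail: a client that sends a keep-alive request every few minutes would otherwise hold a session open indefinitely, which is exactly what the absolute HIPAA_SESSION_MAX_HOURS limit exists to prevent.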
Pro Plugin — ɳSelf+ | v1.0.0