Security & Compliance
Status: Living document. Last updated April 7, 2026.
HIPAA Compliance Strategy
What We Handle
| Data Phase | Data Type | HIPAA Classification | How We Handle |
|---|---|---|---|
| Quote browsing | Zip, ages, income | Not PHI (anonymous) | Not stored, stateless |
| Account creation | Email, password | PII | Hashed, encrypted at rest |
| Enrollment | SSN, name, DOB, address | PHI | Field-level encryption (KMS) |
| Documents | Income verification | PHI | Encrypted at rest (S3 + KMS) |
| Broker access | Viewing consumer PII | PHI access event | Audit logged, time-limited |
Day-One HIPAA Checklist
What this costs: $0 in additional tooling. MongoDB Atlas M10 ($57/mo) is the minimum HIPAA-eligible tier. AWS BAA is free. Everything else is configuration and documentation.
Encryption Architecture
What Field-Level Encryption Means
```javascript
// What the API sees (before encryption):
{
  name: "John Smith",
  ssn: "123-45-6789",
  dob: "1990-01-15",
  plan_id: "18126CA0010003"
}

// What MongoDB stores (after CSFLE):
{
  name: Binary("xK8f2...encrypted...a9Ej"),
  ssn: Binary("mP3q7...encrypted...bR2k"),
  dob: Binary("nL5w9...encrypted...cT4m"),
  plan_id: "18126CA0010003" // Not PII, stored plaintext
}

// What a database breach yields:
// Encrypted blobs. Useless without KMS key access.
// KMS keys are in a separate AWS account with separate IAM.
```
Access Control Model
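The flow the snippets above describe (plaintext at the API, opaque blobs at rest, the key held outside the database), as an added TypeScript example written for this page rather than taken from the project's code. The project uses MongoDB CSFLE with AWS KMS; this example substitutes a local `KmsStub` class for KMS and uses Node's built-in AES-256-GCM so it runs offline. `KmsStub`, `encryptRecord`, `decryptRecord`, `leaksPlaintext` and `demo` are names chosen here, not the project's, and the sample record is constructed.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "crypto";

// The three fields the "What We Handle" table classifies as PHI. plan_id stays plaintext.
const PHI_FIELDS = ["name", "ssn", "dob"] as const;

interface EnrollmentRecord { name: string; ssn: string; dob: string; plan_id: string }
// Stored shape: PHI fields are opaque base64 blobs; the wrapped data key travels with the record.
interface StoredRecord extends EnrollmentRecord { dek_wrapped: string }

// AES-256-GCM with associated data. Returns base64(iv || tag || ciphertext).
function aeadEncrypt(key: Buffer, plaintext: Buffer, aad: Buffer): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

function aeadDecrypt(key: Buffer, blob: string, aad: Buffer): Buffer {
  const raw = Buffer.from(blob, "base64");
  const decipher = createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
}

// Hypothetical stand-in for the KMS key in the separate AWS account. It holds the
// key-encryption key and only exposes wrap/unwrap of data keys (the role KMS
// GenerateDataKey/Decrypt play); the KEK never leaves it, so a database dump alone
// cannot unwrap anything.
class KmsStub {
  private readonly kek = randomBytes(32);
  wrap(dek: Buffer): string { return aeadEncrypt(this.kek, dek, Buffer.from("dek-wrap")); }
  unwrap(wrapped: string): Buffer { return aeadDecrypt(this.kek, wrapped, Buffer.from("dek-wrap")); }
}

// Envelope encryption: a fresh data-encryption key per record, each PHI field encrypted
// under it with "<recordId>:<field>" as associated data, the DEK wrapped by KMS and stored alongside.
function encryptRecord(kms: KmsStub, rec: EnrollmentRecord, recordId: string): StoredRecord {
  const dek = randomBytes(32);
  const out: StoredRecord = { ...rec, dek_wrapped: kms.wrap(dek) };
  for (const f of PHI_FIELDS) {
    out[f] = aeadEncrypt(dek, Buffer.from(rec[f], "utf8"), Buffer.from(`${recordId}:${f}`));
  }
  dek.fill(0); // best effort: do not keep the plaintext DEK around
  return out;
}

function decryptRecord(kms: KmsStub, stored: StoredRecord, recordId: string): EnrollmentRecord {
  const dek = kms.unwrap(stored.dek_wrapped); // fails without access to the KMS key
  const out: EnrollmentRecord = { name: "", ssn: "", dob: "", plan_id: stored.plan_id };
  for (const f of PHI_FIELDS) {
    out[f] = aeadDecrypt(dek, stored[f], Buffer.from(`${recordId}:${f}`)).toString("utf8");
  }
  dek.fill(0);
  return out;
}

// True if any PHI value is still readable from the stored record as-is.
function leaksPlaintext(stored: StoredRecord, original: EnrollmentRecord): boolean {
  return PHI_FIELDS.some((f) => stored[f].includes(original[f]));
}

function throws(fn: () => unknown): boolean {
  try { fn(); return false; } catch { return true; }
}

// Walk through the three views the section describes: API view, stored view, breach view.
function demo() {
  const kms = new KmsStub();
  const original: EnrollmentRecord = {
    name: "John Smith", ssn: "123-45-6789", dob: "1990-01-15", plan_id: "18126CA0010003",
  };
  const stored = encryptRecord(kms, original, "enr_0001");
  const roundTrip = decryptRecord(kms, stored, "enr_0001");
  // Ciphertext moved from ssn into dob: the field-bound AAD makes GCM reject it.
  const swappedFails = throws(() => decryptRecord(kms, { ...stored, dob: stored.ssn }, "enr_0001"));
  // A dump of the database read under a different KMS key (a new KmsStub) cannot unwrap the DEK.
  const wrongKmsFails = throws(() => decryptRecord(new KmsStub(), stored, "enr_0001"));
  return { stored, roundTrip, swappedFails, wrongKmsFails, leaks: leaksPlaintext(stored, original) };
}
```

Two properties are worth checking rather than assuming: the record id and field name are bound into the associated data, so a ciphertext copied into another field or record fails authentication instead of decrypting, and a stored record read under a different key-encryption key fails at the unwrap step before any field is touched. `demo()` exercises both.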
Audit Logging
Every access to PHI is logged to both CloudWatch and MongoDB:
```typescript
interface AuditEntry {
  timestamp: Date;
  actor_id: string;      // Who (broker_id, system, consumer_id)
  actor_role: string;    // "broker", "system", "consumer"
  action: string;        // "view_enrollment", "decrypt_ssn", "submit_enrollment"
  resource_type: string; // "enrollment", "consumer", "plan"
  resource_id: string;   // The specific record accessed
  ip_address: string;    // Source IP
  user_agent: string;    // Browser/client info
  result: string;        // "success", "denied", "error"
  metadata: object;      // Additional context
}
```

Retention: Audit logs retained for 7 years (HIPAA minimum is 6 years). Archived to S3 Glacier after 1 year.
EDE Security Requirements (12-Month Horizon)
The third-party audit required for EDE is based on a NIST control set of 294 controls. The eight families tracked below account for 121 of them:
| Control Family | # Controls | Our Current Status |
|---|---|---|
| Access Control | 25 | ✅ IAM + role-based + MFA |
| Audit & Accountability | 14 | ✅ CloudWatch + MongoDB audit |
| Security Assessment | 7 | ❌ Need third-party audit |
| Configuration Management | 11 | ⚠️ Partially (IaC needed) |
| Identification & Authentication | 16 | ⚠️ Need ID proofing integration |
| Incident Response | 10 | ⚠️ Plan written, not tested |
| System & Comms Protection | 22 | ✅ TLS + encryption + VPC |
| System & Info Integrity | 16 | ⚠️ Need vulnerability scanning |
Estimated gap to close: $150K-$400K for the third-party security audit itself. Most technical controls are already in place or straightforward to add with this architecture.
Incident Response Plan (Summary)
- Detection — CloudWatch alarms on anomalous access patterns, failed auth spikes, bulk data access attempts
- Containment — Automated: revoke compromised credentials, isolate affected services. Manual: page on-call engineer.
- Assessment — What data was accessed? Which consumers affected? Scope of exposure.
- Notification — Affected individuals without unreasonable delay and no later than 60 days after discovery, per the HIPAA Breach Notification Rule. HHS and prominent media outlets when more than 500 residents of a state are affected; state attorneys general where state breach-notification laws require it.
- Remediation — Rotate keys, patch vulnerability, update access controls.
- Post-mortem — Document root cause, update risk assessment, implement preventive measures.
Full incident response plan to be maintained as a separate internal document.
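The detection step above, applied to the `AuditEntry` records from the Audit Logging section, as an added example written for this page and not part of the project's code: two rules (bulk PHI access by one actor, a spike of denied requests from one IP) evaluated with a sliding five-minute window over a constructed set of audit entries. The thresholds, rule names, `detectAnomalies` and `sampleEntries` are assumptions for illustration; in production the same logic would run as a CloudWatch alarm or a scheduled query over the MongoDB audit collection, which is not shown.

```typescript
// Shape from the Audit Logging section.
interface AuditEntry {
  timestamp: Date; actor_id: string; actor_role: string; action: string;
  resource_type: string; resource_id: string; ip_address: string;
  user_agent: string; result: string; metadata: object;
}

interface Alert {
  rule: "bulk_phi_access" | "failed_auth_spike";
  key: string;        // actor_id or ip_address the rule fired on
  count: number;      // events in the worst window
  windowStart: Date;
}

// Tunable thresholds (assumed values, not the project's).
const WINDOW_MS = 5 * 60 * 1000;
const BULK_ACCESS_THRESHOLD = 20;  // distinct PHI records read by one actor within the window
const FAILED_AUTH_THRESHOLD = 10;  // denied requests from one source IP within the window
const PHI_ACTIONS = new Set(["view_enrollment", "decrypt_ssn"]);

// Sliding window over (time, value) events: the largest number of distinct values
// that fall within any WINDOW_MS span, and when that span starts.
function maxDistinctInWindow(events: { t: number; v: string }[]): { count: number; start: number } {
  const sorted = [...events].sort((a, b) => a.t - b.t);
  const counts = new Map<string, number>();
  let best = { count: 0, start: 0 };
  let lo = 0;
  for (let hi = 0; hi < sorted.length; hi++) {
    counts.set(sorted[hi].v, (counts.get(sorted[hi].v) ?? 0) + 1);
    while (sorted[hi].t - sorted[lo].t > WINDOW_MS) { // evict events that fell out of the window
      const v = sorted[lo].v;
      const c = (counts.get(v) ?? 1) - 1;
      if (c === 0) counts.delete(v); else counts.set(v, c);
      lo++;
    }
    if (counts.size > best.count) best = { count: counts.size, start: sorted[lo].t };
  }
  return best;
}

function groupBy<T>(items: T[], keyOf: (x: T) => string): Map<string, T[]> {
  const groups = new Map<string, T[]>();
  for (const item of items) {
    const k = keyOf(item);
    const list = groups.get(k) ?? [];
    list.push(item);
    groups.set(k, list);
  }
  return groups;
}

function detectAnomalies(entries: AuditEntry[]): Alert[] {
  const alerts: Alert[] = [];
  // Rule 1: one actor successfully reading many distinct PHI records (bulk access / scraping).
  const phiReads = entries.filter((e) => e.result === "success" && PHI_ACTIONS.has(e.action));
  groupBy(phiReads, (e) => e.actor_id).forEach((es, actor) => {
    const w = maxDistinctInWindow(es.map((e) => ({ t: e.timestamp.getTime(), v: e.resource_id })));
    if (w.count >= BULK_ACCESS_THRESHOLD) {
      alerts.push({ rule: "bulk_phi_access", key: actor, count: w.count, windowStart: new Date(w.start) });
    }
  });
  // Rule 2: denied requests spiking from one IP (credential stuffing, authorization probing).
  const denied = entries.filter((e) => e.result === "denied");
  groupBy(denied, (e) => e.ip_address).forEach((es, ip) => {
    // every denial counts, so the entry's position serves as its distinct value
    const w = maxDistinctInWindow(es.map((e, i) => ({ t: e.timestamp.getTime(), v: String(i) })));
    if (w.count >= FAILED_AUTH_THRESHOLD) {
      alerts.push({ rule: "failed_auth_spike", key: ip, count: w.count, windowStart: new Date(w.start) });
    }
  });
  return alerts;
}

// Constructed sample log: one broker reading 25 enrollments in two minutes, one consumer
// viewing their own record, and one IP producing 12 denials in under a minute.
function sampleEntries(): AuditEntry[] {
  const t0 = Date.parse("2026-04-07T14:00:00Z");
  const base = { actor_role: "broker", resource_type: "enrollment", user_agent: "Mozilla/5.0", metadata: {} };
  const entries: AuditEntry[] = [];
  for (let i = 0; i < 25; i++) {
    entries.push({ ...base, timestamp: new Date(t0 + i * 5000), actor_id: "broker_42", action: "view_enrollment",
      resource_id: `enr_${1000 + i}`, ip_address: "198.51.100.7", result: "success" });
  }
  entries.push({ ...base, actor_role: "consumer", timestamp: new Date(t0 + 60000), actor_id: "consumer_9",
    action: "view_enrollment", resource_id: "enr_2001", ip_address: "192.0.2.44", result: "success" });
  for (let i = 0; i < 12; i++) {
    entries.push({ ...base, actor_role: "consumer", timestamp: new Date(t0 + i * 3000), actor_id: "unknown",
      action: "view_enrollment", resource_id: `enr_${3000 + i}`, ip_address: "203.0.113.9", result: "denied" });
  }
  return entries;
}
```

Counting distinct `resource_id` values rather than raw events is what separates a broker legitimately refreshing one client's page from one walking the enrollment table; the failed-auth rule keys on `ip_address` rather than `actor_id` because the actor is usually unknown when authentication fails.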