Skip to main content
openevidence-data-handling Implement HIPAA-compliant PHI data handling for OpenEvidence integrations.
Use when implementing data protection, configuring retention policies,
or ensuring compliance for clinical AI data flows.
Trigger with phrases like "openevidence phi", "openevidence data",
"openevidence hipaa data", "clinical data handling", "patient data protection".
npx skills add jeremylongshore/claude-code-plugins-plus-skills --skill openevidence-data-handling ai automation claude-code devops mcp ai-agents
OpenEvidence Data Handling
Overview
OpenEvidence provides AI-powered clinical evidence synthesis for healthcare professionals. Data types include clinical queries (potentially containing PHI), evidence citations from medical literature, patient-contextualized responses, research paper references, and usage analytics. All data handling must comply with HIPAA (PHI safeguards, minimum necessary standard, BAA requirements), GDPR for EU clinicians, and FDA guidance on clinical decision support. Query data may contain patient identifiers, diagnoses, or treatment details that require de-identification before storage or analytics.
Data Classification
Data Type Sensitivity Retention Encryption Clinical queries (may contain PHI) Critical De-identify within 24h, purge raw in 7 days AES-256 + TLS, field-level for PHI Evidence citations Low Indefinite (public literature) TLS in transit Patient-contextualized responses High (derived PHI) 30 days max, then de-identify AES-256 at rest Research paper metadata Low Indefinite TLS in transit Clinician usage analytics
Data Import interface ClinicalQuery {
queryId: string; clinicianId: string; queryText: string;
patientContext?: { age?: number; sex?: string; conditions?: string[] };
timestamp: string;
}
async function submitClinicalQuery(query: ClinicalQuery): Promise<string> {
const sanitized = { ...query, queryText: deidentifyPHI(query.queryText) };
const res = await fetch('https://api.openevidence.com/v1/query', {
method: 'POST',
headers: { Authorization: `Bearer ${process.env.OPENEVIDENCE_API_KEY}`, 'Content-Type': 'application/json' },
body: JSON.stringify(sanitized),
});
return (await res.json()).evidenceId;
}
function deidentifyPHI(text: string): string {
return text
.replace(/\b(MRN|mrn)[:\s]?\d{6,}\b/g, '[MRN_REDACTED]')
.replace(/\b\d{3}-\d{2}-\d{4}\b/g, '[SSN_REDACTED]')
.replace(/\b(DOB|dob)[:\s]?\d{1,2}\/\d{1,2}\/\d{2,4}\b/g, '[DOB_REDACTED]')
.replace(/\b[A-Z][a-z]+ [A-Z][a-z]+, (MD|DO|NP|PA)\b/g, '[PROVIDER_REDACTED]');
}
Data Export async function exportEvidenceSummary(queryIds: string[]) {
const summaries = [];
for (const id of queryIds) {
const res = await fetch(`https://api.openevidence.com/v1/evidence/${id}`, {
headers: { Authorization: `Bearer ${process.env.OPENEVIDENCE_API_KEY}` },
});
const data = await res.json();
summaries.push({ queryId: id, citations: data.citations,
summary: deidentifyPHI(data.summary), confidence: data.confidenceScore });
}
return summaries;
}
Data Validation function validateClinicalQuery(q: ClinicalQuery): string[] {
const errors: string[] = [];
if (!q.queryId) errors.push('Missing query ID');
if (!q.clinicianId) errors.push('Missing clinician identifier');
if (!q.queryText || q.queryText.length < 10) errors.push('Query too short for meaningful evidence retrieval');
if (q.queryText.length > 5000) errors.push('Query exceeds 5000 char limit');
if (/\b\d{3}-\d{2}-\d{4}\b/.test(q.queryText)) errors.push('CRITICAL: SSN detected in query text');
if (/\b(MRN|mrn)[:\s]?\d{6,}\b/.test(q.queryText)) errors.push('CRITICAL: MRN detected in query text');
if (q.timestamp && isNaN(Date.parse(q.timestamp))) errors.push('Invalid timestamp');
return errors;
}
Compliance
Error Handling Issue Cause Fix PHI detected in stored query De-identification regex missed a pattern Add pattern to deidentifyPHI, re-scan stored queries API 403 on query submission BAA not on file or expired API credentials Verify BAA status, rotate API key Evidence response contains patient name Upstream model hallucinated PHI Post-process all responses through de-identification before display Audit log gap Logging service outage during query window Replay from API request logs, flag gap in compliance report Export exceeds size limit Too many citations in bulk export Paginate export, limit to 50 evidence summaries per request
Resources
Next Steps See openevidence-security-basics.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).