Recipe: PHI (health data) storage design
A reference architecture for storing protected health information under HIPAA-compatible controls using Meridian primitives.
1. Threat model
- Database breach — attacker obtains raw rows
- Insider access — authorized staff query PHI directly
- Backup exfiltration — unencrypted snapshots leaked
2. Encryption at rest
Every PHI column is encrypted with AES-256-GCM using a per-row data key. The data key is wrapped with a customer-specific KEK stored in a KMS. No plaintext PHI ever touches disk.
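The envelope scheme in this section written out as an added Go example (this is illustration, not Meridian's own code): a per-row DEK encrypts each column with AES-256-GCM and is itself sealed under the KEK. The KEK is represented as an in-memory byte slice standing in for the KMS wrap/unwrap call, and the additional-data strings that bind each ciphertext to its table, row and column are this example's own choice; neither is specified on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// WrappedKey is the per-row data key as stored beside the row: a 256-bit DEK
// sealed under the customer KEK. The KEK is KMS-resident; the byte slice
// passed around here stands in for a KMS wrap/unwrap call (assumption).
type WrappedKey []byte

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext || tag and authenticates aad with it.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func openGCM(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// keyAAD and cellAAD bind the wrapped key and each ciphertext to their row and
// column, so a ciphertext copied between rows or columns fails to decrypt.
func keyAAD(table string, rowID uint64) []byte {
	return []byte(fmt.Sprintf("dek/%s/%d", table, rowID))
}

func cellAAD(table, column string, rowID uint64) []byte {
	return []byte(fmt.Sprintf("cell/%s/%s/%d", table, column, rowID))
}

// NewRowKey generates a fresh DEK for one row and wraps it under the KEK. The
// plaintext DEK exists only in memory for the duration of the write.
func NewRowKey(kek []byte, table string, rowID uint64) ([]byte, WrappedKey, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, nil, err
	}
	wrapped, err := sealGCM(kek, dek, keyAAD(table, rowID))
	return dek, WrappedKey(wrapped), err
}

// EncryptColumn encrypts one PHI column value under the row's DEK.
func EncryptColumn(dek []byte, table, column string, rowID uint64, phi []byte) ([]byte, error) {
	return sealGCM(dek, phi, cellAAD(table, column, rowID))
}

// DecryptColumn unwraps the row's DEK with the KEK, then opens the column.
// Tampering with the ciphertext, the wrapped key or the row/column binding
// surfaces as an authentication error, never as garbage plaintext.
func DecryptColumn(kek []byte, wrapped WrappedKey, table, column string, rowID uint64, ct []byte) ([]byte, error) {
	dek, err := openGCM(kek, wrapped, keyAAD(table, rowID))
	if err != nil {
		return nil, fmt.Errorf("unwrap row key: %w", err)
	}
	return openGCM(dek, ct, cellAAD(table, column, rowID))
}

func main() {
	kek := make([]byte, 32) // constructed stand-in; a real KEK never leaves the KMS
	_, _ = io.ReadFull(rand.Reader, kek)
	dek, wrapped, _ := NewRowKey(kek, "patients", 42)
	ct, _ := EncryptColumn(dek, "patients", "diagnosis", 42, []byte("constructed sample: J45.9"))
	pt, err := DecryptColumn(kek, wrapped, "patients", "diagnosis", 42, ct)
	fmt.Printf("same row: %q err=%v\n", pt, err)
	_, err = DecryptColumn(kek, wrapped, "patients", "diagnosis", 43, ct)
	fmt.Println("ciphertext moved to row 43:", err)
}
```

The binding in the additional data is what addresses the insider case from the threat model: with the row and column authenticated alongside the ciphertext, a value copied from one patient's row into another's fails to open instead of decrypting as the wrong patient's data.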
3. Access control
Row-level security is enforced at the application layer. Each query carries a signed capability token scoped to a single patient ID and operation. Tokens expire after 5 minutes and are bound to the requesting session, so a token captured from one session is rejected when presented from another.
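A concrete token of that shape, as an added example that is not Meridian's token format: the claims are signed with HMAC-SHA256 (an assumption standing in for whatever signature the capability-token service actually uses), and Verify checks signature, expiry, scope and session binding in that order. The claim names, the signing key and the actor, patient and session identifiers are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// TokenTTL is the lifetime of a capability token.
const TokenTTL = 5 * time.Minute

// Capability is the scope one token grants: one actor, one patient, one
// operation, bound to the session that requested it, until ExpiresAt.
type Capability struct {
	Actor     string `json:"act"`
	PatientID string `json:"pat"`
	Operation string `json:"op"`
	SessionID string `json:"sid"`
	ExpiresAt int64  `json:"exp"` // Unix seconds
}

var b64 = base64.RawURLEncoding

// sign is the stand-in for the token service's signature (assumption:
// HMAC-SHA256 under a key that never leaves the token service).
func sign(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// Issue mints a token for exactly one (patient, operation) pair, expiring
// TokenTTL after now and bound to sessionID.
func Issue(key []byte, actor, patientID, op, sessionID string, now time.Time) (string, error) {
	c := Capability{Actor: actor, PatientID: patientID, Operation: op,
		SessionID: sessionID, ExpiresAt: now.Add(TokenTTL).Unix()}
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(body) + "." + b64.EncodeToString(sign(key, body)), nil
}

// Verify checks the signature before trusting any claim, then expiry, then that
// the token's scope is exactly what this query is about to do, then that it is
// presented from the session it was issued to. Errors are kept terse so a
// caller probing scopes learns nothing from them.
func Verify(key []byte, token, patientID, op, sessionID string, now time.Time) (*Capability, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	body, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("malformed token")
	}
	mac, err := b64.DecodeString(parts[1])
	if err != nil || !hmac.Equal(mac, sign(key, body)) { // constant-time compare
		return nil, errors.New("bad signature")
	}
	var c Capability
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, errors.New("malformed claims")
	}
	if !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return nil, errors.New("token expired")
	}
	if c.PatientID != patientID || c.Operation != op {
		return nil, errors.New("token scope does not match request")
	}
	if c.SessionID != sessionID {
		return nil, errors.New("token not bound to this session")
	}
	return &c, nil
}

func main() {
	key := []byte("constructed-signing-key-for-demo") // constructed; the real key stays in the token service
	now := time.Now()
	tok, _ := Issue(key, "dr-ahmed", "P-1001", "read", "sess-7", now)
	_, err := Verify(key, tok, "P-1001", "read", "sess-7", now.Add(time.Minute))
	fmt.Println("read P-1001 from sess-7:", err)
	_, err = Verify(key, tok, "P-1002", "read", "sess-7", now.Add(time.Minute))
	fmt.Println("read P-1002 with the same token:", err)
	_, err = Verify(key, tok, "P-1001", "read", "sess-7", now.Add(6*time.Minute))
	fmt.Println("after six minutes:", err)
}
```

Checking the signature before decoding the claims is deliberate: nothing inside an unauthenticated token, including its expiry, is trusted until the MAC has been verified.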
4. Audit log
Every PHI access is logged to an append-only ledger with actor ID, timestamp, patient ID, and operation type. Logs are hashed into a Merkle tree hourly and the root published to a public transparency log.
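One way to realise the hourly Merkle batch, as an added example rather than the ledger's own implementation: entries are canonically serialised, leaf and interior hashes are domain-separated, and the builder returns both the root to publish and an inclusion proof that an auditor holding only the published root can verify. The entry layout, the hash construction and the sample records are constructed for the example; the page does not specify the ledger's hashing scheme.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// AuditEntry is one record in the append-only PHI access ledger.
type AuditEntry struct {
	Actor, PatientID, Operation string
	Timestamp                   int64 // Unix seconds
}

// Serialize gives a canonical byte form. Fields are separated by a NUL byte,
// which cannot appear in them, so two distinct entries never hash alike.
func (e AuditEntry) Serialize() []byte {
	return []byte(fmt.Sprintf("%s\x00%s\x00%s\x00%d", e.Actor, e.PatientID, e.Operation, e.Timestamp))
}

// Leaf and interior hashes carry different prefixes (domain separation) so an
// interior node can never be presented as if it were a ledger entry.
func leafHash(b []byte) [32]byte { return sha256.Sum256(append([]byte{0x00}, b...)) }

func nodeHash(l, r [32]byte) [32]byte {
	return sha256.Sum256(append(append([]byte{0x01}, l[:]...), r[:]...))
}

// ProofStep is one sibling on the path from a leaf to the root.
type ProofStep struct {
	Sibling [32]byte
	Left    bool // Sibling is the left child at this level
}

// MerkleRoot hashes one hour's batch into a tree and returns the root to
// publish together with the inclusion proof for entries[want]. An unpaired
// node at the end of a level is carried up unchanged rather than duplicated.
func MerkleRoot(entries []AuditEntry, want int) ([32]byte, []ProofStep) {
	if len(entries) == 0 {
		return [32]byte{}, nil
	}
	level := make([][32]byte, 0, len(entries))
	for _, e := range entries {
		level = append(level, leafHash(e.Serialize()))
	}
	var proof []ProofStep
	idx := want
	for len(level) > 1 {
		next := make([][32]byte, 0, (len(level)+1)/2)
		for i := 0; i < len(level); i += 2 {
			if i+1 == len(level) { // odd node out: promote as-is
				next = append(next, level[i])
				continue
			}
			if i == idx {
				proof = append(proof, ProofStep{Sibling: level[i+1], Left: false})
			} else if i+1 == idx {
				proof = append(proof, ProofStep{Sibling: level[i], Left: true})
			}
			next = append(next, nodeHash(level[i], level[i+1]))
		}
		idx /= 2
		level = next
	}
	return level[0], proof
}

// VerifyInclusion recomputes the path from a single entry and its proof; an
// auditor holding only the published root can check an entry this way.
func VerifyInclusion(root [32]byte, e AuditEntry, proof []ProofStep) bool {
	h := leafHash(e.Serialize())
	for _, s := range proof {
		if s.Left {
			h = nodeHash(s.Sibling, h)
		} else {
			h = nodeHash(h, s.Sibling)
		}
	}
	return h == root
}

func main() {
	// Constructed sample batch; real entries come from the ledger.
	batch := []AuditEntry{
		{"dr-ahmed", "P-1001", "read", 1700000000},
		{"nurse-li", "P-1002", "read", 1700000005},
		{"dr-ahmed", "P-1001", "update", 1700000010},
		{"billing-7", "P-1003", "read", 1700000020},
		{"dr-ahmed", "P-1004", "read", 1700000030},
	}
	root, proof := MerkleRoot(batch, 3)
	fmt.Println("root to publish:", hex.EncodeToString(root[:]))
	fmt.Println("entry 3 included:", VerifyInclusion(root, batch[3], proof))
	tampered := batch[3]
	tampered.Operation = "delete"
	fmt.Println("altered entry 3 included:", VerifyInclusion(root, tampered, proof))
}
```

Publishing only the 32-byte root each hour discloses no PHI, yet any later alteration or deletion of a ledger entry changes the root and is caught when an inclusion proof is checked against the published value.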
5. Backup strategy
Backups are encrypted with a separate offline key held in a hardware security module. Restore requires quorum approval from two security officers. Backup integrity is verified via HMAC before any restore.
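The restore gate as an added Go example (illustration, not Meridian's code): the HMAC over the snapshot is checked in constant time before anything else, and the quorum counts only distinct, recognised officers whose approval names that same tag. The officer list, the integrity key and the snapshot bytes are constructed; the key is an in-memory stand-in for the HSM-held key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RestoreQuorum is the number of distinct security officers who must approve.
const RestoreQuorum = 2

// Approval is one officer's sign-off. It names the HMAC tag the officer
// approved, so an approval collected for one snapshot cannot be reused
// against another.
type Approval struct {
	OfficerID string
	BackupTag []byte
}

// RestoreGate holds what the restore path checks against. MACKey is the
// backup integrity key, HSM-resident in practice; here it is an in-memory
// slice standing in for the HSM (assumption).
type RestoreGate struct {
	MACKey   []byte
	Officers map[string]bool // officer IDs that may count toward the quorum
}

// Tag computes the HMAC-SHA256 integrity tag over a snapshot.
func (g RestoreGate) Tag(backup []byte) []byte {
	m := hmac.New(sha256.New, g.MACKey)
	m.Write(backup)
	return m.Sum(nil)
}

// AuthorizeRestore returns nil only when the snapshot's HMAC verifies and at
// least RestoreQuorum distinct, recognised officers approved that exact tag.
// Integrity is checked first, so a corrupted or substituted snapshot is
// rejected before any approval is consulted.
func (g RestoreGate) AuthorizeRestore(backup, presentedTag []byte, approvals []Approval) error {
	expected := g.Tag(backup)
	if !hmac.Equal(presentedTag, expected) { // constant-time compare
		return errors.New("backup integrity check failed")
	}
	seen := make(map[string]bool)
	for _, a := range approvals {
		if !g.Officers[a.OfficerID] {
			continue // not a security officer
		}
		if !hmac.Equal(a.BackupTag, expected) {
			continue // approval was for a different snapshot
		}
		seen[a.OfficerID] = true // one officer approving twice still counts once
	}
	if len(seen) < RestoreQuorum {
		return fmt.Errorf("restore quorum not met: %d of %d distinct approvals", len(seen), RestoreQuorum)
	}
	return nil
}

func main() {
	gate := RestoreGate{
		MACKey:   []byte("constructed-backup-mac-key"), // constructed stand-in for the HSM key
		Officers: map[string]bool{"officer-a": true, "officer-b": true},
	}
	snapshot := []byte("constructed snapshot bytes") // in practice, ciphertext under the offline backup key
	tag := gate.Tag(snapshot)
	fmt.Println("two officers:", gate.AuthorizeRestore(snapshot, tag,
		[]Approval{{"officer-a", tag}, {"officer-b", tag}}))
	fmt.Println("one officer twice:", gate.AuthorizeRestore(snapshot, tag,
		[]Approval{{"officer-a", tag}, {"officer-a", tag}}))
	snapshot[0] ^= 0xff
	fmt.Println("corrupted snapshot:", gate.AuthorizeRestore(snapshot, tag,
		[]Approval{{"officer-a", tag}, {"officer-b", tag}}))
}
```

Tying each approval to the tag it was given for is the detail worth keeping: without it, two sign-offs collected for a routine restore could be replayed to authorise restoring a different, possibly tampered, snapshot.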
This recipe assumes Meridian KMS, capability tokens, and audit ledger are already provisioned. See the getting started guide for setup.