Healthcare PHI Query Bot

Description

A clinical query bot may read de-identified PHI only if the phi_read_deid capability is present, its trust score is ≥ 90, and both patient consent and the clinician role are satisfied. Every access is logged.

Policies can additionally require purpose-of-use tags, cohort size minimums to prevent re-identification, and locality constraints. Every access is one-shot and logged with dataset, fields, purpose, and consent state, satisfying HIPAA requirements.


Business Value

Enable safe analytics while reducing PHI exposure and simplifying audits:

  • Privacy by design: Enforce de-identification and consent every time, not just by convention.
  • Audit simplicity: A single log answers who accessed what, on which legal basis.
  • Safer analytics: Block small cohort queries or sensitive joins automatically.
  • Adaptable governance: Adjust trust floors or allowed fields centrally as policy or law evolves.

Why Not the Alternatives?

Standard RBAC cannot reliably capture per-request consent and de-identification constraints together with DID-verified agent identity and audit lineage:

  • EHR role-based controls are coarse and can’t reliably enforce per-query consent, cohort size, or field-level de-identification.
  • Custom middleware quickly becomes brittle and inconsistent across integrations; a single central policy supports legacy and future systems alike.
  • Policy without DID can’t bind access to a cryptographically verifiable agent identity.

Policy

default allow = false

allow if {
  input.action == "phi_read_deid" # the agent/bot must carry this capability in its VC
  input.resource == "db://ehr/phi_deidentified"
  input.context.patient_consent == true
  input.context.requestor_role == "clinician"
  input.trust >= 90
}
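The decision the policy above encodes, carried through as an added Python example that is not part of this page or of any product it describes. It implements the same five checks as the Rego rule and goes beyond it with the purpose-of-use, allowed-field and cohort-size controls the Description names, enforces one-shot access by request id, and emits the audit record (dataset, fields, purpose, consent state, decision). The capabilities list, request_id and agent_did fields, the field allow-list, the purpose tags and the cohort minimum of 11 are assumed values chosen for the example, not taken from the page.

```python
import json
from datetime import datetime, timezone

# Parameters from the page's Rego policy.
REQUIRED_CAPABILITY = "phi_read_deid"
ALLOWED_RESOURCE = "db://ehr/phi_deidentified"
REQUIRED_ROLE = "clinician"
TRUST_FLOOR = 90
# Assumed values for the extra controls the page names but does not quantify.
MIN_COHORT_SIZE = 11
ALLOWED_PURPOSES = {"treatment", "quality_improvement"}
ALLOWED_FIELDS = {"age_band", "diagnosis_code", "encounter_year"}

# One-shot enforcement: a request id is honoured at most once (in-memory here;
# a real deployment would use a shared store).
_seen_request_ids: set = set()


def evaluate(req: dict) -> tuple:
    """Deny-by-default evaluation. Returns (allowed, audit_record)."""
    ctx = req.get("context", {})
    caps = set(req.get("capabilities", []))  # capabilities from the agent's VC (assumed field)
    fields = set(ctx.get("fields", []))
    cohort = ctx.get("cohort_size")
    trust = req.get("trust")
    denials = []

    rid = req.get("request_id")
    if not rid or rid in _seen_request_ids:
        denials.append("replay")          # missing or reused id: not one-shot
    else:
        _seen_request_ids.add(rid)        # consume the id whatever the outcome
    if req.get("action") != REQUIRED_CAPABILITY or REQUIRED_CAPABILITY not in caps:
        denials.append("capability")
    if req.get("resource") != ALLOWED_RESOURCE:
        denials.append("resource")
    if ctx.get("patient_consent") is not True:
        denials.append("consent")
    if ctx.get("requestor_role") != REQUIRED_ROLE:
        denials.append("role")
    if not isinstance(trust, (int, float)) or trust < TRUST_FLOOR:
        denials.append("trust")
    if ctx.get("purpose") not in ALLOWED_PURPOSES:
        denials.append("purpose")
    if not fields or not fields <= ALLOWED_FIELDS:
        denials.append("fields")          # any field outside the de-identified set denies
    if not isinstance(cohort, int) or cohort < MIN_COHORT_SIZE:
        denials.append("cohort_size")     # small cohorts risk re-identification

    audit = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "request_id": rid,
        "agent": req.get("agent_did"),
        "dataset": req.get("resource"),
        "fields": sorted(fields),
        "purpose": ctx.get("purpose"),
        "consent": ctx.get("patient_consent"),
        "role": ctx.get("requestor_role"),
        "trust": trust,
        "cohort_size": cohort,
        "decision": "allow" if not denials else "deny",
        "denied_on": denials,
    }
    return (not denials), audit


# Constructed sample request; every value below is made up for the example.
SAMPLE_REQUEST = {
    "request_id": "req-0001",
    "agent_did": "did:example:querybot",
    "capabilities": ["phi_read_deid"],
    "action": "phi_read_deid",
    "resource": "db://ehr/phi_deidentified",
    "trust": 94,
    "context": {
        "patient_consent": True,
        "requestor_role": "clinician",
        "purpose": "treatment",
        "fields": ["age_band", "diagnosis_code"],
        "cohort_size": 42,
    },
}


def make_request(request_id: str, trust: int = 94, **ctx_overrides) -> dict:
    """Deep-copy the sample request and patch its id, trust and context fields."""
    req = json.loads(json.dumps(SAMPLE_REQUEST))
    req["request_id"] = request_id
    req["trust"] = trust
    req["context"].update(ctx_overrides)
    return req


if __name__ == "__main__":
    # allow, deny (cohort too small), deny (replayed id)
    for r in (make_request("req-0001"), make_request("req-0002", cohort_size=3),
              make_request("req-0001")):
        allowed, record = evaluate(r)
        print(json.dumps(record))
```

Each evaluation writes one audit record regardless of the decision, so the log alone answers who asked for which dataset and fields, on what purpose and consent basis, and why a denial happened.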