Governance & Auditability
Enterprise governance posture: deterministic execution, full audit trail, PHI-aware telemetry boundaries, and synthetic-first demonstrations. Designed for regulated healthcare environments.
Governance Principles
Determinism
Same input + same guideline + same configuration = same output. Always. Clinical evaluation is rule-based, not statistical.
Traceability
Every output references source guideline (e.g., ADA 2024 §6.3), configured rule, and FHIR resource path.
Reproducibility
Results can be reproduced from source data and configuration version. Supports regulatory audits and dispute resolution.
Fail-Closed
Invalid input is rejected rather than coerced. Authentication failures return no data and no hint about why the request failed. Rate limits block requests outright rather than serving degraded results. Every default is the safe one.
Least Privilege
Per-tenant API keys, so one tenant's credential grants nothing for another. Managed Identity for Azure services. No shared credentials. API keys are compared in constant time, so response timing does not reveal how many leading bytes of a guessed key matched.
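The fail-closed authentication and constant-time key comparison described under Fail-Closed and Least Privilege, as an added illustration rather than the project's own code. It assumes per-tenant keys are stored as SHA-256 digests (the page does not state the storage format), and the tenant names and key strings are constructed for the example. The weak byte-by-byte comparison is included only to show what the constant-time form replaces.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def _digest(api_key: str) -> bytes:
    """SHA-256 of the key; only digests are kept at rest (example assumption)."""
    return hashlib.sha256(api_key.encode("utf-8")).digest()


# Constructed sample tenants and keys for this example.
TENANT_KEY_DIGESTS = {
    "clinic-a": _digest("clinic-a-key-0f3a9c"),
    "clinic-b": _digest("clinic-b-key-77d1e2"),
}

# A random digest that matches no tenant, so an unknown tenant id costs the
# same comparison work as a known one and does not leak through timing.
_DUMMY_DIGEST = _digest(secrets.token_hex(32))


def insecure_compare(a: bytes, b: bytes) -> bool:
    """The weak form: returns at the first differing byte.

    Its running time grows with the number of leading bytes that match,
    which lets an attacker recover a secret one byte at a time.
    """
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def authenticate(tenant_id: str, presented_key: str) -> Optional[str]:
    """Return the tenant id on success, None on any failure (fail-closed).

    hmac.compare_digest takes the same time regardless of where the two
    digests differ, so neither the key bytes nor the existence of the
    tenant id is observable from response latency.
    """
    expected = TENANT_KEY_DIGESTS.get(tenant_id, _DUMMY_DIGEST)
    presented = _digest(presented_key)
    ok = hmac.compare_digest(presented, expected)
    # Unknown tenants always fail, even though the dummy digest cannot match.
    if ok and tenant_id in TENANT_KEY_DIGESTS:
        return tenant_id
    return None


if __name__ == "__main__":
    print(authenticate("clinic-a", "clinic-a-key-0f3a9c"))  # clinic-a
    print(authenticate("clinic-a", "clinic-b-key-77d1e2"))  # None
    print(authenticate("no-such-tenant", "anything"))       # None
```

Hashing the presented key before comparing also makes both inputs to `compare_digest` the same length, so no length check has to run before the constant-time step.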
Configuration as Code
Clinical guidelines, deployment config, and infrastructure defined in version-controlled files with full change history.
Audit Trail
| Artifact | Retention | Access |
|---|---|---|
| Pipeline execution logs | Configurable (default 30 days) | Azure Log Analytics KQL |
| API access logs | Configurable | Application Insights |
| Configuration change history | Full git history (permanent) | GitHub repository |
| Clinical guideline versions | Git-tracked | Repository clinical_guidelines/ |
| Deployment history | Slot swap logs | Azure App Service |
| Security events | Security event log | Azure Monitor / Log Analytics |
PHI-Aware Boundaries
Patient health information never reaches telemetry, logs, or analytics. Three-layer enforcement protects against accidental PHI exposure:
- Key sanitization — Patient identifier fields are never included in log payloads.
- Allowlist enforcement — Only predefined operational keys pass through the telemetry gate.
- Truncation — Free-text fields are capped at 500 characters. This bounds how much free text, and any PHI embedded in it, a single log entry can carry; it is a backstop to the allowlist, not a substitute for it.
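One way to implement the three-layer telemetry gate above, written as an added example rather than the project's own code. The identifier field names, the allowlist of operational keys, and the sample payload are constructed for the example; a real deployment would derive the identifier list from its FHIR field mappings. The gate is applied recursively so that a nested object under an allowed key cannot smuggle an identifier past the top-level check.

```python
from typing import Any, Dict, Iterable

# Layer 1: keys that carry patient identity. Removed before the allowlist is
# consulted, so a mistaken allowlist entry alone cannot leak an identifier.
# Constructed for this example.
IDENTIFIER_KEYS = frozenset({
    "patient_id", "mrn", "tckn", "nhi", "ssn", "dob", "birthdate",
    "name", "given", "family", "phone", "email", "address",
})

# Layer 2: the only keys allowed to reach telemetry. Constructed for this example.
ALLOWED_KEYS = frozenset({
    "event", "rule_id", "guideline_ref", "resource_path", "tenant",
    "duration_ms", "status", "message", "context",
})

# Layer 3: free-text cap, as stated on the page.
MAX_TEXT_LEN = 500


def _normalise(key: str) -> str:
    """Case- and separator-insensitive key form so 'MRN' and 'Patient-Id' match."""
    return key.lower().replace("-", "_")


def sanitize_telemetry(payload: Dict[str, Any],
                       allowed: Iterable[str] = ALLOWED_KEYS,
                       identifier_keys: Iterable[str] = IDENTIFIER_KEYS,
                       max_len: int = MAX_TEXT_LEN) -> Dict[str, Any]:
    """Return a copy of payload that is safe to hand to the telemetry sink."""
    allowed_set = frozenset(_normalise(k) for k in allowed)
    ident_set = frozenset(_normalise(k) for k in identifier_keys)
    out: Dict[str, Any] = {}
    for key, value in payload.items():
        norm = _normalise(key)
        if norm in ident_set:          # layer 1: identifiers never pass
            continue
        if norm not in allowed_set:    # layer 2: everything else must be allowlisted
            continue
        out[key] = _scrub_value(value, allowed_set, ident_set, max_len)
    return out


def _scrub_value(value: Any, allowed_set, ident_set, max_len: int) -> Any:
    """Layer 3 (truncation) plus recursion into nested containers."""
    if isinstance(value, dict):
        return sanitize_telemetry(value, allowed_set, ident_set, max_len)
    if isinstance(value, list):
        return [_scrub_value(v, allowed_set, ident_set, max_len) for v in value]
    if isinstance(value, str):
        return value[:max_len]
    return value  # numbers, booleans, None pass unchanged


# Constructed sample event: mixes operational fields with identifiers and an
# oversized message, as a careless caller might emit.
SAMPLE_EVENT = {
    "event": "rule_evaluated",
    "rule_id": "ada-2024-6.3-a1c",
    "patient_id": "12345",
    "MRN": "000999",
    "message": "x" * 600,
    "debug_blob": "not on the allowlist",
    "context": {"tenant": "clinic-a", "name": "Jane Doe", "status": "ok"},
}


if __name__ == "__main__":
    print(sanitize_telemetry(SAMPLE_EVENT))
```

Order matters: dropping identifier keys first means the allowlist only ever sees operational fields, and truncation runs last so it cannot be used to reason about what was removed. Returning a new dict rather than mutating the input keeps the unsanitized event from being accidentally logged by a later caller that still holds the original.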
Synthetic-First Demonstrations
All public demonstrations, screenshots, and marketing materials use synthetic patient data generated via Synthea or similar tools. No real patient data appears in any public-facing artifact. Each screenshot is reviewed to confirm no real MRNs, TCKNs, NHI numbers, provider names, or dates of service are visible.