HIPAA compliance

When building healthcare applications that handle protected health information (PHI), following proper data handling practices is essential. This guide covers the requirements for using Zep in HIPAA-compliant environments.

Understanding HIPAA compliance with Zep

The Health Insurance Portability and Accountability Act (HIPAA) sets standards for protecting sensitive patient health information. When using Zep as part of a healthcare application, you must ensure that identifiers used within the system do not expose PHI.

Zep offers Business Associate Agreements (BAAs) for Enterprise customers. A BAA is a contract that establishes the responsibilities of each party regarding PHI and is required when a covered entity works with a service provider that may access PHI.

Zep can sign BAAs for Enterprise customers. Contact our Enterprise team to learn more about HIPAA-compliant deployments and BAA options.

Identifier requirements

User IDs, thread IDs, and graph IDs in Zep must never contain personally identifiable information (PII). This requirement is critical for HIPAA compliance and good security hygiene in general.

Why this matters

Identifiers are used throughout the system for logging, debugging, and operational purposes. If these identifiers contain PII such as names, email addresses, or medical record numbers, this information could be inadvertently exposed in logs, error messages, or analytics data.

Required approach

Use opaque, randomly generated identifiers that have no inherent meaning:

import uuid

# Good - opaque identifier with no PII
user_id = str(uuid.uuid4())  # e.g., "550e8400-e29b-41d4-a716-446655440000"
thread_id = str(uuid.uuid4())
graph_id = str(uuid.uuid4())

# Bad - contains PII
user_id = "jane.doe@example.com"  # Contains email
user_id = "patient-12345"  # Contains medical record number
thread_id = "session-jane-smith"  # Contains name

Identifier requirements

Identifier type | Requirement
--------------- | -----------
User ID         | Use UUIDs or internal system identifiers. Do not use email addresses, names, or patient identifiers.
Thread ID       | Use UUIDs. Do not embed user information or session details that could identify a person.
Graph ID        | Use UUIDs or descriptive names that do not contain PII.

Mapping identifiers

Maintain a secure mapping between your opaque Zep identifiers and your internal user records in your own database:

import os

from zep_cloud.client import Zep  # Zep Cloud Python SDK client (assumed import path)

zep_client = Zep(api_key=os.environ["ZEP_API_KEY"])

# In your application database, maintain a mapping
# Your internal patient record links to the opaque Zep user ID
patient_record = {
    "internal_patient_id": "MRN-12345",
    "name": "Jane Doe",
    "zep_user_id": "550e8400-e29b-41d4-a716-446655440000",  # Opaque ID
}

# Use the opaque ID when interacting with Zep
zep_client.user.add(user_id=patient_record["zep_user_id"])

This approach ensures that even if Zep identifiers are logged or exposed, no PHI is compromised.
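The following added example (not Zep's own code) puts the identifier requirements and the mapping approach above into a small application-side guardrail: a policy check that rejects the kinds of identifiers the guide flags, and a mapping class that mints the opaque UUID and keeps the MRN on your side. The regular expressions and class names are constructed for this example and only catch the obvious PII patterns named in the guide.

```python
import re
import uuid

# Constructed patterns for the PII the guide names (emails and MRN-style
# identifiers). They catch obvious mistakes only; UUID enforcement below
# is what actually guarantees an identifier carries no meaning.
_EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
_MRN = re.compile(r"(?i)\b(?:mrn|patient)[-_ ]?\d+")


def is_uuid4(value: str) -> bool:
    """True when value is a canonical, version-4 (random) UUID string."""
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        return False
    return parsed.version == 4 and str(parsed) == value.lower()


def identifier_problems(identifier: str, require_uuid: bool = True) -> list[str]:
    """Reasons an identifier violates the opaque-ID policy; empty list means OK.

    Use require_uuid=True for user and thread IDs. Graph IDs may be descriptive
    names with no PII, so pass require_uuid=False for those.
    """
    problems = []
    if _EMAIL.search(identifier):
        problems.append("contains an email address")
    if _MRN.search(identifier):
        problems.append("looks like a medical record number")
    if require_uuid and not is_uuid4(identifier):
        problems.append("is not a random UUID")
    return problems


class ZepIdentityMap:
    """Application-side mapping from internal patient IDs to opaque Zep user IDs.

    The MRN never leaves this object; only the UUID is handed to Zep.
    """

    def __init__(self) -> None:
        self._zep_id_by_mrn: dict[str, str] = {}

    def zep_user_id_for(self, internal_patient_id: str) -> str:
        # Mint the opaque ID once per patient and reuse it on later calls.
        if internal_patient_id not in self._zep_id_by_mrn:
            self._zep_id_by_mrn[internal_patient_id] = str(uuid.uuid4())
        zep_id = self._zep_id_by_mrn[internal_patient_id]
        if identifier_problems(zep_id):
            raise ValueError(f"refusing to use non-opaque identifier: {zep_id}")
        return zep_id
```

In practice the mapping lives in your own database rather than in memory; the point is that only the value returned by `zep_user_id_for` ever reaches Zep.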

Summary

  • Use opaque, randomly generated identifiers (UUIDs) for user IDs, thread IDs, and graph IDs
  • Never embed PII such as names, emails, or medical record numbers in identifiers
  • Maintain secure mappings between Zep identifiers and internal records in your own systems
  • Contact Zep about Enterprise plans for BAA options and HIPAA-compliant deployments