HIPAA compliance

When building healthcare applications that handle protected health information (PHI), you must ensure that identifiers used within Zep do not expose PHI.

Zep offers Business Associate Agreements (BAAs) for Enterprise customers. Contact our Enterprise team to learn more about HIPAA-compliant deployments.

Identifier requirements

To maintain HIPAA compliance when using Zep, user IDs, thread IDs, and graph IDs must not contain personally identifiable information (PII). Identifiers appear in logs, error messages, and analytics data, so embedding PII in them risks inadvertent exposure.

| Identifier type | Requirement |
| --- | --- |
| User ID | Use UUIDs or internal system identifiers. Do not use email addresses, names, or patient identifiers. |
| Thread ID | Use UUIDs. Do not embed user information or session details that could identify a person. |
| Graph ID | Use UUIDs or descriptive names that do not contain PII. |
```python
import uuid

# Correct: opaque identifier with no PII
user_id = str(uuid.uuid4())  # e.g., "550e8400-e29b-41d4-a716-446655440000"

# Incorrect: contains PII (placeholder values, shown only to illustrate what to avoid)
user_id = "jane.doe@example.com"  # Contains an email address
user_id = "patient-12345"         # Contains a medical record number
```

Mapping identifiers

Maintain a secure mapping between opaque Zep identifiers and internal user records in your own database:

```python
import os

# Assumes the Zep Cloud Python SDK; the API key is read from the environment
# rather than hard-coded.
from zep_cloud.client import Zep

zep_client = Zep(api_key=os.environ["ZEP_API_KEY"])

# Your internal patient record links to the opaque Zep user ID.
# The MRN and name stay in your own database and are never sent to Zep.
patient_record = {
    "internal_patient_id": "MRN-12345",
    "name": "Jane Doe",
    "zep_user_id": "550e8400-e29b-41d4-a716-446655440000",
}

# Use only the opaque ID when interacting with Zep
zep_client.user.add(user_id=patient_record["zep_user_id"])
```