Computer Use and PHI Compliance

Many think that simply signing a computer‑use policy is enough to satisfy phi regulations, but the reality is far stricter.

In most organizations, engineers log into shared workstations, use remote‑desktop tools, or spin up temporary containers without a clear record of who did what. A policy document may state that protected health information must not be exposed, yet the technical controls to prove compliance are missing. Auditors ask for concrete evidence: timestamps, command‑level logs, and proof that any accidental disclosure was prevented or at least detected.

Why phi compliance demands more than a signed policy

Regulations such as HIPAA require that any access to protected health information be both authorized and auditable. The authorization part is usually handled by identity providers, group memberships, and role‑based access control. The audit part, however, is often left to ad‑hoc logging solutions that are either incomplete or sit inside the application that processes the data. When the audit trail lives on the same host that the engineer controls, it can be altered, deleted, or simply never generated for certain commands.

Consequently, a typical compliance gap looks like this:

• Identity federation grants a user the right to open a remote‑desktop session.
• The session connects directly to the target server, bypassing any central guard.
• No independent system records the exact keystrokes, queries, or file accesses.
• If a breach occurs, the organization cannot demonstrate who accessed which PHI, when, or whether protective filters were applied.

Addressing the gap requires a control surface that sits between the identity token and the actual resource. That surface must be able to enforce policies, capture evidence, and apply data‑level protections without exposing credentials to the end user.

How an access gateway creates audit evidence for phi

The first step is to define the setup. Users authenticate through a trusted OIDC or SAML provider. The gateway reads the token, extracts group membership, and decides whether the request may proceed. This step determines who is making the request, but it does not enforce any runtime guard.

The next step is the data path. An access gateway sits on the network edge, intercepting every protocol‑level request before it reaches the target system. Because the gateway is the only point where traffic flows, it can apply uniform policies regardless of the underlying resource, whether a PostgreSQL database, an SSH host, or a Kubernetes pod.

All enforcement outcomes stem from that gateway. hoop.dev records each session, timestamps every command, and stores the logs in a storage backend that you control. It masks PHI fields in query results, ensuring that downstream tools never see raw identifiers. It blocks commands that match a deny list, such as attempts to export full tables of patient data. When a high‑risk operation is detected, hoop.dev routes the request to a human approver and only forwards it after explicit consent.

Because the gateway holds the credential for the target system, the engineer never sees the secret. This design satisfies the principle that the agent never sees the credential, reducing the risk of credential leakage while still allowing just‑in‑time access.

These capabilities generate the exact artifacts auditors look for:

• A complete log of who accessed which resource, when, and what commands were run.
• Redacted response payloads that demonstrate PHI was never exposed in plain text.
• Approval records that show a privileged operation was reviewed and authorized.
• Session recordings that can be replayed for forensic analysis.

All of these artifacts are produced automatically by the gateway, without requiring developers to instrument each application individually.

Getting started with the gateway

To adopt this model, begin by deploying the gateway in your network. The official getting‑started guide walks you through a Docker Compose deployment, OIDC configuration, and connection registration for common targets. The learn section provides deeper coverage of policy definition, masking rules, and approval workflows.

Once the gateway is running, register your computer‑use resources, SSH hosts, RDP machines, or database endpoints as connections. The gateway will store the service credentials, enforce the policies you define, and start emitting audit evidence for every session.

Open source and community involvement

Because the solution is open source, you can review the code, extend the policy engine, or contribute new connectors. Visit the repository on GitHub to explore the implementation and submit pull requests.

Explore hoop.dev on GitHub

FAQ

Does the gateway replace existing identity providers?

No. The gateway consumes identity assertions from your existing OIDC or SAML provider. It adds a layer of enforcement and evidence generation on top of the authentication you already have.

Can I use the gateway for non‑PHI workloads?

Absolutely. The same architecture works for any sensitive data, such as financial records or intellectual property. The masking and approval rules are configurable per connection.

How is the audit data stored securely?

The gateway writes logs to a storage backend that you control. Access to that backend is governed by the same identity framework, ensuring that only authorized auditors can retrieve the evidence.