All posts
June 18, 20263 min read

HIPAA for non-human identities: governing machine access end to end (on Postgres)

An automated data‑pipeline job runs nightly, using a shared service account to pull patient records from a PostgreSQL database in a way that must satisfy hipaa requirements. The credential lives in a CI secret store, is copied into multiple build agents, and never changes. When a new version of the pipeline is promoted, the same password is pushed again, and the operations team trusts that the job will only read what it needs. There is no per‑run audit, no way to see which query extracted protec

Free White Paper

End-to-End Encryption + Non-Human Identity Management: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

An automated data‑pipeline job runs nightly, using a shared service account to pull patient records from a PostgreSQL database in a way that must satisfy hipaa requirements. The credential lives in a CI secret store, is copied into multiple build agents, and never changes. When a new version of the pipeline is promoted, the same password is pushed again, and the operations team trusts that the job will only read what it needs. There is no per‑run audit, no way to see which query extracted protected health information, and no mechanism to prevent an accidental UPDATE that could overwrite a patient’s record. Because the job is a non‑human identity, HIPAA’s audit and integrity requirements remain unfilled.

Many teams try to fix the problem by creating a dedicated service account for each pipeline and rotating its password daily. That step improves credential hygiene, but it does not add visibility into what the job actually does. The request still travels straight from the CI runner to PostgreSQL, bypassing any point where a policy could inspect the query, mask sensitive columns, or require an explicit approval before a potentially destructive command runs. In other words, the setup fixes identity management while leaving the data path unchecked.

Why identity alone does not satisfy HIPAA

HIPAA expects continuous evidence that every access to ePHI is authorized and recorded. When a non‑human identity connects directly to the database, PostgreSQL’s native logs provide only basic connection details. Those logs often lack context such as the originating CI job, the exact code version, or the business purpose of the query. They also cannot mask fields that should never leave the trusted zone, nor can they enforce a "just‑in‑time" approval step before a write operation. As a result, an audit reviewer may see a series of SELECT statements but cannot prove that each one was part of an approved workflow. If a bug causes the pipeline to issue an UPDATE, the event may be buried in the raw log and go unnoticed until a compliance audit discovers the discrepancy.

hoop.dev as the enforceable gateway

Enter hoop.dev, an open‑source Layer 7 gateway that sits between the non‑human identity and PostgreSQL. You deploy the gateway as a network‑resident agent; the service account never sees the database credentials. When the CI job initiates a connection, hoop.dev authenticates the request via OIDC, extracts the service‑account identity, and then proxies the traffic to the database.

Because hoop.dev occupies the data path, it can apply HIPAA‑relevant controls on every request:

  • Continuous audit: hoop.dev records each session, capturing the full SQL statement, the issuing identity, and the timestamp. The audit trail lives outside the database, providing reliable evidence for inspectors.
  • Inline masking: hoop.dev filters response rows in real time so that protected columns (for example, Social Security Numbers) are redacted before they ever reach the CI environment.
  • Just‑in‑time approval: hoop.dev routes any command that could modify ePHI, such as INSERT, UPDATE, or DELETE, to an approval workflow. A designated compliance officer can approve or reject the operation before it reaches PostgreSQL.
  • Command‑level blocking: hoop.dev automatically blocks known dangerous patterns (e.g., "DROP TABLE"), preventing accidental data loss.

All of these outcomes exist only because hoop.dev inspects the protocol. The underlying identity system (OIDC, service accounts) decides who may start a request, but without the gateway there is no place to enforce masking, approval, or recording.

Continue reading? Get the full guide.

End-to-End Encryption + Non-Human Identity Management: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

How continuous evidence satisfies HIPAA

HIPAA’s Security Rule requires covered entities to "implement hardware, software, and/or procedural mechanisms that record and examine activity" on systems handling ePHI. hoop.dev generates that evidence automatically:

  • Every session receives a unique identifier, enabling auditors to trace a specific pipeline run back to the exact code version and CI job.
  • Masked fields never persist in logs, ensuring that the audit trail itself does not become a source of PHI leakage.
  • Approval records store alongside the session, providing proof that a human authorized any write operation.
  • Replay capability lets security teams replay a session to verify that the observed behavior matches the recorded intent.

Because the evidence collects continuously, organizations no longer need separate, manual logging agents on each CI runner. The audit data already matches HIPAA’s required "audit controls" and can feed directly into existing compliance dashboards.

Getting started

Begin with the getting‑started guide. Deploy the hoop.dev gateway in the same network segment as your PostgreSQL instance, configure an OIDC client for your CI system, and define a connection that stores the database credentials inside the gateway. The documentation also explains how to create masking policies for specific columns and how to enable just‑in‑time approval workflows.

For deeper details on masking, audit, and approval features, explore the learn section. These pages walk through policy design, role mapping, and best practices for maintaining HIPAA‑ready evidence.

FAQ

Q: Does hoop.dev replace the need for database‑level logging?
A: No. hoop.dev complements database logs by adding context, masking, and approval records that the database itself cannot provide. Together they give a fuller audit trail.

Q: Can I use hoop.dev with existing CI pipelines without code changes?
A: Yes. The pipeline continues to use its standard PostgreSQL client; hoop.dev acts as a transparent proxy, so no application‑level modifications are required.

Q: How do I protect the audit data?
A: You store audit records outside the database, in a location you configure (object storage, SIEM, or a log aggregation service). This separation ensures that even if the database is compromised, the audit trail remains intact.

Explore the open‑source repository on GitHub to see the implementation details and contribute.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot