A protocol that adds three structural moments of privacy oversight to every PHI-touching Epic — without adding friction on every ticket. Verified by privacy lead at predefined checkpoints, sampled in between, reassessed at 90 or 180 days. Implementable today; designed to scale with IRIS later.
Tech lead affirms which PbD controls will be embedded in the design, on the Epic itself. Five fields, two minutes per Epic, captured as part of normal sprint planning.
Privacy lead reviews at three predefined moments for high-risk Epics: kickoff, pre-production, and any new vendor or data-sharing change. Targeted oversight, not blanket review.
Reassessment at 90 or 180 days confirms the attested controls are operating. 10% sampling of standard Epics catches the long tail. Failed reassessments open remediation tickets.
The tech lead affirms — on the Epic itself, once, at design time — which PbD controls will be embedded in the work. Five fields. Two minutes. Captured as part of the same sprint planning that already happens.
What the tech lead sees on every PHI-touching Epic. Controls in scope is a multi-select; checking the attestation box is what activates the rest of the protocol. The selected controls determine what the privacy lead verifies at checkpoints and reassessment.
Example: a PHI-touching Epic as the tech lead would describe it (the caregiver proxy-access Epic used in the sample checkpoint tickets):
Enable adult caregivers (with explicit patient consent) to view a limited subset of patient data (medication list, upcoming appointments, visit summaries) and send secure messages to the care team on behalf of the patient.
Includes a new consent flow, Auth0 identity verification for the caregiver, and audit log capture of caregiver-mediated actions, kept separate from the patient's own actions.
HIGH tier: new data sharing, new vendor, new system, or PHI + Sensitive categories (behavioral health, SUD, reproductive health, minors).
→ Attestation + kickoff checkpoint + pre-prod checkpoint + 90-day reassessment.
STANDARD tier: routine PHI work (new features on existing data flows, refactors, UI changes, internal tooling).
→ Attestation + 10% random sampling within 30 days + 180-day reassessment of the sampled subset.
Privacy lead reviews HIGH-tier Epics at three defined moments: kickoff to confirm the attestation makes sense, pre-production to verify the controls landed, and any time the Epic introduces a new vendor or data-sharing change. Targeted oversight where it matters most, not blanket review.
Auto-created from the parent Epic's attestation when the Epic enters "Ready for Production" status. The privacy lead has 5 business days to complete it; the Epic cannot transition to "Live" until the checkpoint passes. This is the only hard gate in the protocol.
Rosa Aldana attested on 2026-05-12 that the following controls would be embedded in this Epic:
· Minimum necessary · Access scoped · No PHI in logs
· Audit log capture · Consent flow · 42 CFR Part 2 carve-out
Reviewing each attested control before production go-live:
☑ Minimum necessary — confirmed: proxy view limited to meds, appts, visit summaries (last 12mo)
☑ Access scoped — confirmed: caregiver Auth0 role distinct from patient role; query layer enforces
☑ No PHI in logs — confirmed: sampled 3 service logs, all clean
☑ Audit log capture — confirmed: caregiver actions tagged with actor_type=proxy
☑ Consent flow — confirmed via product spec review & QA walkthrough
☐ Pending: 42 CFR Part 2 carve-out — need to confirm BH/SUD encounters excluded at query layer, not just UI
Kickoff checkpoint: 30-min conversation between privacy lead and tech lead within 5 days of attestation. Sanity-check the attested controls; flag anything missing before code is written.
Pre-production checkpoint: hard gate. Privacy lead verifies each attested control is implemented before the Epic can transition to "Live." Pass / Pass with findings / Fail.
Vendor / data-sharing checkpoint: triggered by any new vendor, new BAA, or new external data flow added mid-Epic. Privacy lead reviews regardless of the original attestation tier.
Reassessment confirms the attested controls are operating, not just designed. HIGH-tier Epics are reassessed at 90 days; STANDARD-tier Epics are sampled at 10% and reassessed at 180 days. Failed reassessments open remediation tickets with executive visibility.
Auto-created 90 days after a HIGH-tier attestation. Pre-populates the controls the team committed to. Privacy lead spot-checks live behavior — sometimes a 15-minute conversation with the tech lead, sometimes by inspecting access logs or sampling production data flows.
Original Epic: OLH-EPIC-218 · attested 2026-05-12 by Rosa Aldana
Tier: HIGH · Reassessment due: 2026-08-10
Verifying each attested control is operating in production:
☑ Minimum necessary — sampled 10 caregiver sessions; all returned only the attested data scope
☑ Access scoped — caregiver role permissions reviewed; no privilege creep detected
☑ No PHI in logs — automated log inspection (manual grep until IRIS is approved) found 0 violations
☑ Audit log capture — proxy actions correctly tagged in 100% of sampled events
⚠ Consent flow — passing, but found 3 cases where caregiver permission persisted after patient deactivation. Opening follow-up.
☑ 42 CFR Part 2 carve-out — query layer enforces correctly
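The tiering, checkpoint scheduling and gate rules described above, modelled as the kind of automation a Jira admin would build from the protocol. This is an added example, not the proposal's own configuration; the flag names, field names and function names are assumptions, and the sample Epic data is taken from the tickets on this page.

```python
# Added example: tier, schedule and gate rules of the attestation protocol as the
# page describes them. Flag/field/function names are assumptions, not the real Jira setup.
from dataclasses import dataclass, field
from datetime import date, timedelta

HIGH_RISK_FLAGS = {"new_data_sharing", "new_vendor", "new_system", "phi_sensitive"}  # constructed

@dataclass
class Attestation:
    epic: str
    attested_by: str
    attested_on: date
    controls: list                   # "Controls in scope" multi-select
    risk_flags: set = field(default_factory=set)
    attested: bool = False           # the checkbox that activates the protocol

def tier_for(att):
    """HIGH if any high-risk trigger applies to the Epic, otherwise STANDARD."""
    return "HIGH" if att.risk_flags & HIGH_RISK_FLAGS else "STANDARD"

def schedule(att, sampled=False):
    """Due dates implied by the tier; None marks an event-triggered checkpoint.
    An unchecked attestation box activates nothing."""
    if not att.attested:
        return {}
    d = att.attested_on
    if tier_for(att) == "HIGH":
        return {"kickoff": d + timedelta(days=5),        # conversation within 5 days
                "pre_prod": None,                        # hard gate at "Ready for Production"
                "vendor_change": None,                   # any new vendor/BAA/data flow mid-Epic
                "reassessment": d + timedelta(days=90)}  # auto-created 90 days after attestation
    if not sampled:                                      # only the 10% sample is followed up
        return {}
    return {"sample_review": d + timedelta(days=30),
            "reassessment": d + timedelta(days=180)}

def checkpoint_outcome(results):
    """results maps control -> 'confirmed' | 'finding' | 'pending' | 'fail'.
    Pass / Pass with findings / Fail; a still-pending control also blocks the gate."""
    if any(r in ("fail", "pending") for r in results.values()):
        return "Fail"
    return "Pass with findings" if "finding" in results.values() else "Pass"

def remediation_tickets(results):
    """Controls that failed or produced findings at reassessment get follow-up tickets."""
    return sorted(c for c, r in results.items() if r in ("fail", "finding"))
```

With the OLH-EPIC-218 attestation date of 2026-05-12, `schedule` yields the 2026-08-10 reassessment date shown on the ticket, and the pending Part 2 carve-out at pre-production evaluates to Fail, i.e. the Epic cannot go Live.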
Designed to fit ~6 hrs/week of privacy lead time at 30+ Epics/month. Sampling rate adjusts up or down as capacity allows.
The attestation protocol is implementable today using the privacy lead's capacity — manual checkpoints for HIGH-risk Epics, 10% sampling for STANDARD. But as engineering grows, sampling becomes the bottleneck. IRIS (built, awaiting approval) replaces sampling with continuous, automated detection. RETINA aggregates IRIS findings, Jira events, and checkpoint outcomes into one measurement layer.
Bundling makes the decision bigger than it needs to be. The protocol can ship on its own and start producing audit evidence within the first sprint. IRIS — once approved — strengthens the protocol but isn't required for it to function. Sequencing the approvals separately means Sr. Leaders get a small, low-risk decision now, and a larger, better-informed decision later (with real evidence from the protocol's first 60-90 days operating).
Approve the attestation protocol. 4–6 hours of Jira admin work to add fields, build the checkpoint automation, set up the reassessment cadence, and ship a 2-page policy doc. No new tooling. No new vendors. Existing privacy lead capacity.
Approve IRIS deployment. Separate business case. The 90-day reassessment data from the protocol's first quarter will tell us what IRIS would catch that manual sampling missed — making that approval decision evidence-based rather than speculative.
The decision in front of you is whether to formalize how Open Loop's engineering teams attest to PbD controls and how privacy verifies them. The protocol uses Jira and your existing privacy lead capacity — no new vendors, no new licenses, no changes to IRIS or RETINA (both come back for separate approvals later). It is implementable within a sprint and produces audit evidence from day one.
Post your decision in #privacy on Slack. A short message is enough — for example:
The privacy lead and engineering champion are subscribed to #privacy and will respond there.