HIPAA-09: PII Scrubbing in Logs
Compliance control: HIPAA-09
Introduced in: v0.1.161
Overview
Prior to v0.1.161, the platform's structured logger and error capture pipeline forwarded log data and error payloads to external endpoints without first removing personally identifiable information (PII). This created a risk that validation errors, serialised request bodies, or other diagnostic messages could inadvertently expose sensitive data such as names, dates of birth, email addresses, or phone numbers in error reports and log streams.
To address HIPAA-09, a PII scrubbing layer has been added to both the logger and the error capture module.
What Changed
src/lib/logger.ts — scrubPii() and sanitizeLogData()
A scrubPii() function was added that applies pattern-based redaction to string values before they leave the application. The following PII categories are covered:
| PII Type | Example (before) | After scrubbing |
|---|---|---|
| Full name | John Smith | [NAME REDACTED] |
| Date of birth | 1985-03-15 | [DOB REDACTED] |
| Email address | john@example.com | [EMAIL REDACTED] |
| Phone number | +44 7700 900123 | [PHONE REDACTED] |
A sanitizeLogData() transform wraps this function and is applied to the data field inside the logger's emit() method, ensuring every outbound log event is scrubbed automatically.
capture-error.ts — Body serialisation
scrubPii() is now applied to request body serialisations inside capture-error.ts before the payload is forwarded to any external error-reporting endpoint.
How It Works
Application code
      │
      ▼
logger.emit(data)          capture-error(err, body)
      │                            │
sanitizeLogData(data)        scrubPii(body)
      │                            │
      └──────────┬─────────────────┘
                 ▼
   External log / error endpoint
        (PII-free payload)
- Logger path — Every call to logger.emit() passes the data field through sanitizeLogData(), which internally calls scrubPii() on all string values within the object.
- Error capture path — capture-error.ts calls scrubPii() on the serialised request body before constructing the outbound error report.
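The logger path described above, sketched as an added example; this is not the project's code from src/lib/logger.ts. The regular expressions, the NAME_KEYS key list (names are redacted by field key here, a swapped-in technique, because the page does not show its name pattern), the Error and circular-reference handling, and the sample event are all assumptions.

```typescript
// Added example: rules, NAME_KEYS and sampleEvent are assumptions,
// not the project's actual implementation.
type Rule = { pattern: RegExp; placeholder: string };

// Order matters: an ISO date also fits the loose phone pattern, so the
// more specific rules (email, date) run before the phone rule.
const RULES: Rule[] = [
  { pattern: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, placeholder: "[EMAIL REDACTED]" },
  { pattern: /\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b/g, placeholder: "[DOB REDACTED]" },
  { pattern: /\+?\d[\d\s().-]{7,}\d/g, placeholder: "[PHONE REDACTED]" },
];

// Assumption: name values are redacted by field key (compared lower-cased).
const NAME_KEYS = new Set(["name", "fullname", "firstname", "lastname"]);

function scrubPii(text: string): string {
  return RULES.reduce((out, r) => out.replace(r.pattern, r.placeholder), text);
}

// Returns a scrubbed copy; the input object is never mutated.
function sanitizeLogData(value: unknown, stack = new WeakSet<object>()): unknown {
  if (typeof value === "string") return scrubPii(value);
  if (value === null || typeof value !== "object") return value;
  // Error.message is non-enumerable, so a plain key walk would drop it.
  if (value instanceof Error) return { name: value.name, message: scrubPii(value.message) };
  if (stack.has(value)) return "[CIRCULAR]";
  stack.add(value);
  let out: unknown;
  if (Array.isArray(value)) {
    out = value.map((v) => sanitizeLogData(v, stack));
  } else {
    const rec: Record<string, unknown> = {};
    for (const key of Object.keys(value)) {
      const v = (value as Record<string, unknown>)[key];
      rec[key] = typeof v === "string" && NAME_KEYS.has(key.toLowerCase())
        ? "[NAME REDACTED]"
        : sanitizeLogData(v, stack);
    }
    out = rec;
  }
  stack.delete(value); // track only the current path, so shared refs are kept
  return out;
}

// Constructed sample event (not real data).
const sampleEvent = {
  level: "error",
  status: 422,
  patient: { fullName: "John Smith", dob: "1985-03-15" },
  errors: ["email john@example.com is invalid", "phone +44 7700 900123 rejected"],
};
```

Patterns this loose also redact non-PII that happens to match, such as any ISO date or long numeric identifier, so log consumers lose those values too.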
Impact on Existing Behaviour
- No functional changes — scrubbing is transparent to application logic; only the outbound log and error payloads are affected.
- Existing log consumers should expect redacted placeholders (e.g. [EMAIL REDACTED]) wherever PII previously appeared in error messages or metadata fields.
- Debugging — When investigating issues locally, developers may wish to set a LOG_PII_SCRUBBING=false environment variable (if exposed) to retain full fidelity in development-only environments. Check your environment configuration before doing so in any environment that handles real user data.
Compliance Notes
This change directly addresses HIPAA-09, which requires that audit logs and error reports do not contain unprotected PHI (Protected Health Information). Organisations subject to HIPAA audits should reference v0.1.161 as the version at which this control was implemented.