Updated March 8, 2026
HIPAA Compliance Controls
This platform implements a set of security controls aligned to the HIPAA framework. This page summarises the controls that have been formally addressed as part of the product's compliance posture.
HIPAA-06: Encryption Key Management
Status: Implemented — v1.0.328
The platform stores sensitive PII indefinitely, including HMRC OAuth tokens and National Insurance Numbers. Periodic rotation of the application encryption key is required.
Controls in Place
| Control | Implementation |
|---|---|
| Key rotation tooling | src/scripts/rotate-encryption-key.ts — transactional CLI |
| Rotation enforcement | Inngest cron alerts operators after 90 days without rotation |
| Rotation procedure | Documented in the platform documentation and in docs/KEY-ROTATION.md |
| Audit trail | Config table tracks last_rotation_date; operators must log rotations |
For full rotation instructions, see Encryption Key Rotation.
Encrypted Data in Scope
The following categories of data are encrypted at rest and are subject to key rotation:
- Bank account PII (account numbers, sort codes)
- HMRC OAuth tokens (access and refresh tokens)
- Organisation database connection strings
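The two mechanisms in the controls table, a transactional re-encryption pass and a 90-day rotation-age check, are illustrated below with an added TypeScript example; it is not the platform's rotate-encryption-key.ts script or its Inngest cron, and the record layout, key ids and key material are assumptions constructed for the demonstration.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "crypto";

// Constructed 32-byte keys for the demonstration only; real keys come from a secret store.
export const KEYS: Record<string, Buffer> = {
  k1: Buffer.alloc(32, 0x11), // key in use before rotation
  k2: Buffer.alloc(32, 0x22), // replacement key
};
export const MAX_KEY_AGE_DAYS = 90;

// Assumed record layout: "<keyId>:<iv hex>:<gcm tag hex>:<ciphertext hex>".
// Storing the key id with each row lets a rotation run tell rotated from unrotated data.
export function encryptField(plain: string, keyId: string): string {
  const key = KEYS[keyId];
  if (!key) throw new Error(`unknown key id ${keyId}`);
  const iv = randomBytes(12); // fresh nonce per encryption, never reused with a key
  const c = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plain, "utf8"), c.final()]);
  return [keyId, iv.toString("hex"), c.getAuthTag().toString("hex"), ct.toString("hex")].join(":");
}

export function decryptField(record: string): string {
  const parts = record.split(":");
  if (parts.length !== 4) throw new Error("malformed record");
  const [keyId, ivHex, tagHex, ctHex] = parts as [string, string, string, string];
  const key = KEYS[keyId];
  if (!key) throw new Error(`unknown key id ${keyId}`);
  const d = createDecipheriv("aes-256-gcm", key, Buffer.from(ivHex, "hex"));
  d.setAuthTag(Buffer.from(tagHex, "hex")); // GCM rejects a tampered row in final()
  return Buffer.concat([d.update(Buffer.from(ctHex, "hex")), d.final()]).toString("utf8");
}

// Re-encrypt every record under newKeyId. All-or-nothing: one undecryptable row
// throws before any result is returned, so a caller that wraps this in a database
// transaction never commits a half-rotated table. Rows already under newKeyId pass
// through unchanged, so an interrupted run can be resumed safely.
export function rotateRecords(records: string[], newKeyId: string): string[] {
  return records.map((r) =>
    r.startsWith(`${newKeyId}:`) ? r : encryptField(decryptField(r), newKeyId)
  );
}

// Rotation-age check of the kind a 90-day cron alert performs (assumed logic):
// compares the stored last_rotation_date with the current time.
export function rotationOverdue(lastRotation: Date, now: Date): boolean {
  const ageDays = (now.getTime() - lastRotation.getTime()) / 86_400_000;
  return ageDays > MAX_KEY_AGE_DAYS;
}
```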
Additional HIPAA controls will be documented here as they are implemented.