Real Use Case

Use Case #29: Edge Function Audit

Systematically reviewing serverless functions for security and compliance requirements.

William Welsh

Author

Dec 14, 2025
6 min read

HIPAA audit in 3 weeks. The auditor would ask: "How do you handle PHI in your serverless functions?"

I needed a good answer.

The Scope

23 Supabase Edge Functions. Some handled patient data. Some didn't. Some maybe did - I wasn't sure.

The Audit Process

Claude reviewed each function against a compliance checklist:

Data Classification - What data does this function access? PHI, PII, or neither?

Data Handling - Does it store PHI? Transmit PHI? Log PHI (bad)?

Authentication - Does it verify caller identity? Check permissions?

Encryption - Data encrypted in transit? At rest if stored?

Logging - What gets logged? Are PHI elements excluded?

Error Handling - Do error messages expose sensitive data?

The Findings

Compliant: 18 functions - Properly handled data, no PHI logging, correct auth checks.

Needs Fixes: 4 functions - Logged request bodies (might include PHI), insufficient auth for the data accessed.

Critical: 1 function - Returned full patient record in error messages. Had to fix immediately.

The Remediation

Claude fixed each issue: added PHI scrubbing to the loggers so request bodies are redacted before they are written, tightened the auth checks so callers are both verified and authorized for the specific records they request, and sanitized error responses so a failure returns a generic message and a request id instead of the record that triggered it.
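As an added example, not code from this post or from EDF-Pro, here is what one function looks like after the checklist above has been applied, written in TypeScript since Supabase Edge Functions are TypeScript. It shows the three remediations together: a logger that scrubs PHI by key and by pattern before anything reaches the sink, an authorization check that ties the caller to the record being read (identity alone is not enough), and a catch path that logs scrubbed detail server-side while returning only an opaque request id to the client. Every field name, claim name, role and sample record is an assumption made up for the illustration; verifying the JWT signature is assumed to have happened upstream and is not shown.

```typescript
// Added illustration, not code from the original post or from EDF-Pro.
// All field names, claim names and sample data are invented for this example.

// Keys whose values must never reach a log line. Assumed list; extend per data model.
const PHI_KEYS: string[] = [
  "patient_id", "first_name", "last_name", "dob", "ssn", "mrn",
  "diagnosis", "address", "phone", "email",
];

// Catch identifiers that show up under unexpected keys or inside free text.
const PHI_PATTERNS: RegExp[] = [
  /\b\d{3}-\d{2}-\d{4}\b/g,        // US SSN
  /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/g, // e-mail address
];

/** Deep copy of `value` with PHI keys and PHI-shaped strings replaced by a marker. */
export function scrubPhi(value: unknown, depth = 0): unknown {
  if (depth > 8) return "[TRUNCATED]"; // bound recursion on hostile or cyclic input
  if (typeof value === "string") {
    return PHI_PATTERNS.reduce((s, re) => s.replace(re, "[REDACTED]"), value);
  }
  if (Array.isArray(value)) return value.map((v) => scrubPhi(v, depth + 1));
  if (value !== null && typeof value === "object") {
    const src = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    Object.keys(src).forEach((k) => {
      out[k] = PHI_KEYS.indexOf(k.toLowerCase()) !== -1 ? "[REDACTED]" : scrubPhi(src[k], depth + 1);
    });
    return out;
  }
  return value;
}

/** Logger that scrubs every field before it reaches the sink (console, log drain, ...). */
export function makeSafeLogger(sink: (line: string) => void) {
  return (event: string, fields: Record<string, unknown> = {}): void => {
    sink(JSON.stringify({ event, ...(scrubPhi(fields) as Record<string, unknown>) }));
  };
}

// Claims assumed to come from a JWT the platform has already verified.
export interface Claims {
  sub: string;
  role: "clinician" | "billing" | "patient";
  patient_ids?: string[]; // assumed claim: patients this caller may read
}

/** Authorization: the caller must be entitled to this particular record. */
export function authorize(claims: Claims, patientId: string): boolean {
  if (claims.role === "patient") return claims.sub === patientId;
  if (claims.role === "clinician") return (claims.patient_ids ?? []).indexOf(patientId) !== -1;
  return false; // billing and any unknown role get nothing from this function
}

export interface PatientRecord { patient_id: string; first_name: string; ssn: string; diagnosis: string }
export interface HandlerResult { status: number; body: Record<string, unknown> }

/** Hardened handler; `fetchRecord` stands in for the database call so this runs offline. */
export function handleRequest(
  claims: Claims,
  patientId: string,
  requestId: string,
  fetchRecord: (id: string) => PatientRecord,
  log: ReturnType<typeof makeSafeLogger>,
): HandlerResult {
  if (!authorize(claims, patientId)) {
    log("authz.denied", { sub: claims.sub, patient_id: patientId, request_id: requestId });
    return { status: 403, body: { error: "forbidden", request_id: requestId } };
  }
  let record: PatientRecord | undefined;
  try {
    record = fetchRecord(patientId);
    log("record.read", { sub: claims.sub, record, request_id: requestId });
    return { status: 200, body: { record } };
  } catch (err) {
    // Server side keeps scrubbed detail; the client gets only an id to quote to support.
    log("record.error", { request_id: requestId, message: String(err), record });
    return { status: 500, body: { error: "internal error", request_id: requestId } };
  }
}

// Constructed sample data for a stand-alone run.
export const SAMPLE_RECORD: PatientRecord = {
  patient_id: "p-1001", first_name: "Ada", ssn: "123-45-6789", diagnosis: "J45.20",
};
export const CLINICIAN: Claims = { sub: "u-7", role: "clinician", patient_ids: ["p-1001"] };

/** Exercise the happy path, a cross-patient read, and a failing database call. */
export function demo(): { lines: string[]; ok: HandlerResult; denied: HandlerResult; failed: HandlerResult } {
  const lines: string[] = [];
  const log = makeSafeLogger((l) => lines.push(l));
  const ok = handleRequest(CLINICIAN, "p-1001", "req-1", () => SAMPLE_RECORD, log);
  const denied = handleRequest(CLINICIAN, "p-2002", "req-2", () => SAMPLE_RECORD, log);
  const failed = handleRequest(CLINICIAN, "p-1001", "req-3", () => {
    throw new Error("db: row for ssn 123-45-6789 locked"); // PHI leaking through an error message
  }, log);
  return { lines, ok, denied, failed };
}
```

Running `demo()` produces three log lines in which the SSN, name and diagnosis never appear (the SSN in the thrown error message is caught by the pattern scrubber even though it was not under a known key), a 403 for the clinician reading a patient outside their list, and a 500 whose body carries only `internal error` and the request id. The key list and regexes are the weak point of any scrubber: treat them as a classification artifact to be reviewed alongside the compliance card, not as a one-time fix.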

The Audit Result

Passed. Auditor specifically noted the thoroughness of our function-level documentation.

The Deliverable

Each function now has a compliance card: data classification, handling summary, security measures, audit date.


Audit preparation for EDF-Pro, November 2025.

William Welsh

Building AI-powered systems and sharing what I learn along the way. Founder at Tech Integration Labs.
