Healthcare
PHI Redaction on Every API Response
Healthcare APIs return patient data that not every system is cleared to process. RequestRocket intercepts the response and removes PHI fields before they reach unauthorised consumers — no upstream changes required.
The Challenge
Clinical APIs Return Patient Data to Systems That Shouldn't See It
A healthcare SaaS platform integrated with EHR systems, lab APIs, and clinical data providers. Many internal services — billing, analytics, scheduling — called the same upstream APIs as clinical applications, but were not HIPAA-cleared to process patient health information. The upstream APIs had no fine-grained field-level access controls.
PHI in Responses to Non-Clinical Systems
Analytics services received full patient records including diagnoses, medication lists, and encounter notes — data they had no authorised need to process.
Shared Upstream Credentials
All services shared the same credential, making it impossible to enforce different data access policies per consumer.
Compliance Evidence Gaps
Auditors required evidence of which systems accessed which patient data and when. The existing logging infrastructure provided no per-consumer visibility.
Upstream APIs Could Not Be Modified
The EHR and lab API vendors did not offer field-level filtering — every response included the full patient record regardless of what the caller needed.
The Solution
Insert RequestRocket Between Every Consumer and the EHR APIs
The team proxied all EHR and clinical API traffic through RequestRocket. Non-clinical services received credentials scoped to proxies with active response filters that remove PHI fields; clinical services received unfiltered responses via separately scoped proxies with full PHI access. All traffic was logged with the credential identity of the calling service.
How it works
1. Create RequestRocket proxies for each clinical API (EHR system, lab API, clinical data provider), storing the real upstream credential in RequestRocket's encrypted credential vault.
2. Define two credential tiers: clinical (full access, PHI permitted) and non-clinical (filtered access, PHI removed). Each tier maps to its own proxy or proxy configuration.
3. Configure response filters on non-clinical proxies using JSON path rules to remove or mask PHI fields: patient name, date of birth, diagnosis codes, encounter notes, and medication lists.
4. Issue per-service JWTs from AD and bind each service to the appropriate proxy tier based on its authorisation status.
5. Stream all proxy request logs (metadata and telemetry) to the client's log store, including which credential accessed which clinical API endpoint and whether PHI filters were applied.
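The five steps above describe one response path: resolve the caller's credential to a tier, apply path-based removal or masking rules to the upstream body for non-clinical callers, and emit an audit record naming the credential, endpoint, status and filter state. The following is an added example of that path, written for this page; it is not RequestRocket's code, and its rule syntax (dotted keys with `[*]` for array elements), the credential-to-tier dictionary, and the patient record are all assumptions constructed for illustration.

```python
"""Response-side PHI filtering for a proxied EHR call (added example).

Not RequestRocket's code. The rule syntax (dotted keys, ``[*]`` for every
element of an array), the credential->tier table and the sample record are
assumptions made for this illustration.
"""
import copy
import json
from datetime import datetime, timezone

# Rule: (path, action). "remove" deletes the key; "mask" replaces the value
# with a fixed token so consumers whose schema expects the key still validate.
NON_CLINICAL_RULES = [
    ("patient.name", "remove"),
    ("patient.dob", "mask"),
    ("encounters[*].diagnosis_codes", "remove"),
    ("encounters[*].notes", "remove"),
    ("medications", "remove"),
]

# Assumed binding of service credential to tier; in the deployment described
# above this would be derived from the per-service JWT, not a static table.
CREDENTIAL_TIERS = {
    "svc-analytics": "non-clinical",
    "svc-billing": "non-clinical",
    "svc-clinical-app": "clinical",
}

MASK = "***"

# Constructed sample upstream response; not real patient data.
SAMPLE_UPSTREAM = {
    "patient": {"id": "P-1001", "name": "Jane Doe", "dob": "1980-04-12"},
    "encounters": [
        {"id": "E-1", "date": "2024-01-09", "diagnosis_codes": ["E11.9"], "notes": "..."},
        {"id": "E-2", "date": "2024-03-02", "diagnosis_codes": ["I10"], "notes": "..."},
    ],
    "medications": [{"name": "metformin", "dose": "500mg"}],
    "billing": {"account": "ACC-77", "balance": 120.0},
}


def _apply_rule(node, tokens, action, touched, trail=""):
    """Walk one rule path, mutating `node` in place and recording concrete paths touched."""
    head, rest = tokens[0], tokens[1:]
    wildcard = head.endswith("[*]")
    key = head[:-3] if wildcard else head
    if not isinstance(node, dict) or key not in node:
        return  # path absent in this response: nothing to do
    if wildcard:
        if rest and isinstance(node[key], list):
            for i, item in enumerate(node[key]):
                _apply_rule(item, rest, action, touched, f"{trail}{key}[{i}].")
        return
    if rest:
        _apply_rule(node[key], rest, action, touched, trail + key + ".")
        return
    if action == "remove":
        del node[key]
    else:
        node[key] = MASK
    touched.append(trail + key)


def apply_filters(payload, rules):
    """Return (filtered deep copy, list of concrete paths removed or masked)."""
    filtered = copy.deepcopy(payload)
    touched = []
    for path, action in rules:
        _apply_rule(filtered, path.split("."), action, touched)
    return filtered, touched


def proxy_response(credential, endpoint, status, upstream_body):
    """Tier the caller, filter if required, and build the per-consumer audit record."""
    tier = CREDENTIAL_TIERS.get(credential)
    if tier is None:
        # Unknown credential: fail closed and never forward the upstream body.
        body, touched, filtered, status = None, [], False, 403
    elif tier == "non-clinical":
        body, touched = apply_filters(upstream_body, NON_CLINICAL_RULES)
        filtered = True
    else:
        body, touched, filtered = upstream_body, [], False
    audit = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "credential": credential,
        "tier": tier,
        "endpoint": endpoint,
        "status": status,
        "phi_filter_applied": filtered,
        "fields_touched": touched,
    }
    return body, audit


if __name__ == "__main__":
    body, audit = proxy_response("svc-analytics", "/fhir/Patient/P-1001", 200, SAMPLE_UPSTREAM)
    print(json.dumps(body, indent=2))
    print(json.dumps(audit, indent=2))
```

Two points worth noting about the design. The rules are a denylist: a field the rules do not name, including one the upstream vendor adds later, passes through to the non-clinical consumer untouched, so where a consumer's required schema is known an allowlist projection (keep only named fields) is the safer shape for this filter. Second, the audit record carries the concrete paths touched per response, which is what lets an auditor confirm not just that a filter was configured but that it fired on a given call.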
The Results
Measurable Impact
PHI removed from all non-clinical API responses
Response filters on non-clinical proxies remove all PHI fields before the payload reaches billing, analytics, or scheduling services. No PHI has reached an unauthorised system since deployment.
Per-consumer audit trail for compliance evidence
Every proxied call is logged with the service credential identity, clinical API endpoint, response status, and PHI filter status — providing the per-consumer access evidence required by HIPAA auditors.
Compliance posture achieved without upstream changes
The EHR and lab API vendors required no changes. RequestRocket's response filters act on the response as it leaves the proxy toward the consumer, so the upstream API sees an ordinary request and returns its usual full payload.
Clinical and non-clinical access fully separated
Credential-level access tiers ensure that non-clinical services cannot call clinical proxy configurations, even if they attempt to use the wrong endpoint.
Add outbound API security without changing code
Start on your own or talk to our team about improving the security of every API call you make.