← Missions

HIPAA / PCI-DSS Compliance Review of a Data Ingestion Platform's Masking Engine

Budget: $250.0 FIXED / ⭐ 4.67 (32) United States

python

HIPAA / PCI-DSS Compliance Review of a Data Ingestion Platform's Masking Engine Project Overview We've built a data ingestion platform that ingests structured, semi-structured, unstructured, streaming, and IoT data — including healthcare data from sources like FHIR, HL7v2, DICOM, and pharmacy/e-prescribing feeds — and applies PHI/PCI masking inline at ingestion time, before data is written anywhere downstream. The masking engine is built and covered by an extensive automated test suite (30 tests, all passing), but it has not yet been reviewed by a licensed compliance professional. We need that review before representing the platform as HIPAA/PCI compliant to any client. This is a code-and-documentation review engagement, not a build engagement — the masking logic already exists; we need a qualified opinion on whether it actually satisfies the relevant regulatory standards, and a clear list of gaps if it doesn't. Scope of Work Review the compliance engine's source code (Python — regex-based content detection plus field-name-based detection, deterministic HMAC-token masking, audit-record signing) against HIPAA's Privacy Rule, specifically the Safe Harbor de-identification standard (the 18 identifier categories). Review the PCI cardholder-data redaction logic (Luhn-validated card-number detection and redaction) against PCI-DSS requirements relevant to how this data is stored and transmitted downstream. Assess whether deterministic (same-input-produces-same-output) masking is an appropriate de-identification approach for our use case, or whether its re-identification properties are a problem worth flagging. Review the existing automated test suite (we'll provide it) and identify any regulatory-relevant scenarios it doesn't cover. Deliver a written report: pass/fail-style findings per requirement, specific gaps if any, and concrete remediation recommendations we can hand to our engineers. Optional/bonus: light familiarity with ITAR/EAR export-control classification, in case a small subset of ingested data ever needs that tagging reviewed too. This is NOT required — please apply even if this isn't your area. Deliverables A written compliance review report (HIPAA Safe Harbor + PCI-DSS at minimum) A prioritized list of any gaps found, with severity A short call to walk through findings with our engineering team What We'll Provide Read-only access to the relevant source code and test files (under NDA) A spreadsheet mapping our current automated test coverage to compliance areas Written documentation of the engine's design and known limitations Required Qualifications Demonstrated professional experience with HIPAA compliance review (Privacy Rule / Security Rule), ideally including de-identification methodology (Safe Harbor and/or Expert Determination) Demonstrated professional experience with PCI-DSS requirements, ideally QSA or ISA credentialed, or equivalent hands-on assessment experience Comfortable reading Python code well enough to evaluate what it actually does, not just documentation about it Available for a short scoping call before starting Experience reviewing healthcare data pipelines specifically (FHIR, HL7v2, DICOM familiarity) ITAR/EAR export-control classification experience Prior experience producing compliance documentation used in actual client-facing certifications My be willing to sign our NDA
Ouvrir sur Upwork