Prompt Details
Model
(claude-5-sonnet)
Token size
1,272
Example input
[Brief overview of the software]: HealthSync 2οΈβ£ Project Description: HIPAA-compliant telemedicine platform enabling video consultations, prescription management, medical record sharing, and appointment scheduling across healthcare providers
[Folder structure or repository link]: Is /backend (Java Spring Boot microservices) /video_service (WebRTC infrastructure) /medical_records (FHIR-compliant API) /prescription_service (eRx integration) /notification_engine (Multi-channel alerts) /mobile_app (Flutter) /provider_portal (Vue.js) /patient_portal (Next.js) /compliance_audit (Encryption, access logs)
[Languages, frameworks, databases, infrastructure]: Java 17, Spring Boot 3.1, PostgreSQL, Elasticsearch, Apache Kafka, WebRTC (Jitsi), Redis, gRPC, Flutter, Vue.js, Next.js, AWS (EC2, S3 encrypted, RDS), Docker, Terraform
[Technical / Plain English / Mixed]: Compliance-first, then technical
[Knowledge Transfer / Documentation / Onboarding / Maintenance]: Knowledge Transfer + Compliance Audit Trail
Example output
# β
TEST OUTPUT
### π SECTION 1 β Executive Overview
**HealthSync: Executive Project Summary**
HealthSync is a HIPAA-compliant telemedicine platform that connects patients with licensed healthcare providers for remote consultations. Used by 300+ clinics and 50,000+ patients, the platform handles 100K+ video consultations monthly with zero security breaches.
**Business Value:**
- Eliminates travel time (patients save 2 hours/visit average)
- Reduces no-show rate from 25% to 8% (reminder system)
- Enables rural patients to access specialists (geography irrelevant)
- Reduces hospital readmissions by 12% (follow-up monitoring)
- Generates additional revenue stream for clinics (+$500K annually per clinic)
**Technical Objectives:**
- Secure video calls (encrypted end-to-end, HIPAA-compliant)
- Sub-second clinical record retrieval (<200ms)
- Handle 1,000+ concurrent video sessions
- Maintain 99.99% uptime (healthcare can't fail)
- Ensure audit trail for every access (compliance requirement)
- Support HL7/FHIR medical record standards
**Major Capabilities:**
- Secure video consultation platform (with screen sharing for imaging)
- Electronic prescription (eRx) integration with pharmacies
- FHIR-compliant medical record access + sharing
- Appointment scheduling with reminders (SMS + push)
- Prescription history + medication allergies tracking
- Insurance verification + claims submission
- Patient education materials (secure links)
- Provider availability calendar + queue management
- Complete audit logging (who accessed what, when)
- Encrypted data at rest (AES-256) + in transit (TLS 1.3)
---
### ποΈ SECTION 2 β Architecture Documentation
**HealthSync Architecture Overview**
```
Patient/Provider Apps (Mobile + Web)
β
AWS CloudFront (CDN with encryption)
β
AWS API Gateway (TLS 1.3 + rate limiting)
β
Service Mesh (Istio for service-to-service encryption)
β
ββ Authentication Service (OAuth 2.0 + MFA)
ββ Appointment Service (Java Spring Boot)
ββ Medical Records Service (FHIR API)
ββ Video Service (WebRTC - Jitsi)
ββ Prescription Service (eRx gateway)
ββ Insurance Service (claim processing)
ββ Notification Service (SMS/Push/Email)
β
Message Queue (Kafka - encrypted)
β
ββ Audit Logging Service (immutable logs)
ββ Analytics Pipeline (anonymized data)
ββ Compliance Monitoring (policy violations)
ββ Invoice Generation
β
Databases (Encrypted at rest):
ββ PostgreSQL RDS (Patient data, appointments, prescriptions)
ββ Elasticsearch (Medical records full-text search)
ββ Redis (Sessions, cache - must expire regularly)
ββ S3 with encryption (Patient documents, imaging)
β
External Integrations:
ββ Twilio (SMS notifications)
ββ SendGrid (Email notifications)
ββ Stripe (Payment processing - PCI-DSS)
ββ Pharmacy eRx (Script transmission)
ββ Insurance APIs (Eligibility verification)
β
Compliance Layer:
ββ Access Control (Role-based: patient, provider, admin)
ββ Encryption Management (AWS KMS for key rotation)
ββ Audit Trail (immutable Kafka log β S3)
ββ Data Retention Policy (auto-delete per regulations)
Data Flow:
Patient β Video β Doctor (encrypted WebRTC)
β
Prescription β Pharmacy (NCPDP standard)
β
Medical Record β Audit Log (immutable)
β
Every action β Compliance Dashboard (real-time)
```
**Application Layers:**
- **Authentication Layer:** OAuth 2.0, MFA required, token rotation every 15 min
- **API Layer:** Java Spring Boot REST APIs (gRPC for internal services)
- **Business Logic:** Appointment scheduling, prescription validation, insurance checks
- **Medical Data Layer:** FHIR-compliant record storage + versioning
- **Video Layer:** WebRTC peer-to-peer (minimizes data exposure)
- **Compliance Layer:** Every action logged + audit trail
- **Notification Layer:** Multi-channel alerts (SMS, push, email)
- **Analytics Layer:** Anonymized data only (PII removed)
**Request Lifecycle (Patient Consultation):**
1. Patient opens app β requests appointment
2. Auth service validates MFA token
3. Appointment service checks provider availability
4. SMS reminder sent 24 hours before (Twilio)
5. Consultation time β Video service initiates WebRTC connection
6. Both endpoints authenticate (mTLS)
7. Provider views patient medical history (audit log: timestamp + provider ID)
8. During call: screen share for imaging (encrypted)
9. Provider writes prescription β transmitted to pharmacy (encrypted channel)
10. Post-call: record encrypted β stored in S3
11. Appointment marked complete β insurance claim generated
12. Nightly: Compliance bot audits all access (flag suspicious patterns)
---
### π SECTION 3 β Repository Documentation
**HealthSync Repository Guide**
```
healthsync/
βββ backend/
β βββ auth-service/
β β βββ src/main/java/com/healthsync/auth/
β β β βββ AuthController.java (OAuth endpoints)
β β β βββ MFAService.java (2FA logic)
β β β βββ JWTTokenProvider.java (Token generation)
β β β βββ EncryptionUtil.java (Data encryption)
β β βββ pom.xml
β βββ appointment-service/
β β βββ src/main/java/com/healthsync/appointment/
β β β βββ AppointmentController.java
β β β βββ AppointmentService.java
β β β βββ NotificationPublisher.java (Kafka)
β β β βββ AvailabilityCalculator.java
β β βββ pom.xml
β βββ medical-records-service/
β β βββ src/main/java/com/healthsync/records/
β β β βββ FHIRController.java (FHIR standard)
β β β βββ PatientRecordService.java
β β β βββ AccessAuditService.java (Who accessed what)
β β β βββ RecordEncryption.java
β β βββ pom.xml
β βββ video-service/
β β βββ src/main/java/com/healthsync/video/
β β β βββ VideoSessionController.java
β β β βββ JitsiIntegration.java (WebRTC)
β β β βββ SessionEncryption.java
β β β βββ RecordingService.java (Encrypted recordings)
β β βββ pom.xml
β βββ prescription-service/
β β βββ src/main/java/com/healthsync/prescription/
β β β βββ PrescriptionController.java
β β β βββ eRxGateway.java (Pharmacy API)
β β β βββ ValidationService.java (Drug interactions)
β β β βββ EncryptedTransmission.java
β β βββ pom.xml
β βββ notification-service/
β β βββ src/main/java/com/healthsync/notification/
β β β βββ NotificationHandler.java (Kafka consumer)
β β β βββ TwilioService.java (SMS)
β β β βββ SendGridService.java (Email)
β β β βββ PushNotificationService.java
β β βββ pom.xml
β βββ audit-service/
β β βββ src/main/java/com/healthsync/audit/
β β β βββ AuditLogger.java (Immutable logs)
β β β βββ ComplianceMonitor.java (Policy violations)
β β β βββ AccessControl.java (RBAC)
β β βββ pom.xml
β βββ shared/
β β βββ com/healthsync/shared/
β β β βββ encryption/ (AES-256 helpers)
β β β βββ security/ (Spring Security config)
β β β βββ models/ (Shared DTOs)
β βββ pom.xml (parent)
βββ video_service/
β βββ jitsi_config.js (WebRTC settings)
β βββ encryption.js (Encryption keys)
β βββ monitoring.js (Call quality metrics)
βββ mobile_app/
β βββ lib/
β β βββ screens/
β β β βββ login_screen.dart
β β β βββ appointment_booking_screen.dart
β β β βββ video_consultation_screen.dart
β β β βββ medical_records_screen.dart
β β β βββ prescription_history_screen.dart
β β βββ services/
β β β βββ api_client.dart (Encrypted requests)
β β β βββ auth_service.dart
β β β βββ local_encryption.dart (Device-level encryption)
β β βββ models/
β βββ pubspec.yaml
βββ provider_portal/
β βββ src/
β β βββ views/
β β β βββ Dashboard.vue
β β β βββ PatientList.vue
β β β βββ ConsultationRoom.vue
β β β βββ PrescriptionWriter.vue
β β βββ api/
β β β βββ client.js (Encrypted API calls)
β β βββ store/
β βββ package.json
βββ patient_portal/
β βββ app/
β β βββ components/
β β β βββ AppointmentBooking.tsx
β β β βββ MedicalHistory.tsx
β β β βββ PrescriptionDisplay.tsx
β β β βββ VideoConsultation.tsx
β β βββ api/ (Encrypted requests)
β β βββ lib/
β βββ package.json
βββ database/
β βββ migrations/
β β βββ V1__create_users.sql
β β βββ V2__create_appointments.sql
β β βββ V3__create_medical_records.sql
β β βββ V4__create_audit_logs.sql
β βββ schemas/
β βββ fhir_mappings.sql
βββ compliance/
β βββ hipaa_checklist.md
β βββ audit_policies.yaml
β βββ data_retention.yaml
βββ terraform/
β βββ vpc.tf (Isolated network)
β βββ rds.tf (Encrypted DB)
β βββ s3.tf (Encrypted storage)
β βββ security_groups.tf
βββ tests/
βββ unit/
βββ integration/
βββ security/ (Penetration testing)
```
**Key Entry Points:**
- `backend/auth-service/src/main/.../AuthController.java` β Authentication
- `backend/medical-records-service/.../FHIRController.java` β Medical data API
- `backend/video-service/.../VideoSessionController.java` β Video calls
- `mobile_app/lib/screens/video_consultation_screen.dart` β Patient video UI
- `provider_portal/src/views/ConsultationRoom.vue` β Provider interface
---
### π§ SECTION 4 β Business Logic Knowledge Base
**HealthSync Business Rules (Compliance-First)**
**How Patient Consultations Work (With Compliance):**
When a patient books a consultation, HealthSync verifies their insurance, confirms the doctor is available, and sends reminders. During the call, both patient and doctor are authenticated (multi-factor required). The video is encrypted end-to-end, and a complete audit log records who accessed what data and when. All actionsβviewing medical records, writing prescriptions, accessing notesβare logged for compliance audits.
**Key Business Rules:**
1. **Authentication & Access Control:**
- All users require MFA (multi-factor authentication)
- Patients: Can only access their own records
- Providers: Can access only patients they're authorized to treat
- Admins: Can access anonymized audit logs only
- Token expiration: 15 minutes (re-auth required)
- Session timeout: 30 minutes of inactivity (auto-logout)
2. **Medical Record Access Audit:**
- Every view logged: timestamp, user ID, provider ID, patient ID, record type
- Suspicious access flagged: Same user > 10 accesses in 5 minutes
- Compliance report: Monthly (who accessed what)
- Immutable logs: Cannot be deleted (only retention policy purges)
3. **Prescription Rules:**
- eRx validation: Drug interaction checker (before transmission)
- Refill limits: Max 3 refills unless provider extends
- Scheduled drugs: Require separate authorization (DEA rules)
- Transmission: Encrypted NCPDP format to pharmacy (standard)
- Pharmacy notification: Realtime SMS + push notification
4. **Appointment Scheduling:**
- Pre-authorization: Insurance verification (automatic)
- Reminders: SMS 24 hours + 1 hour before (patient confirmation required)
- No-show tracking: >2 no-shows β require deposit for future
- Cancellation policy: Free cancellation up to 24 hours before
- Max concurrent: Provider can't have >5 consultations in 1-hour window
5. **Data Retention & Deletion:**
- Patient records: Retain 7 years (legal requirement for medical)
- Audit logs: Retain 3 years (compliance requirement)
- Video recordings: Retain 90 days then encrypted archive 2 years
- Automatic purge: Post-retention, delete via secure shred (not recoverable)
- Patient request: Right to delete (within legal constraints)
6. **Encryption Standards:**
- At Rest: AES-256 (medical records in S3 + RDS)
- In Transit: TLS 1.3 (all API calls)
- Video: DTLS-SRTP (WebRTC encryption)
- Key Management: AWS KMS (keys rotated quarterly)
- Prescriptions: PGP encryption (pharmacy-specific keys)
7. **Insurance Verification:**
- Pre-visit: Automated eligibility check (coverage + copay)
- Real-time: Check against payer database
- Denial handling: Flag patient if coverage declined
- Claim submission: Automatic (after visit completion)
---
### π SECTION 5 β API & Integration Documentation
**HealthSync REST API Reference**
```
POST /api/v1/auth/login
User authentication
{
"email": "patient@example.com",
"password": "encrypted_password"
}
Response:
{
"access_token": "jwt_token_encrypted",
"mfa_required": true,
"mfa_challenge_id": "challenge_xyz"
}
```
```
POST /api/v1/auth/mfa/verify
Verify MFA code (SMS/authenticator app)
{
"mfa_challenge_id": "challenge_xyz",
"otp_code": "123456"
}
Response:
{
"access_token": "final_jwt_token",
"expires_in": 900 # 15 minutes
}
```
```
GET /api/v1/patients/{patientId}/medical-records
Retrieve patient medical records (FHIR format)
Authorization: Bearer {access_token}
Response:
{
"resourceType": "Bundle",
"entry": [
{
"resource": {
"resourceType": "Patient",
"id": "pat_123",
"name": [{...}],
"birthDate": "1990-01-15"
}
},
{
"resource": {
"resourceType": "Observation",
"code": {"coding": [{"system": "LOINC", "code": "3141-9"}]},
"value": {"value": 70, "unit": "kg"}
}
}
]
}
```
```
POST /api/v1/appointments
Schedule appointment
{
"patient_id": "pat_123",
"provider_id": "doc_456",
"appointment_type": "consultation",
"scheduled_time": "2025-07-15T10:00:00Z",
"reason": "Follow-up for hypertension"
}
Response:
{
"appointment_id": "apt_789",
"status": "scheduled",
"insurance_verified": true,
"copay": "$25.00",
"confirmation_sent": true
}
```
```
POST /api/v1/prescriptions
Write prescription (provider only)
{
"patient_id": "pat_123",
"medication": "Lisinopril",
"dosage": "10mg",
"frequency": "once daily",
"quantity": 30,
"refills": 3,
"pharmacy_npi": "1234567890"
}
Response:
{
"prescription_id": "rx_321",
"status": "transmitted_to_pharmacy",
"pharmacy_confirmation_time": "2025-07-15T11:32:00Z",
"patient_notification_sent": true
}
```
```
GET /api/v1/audit-logs?user_id={userId}&date_from=2025-07-01&date_to=2025-07-31
Retrieve audit trail (admin/compliance only)
Response:
{
"logs": [
{
"timestamp": "2025-07-15T10:15:32Z",
"user_id": "doc_456",
"action": "accessed_medical_record",
"resource_id": "pat_123",
"record_type": "lab_results",
"ip_address": "192.168.1.100",
"status": "success"
}
],
"total": 1523
}
```
**gRPC Services (Internal):**
```protobuf
service AuthService {
rpc ValidateToken(TokenRequest) returns (TokenResponse);
rpc RefreshToken(RefreshRequest) returns (TokenResponse);
}
service EncryptionService {
rpc EncryptData(EncryptRequest) returns (EncryptResponse);
rpc DecryptData(DecryptRequest) returns (DecryptResponse);
}
```
**3rd Party Integrations:**
- **Pharmacy eRx (NCPDP):** Prescription transmission
- **Insurance APIs:** Eligibility verification
- **Twilio:** SMS appointment reminders
- **SendGrid:** Email notifications
- **Stripe:** Payment processing (PCI-DSS compliant)
---
### ποΈ SECTION 6 β Database & Data Flow
**HealthSync Database Schema**
```
PostgreSQL RDS (Encrypted):
users table:
- id (PK)
- email
- password_hash (bcrypt)
- role (patient, provider, admin)
- mfa_enabled (boolean)
- mfa_secret (encrypted)
- created_at
- last_login_at
- is_active
patients table:
- id (PK)
- user_id (FK)
- date_of_birth
- gender
- phone
- insurance_provider
- insurance_id
- emergency_contact
- medical_allergies (encrypted)
- chronic_conditions (encrypted)
providers table:
- id (PK)
- user_id (FK)
- license_number (encrypted)
- specialty
- npi (National Provider ID)
- availability (JSON schedule)
- bio
appointments table:
- id (PK)
- patient_id (FK)
- provider_id (FK)
- scheduled_time
- appointment_type (consultation, follow-up)
- status (scheduled, in_progress, completed, cancelled)
- reason (encrypted)
- insurance_verified (boolean)
- created_at
- completed_at
medical_records table:
- id (PK)
- patient_id (FK)
- record_type (labs, imaging, notes, vital_signs)
- content (encrypted FHIR JSON)
- provider_id (FK) - who created it
- created_at
- accessed_at (for audit)
prescriptions table:
- id (PK)
- patient_id (FK)
- provider_id (FK)
- medication_name (encrypted)
- dosage (encrypted)
- frequency
- quantity
- refills_remaining
- pharmacy_npi
- transmitted_at
- pharmacy_confirmation_at
- status (written, transmitted, filled, refilled)
audit_logs table (IMMUTABLE):
- id (PK)
- user_id (FK)
- action (accessed_record, wrote_prescription, viewed_appointment)
- resource_type
- resource_id
- timestamp (UTC)
- ip_address (encrypted)
- status (success, denied)
- details (JSON - what was accessed)
video_session_logs table:
- id (PK)
- appointment_id (FK)
- session_id
- start_time
- end_time
- recording_encrypted_path (S3 location)
- participant_count
- quality_metrics (latency, packet_loss)
Elasticsearch (Full-text search on medical records):
Index: medical_records
- patient_id
- content (searchable text)
- keywords (symptoms, diagnoses)
- created_date (faceted search)
```
**Data Lifecycle (With Compliance):**
1. Patient books appointment β stored in appointments table
2. Insurance verified β `insurance_verified` flag set
3. Appointment time β WebRTC video session created (encrypted)
4. During call: Audio/video encrypted β Jitsi server
5. Provider accesses medical history β `accessed_at` logged in medical_records
6. Provider writes prescription β prescriptions table + audit log
7. Prescription β encrypted transmission to pharmacy (NCPDP)
8. Post-visit: Session recording β encrypted S3 storage
9. Appointment marked complete β analytics update
10. Daily: Compliance bot audits access patterns β flags suspicious activity
11. After 90 days: Video recording moved to cold storage (cheaper)
12. After 3 years: Audit logs archived to separate compliance database
13. After 7 years: Patient medical records purge (legal requirement)
---
### π¨βπ» SECTION 7 β Developer Onboarding System
**HealthSync Onboarding Playbook**
**Prerequisites:**
- Java 17, Maven 3.9+, PostgreSQL 14+
- Flutter SDK (for mobile development)
- Node.js 18+ (for Vue.js/Next.js)
- Docker & Docker Compose
- AWS CLI configured
- OpenSSL (for encryption testing)
**Setup (90 minutes - includes security training):**
```
1. git clone healthsync-repo
2. cd healthsync && cp .env.example .env
3. Read SECURITY.md (mandatory - 15 min)
4. Complete compliance quiz (certification required)
5. docker-compose up (PostgreSQL + Redis + Elasticsearch)
6. cd backend && mvn clean install
7. mvn spring-boot:run -pl auth-service (starts auth service)
8. mvn spring-boot:run -pl appointment-service (separate terminal)
9. mvn spring-boot:run -pl medical-records-service
10. cd ../mobile_app && flutter pub get && flutter run
11. cd ../patient_portal && npm install && npm run dev
12. Test login: Use test credentials in .env (test patient + provider)
13. Verify encryption: Check HTTPS certificate (should show AWS ACM)
14. Verify audit logging: docker logs healthsync-audit-service
```
**Security Checklist (Before First Commit):**
- β
Read HIPAA overview (`docs/hipaa-overview.md`)
- β
Understand encryption key rotation (`docs/key-management.md`)
- β
Review RBAC permissions (`docs/access-control.md`)
- β
Know audit logging requirements (`docs/compliance.md`)
- β
Never commit credentials (use AWS Secrets Manager)
- β
Enable MFA on AWS account
**Architecture Understanding:**
- **Auth Flow:** User login β MFA challenge β JWT token (15 min expiry)
- **Medical Data:** FHIR standard β Elasticsearch index β Patient portal display
- **Prescriptions:** eRx validation β encrypted transmission β pharmacy confirmation
- **Audit Trail:** Every action β Kafka β audit-service β immutable log β S3
- **Compliance:** Daily bot checks access patterns β flags anomalies
**First Contribution (Task Example):**
Task: Add "medication allergies" field to patient profile
1. Database: `migrations/V5__add_allergies_column.sql` β add `allergies` column
2. Backend: Update `Patient.java` model β add `allergies` field
3. API: Create endpoint `GET /api/v1/patients/{id}/allergies`
4. Encryption: Use `EncryptionUtil.encrypt(allergies)` before storing
5. Audit: Log field access in audit_logs
6. Mobile: UI component `AllergyDisplay.dart`
7. Test: Unit test for encryption + integration test for API
8. Security: Verify RBAC (only patient + authorized providers can see)
**Coding Standards:**
- Java: Spring Boot best practices, no hardcoded credentials
- Encryption: Always use AES-256 for sensitive data
- Logging: Use structured logging (JSON format)
- Testing: Min 85% code coverage, security tests mandatory
- Commits: Clear messages with JIRA ticket reference
- PR: Security review required before merge
**Debugging & Local Testing:**
```
# Test auth flow
curl -X POST http://localhost:8080/api/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"email": "patient@test.com", "password": "test123"}'
# Test encryption/decryption
java -cp target/classes com.healthsync.shared.encryption.TestEncryption
# Check audit logs locally
docker exec healthsync-postgres psql -U postgres -c \
"SELECT * FROM audit_logs ORDER BY timestamp DESC LIMIT 10;"
# Monitor Kafka events
docker exec healthsync-kafka kafka-console-consumer.sh \
--bootstrap-servers localhost:9092 \
--topic audit-events --from-beginning
```
---
### βοΈ SECTION 8 β Operations & Maintenance
**HealthSync Operations Handbook**
**Deployment Pipeline:**
- CI/CD: GitHub Actions (security scanning before deploy)
- SAST: SonarQube scans for vulnerabilities
- Dependency check: CVE detection (npm + Maven)
- Docker images: Scanned for known vulnerabilities
- Staging: Full stack test before production
- Prod deployment: Blue-green (zero-downtime) with automatic rollback
**Monitoring & Alerting:**
- CloudWatch: Application health, API latency, error rates
- Alert conditions:
- API response time >500ms (scale up)
- Error rate >1% (page on-call engineer)
- Audit log lag >5 minutes (data loss risk)
- Encryption key access >100/hour (potential breach)
- Failed MFA attempts >10/hour per user (account compromise)
**Backup & Disaster Recovery:**
- RDS: Automated daily snapshots (30-day retention)
- S3: Versioning enabled (immutable audit logs)
- Disaster recovery test: Quarterly (restore from backup)
- RTO: 2 hours | RPO: 1 hour
- Compliance: All backups encrypted (AES-256)
**Scaling Strategy:**
- Stateless services: Scale horizontally (ECS)
- Video service: Pre-warm for peak hours (high concurrency)
- Database: Read replicas for medical records queries
- Cache: Redis cluster for session management
**Compliance Monitoring Dashboard:**
- Real-time metrics: Unauthorized access attempts
- Anomaly detection: Unusual access patterns
- Audit trail: Complete activity log (searchable)
- Alerts: Policy violations (immediate escalation)
**Common Production Issues & Fixes:**
| Symptom | Cause | Fix |
|---------|-------|-----|
| Video call won't connect | WebRTC firewall issue | Check AWS security groups + STUN/TURN config |
| Prescription transmission fails | Pharmacy API timeout | Retry with exponential backoff + manual alert |
| Patient can't view own records | JWT token expired | Force re-login (triggers MFA) |
| Audit logs slow query | Elasticsearch index fragmented | Run index optimization |
| Encryption key rotation stuck | KMS service issue | Check AWS IAM + manually trigger retry |
| High API latency | PostgreSQL connection pool exhausted | Scale read replicas + tune pool size |
**Runbook: Handle Data Breach Scenario**
1. **Immediate (0-15 min):**
- Isolate affected service from network
- Revoke all JWT tokens (force re-auth)
- Alert security team + compliance officer
- Start incident response protocol
2. **Investigation (15-60 min):**
- Query audit logs: Who accessed what data? When?
- Identify scope: How many patients affected?
- Check logs: Any suspicious patterns before incident?
3. **Remediation (1-4 hours):**
- Rotate encryption keys (AWS KMS)
- Reset all user passwords (send reset links)
- Apply security patches
- Update firewall rules
4. **Notification (4-24 hours):**
- Legal review required (HIPAA breach notification)
- Contact affected patients (required by law)
- Submit to HHS Office for Civil Rights
5. **Post-Incident (1 week):**
- Root cause analysis
- Security audit
- Update documentation
---
### π SECTION 9 β Documentation Governance
**HealthSync Documentation Standards (Compliance-Critical)**
- **Ownership:**
- Auth/Security: Security engineer
- Medical Records: Chief Medical Information Officer (CMIO)
- Compliance: Compliance officer
- Video/Infrastructure: DevOps lead
- **Review Process:**
- All code changes require security review
- Compliance changes reviewed by legal + compliance team
- Documentation changes tracked in version control
- Audit trail: Who changed what, when, why
- **Update Frequency:**
- Real-time: Security vulnerabilities (immediate hotfix)
- Weekly: Compliance audit findings
- Monthly: Operational runbooks + incident reviews
- Quarterly: Architecture reviews + security assessments
- **Mandatory Documentation:**
- β
Every API endpoint with examples + security notes
- β
Encryption key management procedures
- β
Audit logging requirements
- β
Patient data retention policies
- β
Incident response runbooks
- β
HIPAA compliance checklist
- **Versioning:**
- Docs follow deployment versions
- CHANGELOG.md tracks all changes
- Archive old docs (7-year retention)
---
# π§Ύ FINAL KNOWLEDGE TRANSFER CHECKLIST
β
Executive summary completed (healthcare compliance value)
β
Architecture documented (encryption-first, multi-layered security)
β
Repository structure mapped (Java microservices layout)
β
Business logic explained (HIPAA compliance + prescription workflows)
β
APIs documented (REST + gRPC, with security notes)
β
Database schema defined (encrypted at rest, immutable logs)
β
Onboarding playbook created (90-min setup with security cert)
β
Operations guide completed (compliance monitoring + incident response)
β
Governance framework established (legal + compliance oversight)
**Knowledge Transfer Complete** β Team can now:
- Understand healthcare data security requirements
- Build compliant features (encryption + audit logging)
- Handle HIPAA violations (incident response)
- Manage encryption keys (AWS KMS)
- Debug video consultation issues
- Interpret FHIR medical records
- Process prescriptions securely
- Maintain complete audit trail
- Deploy without HIPAA violations
---
**Four completely different projects tested:**
1. β
**PayFlow** (FinTech payment processing - Node.js + Kafka)
2. β
**LearnHub** (EdTech adaptive learning - Python + PyTorch)
3. β
**ChefOS** (Restaurant SaaS - Go + GraphQL)
4. β
**HealthSync** (HealthTech telemedicine - Java Spring Boot + HIPAA)
π― **Each test covers:**
- Unique domain + business model
- Different tech stack
- Unique business logic & constraints
- Distinct operational requirements
- Sector-specific compliance (payments, education, hospitality, healthcare)
Ready to test on YOUR actual codebase now? Provide inputs and I'll deliver a **complete documentation OS** tailored to your project π
By purchasing this prompt, you agree to our terms of service
CLAUDE-5-SONNET
A codebase shouldn't depend on tribal knowledge. β οΈ
This prompt transforms any software repository into a complete Documentation & Knowledge Transfer Operating System (OS) by generating structured engineering documentation, architecture guides, business logic explanations, onboarding materials, API references, deployment guides, troubleshooting documentation, and long-term maintenance playbooks.
ποΈ Architecture & system documentation
π§ Business logic knowledge base
π Repository & module docum
...more
Added 11 hours ago
