# Privacy Compliance Checklist — Boojee Companion Care

**DRAFT — for legal review, not legal advice.** Maps each legal obligation to a concrete product control and its current status. Status legend: **[HAVE]** = a supporting control exists in the backend/design today; **[PARTIAL]** = exists but incomplete/unverified; **[MISSING]** = not yet built; **[POLICY]** = satisfied by document/process rather than code. Backend reference: `companion-care/backend/care_config.json`, DynamoDB tables `boojee-care-{checkins,screenings,alerts,consent,audit,alerts-outbox}` (account 060276830882, us-east-1).

> Nothing here asserts the product *is* compliant. This is a gap map for counsel + engineering.

---

## A. Consent & lawful basis

| # | Obligation (source) | Product control | Status |
|---|---|---|---|
| A1 | Separate, opt-in, GDPR-grade consent to collect/share consumer health data (MHMDA, NV SB370, state sensitive-data laws) | Dedicated Care-Mode **Informed Consent / Enrollment Agreement** flow, distinct from ToS; consent recorded before any health action | **[PARTIAL]** consent table + `grant/withdraw/get_consent` API exist; a distinct, plain-language UI consent screen must be the gate |
| A2 | Consent NOT bundled into general ToS (MHMDA "separate and distinct") | Consent screen separated from ToS acceptance; own record | **[PARTIAL]** design specified in informed-consent.md; UI must enforce |
| A3 | Explicit consent for special-category health data (GDPR Art. 9(2)(a)) | Explicit checkbox/e-signature; recorded scope + timestamp | **[PARTIAL]** consent record supports scope; explicit-consent wording added |
| A4 | Separate authorization to SELL consumer health data (MHMDA/NV) | **Do not sell health data** — no sale path exists | **[HAVE]** (by policy — no sale) **[POLICY]** |
| A5 | Written (e-signature OK) consent before voice processing (BIPA belt-and-suspenders / MHMDA biometric) | Voice-processing consent clause in enrollment agreement | **[PARTIAL]** clause drafted; UI capture needed |
| A6 | Right to withdraw consent easily (all regimes) | `withdraw_consent(user_id)` API + UI control | **[HAVE]** API; **[MISSING]** user-facing withdraw button |
| A7 | Capacity / surrogate-consent path for older adults lacking capacity | Eligibility/capacity gate; capture surrogate authority (POA/proxy/guardian) + relationship | **[MISSING]** |

## B. Notice / transparency

| # | Obligation | Product control | Status |
|---|---|---|---|
| B1 | Dedicated **Consumer Health Data Privacy Policy** linked from homepage (MHMDA/NV) | Separate policy page under `/companion-care/legal/privacy/` + homepage link | **[PARTIAL]** policy drafted; homepage link to add |
| B2 | CCPA **Notice at Collection** (categories, purposes, retention, sale/share) at/ before collection | Notice-at-collection block in privacy policy + at signup | **[PARTIAL]** in privacy-policy.md |
| B3 | List of third parties/affiliates data is shared with (MHMDA/NV right) | Maintained sharing list; disclosed + available on request | **[PARTIAL]** current list = AWS (processor) only; document + keep current |
| B4 | AI disclosure — user is talking to an AI, not a human/clinician (FTC §5, state AI laws) | Prominent AI disclosure in ToS, consent, and in-product | **[PARTIAL]** in ToS/consent; ensure in-product banner |
| B5 | Retention period disclosed (CCPA) | Retention schedule stated in policy | **[PARTIAL]** stated; must match actual TTL config |

## C. Consumer/data-subject rights

| # | Obligation | Product control | Status |
|---|---|---|---|
| C1 | Right to **delete** (MHMDA, NV, CCPA, state laws, GDPR erasure) incl. downstream notice | Backend **delete** endpoint purging checkins/screenings/alerts/consent for a user; propagate to any recipient | **[MISSING]** the `care_client.py` wrapper exposes consent grant/withdraw + outcome-report export, but **no data-subject delete/erasure action** — a dedicated per-user purge endpoint across all tables must be built and verified. (Note: `withdraw_consent` ≠ deletion.) |
| C2 | Right to **access / export** data (CCPA, GDPR, portability) | Backend **export** endpoint returning the user's records | **[MISSING]** the existing `outcome_report`/`get_trend` are analytics summaries, **not a data-subject access/portability export** of the individual's raw records — build a distinct DSAR export endpoint |
| C3 | Right to **correct** inaccurate data (CCPA, state laws, GDPR rectification) | Correction request path (edit check-in/profile) | **[MISSING]** correction workflow |
| C4 | Right to **opt out of sale/share / targeted ads** + honor Global Privacy Control (CCPA/state) | No sale/share; GPC honored on web surfaces | **[HAVE]** no ad trackers **[POLICY]**; **[MISSING]** GPC signal handling |
| C5 | Right to **limit use of sensitive PI** (CPRA) | Sensitive-data used only for the requested service | **[HAVE]** by design **[POLICY]** |
| C6 | Right to confirm collection/sharing (MHMDA/NV) | Access endpoint + policy contact | **[PARTIAL]** |
| C7 | Identity verification for rights requests | Verify requester before delete/export | **[MISSING]** verification step |

## D. Data minimization, retention, de-identification

| # | Obligation | Product control | Status |
|---|---|---|---|
| D1 | Collect only minimum necessary (all regimes / HIPAA min-necessary) | Schema limited to mood/sleep/meds/ate/pain/note + screening answers; no extraneous PII | **[HAVE]** narrow schema |
| D2 | Retention limits with automated deletion | **DynamoDB TTL** on records per retention schedule | **[MISSING]** TTL attributes not confirmed set |
| D3 | Discard raw voice audio quickly (BIPA/MHMDA) | Transcribe-then-discard; no server-side audio retention | **[MISSING]/UNVERIFIED** — confirm no audio persisted |
| D4 | No voiceprint / speaker-recognition template created (BIPA/CUBI/WA) | Speech-to-text only; no biometric enrollment/matching | **[HAVE]** by design — document the negative |
| D5 | De-identify to strictest standard for payer/labs analytics; bar re-identification | HIPAA Safe Harbor + aggregate; contractual no-reID | **[PARTIAL]** outcome_report exists — must run on de-identified/aggregate data |

## E. Security

| # | Obligation | Product control | Status |
|---|---|---|---|
| E1 | Encryption in transit (all regimes) | TLS on Function URL / API Gateway | **[HAVE]** HTTPS endpoints |
| E2 | Encryption at rest (HIPAA Security Rule; reasonable security) | DynamoDB encryption at rest (KMS) | **[PARTIAL]** confirm KMS-CMK vs default |
| E3 | Least-privilege access / unique IDs | Scoped IAM role `boojee-care-engine-role` | **[PARTIAL]** review scope |
| E4 | **Audit logging** (HIPAA audit controls; accountability) | `boojee-care-audit` table records actions | **[HAVE]** audit table |
| E5 | Secrets not in code | Secrets Manager | **[POLICY]** verify |
| E6 | Written incident-response / breach runbook | IR plan satisfying shortest clock (72h GDPR / 60d FTC-HIPAA) | **[MISSING]** |
| E7 | Reasonable safeguards program / risk analysis (DPIA/DPA) | Written DPIA for sensitive-data processing + automated crisis-flagging | **[MISSING]** |

## F. No prohibited practices

| # | Obligation | Product control | Status |
|---|---|---|---|
| F1 | No ad/analytics trackers or third-party SDKs receiving health data (FTC HBNR unauthorized-disclosure = breach; MHMDA; CCPA no-sale) | Companion surfaces carry no ad pixels/analytics SDKs | **[PARTIAL]** audit the pages to confirm |
| F2 | No geofencing around health facilities (MHMDA/NV) | Product uses no geofencing/precise location | **[HAVE]** by design — document |
| F3 | No sale/share of consumer health data (MHMDA/NV/CCPA) | No sale path; contracts bar processor reuse | **[HAVE]** **[POLICY]** |
| F4 | No false "HIPAA compliant / diagnoses / medical / anonymous" claims (FTC §5) | Marketing + policy language reviewed against code | **[PARTIAL]** enforce across site copy |

## G. Vendor / cross-border / population

| # | Obligation | Product control | Status |
|---|---|---|---|
| G1 | BAA with AWS (payer channel) + downstream flow-down | Execute AWS BAA via AWS Artifact | **[MISSING]** `baa_status: NOT_EXECUTED` |
| G2 | BAA with each covered-entity client before PHI flows (payer channel) | Contract gate | **[MISSING]** |
| G3 | Processor/DPA contracts with all vendors (state laws / GDPR Art. 28) | Written DPA with AWS + any vendor | **[PARTIAL]** |
| G4 | Cross-border transfer mechanism if EU/UK (GDPR) | Geo-restrict to US now; SCCs later | **[POLICY]** state US-only |
| G5 | Scoped, revocable caregiver access (elder protection) | Caregiver dashboard shows alerts/trends, not raw transcripts; consented + revocable | **[PARTIAL]** scope the caregiver view |

## H. Breach notification readiness

| # | Obligation | Product control | Status |
|---|---|---|---|
| H1 | FTC HBNR: individuals+FTC ≤60d, media ≥500, disclosure counts as breach | IR runbook with HBNR notice template + 60-day clock | **[MISSING]** |
| H2 | HIPAA (BA): ≤60d up-chain + 4-factor risk test | IR runbook + 4-factor assessment form | **[MISSING]** |
| H3 | State breach laws: notify residents (some 30–60d) + AG | State-matrix in runbook | **[MISSING]** |
| H4 | GDPR: authority ≤72h; individuals if high risk | EU section in runbook (if EU launch) | **[MISSING]** |

---

## Highlights — what we already have vs what's missing

**Already have (code/design):**
- Consent lifecycle API (grant/withdraw/get) + dedicated `consent` table (A1–A3, A6 backend).
- Audit log table (E4).
- Narrow, minimized data schema — no SSN/financial/extraneous PII (D1).
- No-voiceprint, speech-to-text-only design; no geofencing; no sale path (D4, F2, F3) — these are strong, defensible negatives; document them.
- HTTPS everywhere (E1).

**Missing / must build before a real launch with real users:**
- **Data-subject delete (erasure) and access/export (DSAR) endpoints** — currently absent from the client; the backend has consent + analytics only (C1–C2). This is the single most important missing privacy control.
- Plain-language, **separate** consent UI screen that actually gates data collection (A1–A2, A5) + user-facing withdraw/delete/export buttons (A6, C1–C2).
- **Capacity gate + surrogate-consent path** for older adults (A7).
- **Retention TTL** on DynamoDB records + **confirmed audio-discard** (D2, D3).
- **Correction** workflow + **identity verification** for rights requests (C3, C7).
- **GPC** opt-out signal handling (C4).
- **DPIA/DPA** documents + **incident-response/breach runbook** (E6, E7, H1–H4).
- **AWS BAA** (and client BAAs) before any PHI/payer channel (G1–G2).
- Confirm **encryption-at-rest KMS config**, IAM least-privilege review, and **no trackers** on companion pages (E2–E3, F1).
- Keep the **third-party sharing list** current and honest (B3).

**Overriding rule:** build to the **strictest** applicable regime (MHMDA + BIPA + FTC HBNR). Doing so largely satisfies the state comprehensive laws and Nevada by construction. Never publish a "compliant" claim — publish accurate practices and let counsel certify.
