Z3 — Healthcare / HealthTech Reference Platform
Asset: Z3 | Workstream: [GTM][A] | Ownership: [SO→CO] | Owner: Sagar | Status: drafted (sales-doc form valid now; full deploy tracks M4) | = Z1 + delta
HIPAA-aligned PHI posture for HealthTech. Z1 + delta per Z0. Covers the HIPAA Security Rule Technical Safeguards; Administrative + Physical safeguards are process/physical and out of SnowOps's technical scope (Y7 §6).
1. BOM — Z1 base + Healthcare delta
Base: the full Z1 BOM (all 🟦 today).
Delta (the PHI / HIPAA additions):
| Layer | Added asset(s) | HIPAA tie | Status |
|---|---|---|---|
| Encryption everywhere | M1 (deny unencrypted), M2 (CMK), M3 (TLS floor) | §164.312(a)(2)(iv), (e)(1) | roadmap (M2a/M4) |
| PHI classification | M4 (Purview), M5 (DLP) | data inventory, leak prevention | roadmap (M4) |
| Immutable audit logs | J6 (WORM forwarding), J1 (LAW) | §164.312(b) audit controls | roadmap (M2a) |
| Integrity | D4 (signed images — base), J6 (WORM) | §164.312(c)(1) | 🟦 / roadmap |
| Access controls | H1–H3 (base), H6 (access reviews) | §164.312(a)(1), (d) | 🟦 / roadmap (M4) |
| Data residency | M6 (allowed regions) | data locality | roadmap (M2a) |
| Network privacy | N5 (private-endpoint enforce), N7 (zero-trust) | transmission security | roadmap (M2a/M4) |
| DSAR / privacy | M7 (GDPR/CCPA evidence + DSAR template) | data-subject rights | roadmap (M4) |
Honesty: Z1 base ships today; the PHI delta is largely roadmap (M4). Sales-doc form valid now; scope engagements to the shipped floor + explicit delta roadmap. PHI-handling assumptions documented (§3).
2. Diagram (delta vs Z1)
Z1 topology, plus: all data stores CMK-encrypted; Purview cataloging PHI;
DLP at egress; every audit log forwarded WORM-immutable; zero-trust private path
end-to-end (no public route to the data plane). (d2 with V2.)
3. PHI-handling assumptions (documented — the Z3 DoD)
- PHI never transits SnowOps systems. SnowOps engineers the platform + reads posture metadata (read-only audit, G0) — not PHI. The DPA (Y12) states this; SnowOps is a limited processor at most.
- PHI stays in the client tenant + chosen region (M6 enforces residency).
- Encryption-everywhere + immutable logging are the technical floor; the client's BAA with its customers references these controls.
- Administrative (§164.308) + Physical (§164.310) safeguards are the client's program (+ a vCISO) — SnowOps provides templates (V1 policy library) but does not "cover" them as platform controls.
4. Compliance mapping (HIPAA Security Rule technical + SOC 2)
See Y7 §4. The Z3 delta covers §164.312(a)–(e) technical safeguards; §164.308/§164.310 are out of technical scope (§3).
5. Cost estimate (delta vs Z1)
Z1 base + PHI additions:
| Addition | Illustrative $/mo ⚠️ |
|---|---|
| CMK / Managed HSM | $[~1,000+] |
| Purview | $[200–800] |
| Immutable log storage + extended retention | $[100–500] |
| Zero-trust network (extra PE/private DNS) | $[50–200] |
DoD (Z3)
- BOM validates against §4. (Met — delta lines resolve; status flagged.)
- HIPAA Security Rule mapping (Y7) attached. (Met — §4.)
- PHI-handling assumptions documented. (Met — §3.)
- Unshipped assets flagged with milestone. (Met — §1.)