openevidence-prod-checklist

Prod Checklist for OpenEvidence. Trigger: "openevidence prod checklist".

AI & Automation 2,266 stars 315 forks Updated today MIT

Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# OpenEvidence Production Checklist

## Overview

OpenEvidence provides clinical decision support backed by peer-reviewed medical literature. A production integration handles Protected Health Information (PHI) subject to HIPAA, serves evidence-based answers where accuracy directly impacts patient outcomes, and must maintain complete audit trails for regulatory review. Misconfigurations can expose PHI in logs, serve stale clinical guidance, or fail compliance audits that shut down your integration entirely. This checklist enforces HIPAA-grade security, citation verification, and the SLA discipline required for healthcare-adjacent systems.

## Prerequisites

- Production OpenEvidence API credentials (not trial/sandbox keys)
- Secrets manager configured (Vault, AWS Secrets Manager, or GCP Secret Manager)
- HIPAA-compliant monitoring stack (no PHI in log aggregators without BAA)
- Business Associate Agreement (BAA) executed with OpenEvidence
- Compliance officer sign-off on data flow architecture

## Authentication & Secrets

- [ ] API keys stored in vault/secrets manager (never in code, env files, or CI logs)
- [ ] Key rotation schedule configured (every 90 days, with zero-downtime swap)
- [ ] Separate keys for staging vs production (staging keys cannot reach production data)
- [ ] Service account permissions scoped to query-only (no admin endpoints)
- [ ] API key exposure detection automated (scan logs/repos for leaked credentials)

## API Integration

- [ ] Base URL points to prod...

Details

Author: jeremylongshore
Repository: jeremylongshore/claude-code-plugins-plus-skills
Created: 7 months ago
Last Updated: today
Language: Python
License: MIT
