Essential Metadata Fields (Healthcare + Finance)

Most compliance capabilities should be driven by metadata, not paths. This document defines the minimum metadata fields required for HIPAA and FINRA compliance.

Minimum Metadata (Frontmatter + Index DB)

Identity Fields

| Field | Type | Description |
|---|---|---|
| doc_id | UUID | Stable unique identifier |
| title | string | Document title |
| description | string | Brief summary |
| language | string | ISO language code (en, es, etc.) |

Classification & Sensitivity

| Field | Type | Description |
|---|---|---|
| security_classification | enum | public, internal, confidential, restricted, PHI, PCI |
| contains_phi | boolean | Contains Protected Health Information |
| contains_pii | boolean | Contains Personally Identifiable Information |
| contains_financial_account_data | boolean | Contains financial account data |

Regulatory Mapping

| Field | Type | Description |
|---|---|---|
| regulations | string[] | Regulation codes: ["HIPAA-164.316", "GDPR-32", "SEC-17a-4"] |
| jurisdiction | string[] | Jurisdictions: ["US", "EU", "BR"] |

Lifecycle & Retention

| Field | Type | Description |
|---|---|---|
| document_type | enum | policy, sop, work_instruction, clinical_protocol, product_disclosure |
| status | enum | draft, in_review, approved, effective, obsolete |
| effective_date | date | When the document became/becomes effective |
| review_due_date | date | Next required review |
| expiry_date | date | When the document expires |
| retention_category | string | Mapped to policy table (e.g., HIPAA-6Y, SEC-7Y) |
| retain_until | date | Computed: destroy after this date |

Ownership & Context

| Field | Type | Description |
|---|---|---|
| owner | string | User ID of document owner |
| responsible_role | string | Role title (e.g., "Data Protection Officer") |
| business_unit | string | Organizational unit |
| product | string | Related product |
| process | string | Related business process |
| system | string | Related IT system |

Versioning

| Field | Type | Description |
|---|---|---|
| version | string | Semantic version (e.g., "3.2.1") |
| supersedes | UUID | Previous version doc_id |
| superseded_by | UUID | Next version doc_id |
| change_reason | string | Why this version was created |

Access Policy Hints

| Field | Type | Description |
|---|---|---|
| allowed_roles | string[] | Roles permitted access |
| allowed_groups | string[] | Groups permitted access |
| need_to_know_tags | string[] | Fine-grained access tags (e.g., "oncology-team") |

YAML Frontmatter Example

---
doc_id: "550e8400-e29b-41d4-a716-446655440000"
title: "HIPAA Privacy Officer Policy"
description: "Defines the role and responsibilities of the Privacy Officer"
language: "en"

# Classification
security_classification: "confidential"
contains_phi: true
contains_pii: true
contains_financial_account_data: false

# Regulatory
regulations:
- "HIPAA-164.316"
- "HIPAA-164.530"
jurisdiction:
- "US"

# Lifecycle
document_type: "policy"
status: "effective"
effective_date: "2025-01-01"
review_due_date: "2027-01-01"
expiry_date: null
retention_category: "HIPAA-6Y"
retain_until: "2031-01-01"

# Ownership
owner: "user-123"
responsible_role: "Privacy Officer"
business_unit: "Compliance"
facility: "Hospital-A"

# Versioning
version: "3.2"
supersedes: "550e8400-e29b-41d4-a716-446655440001"
superseded_by: null
change_reason: "Annual review update"

# Access
allowed_roles:
- "privacy_officer"
- "compliance_team"
- "legal"
need_to_know_tags:
- "hipaa-policies"
---

Mapping to Database

This frontmatter maps cleanly to:

  • YAML frontmatter in each Markdown file
  • Normalized relational or graph store for querying
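As an added example (not part of this page or the project's code), the Python checker below enforces the field constraints above on a record loaded from frontmatter or the index store: required identity fields, the classification and status enums, and a recomputation of retain_until from effective_date plus the year count encoded in retention_category. The cross-field rules (sensitive flags forbid a public/internal classification and require an access policy) and the sample record are assumptions constructed from the frontmatter example above.

```python
# Added example: validates a compliance-metadata record against the fields on this
# page. The record and the cross-field rules are assumptions, not the project's code.
import re
from datetime import date

CLASSIFICATIONS = {"public", "internal", "confidential", "restricted", "PHI", "PCI"}
STATUSES = {"draft", "in_review", "approved", "effective", "obsolete"}
RETENTION_RE = re.compile(r"^[A-Z]+-(\d+)Y$")  # page's pattern, e.g. HIPAA-6Y, SEC-7Y

def retain_until(effective: date, category: str) -> date:
    """Destroy-after date: effective_date plus the years encoded in retention_category."""
    if not (m := RETENTION_RE.match(category)):
        raise ValueError(f"unrecognised retention_category: {category}")
    target = effective.year + int(m.group(1))
    try:
        return effective.replace(year=target)
    except ValueError:  # 29 Feb carried into a non-leap year: use 28 Feb
        return effective.replace(year=target, day=28)

def validate(meta: dict) -> list[str]:  # returns findings; an empty list means pass
    findings = []
    for field in ("doc_id", "title", "security_classification", "status", "owner"):
        if not meta.get(field):
            findings.append(f"missing required field: {field}")
    if meta.get("security_classification") not in CLASSIFICATIONS:
        findings.append("security_classification not in enum")
    if meta.get("status") not in STATUSES:
        findings.append("status not in enum")
    sensitive = any(meta.get(f) for f in
                    ("contains_phi", "contains_pii", "contains_financial_account_data"))
    if sensitive and meta.get("security_classification") in {"public", "internal"}:
        findings.append("sensitive flags set but classification is public/internal")  # assumed rule
    if sensitive and not (meta.get("allowed_roles") or meta.get("allowed_groups")):
        findings.append("sensitive content without allowed_roles/allowed_groups")  # assumed rule
    if meta.get("status") == "effective":  # effective documents need consistent dates
        eff, cat = meta.get("effective_date"), meta.get("retention_category")
        if eff is None:
            findings.append("effective status without effective_date")
        elif cat and meta.get("retain_until") != retain_until(eff, cat):
            findings.append(f"retain_until should be {retain_until(eff, cat)}")
    return findings

# Constructed record mirroring the page's frontmatter example (values taken from the page).
SAMPLE = {
    "doc_id": "550e8400-e29b-41d4-a716-446655440000", "title": "HIPAA Privacy Officer Policy",
    "security_classification": "confidential", "status": "effective", "owner": "user-123",
    "contains_phi": True, "contains_pii": True, "contains_financial_account_data": False,
    "effective_date": date(2025, 1, 1), "retention_category": "HIPAA-6Y",
    "retain_until": date(2031, 1, 1), "allowed_roles": ["privacy_officer", "compliance_team", "legal"],
}
```

Run `validate(SAMPLE)` on each record as it is indexed; a non-empty list is a record that should not be served until fixed.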