Security & Compliance: OpenEvidence API / Hermes Integration

Review status

Not started. Required before any PHI, PII, production, or vendor-contracted use.

Data classification

Initial exploration: non-sensitive public/vendor information only.

PHI / PII considerations

  • Do not send PHI or patient-specific data.
  • Verify BAA, data retention, logging, subprocessors, and training-on-data policies.

Vendor / API considerations

  • Need confirmation of official API/enterprise access.
  • Need the terms of use and security documentation.
  • Need details on authentication, rate limits, audit logging, and citation structure.

Required approvals

  • Security/legal review for vendor/API terms.
  • Clinical review for product or doctor-facing use.

Open security questions

  • Does OpenEvidence sign a BAA?
  • Are requests/responses retained or used for training?
  • Can logging be disabled or scoped?
  • What access controls and audit logs are available?