Kainos HL7 Editor Companion — Browser Extension

Privacy & Data-Handling Statement

Version 1.1 · Effective date: June 24, 2026

Plain-Language Summary

The Kainos HL7 Editor Companion is a browser extension that helps clinical users edit HL7 v2 messages that appear in web-based applications. All HL7 data stays entirely on your device. The extension never sends patient data — or any page content — to any remote server, cloud service, or third party. There is no analytics, no tracking, and no account required to use the extension.

When you focus on a field containing an HL7 message, the extension shows a small “Edit with HL7 Editor” button. Clicking it sends the HL7 text to the Kainos HL7 Editor desktop app running on your own computer — not to the internet. The edited message comes back the same way and is written into the field. Nothing leaves your machine.

1. What Data the Extension Accesses

1.1 HL7 Message Content (PHI-adjacent)

When a user focuses on or pastes text into a field on a web page, a lightweight script checks whether the text looks like an HL7 v2 message. This check occurs entirely in the browser’s memory. Three signals are evaluated: whether the text opens with MSH|, whether at least two known HL7 segment identifiers appear in the first 20 lines, and whether the pipe character density exceeds 3%. The text is never transmitted, stored, or logged by the extension — it is inspected and released.
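The three-signal check described above, sketched in Python as an added example (not the extension's own code, which runs in the browser). The segment list, the requirement that all three signals hold, and the reading of "two identifiers" as two distinct ones are assumptions; the sample message is constructed and contains no patient data.

```python
import re

# Assumed subset of HL7 v2 segment identifiers; the extension's own list is not on this page.
KNOWN_SEGMENTS = {"MSH", "EVN", "PID", "PD1", "NK1", "PV1", "PV2", "ORC",
                  "OBR", "OBX", "AL1", "DG1", "IN1", "NTE", "MSA", "ERR"}

# Constructed sample: three segments separated by carriage returns.
SAMPLE = ("MSH|^~\\&|SENDER|FAC|RECV|FAC|202601010000||ADT^A01|MSG0001|P|2.5\r"
          "PID|1||000000^^^TEST||DOE^JANE\r"
          "PV1|1|I")

def hl7_signals(text: str) -> dict:
    """Evaluate the three signals on an in-memory string; nothing is stored or sent."""
    # HL7 v2 separates segments with CR, but text pasted into a web field
    # often arrives with LF or CRLF, so all three line endings are accepted.
    lines = [ln for ln in re.split(r"\r\n|\r|\n", text.strip()) if ln]
    head = lines[:20]
    seg_ids = {ln[:3] for ln in head if len(ln) > 3 and ln[3] == "|"}
    return {
        "opens_with_msh": text.lstrip().startswith("MSH|"),
        "known_segments": len(seg_ids & KNOWN_SEGMENTS),
        "pipe_density": text.count("|") / len(text) if text else 0.0,
    }

def looks_like_hl7(text: str) -> bool:
    # Assumption: all three signals must hold; the page does not say how they combine.
    s = hl7_signals(text)
    return s["opens_with_msh"] and s["known_segments"] >= 2 and s["pipe_density"] > 0.03
```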

If the text is confirmed as HL7 and the user clicks the affordance, the HL7 content is passed exclusively to the Kainos HL7 Editor desktop application on the same machine via a loopback WebSocket connection (see §3). The edited result returns by the same path and is written back into the originating field. At no point does the HL7 content leave the device.

1.2 Extension Settings and Session State

The extension stores the following in browser.storage.local (on-device browser storage):

Data stored | Purpose
Detection scope (all-pages or opt-in) | Where auto-detection is enabled
Allowed / blocked origins | Per-site override rules
Activation mode (auto or manual) | Whether triggers attach automatically
SPA observer toggle | Whether to watch for dynamically-mounted editors
Communications mode (auto or clipboard) | Preferred round-trip transport
Debug logging flag | Opt-in diagnostics (off by default; no PHI logged)
Session active flag (hl7SessionActive) | Boolean keepalive state — whether an edit session is in progress

HL7 content and Protected Health Information (PHI) are never written to extension storage. This is a hard design constraint documented in the source code (HE-355).

1.3 Clipboard (Offline Fallback Only)

If the Kainos HL7 Editor desktop app is not running or the bridge is not connected, the extension presents a clipboard fallback option to the user. On user action, the HL7 text is copied to the operating system clipboard so the user can paste it into the desktop editor manually. This uses the OS clipboard — an on-device operation with no network involvement.

2. Where Data Goes — and What Never Leaves the Device

Data | Destination | Leaves Device?
HL7 message content | Local desktop app via loopback WebSocket (ws://127.0.0.1 / ws://localhost) | No
Edited HL7 result | Returned from local desktop app via same loopback | No
Extension settings | browser.storage.local (on-device browser storage) | No
Session active flag | browser.storage.local (on-device browser storage) | No
Offline HL7 (clipboard fallback) | OS clipboard, same machine, user-triggered | No
Analytics or telemetry | Not collected | N/A — not collected
Web page content (all pages) | Content script inspects focused-field text in-memory only — not transmitted, not exfiltrated | Content script has all-pages access; inspects only the focused field’s text, in-memory

The extension’s Content Security Policy (CSP) enforces the loopback constraint at the platform level. The connect-src directive is:

connect-src 'self' ws://127.0.0.1:* ws://localhost:* http://127.0.0.1:* http://localhost:*

No external host is reachable from any extension code path. This constraint is enforced by the browser.
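A deployer can verify the loopback claim against the policy string itself. The following check is an added example, not Kainos code: it parses a connect-src directive and lists every source that is not a loopback host. The function names and any policy other than the one quoted above are constructed for illustration.

```python
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# The directive exactly as quoted in this statement.
PAGE_CSP = ("connect-src 'self' ws://127.0.0.1:* ws://localhost:* "
            "http://127.0.0.1:* http://localhost:*")

def connect_sources(csp: str):
    """Return the source list of connect-src, or None if the policy has none."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "connect-src":
            return parts[1:]
    return None

def non_loopback_sources(csp: str):
    """List connect-src entries that could reach a host other than this machine."""
    sources = connect_sources(csp)
    if sources is None:
        # Without connect-src this directive restricts nothing; report it as a finding.
        return ["<no connect-src directive>"]
    findings = []
    for src in sources:
        if src.lower() in ("'self'", "'none'"):
            continue                      # the extension's own origin, or nothing at all
        # ":*" is a CSP port wildcard, not a port urlsplit can parse, so strip it first.
        candidate = src[:-2] if src.endswith(":*") else src
        try:
            host = urlsplit(candidate).hostname if "://" in candidate else None
        except ValueError:
            host = None
        # Exact host comparison: "localhost.example.net" must not pass as loopback.
        if host not in LOOPBACK_HOSTS:
            findings.append(src)          # also catches bare "*", "https:", wildcards
    return findings
```

connect-src governs script-initiated connections such as fetch, XMLHttpRequest, WebSocket and EventSource; resource loads and navigation fall under other directives and are outside this check.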

3. Desktop Bridge — Security Posture

The extension communicates with the Kainos HL7 Editor desktop app through a local WebSocket bridge with six layered security controls.

3.1 Off by Default

The bridge is disabled by default. No local listener starts until an administrator explicitly enables it in the desktop app’s Settings panel.

3.2 Loopback-Only Binding

When enabled, the bridge binds exclusively to 127.0.0.1 (IPv4) and ::1 (IPv6 loopback) on port 7651 (default; configurable 7651–7660). It never binds to 0.0.0.0 or any routable interface. Remote connections are structurally impossible.

3.3 Origin Allowlist — Anti-Drive-By Protection

The bridge validates the browser-enforced Origin header. Only connections from registered extension origins are accepted (chrome-extension://, moz-extension://, safari-web-extension://). Web-page Origins are rejected with HTTP 403.

3.4 Per-Connection Session Token

A cryptographically random session token (secrets.token_urlsafe(32)) is issued at connection and verified with constant-time comparison on every subsequent frame.
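Sections 3.3 and 3.4 together, as an added example rather than the bridge's own code: the Origin header is matched exactly against registered extension origins at the upgrade request, and the issued token is checked with a constant-time comparison on each frame. The extension IDs, the class and function names, and the use of hmac.compare_digest as the constant-time primitive are assumptions.

```python
import hmac
import secrets

# Constructed allowlist; real entries would be the full origins of the installed extension.
ALLOWED_ORIGINS = {
    "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "moz-extension://00000000-0000-4000-8000-000000000000",
}

class BridgeSession:
    """State for one accepted connection: a token issued once, checked on every frame."""

    def __init__(self):
        self.token = secrets.token_urlsafe(32)   # 32 random bytes, URL-safe base64

    def frame_ok(self, presented) -> bool:
        if not isinstance(presented, str):
            return False                          # missing or malformed token field
        # Comparing bytes avoids the TypeError compare_digest raises for non-ASCII str,
        # and the comparison time does not depend on where the values differ.
        return hmac.compare_digest(presented.encode(), self.token.encode())

def admit(headers: dict):
    """Decide the WebSocket upgrade: (403, None) or (101, BridgeSession)."""
    origin = headers.get("Origin")
    # Exact match against registered origins. A scheme-prefix test would admit every
    # installed extension, and a missing Origin (non-browser client) is refused too.
    if origin not in ALLOWED_ORIGINS:
        return 403, None
    return 101, BridgeSession()
```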

3.5 Denial-of-Service Limits (HE-362)

Limit | Value
Maximum simultaneous connections | 8
Maximum in-flight pending edits | 64
Open-HL7 requests/sec (per connection) | 10
TTL for abandoned pending edits | 300 seconds

On TTL expiry, the HL7 reference is explicitly zeroed (item.hl7 = "").
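One way to enforce three of these limits (pending-edit cap, per-connection open rate, TTL with payload release) is sketched below as an added example, not the bridge's implementation. Class names, return strings and the injectable clock are assumptions; the connection cap is not modelled.

```python
import time

MAX_PENDING = 64      # maximum in-flight pending edits
TTL_SECONDS = 300     # TTL for abandoned pending edits
OPEN_RATE = 10        # open-HL7 requests per second, per connection

class PendingEdit:
    def __init__(self, hl7, now):
        self.hl7 = hl7
        self.created = now

class PendingEdits:
    def __init__(self, clock=time.monotonic):
        self.clock = clock    # injectable so expiry can be tested without waiting
        self.items = {}       # request_id -> PendingEdit
        self.recent = {}      # connection_id -> timestamps of opens in the last second

    def sweep(self):
        """Expire abandoned edits and release their payloads; return the expired ids."""
        now = self.clock()
        expired = [rid for rid, it in self.items.items() if now - it.created >= TTL_SECONDS]
        for rid in expired:
            item = self.items.pop(rid)
            item.hl7 = ""     # release the payload even if another object still holds item
        return expired

    def open(self, conn_id, request_id, hl7):
        """Return 'ok', 'rate_limited' or 'full'; the payload is retained only on 'ok'."""
        self.sweep()
        now = self.clock()
        window = [t for t in self.recent.get(conn_id, []) if now - t < 1.0]
        self.recent[conn_id] = window
        if len(window) >= OPEN_RATE:
            return "rate_limited"
        if len(self.items) >= MAX_PENDING:
            return "full"
        window.append(now)
        self.items[request_id] = PendingEdit(hl7, now)
        return "ok"
```

In Python, assigning "" releases the reference only; strings are immutable, so the original bytes stay in process memory until the allocator reuses them.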

3.6 PHI Never Logged

Audit log events record only connection metadata (request IDs, timestamps, origin identifiers). HL7 body content is never included in any log entry.

4. Browser Permissions

Permission | Why It Is Required
activeTab | Grants access to the currently active tab when the user explicitly invokes the extension (toolbar icon or context menu). Required to read the focused field and inject the affordance UI on demand.
scripting | Required to inject the “Edit with HL7 Editor” button into the page and to write the edited HL7 result back to the originating field.
storage | Stores extension configuration preferences and a boolean session state flag locally on-device. HL7 content and PHI are never written here.
contextMenus | Powers the right-click “Edit with HL7 Editor” context menu item, always available as a manual trigger regardless of auto-detection settings.
clipboardRead / clipboardWrite | Used exclusively for the on-device offline fallback (HE-354): when the desktop app is not reachable, the extension can copy HL7 to the OS clipboard and read an edited result back. No network activity is involved.
alarms | Powers the ~30-second background reconnect keepalive (HE-381). Required because some browsers (notably Safari on macOS) throttle or unload background service workers during idle periods. This permission does not broaden data access.
Content script + editor-bridge.js on all pages (matches: *://*/*) | The extension injects a content script into all web pages (*://*/*) at page load (document_idle) so it can detect HL7 v2 content in fields you focus or paste into. This constitutes broad host access and is disclosed accordingly. The content script inspects field text in-memory only — it performs a lightweight signature check (no continuous background scanning), never transmits page content anywhere, and only acts on an explicit user gesture. No remote network access is possible (CSP pins connect-src to loopback only). A companion script (editor-bridge.js) is web-accessible on all pages solely to write edited HL7 back into the focused editor via on-device window.postMessage.
optional_host_permissions: *://*/* | Separate from the content script above. This optional grant is not active at install time. It is requested at runtime via the browser permissions API only when the user takes an explicit action to enable per-site features.

5. Data Retention

  • HL7 payload held in RAM only for the duration of an active editing session.
  • On timeout (300-second TTL) or bridge shutdown, the HL7 reference is explicitly zeroed.
  • HL7 content is never written to disk by the extension or the bridge.
  • browser.storage.local contains only configuration settings and a boolean session flag.
  • No server-side retention exists because no data reaches a server.

6. Cookies, Tracking, and Analytics

  • No cookies are set or read by this extension.
  • No analytics are collected. There is no integration with Google Analytics, Mixpanel, Sentry, Segment, or any equivalent service.
  • No telemetry is transmitted to Kainos Healthcare or any third party.
  • No user accounts are required or created by the extension.
  • The Firefox manifest explicitly declares data_collection_permissions: { required: ["none"] } — the authoritative Firefox AMO data-collection disclosure, confirmed in the built artifact.

7. Healthcare & HIPAA Compliance Notes

This extension is designed for use in clinical and healthcare environments where HL7 v2 messages may contain Protected Health Information (PHI) as defined under HIPAA.

  1. PHI never leaves the device. HL7 content is not transmitted to, stored on, or accessible by any remote system — including Kainos Healthcare’s infrastructure.
  2. The extension is a local editing tool. It facilitates a user’s own workflow on their own machine, analogous to a locally installed text editor. It does not process PHI on behalf of a covered entity.
  3. Audit trail without PHI exposure. Bridge audit events log only connection metadata — not HL7 content — supporting HIPAA audit trail requirements.
  4. Zero telemetry. The CSP enforces this structurally.

Organizations deploying this extension in regulated environments should ensure the Kainos HL7 Editor desktop application is deployed in accordance with their institution’s HIPAA Business Associate Agreement (BAA) with Kainos Healthcare Solutions, LLC.

8. Scope

This statement covers the Kainos HL7 Editor Companion browser extension only. For the privacy policy governing the desktop application, web application, and related services, refer to the Kainos Healthcare Solutions Privacy Policy at kainoshealthcare.com/privacy.

This extension is available for Chrome, Edge, Firefox, and Safari.

9. Contact

For privacy inquiries related to this extension: