All API calls must be logged with sufficient detail for audit trails - PHI must be encrypted in transit (TLS 1.2+) and at rest - Access must follow minimum necessary principle - Break-the-glass access must be logged and reviewed - API tokens must have appropriate scope restrictions