🌹 Healthcare QA

Model answer

I'd create two patient records, A and B, with known data, authenticate as A (or a portal user scoped to A), and then request B's record directly by ID — GET, and also update/delete — asserting 403 or 404 every time, never B's payload. Then I'd repeat across every path the data can leave by: detail, list, search, related-records, and bulk export, because isolation usually holds on the obvious read but leaks through a search query or an export that forgot the patient scope. I'd test an off-by-one ID and adjacent IDs, since a fetch-by-ID bug can silently return the neighbouring patient with no exception raised. The framing I'd stress is that this is row-level isolation at the data layer and a cross-patient 200 is a PHI breach with patient-safety and HIPAA consequences — structurally similar to SaaS tenant isolation, but the unit is a person and the harm is regulatory and clinical, not commercial.

Model answer

Normal input testing asks 'is this a well-formed value'; clinical validation asks 'is this a possible value for a real patient', because a stored impossible value can drive a wrong clinical decision. So for date of birth I test format and plausibility: a future date, an implausibly old age, and the boundaries are rejected at the API with a clinical-validation error, not accepted with a 201. For dosage I test negative, zero where non-zero is required, and values above a safe maximum. For lab results I test out-of-physiological-range values. The assertion is a 422 with a clear error, and that the record is not persisted. I'd seed the minimum valid, maximum valid, and at least one impossible value per field. The reason this is its own category is the consequence: an out-of-range value accepted into a clinical record is a safety hazard, so validation here is a safety control, not a UX nicety.

Model answer

I'd treat consent as a state machine and test the transitions against the actual data-access path, not the UI label. Grant consent for integration X, confirm data flows; withdraw it, then immediately call X's data-access endpoint and assert it's denied — that's the key assertion, that withdrawal takes effect at the data layer without waiting for a cache to expire. I'd specifically probe the caching bug: if consent is cached, a withdrawal must invalidate it now, so I assert no data is shared in the window right after withdrawal. I'd test the other states too: expired consent denies, never-granted denies, and re-granting restores access. The in-flight case matters — a data request that starts before the withdrawal commits — and I assert deterministic behaviour. The signal is that consent is a live, data-layer-enforced lifecycle, and a withdrawn consent still honoured is a HIPAA-class bug, not a UX lag.

Model answer

Completeness means every read produces an entry, so my test pairs each access with an audit assertion. After a clinician reads a record, I assert an entry exists with the actor's user ID, the action READ, the patient record ID, and a timestamp. Crucially I do this for every path that can return patient data — single read, list, search, report generation, and bulk export — because the common gap is an alternative path (often bulk export) that hits the storage layer directly and bypasses the per-record logging middleware, producing a batch of unlogged reads. So I'd trigger a 500-record export and assert 500 audit entries, not zero. I'd also verify writes and deletes are logged. The framing is that in healthcare an unlogged read is itself a compliance breach regardless of whether the data was misused, so completeness across all paths is the property under test.

Model answer

Immutability means append-only at the storage layer, so I test that no actor and no path can modify or remove an entry. I'd attempt to UPDATE and DELETE audit records directly via the API and the database-facing service as the highest-privilege role available and assert both are refused — there should be no such operation at all. I'd verify that a correction is modelled as a new compensating entry, not an edit of the original. I'd check that the log can't be truncated or rotated in a way that loses entries within the legal retention period, and that timestamps are server-assigned, not client-supplied (so they can't be backdated). If the store supports it, I'd confirm tamper-evidence such as hashing or write-once storage. The point is that audit value depends on integrity, so 'can't be edited' must be a property of the storage and permission model, not just an absent UI control.

Model answer

I'd start by inventorying every path that can read patient data — interactive reads, list/search, reports, scheduled batch jobs, admin tools, and bulk export — and make audit coverage an assertion on each, rather than trusting that everything funnels through the logged service. For bulk export specifically, I'd export N records and assert exactly N audit entries with correct actor and action, because the failure mode is the export calling the storage layer directly and skipping the middleware that logs per record. To make this durable rather than a one-off catch, I'd push for the audit boundary to live at the data-access layer so no caller can bypass it, and add a contract test that fails if a new read path produces fewer audit entries than records returned. I'd also add a periodic reconciliation: compare record-access counts against audit-entry counts and alarm on divergence. The mindset is that any guarantee that depends on 'developers remembering to call the logged path' will eventually be bypassed, so I test the whole surface and prefer enforcement at a chokepoint.

Model answer

The first principle is no real PHI in test environments ever — not even 'anonymised' production data, which is hard to truly de-identify — so I generate synthetic patients with realistic but entirely fabricated identifiers. I seed the states my regulated tests need: patients in each consent state (granted, withdrawn, expired, never-granted), edge-case clinical values, and a full role matrix (clinician, admin, portal user, auditor). The strategy's gates are the domain risks: cross-patient isolation, consent enforced at the data layer, audit completeness across all paths including bulk export, and audit immutability. I add a PHI-in-logs scan after every test that touches a record, asserting no identifiers, no document filenames, and no payloads leak into logs, errors, or analytics. I layer the suite — contract tests for isolation and audit boundaries, integration for consent enforcement, a thin E2E for clinical journeys — and treat a failure in any compliance gate as a hard stop. Synthetic-by-construction data plus compliance-as-gates is the backbone.

Model answer

I'd prioritise by potential patient harm and compliance exposure rather than by how visible a bug is. The top of the hierarchy is the silent, high-harm class: cross-patient data leakage, a withdrawn consent still being honoured, an impossible clinical value accepted, and audit gaps — these are release blockers because the consequence is a safety event or a HIPAA breach, even though none of them throws a visible error. Below that sit functional defects in clinical workflows, then accessibility (which in healthcare is functional — an inaccessible intake form means a patient can't complete their record), then cosmetic issues that don't block shipping. I operationalise this by mapping each gate to a harm level and making the top tier non-negotiable, so a red isolation or consent gate stops the release regardless of schedule. As a lead, the hard part is holding that line under pressure and being able to defend it, so I keep the hierarchy explicit and agreed with clinical and compliance stakeholders in advance. The axis is harm, not symptom visibility.