openevidence-prod-checklist
Prod Checklist for OpenEvidence. Trigger: "openevidence prod checklist".
Best use case
openevidence-prod-checklist is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Prod Checklist for OpenEvidence. Trigger: "openevidence prod checklist".
Teams using openevidence-prod-checklist should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/openevidence-prod-checklist/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How openevidence-prod-checklist Compares
| Feature / Agent | openevidence-prod-checklist | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Prod Checklist for OpenEvidence. Trigger: "openevidence prod checklist".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# OpenEvidence Production Checklist
## Overview
OpenEvidence provides clinical decision support backed by peer-reviewed medical literature. A production integration handles Protected Health Information (PHI) subject to HIPAA, serves evidence-based answers where accuracy directly impacts patient outcomes, and must maintain complete audit trails for regulatory review. Misconfigurations can expose PHI in logs, serve stale clinical guidance, or fail compliance audits that shut down your integration entirely. This checklist enforces HIPAA-grade security, citation verification, and the SLA discipline required for healthcare-adjacent systems.
## Prerequisites
- Production OpenEvidence API credentials (not trial/sandbox keys)
- Secrets manager configured (Vault, AWS Secrets Manager, or GCP Secret Manager)
- HIPAA-compliant monitoring stack (no PHI in log aggregators without BAA)
- Business Associate Agreement (BAA) executed with OpenEvidence
- Compliance officer sign-off on data flow architecture
## Authentication & Secrets
- [ ] API keys stored in vault/secrets manager (never in code, env files, or CI logs)
- [ ] Key rotation schedule configured (every 90 days, with zero-downtime swap)
- [ ] Separate keys for staging vs production (staging keys cannot reach production data)
- [ ] Service account permissions scoped to query-only (no admin endpoints)
- [ ] API key exposure detection automated (scan logs/repos for leaked credentials)
## API Integration
- [ ] Base URL points to production endpoint (not sandbox/staging)
- [ ] Request timeout set to 15 seconds for clinical queries (evidence synthesis is compute-heavy)
- [ ] Response time SLA monitored: p95 < 3 seconds per contractual agreement
- [ ] Pagination implemented for evidence result sets (token-based cursor)
- [ ] Clinical query payloads never include patient identifiers (de-identify before sending)
- [ ] Citation URLs in responses validated before displaying to clinicians
- [ ] Fallback behavior defined when evidence confidence score is below threshold (0.7)
## Error Handling & Resilience
- [ ] Circuit breaker configured for OpenEvidence API calls (open after 3 consecutive failures)
- [ ] Retry logic with exponential backoff for 429 (rate limit) and 5xx responses
- [ ] Clinical query failures surface explicit "no evidence available" (never silent failure)
- [ ] Timeout responses distinguished from empty-result responses in UI
- [ ] Stale cache clearly labeled with retrieval timestamp when serving cached evidence
- [ ] Degraded mode displays disclaimer: "Results may not reflect latest evidence"
- [ ] All API errors logged with correlation ID (without PHI in the log entry)
## Monitoring & Alerting
- [ ] API latency tracked (p50, p95, p99) with 3s p95 SLA threshold
- [ ] Error rate alerts configured (threshold: >0.5% over 5-minute window — stricter for clinical)
- [ ] Evidence citation link validity checked daily (alert on broken DOI/PubMed links)
- [ ] Query volume anomalies detected (sudden spike may indicate misuse or bot traffic)
- [ ] Response confidence score distribution tracked (alert if median drops below 0.8)
- [ ] Audit log completeness verified daily (every query must have a log entry)
## Security
- [ ] PHI never included in API request payloads (queries de-identified before transmission)
- [ ] PHI never written to application logs, error reports, or monitoring dashboards
- [ ] All data in transit encrypted via TLS 1.2+ (certificate pinning recommended)
- [ ] All cached clinical responses encrypted at rest (AES-256)
- [ ] Access to clinical query history restricted by role (clinician-only, auditor read-only)
- [ ] Audit log captures: user ID, query timestamp, evidence IDs returned, confidence scores
- [ ] Data retention policy enforced: clinical query logs retained per HIPAA minimum (6 years)
- [ ] Annual HIPAA risk assessment includes OpenEvidence integration scope
## Validation Script
```typescript
async function validateOpenEvidenceProduction(apiKey: string): Promise<void> {
const base = process.env.OPENEVIDENCE_API_URL ?? 'https://api.openevidence.com/v1';
const headers = { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' };
// 1. Connectivity check
const ping = await fetch(`${base}/health`, { headers, signal: AbortSignal.timeout(5000) });
console.assert(ping.ok, `API unreachable: ${ping.status}`);
// 2. Auth validation
const auth = await fetch(`${base}/me`, { headers });
console.assert(auth.status !== 401, 'Invalid API key');
console.assert(auth.status !== 403, 'Insufficient permissions — check scope');
// 3. Clinical query round-trip (de-identified test query)
const query = await fetch(`${base}/query`, {
method: 'POST',
headers,
body: JSON.stringify({ question: 'What is the standard treatment for hypertension?' }),
signal: AbortSignal.timeout(15000),
});
console.assert(query.ok, `Clinical query failed: ${query.status}`);
const result = await query.json();
console.assert(result.citations?.length > 0, 'No citations returned — evidence pipeline may be down');
// 4. Response time SLA
const start = Date.now();
await fetch(`${base}/query`, {
method: 'POST',
headers,
body: JSON.stringify({ question: 'Recommended dosage for metformin in type 2 diabetes?' }),
signal: AbortSignal.timeout(15000),
});
const elapsed = Date.now() - start;
console.assert(elapsed < 3000, `Response time ${elapsed}ms exceeds 3s SLA`);
// 5. Audit log endpoint accessible
const audit = await fetch(`${base}/audit-log?limit=1`, { headers });
console.assert(audit.ok, `Audit log endpoint failed: ${audit.status}`);
console.log('All OpenEvidence production checks passed');
}
```
## Risk Matrix
| Check | Risk if Skipped | Priority |
|---|---|---|
| PHI excluded from API payloads | HIPAA violation, regulatory penalty, BAA breach | Critical |
| PHI excluded from logs | Data breach via log aggregator, OCR enforcement action | Critical |
| Audit log completeness | Failed compliance audit, integration shutdown | Critical |
| Citation URL validation | Clinicians follow broken links, lose trust in evidence | High |
| Confidence score monitoring | Low-quality answers served without clinician awareness | High |
## Resources
- [OpenEvidence Platform](https://www.openevidence.com)
## Next Steps
See `openevidence-security-basics`.Related Skills
workhuman-prod-checklist
Workhuman prod checklist for employee recognition and rewards API. Use when integrating Workhuman Social Recognition, or building recognition workflows with HRIS systems. Trigger: "workhuman prod checklist".
wispr-prod-checklist
Wispr Flow prod checklist for voice-to-text API integration. Use when integrating Wispr Flow dictation, WebSocket streaming, or building voice-powered applications. Trigger: "wispr prod checklist".
windsurf-prod-checklist
Execute Windsurf production readiness checklist for team and enterprise deployments. Use when rolling out Windsurf to a team, preparing for enterprise deployment, or auditing production configuration. Trigger with phrases like "windsurf production", "windsurf team rollout", "windsurf go-live", "windsurf enterprise deploy", "windsurf checklist".
webflow-prod-checklist
Execute Webflow production deployment checklist — token security, rate limit hardening, health checks, circuit breakers, gradual rollout, and rollback procedures. Use when deploying Webflow integrations to production or preparing for launch. Trigger with phrases like "webflow production", "deploy webflow", "webflow go-live", "webflow launch checklist", "webflow production ready".
vercel-prod-checklist
Vercel production deployment checklist with rollback and promotion procedures. Use when deploying to production, preparing for launch, or implementing go-live and instant rollback procedures. Trigger with phrases like "vercel production", "deploy vercel prod", "vercel go-live", "vercel launch checklist", "vercel promote".
veeva-prod-checklist
Veeva Vault prod checklist for REST API and clinical operations. Use when working with Veeva Vault document management and CRM. Trigger: "veeva prod checklist".
vastai-prod-checklist
Execute Vast.ai production deployment checklist for GPU workloads. Use when deploying training pipelines to production, preparing for large-scale GPU jobs, or auditing production readiness. Trigger with phrases like "vastai production", "deploy vastai", "vastai go-live", "vastai launch checklist".
twinmind-prod-checklist
Complete production deployment checklist for TwinMind integrations. Use when preparing to deploy, auditing production readiness, or ensuring best practices are followed. Trigger with phrases like "twinmind production", "deploy twinmind", "twinmind go-live checklist", "twinmind production ready".
together-prod-checklist
Together AI prod checklist for inference, fine-tuning, and model deployment. Use when working with Together AI's OpenAI-compatible API. Trigger: "together prod checklist".
techsmith-prod-checklist
TechSmith prod checklist for Snagit COM API and Camtasia automation. Use when working with TechSmith screen capture and video editing automation. Trigger: "techsmith prod checklist".
supabase-prod-checklist
Execute Supabase production deployment checklist covering RLS, key hygiene, connection pooling, backups, monitoring, Edge Functions, and Storage policies. Use when deploying to production, preparing for launch, or auditing a live Supabase project for security and performance gaps. Trigger with "supabase production", "supabase go-live", "supabase launch checklist", "supabase prod ready", "deploy supabase", "supabase production readiness".
stackblitz-prod-checklist
Production checklist for WebContainer apps: headers, browser support, fallbacks. Use when working with WebContainers or StackBlitz SDK. Trigger: "stackblitz production".