| name | hipaa-compliance |
| description | Implement HIPAA security and privacy rules. Configure PHI protections and BAA requirements. Use when handling healthcare data. |
| license | MIT |
| metadata | {"author":"devops-skills","version":"1.0"} |
HIPAA Compliance
Implement HIPAA Security Rule, Privacy Rule, and Breach Notification Rule requirements for systems that create, receive, maintain, or transmit electronic Protected Health Information (ePHI).
When to Use
- Building or operating systems that handle electronic Protected Health Information
- Configuring cloud infrastructure for HIPAA-eligible workloads
- Establishing Business Associate Agreements with vendors
- Implementing technical safeguards for PHI protection
- Preparing for HIPAA compliance audits or OCR investigations
HIPAA Rules and Safeguards
security_rule:
administrative_safeguards:
164.308_a_1: "Security Management Process"
actions:
- Conduct risk analysis (required)
- Implement risk management program (required)
- Apply sanction policy for violations (required)
- Review information system activity (required)
164.308_a_3: "Workforce Security"
actions:
- Authorization/supervision procedures (addressable)
- Workforce clearance procedure (addressable)
- Termination procedures (addressable)
164.308_a_4: "Information Access Management"
actions:
- Access authorization policies (addressable)
- Access establishment and modification (addressable)
- Isolate healthcare clearinghouse functions (required)
164.308_a_5: "Security Awareness and Training"
actions:
- Security reminders (addressable)
- Protection from malicious software (addressable)
- Log-in monitoring (addressable)
- Password management (addressable)
164.308_a_6: "Security Incident Procedures"
actions:
- Response and reporting procedures (required)
164.308_a_7: "Contingency Plan"
actions:
- Data backup plan (required)
- Disaster recovery plan (required)
- Emergency mode operation plan (required)
- Testing and revision procedures (addressable)
- Applications and data criticality analysis (addressable)
164.308_a_8: "Evaluation"
actions:
- Periodic technical and nontechnical evaluation (required)
physical_safeguards:
164.310_a: "Facility Access Controls"
164.310_b: "Workstation Use"
164.310_c: "Workstation Security"
164.310_d: "Device and Media Controls"
technical_safeguards:
164.312_a: "Access Control"
actions:
- Unique user identification (required)
- Emergency access procedure (required)
- Automatic logoff (addressable)
- Encryption and decryption (addressable)
164.312_b: "Audit Controls"
actions:
- Implement hardware/software/procedural mechanisms to record and examine access (required)
164.312_c: "Integrity"
actions:
- Mechanism to authenticate ePHI (addressable)
164.312_d: "Person or Entity Authentication"
actions:
- Verify identity of person/entity seeking access (required)
164.312_e: "Transmission Security"
actions:
- Integrity controls (addressable)
- Encryption (addressable)
privacy_rule:
minimum_necessary: "Limit PHI use, disclosure, and requests to minimum necessary"
individual_rights: "Access, amendment, accounting of disclosures, restrictions"
notice_of_practices: "Provide notice of privacy practices to individuals"
breach_notification_rule:
individual_notification: "Within 60 days of discovery"
hhs_notification: "Annual for <500 records; within 60 days for 500+"
media_notification: "Required when 500+ individuals in a state/jurisdiction"
Technical Safeguards Implementation Checklist
encryption_requirements:
at_rest:
standard: AES-256
aws_services:
- [ ] RDS encryption enabled (KMS managed key)
- [ ] S3 bucket default encryption (SSE-KMS)
- [ ] EBS volume encryption enabled
- [ ] DynamoDB table encryption (KMS)
- [ ] ElastiCache encryption at rest enabled
- [ ] Redshift cluster encryption enabled
- [ ] EFS encryption enabled
azure_services:
- [ ] Azure SQL TDE enabled (customer-managed key)
- [ ] Storage Account encryption (CMK)
- [ ] Managed Disk encryption (SSE with CMK)
- [ ] Cosmos DB encryption at rest
gcp_services:
- [ ] Cloud SQL encryption (CMEK)
- [ ] Cloud Storage encryption (CMEK)
- [ ] BigQuery encryption (CMEK)
- [ ] Persistent Disk encryption (CMEK)
in_transit:
standard: TLS 1.2 or higher
checks:
- [ ] TLS 1.2+ enforced on all load balancers
- [ ] HTTP-to-HTTPS redirect enabled
- [ ] Internal service-to-service mTLS configured
- [ ] Database connections use SSL/TLS
- [ ] API gateways enforce TLS minimum version
- [ ] Email encryption for PHI (S/MIME or TLS)
- [ ] VPN or private connectivity for admin access
key_management:
- [ ] Customer-managed KMS keys for PHI data stores
- [ ] Key rotation enabled (annual minimum)
- [ ] Key access restricted to authorized roles only
- [ ] Key usage audited via CloudTrail / audit logs
- [ ] Key deletion protection enabled
access_control:
unique_user_identification:
- [ ] Individual user accounts (no shared credentials)
- [ ] MFA enforced for all users accessing PHI systems
- [ ] Service accounts with unique identities and audited usage
- [ ] Federated identity with SSO (SAML/OIDC)
role_based_access:
- [ ] Least privilege roles defined per job function
- [ ] PHI access restricted to need-to-know
- [ ] Separate roles for data access vs. administration
- [ ] Privileged access requires just-in-time approval
session_management:
- [ ] Automatic session timeout (15 minutes idle for workstations)
- [ ] Re-authentication for sensitive operations
- [ ] Concurrent session limits
- [ ] Session tokens secured (HttpOnly, Secure, SameSite)
emergency_access:
- [ ] Break-glass procedure documented and tested
- [ ] Emergency access credentials stored securely
- [ ] All emergency access usage audited and reviewed
- [ ] Emergency access automatically expires
audit_controls:
logging_requirements:
- [ ] All PHI access logged (read, write, delete)
- [ ] User authentication events logged
- [ ] Administrative actions logged
- [ ] Failed access attempts logged
- [ ] Log integrity protection (hash chaining or WORM storage)
- [ ] Logs retained for minimum 6 years
- [ ] Regular log review process documented
monitoring:
- [ ] Real-time alerting on unauthorized PHI access attempts
- [ ] Anomaly detection for unusual data access patterns
- [ ] Privileged action monitoring
- [ ] Data export/download alerting
AWS HIPAA-Eligible Architecture
aws ec2 create-vpc --cidr-block 10.100.0.0/16 \
--tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=phi-vpc},{Key=Compliance,Value=HIPAA}]'
aws ec2 create-flow-log \
--resource-type VPC \
--resource-ids vpc-XXXXXXXX \
--traffic-type ALL \
--log-destination-type cloud-watch-logs \
--log-group-name /vpc/phi-flow-logs \
--deliver-logs-permission-arn arn:aws:iam::123456789012:role/VPCFlowLogsRole
aws rds create-db-instance \
--db-instance-identifier phi-database \
--db-instance-class db.r6g.large \
--engine postgres \
--master-username admin \
--master-user-password "USE_SECRETS_MANAGER" \
--storage-encrypted \
--kms-key-id arn:aws:kms:us-east-1:123456789012:alias/phi-rds-key \
--vpc-security-group-ids sg-XXXXXXXX \
--db-subnet-group-name phi-subnet-group \
--backup-retention-period 35 \
--multi-az \
--deletion-protection \
--enable-cloudwatch-logs-exports '["postgresql","upgrade"]' \
--tags Key=Compliance,Value=HIPAA Key=DataClassification,Value=PHI
aws s3api create-bucket --bucket phi-data-bucket --region us-east-1
aws s3api put-bucket-encryption --bucket phi-data-bucket \
--server-side-encryption-configuration '{
"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/phi-s3-key"}, "BucketKeyEnabled": true}]
}'
aws s3api put-public-access-block --bucket phi-data-bucket \
--public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
aws s3api put-bucket-versioning --bucket phi-data-bucket \
--versioning-configuration Status=Enabled
aws s3api put-bucket-logging --bucket phi-data-bucket \
--bucket-logging-status '{"LoggingEnabled": {"TargetBucket": "phi-access-logs", "TargetPrefix": "phi-data-bucket/"}}'
aws cloudtrail put-event-selectors --trail-name hipaa-audit-trail \
--advanced-event-selectors '[{
"Name": "PHI-S3-DataEvents",
"FieldSelectors": [
{"Field": "eventCategory", "Equals": ["Data"]},
{"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
{"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::phi-data-bucket/"]}
]
}]'
Business Associate Agreement Tracking
baa_tracking:
required_when:
- Vendor creates, receives, maintains, or transmits PHI on your behalf
- Subcontractor of a business associate handles PHI
- Cloud service provider stores or processes PHI
not_required_for:
- Conduit exception (postal service, ISP carrying encrypted data)
- Treatment providers sharing PHI for treatment purposes
- Plan sponsor receiving summary health information
baa_registry:
format:
vendor_name: ""
baa_execution_date: ""
baa_expiration_date: ""
phi_types_shared: []
services_provided: ""
subcontractors_identified: []
breach_notification_sla: "hours"
last_risk_assessment: ""
next_review_date: ""
status: "active | pending | expired"
cloud_provider_baas:
aws:
- Sign AWS BAA via AWS Artifact in the console
- Applies to all HIPAA-eligible services in the account
- Must restrict PHI to eligible services only
azure:
- Microsoft BAA is part of Online Services Terms
- Automatically applies when using qualifying services
gcp:
- Sign Google Cloud BAA via Google Workspace Admin or Cloud console
- Covers HIPAA-eligible GCP services
review_schedule:
- [ ] Annual review of all active BAAs
- [ ] Verify vendor compliance certifications are current
- [ ] Confirm subcontractor BAAs are in place
- [ ] Update BAA registry with any vendor changes
- [ ] Assess vendor security posture annually
Risk Analysis Automation
#!/usr/bin/env bash
echo "=== HIPAA Technical Safeguard Checks ==="
echo "--- Encryption at Rest ---"
UNENCRYPTED_RDS=$(aws rds describe-db-instances \
--query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier' --output text)
[ -z "$UNENCRYPTED_RDS" ] && echo "PASS: All RDS instances encrypted" || \
echo "FAIL: Unencrypted RDS: $UNENCRYPTED_RDS"
for bucket in $(aws s3api list-buckets --query 'Buckets[*].Name' --output text); do
enc=$(aws s3api get-bucket-encryption --bucket "$bucket" 2>/dev/null)
[ -z "$enc" ] && echo "FAIL: S3 bucket $bucket has no default encryption"
done
UNENCRYPTED_EBS=$(aws ec2 describe-volumes \
--query 'Volumes[?Encrypted==`false`].VolumeId' --output text)
[ -z "$UNENCRYPTED_EBS" ] && echo "PASS: All EBS volumes encrypted" || \
echo "FAIL: Unencrypted EBS: $UNENCRYPTED_EBS"
echo "--- Access Control ---"
aws iam generate-credential-report > /dev/null 2>&1 && sleep 5
aws iam get-credential-report --output text --query Content | base64 -d | \
awk -F, '$4=="true" && $8=="false" {print "FAIL: User without MFA: "$1}'
THRESHOLD=$(date -d '90 days ago' +%Y-%m-%dT%H:%M:%S 2>/dev/null || date -v-90d +%Y-%m-%dT%H:%M:%S)
aws iam get-credential-report --output text --query Content | base64 -d | \
awk -F, -v t="$THRESHOLD" 'NR>1 && $11!="N/A" && $11<t {print "WARN: Stale access key for "$1}'
echo "--- Audit Controls ---"
CT_STATUS=$(aws cloudtrail get-trail-status --name hipaa-audit-trail --query 'IsLogging' --output text)
[ "$CT_STATUS" = "True" ] && echo "PASS: CloudTrail active" || echo "FAIL: CloudTrail not logging"
for vpc in $(aws ec2 describe-vpcs --query 'Vpcs[*].VpcId' --output text); do
fl=$(aws ec2 describe-flow-logs --filter "Name=resource-id,Values=$vpc" --query 'FlowLogs[0].FlowLogId' --output text)
[ "$fl" = "None" ] && echo "FAIL: No flow logs for VPC $vpc"
done
echo "--- Transmission Security ---"
for alb in $(aws elbv2 describe-load-balancers --query 'LoadBalancers[*].LoadBalancerArn' --output text); do
HTTPS=$(aws elbv2 describe-listeners --load-balancer-arn "$alb" \
--query 'Listeners[?Protocol==`HTTPS`].ListenerArn' --output text)
[ -z "$HTTPS" ] && echo "FAIL: ALB without HTTPS: $alb"
done
echo "=== Scan complete ==="
HIPAA Compliance Checklist
hipaa_compliance_checklist:
administrative:
- [ ] Risk analysis conducted and documented
- [ ] Risk management plan implemented
- [ ] Security officer designated
- [ ] Privacy officer designated
- [ ] Workforce security awareness training completed
- [ ] Sanction policy documented and communicated
- [ ] Contingency plan (backup, DR, emergency mode) documented
- [ ] Business associate agreements signed for all applicable vendors
- [ ] Periodic evaluation/audit scheduled
technical:
- [ ] Unique user identification enforced
- [ ] MFA enabled for all PHI system access
- [ ] Automatic logoff configured (15-minute timeout)
- [ ] Encryption at rest (AES-256) for all PHI stores
- [ ] Encryption in transit (TLS 1.2+) for all PHI transmission
- [ ] Audit logging enabled for all PHI access
- [ ] Log retention configured for 6+ years
- [ ] Integrity controls on PHI (checksums, signatures)
- [ ] Emergency access (break-glass) procedure tested
physical:
- [ ] Facility access controls documented
- [ ] Workstation use policy in place
- [ ] Device and media disposal procedures documented
- [ ] Media re-use procedures documented
breach_response:
- [ ] Breach notification procedure documented
- [ ] Breach risk assessment methodology defined
- [ ] Individual notification template prepared
- [ ] HHS notification process understood
- [ ] Breach log maintained
- [ ] Annual breach assessment reviewed
operational:
- [ ] PHI data inventory maintained
- [ ] Minimum necessary access enforced
- [ ] Access reviews conducted quarterly
- [ ] Vendor risk assessments current
- [ ] Incident response plan tested annually
- [ ] Policies reviewed and updated annually
Best Practices
- Conduct a thorough risk analysis annually and after significant system changes
- Use only HIPAA-eligible cloud services and sign BAAs before deploying PHI workloads
- Encrypt all PHI at rest and in transit with no exceptions
- Implement the minimum necessary standard: grant access only to the PHI needed for each role
- Maintain audit logs of all PHI access for a minimum of 6 years
- Train all workforce members on HIPAA policies at onboarding and annually
- Test contingency plans (backup restore, DR failover, emergency access) at least annually
- Track all Business Associate Agreements in a central registry with review dates
- Document every addressable specification decision (implement, alternative, or not applicable with rationale)
- Prepare breach notification templates and procedures before an incident occurs