| name | us-hipaa-security |
| description | HIPAA Security Rule expert for US healthcare compliance. Deep knowledge of 45 CFR Part 164 Subpart C, Administrative/Physical/Technical Safeguards, Required vs Addressable specifications, Risk Analysis, Business Associate Agreements, and HHS OCR enforcement. |
| allowed-tools | Read, Glob, Grep, Write |
HIPAA Security Rule Expert
Deep expertise in the Health Insurance Portability and Accountability Act (HIPAA) Security Rule - the U.S. federal regulation governing the protection of electronic Protected Health Information (ePHI).
Expertise Areas
HIPAA Security Rule Overview
Regulatory Citation: 45 CFR Part 164, Subpart C (Security Standards for the Protection of Electronic Protected Health Information)
Effective Date: April 21, 2003 (Compliance Date: April 20, 2005)
Enforcement: U.S. Department of Health and Human Services (HHS) - Office for Civil Rights (OCR)
Guidance Document: NIST SP 800-66 Rev. 2 (An Introductory Resource Guide for Implementing the HIPAA Security Rule)
Scope:
- Applies to electronic PHI (ePHI) only - not paper records or oral communications
- Covered Entities (CEs): Healthcare providers, health plans, healthcare clearinghouses that transmit ePHI
- Business Associates (BAs): Vendors/contractors who create, receive, maintain, or transmit ePHI on behalf of CEs (e.g., cloud providers, EHR vendors, billing companies, data analytics firms)
- Subcontractors: BAs must have contracts with their own subcontractors
What is ePHI?
- Individually identifiable health information in electronic form
- Includes any demographic information collected from an individual that:
- Relates to physical/mental health condition
- Relates to provision of healthcare
- Relates to payment for healthcare
- 18 HIPAA identifiers (names, dates, medical record numbers, etc.) + health information
Enforcement and Penalties
OCR Enforcement Triggers:
- Breach Reports: Unsecured ePHI affecting 500+ individuals (must report to OCR within 60 days)
- Complaints: Patients/employees filing complaints with OCR
- Desk Audits: OCR requests documentation remotely
- On-Site Audits: Comprehensive compliance reviews
- Media Reports: News of breaches or violations
Penalty Tiers (per violation category per year):
- Tier 1: Lack of knowledge (reasonable diligence would not have known) - Minimum $100 per violation, max $25,000
- Tier 2: Reasonable cause (not willful neglect) - Minimum $1,000 per violation, max $100,000
- Tier 3: Willful neglect corrected within 30 days - Minimum $10,000 per violation, max $250,000
- Tier 4: Willful neglect not corrected - Minimum $50,000 per violation, max $1.9 million
Note: "Per violation category" means penalties are capped annually, not per individual breach event.
The Five Safeguard Categories
1. Administrative Safeguards (45 CFR §164.308)
What It Governs: Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures.
Key Standards/Implementation Specifications:
- Security Management Process (§164.308(a)(1)): Risk analysis, risk management, sanction policy, information system activity review
- Assigned Security Responsibility (§164.308(a)(2)): Designated security official with authority and responsibility
- Workforce Security (§164.308(a)(3)): Clearance procedures, termination procedures
- Information Access Management (§164.308(a)(4)): Access authorization, access establishment/modification, access termination/suspension
- Security Awareness and Training (§164.308(a)(5)): Reminders, protection from malicious software, login monitoring, password management
- Security Incident Procedures (§164.308(a)(6)): Response and reporting, documented incident responses
- Contingency Plan (§164.308(a)(7)): Data backup, disaster recovery, emergency mode operation, testing and revision
- Evaluation (§164.308(a)(8)): Periodic technical and non-technical evaluation
- Business Associate Contracts and Other Arrangements (§164.308(b)(1)): Written contracts or other arrangements with BAs
Typical Evidence: Security policies, risk analysis documentation, training records, incident response logs, disaster recovery plans, BAAs
2. Physical Safeguards (45 CFR §164.310)
What It Governs: Physical measures to protect electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion.
Key Standards/Implementation Specifications:
- Facility Access Controls (§164.310(a)(1)): Contingency operations, facility security plan, access control and validation, maintenance records
- Workstation Use (§164.310(b)): Policies specifying proper workstation use for ePHI
- Workstation Security (§164.310(c)): Physical safeguards for workstations that access ePHI
- Device and Media Controls (§164.310(d)(1)): Disposal, media re-use, accountability, data backup and storage
Typical Evidence: Facility access logs, visitor logs, workstation security policies, media disposal records, backup storage documentation
3. Technical Safeguards (45 CFR §164.312)
What It Governs: Technology and related policies/procedures that protect ePHI and control access to it.
Key Standards/Implementation Specifications:
- Access Control (§164.312(a)(1)): Unique user identification, emergency access procedure, automatic logoff, encryption and decryption
- Audit Controls (§164.312(b)): Hardware/software/ procedural mechanisms that record and examine activity in information systems
- Integrity (§164.312(c)(1)): Mechanisms to protect ePHI from improper alteration or destruction
- Person or Entity Authentication (§164.312(d)): Verify identity of person/entity seeking access to ePHI
- Transmission Security (§164.312(e)(1)): Encryption of ePHI whenever appropriate over electronic networks
Typical Evidence: Access control logs, audit logs/reports, encryption configuration evidence, authentication documentation
4. Organizational Requirements (45 CFR §164.314)
What It Governs: Business Associate Agreements and group health plan requirements.
Key Standards/Implementation Specifications:
- Business Associate Agreements (§164.314(a)(1)): Written contract between CE and BA specifying permitted/required uses, safeguards, reporting, and BA obligations to subcontractors
- Business Associate Agreements - Group Health Plans (§164.314(b)(1)): Plan documents must provide that the plan sponsor will adequately safeguard ePHI
Typical Evidence: Executed BAAs, BAA templates, subcontractor agreements
5. Policies, Procedures, and Documentation (45 CFR §164.316)
What It Governs: Reasonable and appropriate policies, procedures, and documentation to comply with the Security Rule.
Key Standards/Implementation Specifications:
- Policies and Procedures (§164.316(a)(1)): Comply with standards, implementation specifications, and other requirements
- Documentation (§164.316(b)(1)-(2)): Maintain policies and procedures for 6 years from date of creation or last effective date, whichever is later
Typical Evidence: Written security policies, policy review/approval records, documentation retention evidence
Required vs. Addressable Implementation Specifications
Understanding the Distinction:
HIPAA Security Rule implementation specifications are categorized as either Required or Addressable. This distinction is critical for compliance.
Required Specifications:
- Must be implemented exactly as stated in the regulation
- No alternative options available
- Non-compliance is a direct violation
Addressable Specifications:
- Must implement UNLESS:
- The specification is not reasonable and appropriate for your organization, AND
- You document why it is not reasonable and appropriate, AND
- You implement an equivalent alternative measure, OR
- Document why nothing is appropriate and implement nothing
Important: "Addressable" does NOT mean "optional." It means you must assess whether it applies and justify your decision.
Examples of Addressable Specifications:
-
Encryption/Decryption of ePHI at Rest (§164.312(a)(2)(iv))
- Why addressable: Legacy systems may not support encryption
- Alternative: Compensating controls like strong access controls, physical security, or network segmentation
- Documentation must explain why encryption is not reasonable/appropriate
-
Automatic Logoff (§164.312(a)(2)(iii))
- Why addressable: May interfere with clinical workflows
- Alternative: Manual session timeout policies, physical workstation controls
- Documentation must explain why automatic logoff disrupts operations
-
Encryption in Transmission (§164.312(e)(2)(ii))
- Why addressable: Some legacy healthcare systems don't support TLS
- Alternative: VPN tunnels, dedicated circuits, or network segmentation
- Documentation must explain why transmission encryption is not feasible
-
Workstation Security (§164.310(c))
- Why addressable: Some clinical areas require mobile workstations
- Alternative: Privacy screens, workstation positioning policies, cable locks
- Documentation must explain environmental constraints
-
Media Disposal (§164.310(d)(2)(i))
- Why addressable: Some media cannot be destroyed (e.g., records on legal hold)
- Alternative: Purging/sanitization (NIST SP 800-88 guidelines), secure storage
- Documentation must explain why destruction is not appropriate
-
Password Management (§164.308(a)(5)(ii)(D))
- Why addressable: Some organizations use alternative authentication
- Alternative: Biometrics, smart cards, certificates, or other multi-factor methods
- Documentation must explain why passwords are not used
Best Practice for Addressable Specs:
- Conduct an organization-wide assessment
- For each addressable spec, document:
- Whether you implement it as-is
- If not, why it is not reasonable/appropriate (cost, technical feasibility, operational impact)
- What alternative you implemented instead
- How the alternative provides equivalent protection
- Review annually as technology and operations evolve
Risk Analysis (§164.308(a)(1)(ii)(A)) - The Linchpin
Why It's Critical:
The risk analysis is the foundation of every HIPAA Security Rule compliance program. It is the most frequently cited requirement in OCR Resolution Agreements and enforcement actions.
What a Defensible Risk Analysis Includes:
-
ePHI Scope and Data Flow Inventory:
- Map all systems that create, receive, maintain, or transmit ePHI
- Document data flows between systems
- Identify all external connections (internet-facing systems, VPNs, BAs)
- Catalog storage locations (databases, file servers, cloud storage, mobile devices)
-
Threat and Vulnerability Identification:
- External threats (hackers, malware, ransomware)
- Internal threats (insider misuse, accidental disclosure)
- Environmental threats (natural disasters, power outages)
- System vulnerabilities (unpatched software, weak configurations)
-
Likelihood and Impact Assessment:
- Rate likelihood of each threat materializing (high/medium/low)
- Assess potential impact (e.g., number of patients affected, clinical disruption, financial harm)
- Combine to determine risk level (critical/high/medium/low)
-
Current Control Evaluation:
- Document existing safeguards for each identified risk
- Assess whether controls are adequate or need improvement
- Identify gaps where controls are missing or insufficient
-
Risk Level Determination:
- Assign final risk ratings based on likelihood × impact × existing controls
- Prioritize risks for remediation
-
Risk Management/Mitigation Plan:
- Document remediation actions for high/critical risks
- Assign timelines, owners, and resources
- Implement mitigation measures
- Reassess residual risk after mitigation
Common OCR Findings:
- "Failure to conduct an adequate risk analysis" - Most common enforcement finding
- Risk analysis limited to certain systems or locations (not "organization-wide")
- Risk analysis not updated after significant changes (new systems, mergers, breaches)
- Risk analysis not documented or lacks specificity
- Risk analysis does not address all threats to ePHI
Best Practices:
- Use NIST SP 800-30 (Risk Assessment) as a methodology guide
- Update annually or after significant changes
- Maintain documentation for 6 years
- Obtain senior management sign-off
- Use risk analysis results to inform security policies and budget
Business Associate Agreements (BAAs)
When a BAA is Required:
A BAA is required when a Covered Entity or Business Associate:
- Creates, receives, maintains, or transmits ePHI on behalf of another CE or BA
- Provides services that involve access to ePHI
Common Examples Requiring BAAs:
- Cloud service providers (AWS, Azure, GCP, Salesforce, etc.)
- EHR/EMR software vendors (Epic, Cerner, etc.)
- Medical billing/claims clearinghouses
- Data analytics firms
- IT managed service providers
- Shredding/document disposal companies
- Email/calendar/office productivity services (Microsoft 365, Google Workspace)
- Fax/telecommunications services
- Transcription/medical scribe services
- Health information exchanges
What a BAA Must Obligate the BA to Do (§164.314(a)(2)(i)):
- Implement Appropriate Safeguards: Ensure ePHI is protected per Security Rule requirements
- Report Breaches: Notify CE of any security incident or breach (within 60 days for 500+ individuals)
- Report Security Violations: Inform CE of any Security Rule violations by subcontractors
- Authorize CE Access: Allow CE or OCR to access BAA and related records
- Ensure Subcontractor Compliance: Require subcontractors to agree to same restrictions (via BAAs)
Common BAA Failure Modes:
- Missing BAAs: Cloud services or SaaS vendors used without signed BAAs
- Incomplete BAAs: BAA lacks required provisions or is outdated
- Subcontractor Chains: BA's subcontractors don't have their own BAAs
- Oral Agreements: BAAs must be in writing
- Vendor-Provided Templates: Using vendor templates that don't meet HIPAA requirements
BAA vs. Other Agreements:
- Data Use Agreement (DUA): Often separate from BAA, covers specific research uses
- Non-Disclosure Agreement (NDA): Not sufficient - does not cover HIPAA Security Rule requirements
- Service Level Agreement (SLA): Covers uptime/performance, not ePHI protection
SCF Crosswalk Context
Framework Mapping: This HIPAA Security Rule plugin maps to SCF ID usa-federal-law-hipaa-security-rule-2013.
The /grc-engineer:gap-assessment command supports this framework via SCF crosswalk.
Key SCF Domain Overlaps:
- PRI (Data Privacy): ePHI handling, minimum necessary, disclosure prohibitions
- IAC (Identity and Access Control): Unique user IDs, access authorization, least privilege
- IRO (Incident Response Operations): Security incident procedures, breach notification
- CPL (Contingency Planning): Data backup, disaster recovery, emergency mode operation
- RSK (Risk Management): Risk analysis, risk management, evaluation
- CFG (Configuration Management): System configuration, change management, security settings
- PES (Physical Environment Security): Facility access controls, workstation security, media controls
When Using /grc-engineer:gap-assessment:
/grc-engineer:gap-assessment HIPAA
This will map HIPAA Security Rule requirements to SCF controls and generate findings grouped by safeguard category.
Assessment Approach Guidance
When performing a HIPAA Security Rule assessment:
a. Confirm Entity Type:
- Covered Entity: Healthcare provider, health plan, or healthcare clearinghouse
- Business Associate: Vendor that handles ePHI on behalf of a CE
- Hybrid Organization: Single legal entity that is both a CE and a BA (must designate which components are which)
- Associate Subcontractor: BA's subcontractor handling ePHI
b. Confirm ePHI Systems in Scope:
- Clinical Systems: EHR/EMR, electronic prescribing, telehealth platforms
- Administrative Systems: Claims processing, billing, revenue cycle management
- Patient-Facing Systems: Patient portals, mobile health apps, remote monitoring devices
- Data Platforms: Data warehouses, health information exchanges, analytics platforms
- Infrastructure: Cloud storage (S3, Azure Blob, GCS), databases, file servers
- Endpoints: Workstations, laptops, mobile devices, tablets
- Communication: Email systems, fax servers, secure messaging platforms
c. Ask for Recent Risk Analysis:
- Date of last organization-wide risk analysis
- Whether it covers all ePHI systems and locations
- Whether it's been updated since major changes (new systems, mergers, breaches)
- Whether senior management has approved it
- Whether high/critical risks have been addressed
d. Identify Breach History or OCR Investigations:
- Any past ePHI breaches (investigation findings, remediation completed)
- Any OCR complaints or investigations (findings, corrective action plans)
- Any state attorney general actions
- Lessons learned and improvements implemented
e. Surface Addressable Specification Implementation Status:
- For each addressable spec, check:
- Is it implemented as-is?
- If not, is there documented rationale explaining why it's not reasonable/appropriate?
- Is there an equivalent alternative measure?
- Is the documentation up-to-date and signed off?
Common Addressable Spec Gaps:
- Encryption at rest not enabled for databases or cloud storage
- Automatic logoff not configured for workstations
- Encryption in transit not enforced for all external connections
- Media disposal procedures not documented or followed
- Password management not formalized (written policy)
f. Flag Missing Business Associate Agreements:
- Cloud providers (AWS, Azure, GCP) - check for BAA addendum
- SaaS applications (Office 365, Google Workspace, Salesforce, etc.)
- EHR/EMR vendors
- IT service providers (MSPs, managed security, help desk)
- Billing/clearinghouse services
- Data analytics/analytics vendors
- Email/fax/telecommunication services
- Shredding/disposal vendors
- Health information exchanges
- Mobile app/telehealth platforms
Note: Even vendors that claim HIPAA compliance often require you to execute their BAA separately - check each vendor's process.
Capabilities
- HIPAA Security Rule gap assessments and analysis
- Risk analysis evaluation (§164.308(a)(1)(ii)(A))
- Required vs. addressable specification assessment
- Administrative, Physical, and Technical Safeguard evaluation
- Business Associate Agreement readiness review
- ePHI system scope identification
- Security incident and breach response evaluation
- Contingency plan review (backup/disaster recovery)
- Security awareness and training assessment
- Access control and authentication evaluation
- Encryption at rest and in transit review
- Audit control implementation validation
- Physical security measures assessment
- Policy and procedure documentation review
- OCR enforcement and penalty guidance
- HHS OCR audit preparation
- NIST SP 800-66 implementation guidance
- SCF crosswalk mapping (usa-federal-law-hipaa-security-rule-2013)
- Multi-framework compliance analysis (HIPAA + PCI-DSS, NIST, etc.)
Evidence Checklist Command
The /us-hipaa-security:evidence-checklist command generates comprehensive evidence request lists organized by safeguard category:
Category Short Codes (use with --category flag):
admin - Administrative Safeguards (§164.308)
physical - Physical Safeguards (§164.310)
technical - Technical Safeguards (§164.312)
org - Organizational Requirements (§164.314)
policies - Policies and Documentation (§164.316)
Usage Examples:
/us-hipaa-security:evidence-checklist # All categories (default)
/us-hipaa-security:evidence-checklist --category=admin # Administrative only
/us-hipaa-security:evidence-checklist --format=csv # Export to spreadsheet
/us-hipaa-security:evidence-checklist --audience=internal # Simplified checklist
Output Formats: table (default Markdown table), markdown (detailed list), csv (spreadsheet)
Audience Options: auditor (external/OCR with CFR references), internal (simplified readiness check)