Trust Center

Workforce

HIPAA Security

Standards for the protection of electronic protected health information (ePHI)

Summary: 15 total controls, 7 implemented, 5 partial, 50.0% coverage

Control Families

administrative — Administrative Safeguards

164.308 — Administrative actions, policies, and procedures
Coverage: 0.0% (8 controls)

| ID | Title | Status | Evidence Sources | Notes |
|---|---|---|---|---|
| 164.308(a)(1)(i) | Security Management Process | partial | security_policy, guardduty, cloudtrail | GuardDuty + CloudTrail provide detection; formal security policy needed |
| 164.308(a)(1)(ii)(A) | Risk Analysis (R) | not started | risk_assessment | Formal risk assessment planned for Sprint 7 |
| 164.308(a)(1)(ii)(B) | Risk Management (R) | partial | iam_policies, kms_keys, scp_policies | Technical controls implemented; formal risk management plan needed |
| 164.308(a)(3)(i) | Workforce Security | partial | iam_policies, agent_config | Agent-level tool allowlists, IAM scoping; workforce access policy needed |
| 164.308(a)(4)(i) | Information Access Management | partial | iam_policies, approval_queue | Approval queue controls external data access; access authorization policy needed |
| 164.308(a)(5)(i) | Security Awareness and Training | not applicable | (none) | AI agents — no human workforce training required. Customer responsible for their staff. |
| 164.308(a)(6)(i) | Security Incident Procedures | not started | incident_response_plan | Incident response plan needed — Sprint 7 |
| 164.308(a)(7)(i) | Contingency Plan | partial | dynamodb_pitr, s3_versioning | DynamoDB PITR enabled, S3 versioning on; formal contingency plan needed |

technical — Technical Safeguards

164.312 — Technology and processes for protecting ePHI
Coverage: 100.0% (7 controls)

| ID | Title | Status | Evidence Sources | Notes |
|---|---|---|---|---|
| 164.312(a)(1) | Access Control | implemented | iam_policies, secrets_manager, api_gateway | IAM roles per service, Secrets Manager for credentials, API Gateway authentication |
| 164.312(a)(2)(i) | Unique User Identification (R) | implemented | iam_users, agent_ids | Each IAM user and agent has a unique identifier |
| 164.312(a)(2)(iv) | Encryption and Decryption (A) | implemented | kms_keys, dynamodb_encryption, s3_encryption | KMS encryption on all data stores — DynamoDB, S3, Secrets Manager |
| 164.312(b) | Audit Controls | implemented | cloudtrail, cloudwatch_logs, cost_tracker | CloudTrail for API audit (tamper-proof), structured application logging, cost tracking |
| 164.312(c)(1) | Integrity | implemented | dynamodb_pitr, s3_versioning, approval_queue | DynamoDB PITR, S3 versioning, approval queue prevents unauthorized modifications |
| 164.312(d) | Person or Entity Authentication | implemented | iam_policies, oidc_provider, slack_signing_secret | OIDC for CI/CD, Slack signing secret verification, IAM authentication |
| 164.312(e)(1) | Transmission Security | implemented | tls_enforcement | All communications over TLS 1.2+; AWS enforces TLS on all API endpoints |

Gaps Requiring Remediation (7)

| Control | Family | Title | Status | Cross-Mappings | Notes |
|---|---|---|---|---|---|
| 164.308(a)(1)(i) | Administrative Safeguards | Security Management Process | partial | nist_csf:GV.RM-01 | GuardDuty + CloudTrail provide detection; formal security policy needed |
| 164.308(a)(1)(ii)(A) | Administrative Safeguards | Risk Analysis (R) | not started | soc2:CC3.2, nist_csf:ID.RA-01 | Formal risk assessment planned for Sprint 7 |
| 164.308(a)(1)(ii)(B) | Administrative Safeguards | Risk Management (R) | partial | (none) | Technical controls implemented; formal risk management plan needed |
| 164.308(a)(3)(i) | Administrative Safeguards | Workforce Security | partial | (none) | Agent-level tool allowlists, IAM scoping; workforce access policy needed |
| 164.308(a)(4)(i) | Administrative Safeguards | Information Access Management | partial | (none) | Approval queue controls external data access; access authorization policy needed |
| 164.308(a)(6)(i) | Administrative Safeguards | Security Incident Procedures | not started | (none) | Incident response plan needed — Sprint 7 |
| 164.308(a)(7)(i) | Administrative Safeguards | Contingency Plan | partial | (none) | DynamoDB PITR enabled, S3 versioning on; formal contingency plan needed |