Every scan check. Every Security Rule section. One map.
HIPAA Shield reports every finding with an explicit 45 CFR Part 164 citation. This page is the full coverage map — the same document we deliver to your procurement team, OCR auditor, or BAA counterparty, annotated with the scan technique we use for each standard.
Reading this map
The Security Rule labels every specification as Standard, Required, or Addressable. Addressable does not mean optional — 45 CFR § 164.306(d) requires a covered entity to implement the addressable specification if reasonable and appropriate, or document why not and implement an equivalent alternative.
Administrative Safeguards
Policy, process, and governance controls. This section is the most frequently cited in OCR resolution agreements — the Risk Analysis standard alone accounts for the majority of enforcement actions.
13 individual standards & specifications below
Security Management Process
Implement policies and procedures to prevent, detect, contain, and correct security violations.
How we cover it: Assessment reviews your documented security program, sampling evidence that policies are followed in production.
Risk Analysis
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
How we cover it: The HIPAA Security Risk Assessment engagement produces the formal Risk Analysis document. This standard is satisfied outright by our Risk Assessment deliverable.
Risk Management
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
How we cover it: Remediation roadmap ranks every finding by likelihood × impact, with a path to bring residual risk below your risk tolerance.
Sanction Policy
Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures.
How we cover it: Policy sample review — not a scan check, but included in the Risk Assessment deliverable as evidence guidance.
Information System Activity Review
Regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
How we cover it: Continuous Monitoring tier delivers the recurring activity review this standard contemplates. Audit-log completeness is tested in every tier.
Assigned Security Responsibility
Identify the security official responsible for development and implementation of the required policies and procedures.
How we cover it: Documentation sample review — we confirm a named Security Official exists and has appropriate authority.
Workforce Security
Implement policies to ensure workforce members have appropriate access to ePHI and to prevent those without access from obtaining it.
How we cover it: Authenticated testing role-maps every workforce role against ePHI access, surfacing over-privileged accounts and abandoned sessions.
Information Access Management
Implement policies and procedures for authorizing access to ePHI that are consistent with the applicable requirements of Subpart E.
How we cover it: Access-model testing exercises user, role, and tenant boundaries. IDOR and cross-tenant reads are the dominant findings in this section.
Security Awareness and Training
Implement a security awareness and training program for all workforce members.
How we cover it: Evidence-review item — training records are sampled, not pen-tested.
Security Incident Procedures
Implement policies and procedures to address security incidents — identification, response, mitigation, and documentation.
How we cover it: Incident response retainer in the Continuous Monitoring tier is scoped against this standard.
Contingency Plan
Establish policies and procedures for responding to an emergency or other occurrence that damages systems containing ePHI.
How we cover it: Backup integrity, DR runbook review, and synthetic restore validation where the environment supports it.
Evaluation
Perform a periodic technical and non-technical evaluation in response to environmental or operational changes affecting ePHI security.
How we cover it: The Annual HIPAA Pentest is structured to satisfy the periodic evaluation this standard contemplates.
Business Associate Contracts and Other Arrangements
A covered entity may permit a business associate to create, receive, maintain, or transmit ePHI only if the covered entity obtains satisfactory assurances via a BAA.
How we cover it: BAA scope-gap analysis maps every sub-processor that touches ePHI and flags those without an executed BAA — the most common HHS enforcement action pattern.
Physical Safeguards
Physical controls over facilities, workstations, and device media. For cloud-hosted systems, most of this section is inherited through the hyperscaler's SOC 2 Type II and HIPAA attestations — we verify coverage and document the inheritance.
12 individual standards & specifications below
Facility Access Controls
Limit physical access to electronic information systems while ensuring properly authorized access is allowed.
How we cover it: Cloud-hosted systems inherit this through the hyperscaler. On-premise and co-located systems are reviewed via evidence sampling.
Contingency Operations
Establish procedures that allow facility access in support of restoration of lost data under the disaster recovery plan.
How we cover it: DR runbook review — included in the Annual Pentest deliverable.
Facility Security Plan
Implement policies to safeguard the facility and equipment from unauthorized physical access, tampering, and theft.
How we cover it: Evidence review of physical facility plans and audit logs.
Access Control and Validation Procedures
Control and validate a person's access to facilities based on role or function.
How we cover it: Cloud: reviewed through hyperscaler documentation. On-premise: evidence review.
Maintenance Records
Document repairs and modifications to the physical components of a facility related to security.
How we cover it: Evidence review.
Workstation Use
Specify the proper functions to be performed, the manner of performance, and the physical attributes of workstations that can access ePHI.
How we cover it: Endpoint policy review and a sample device audit if workstations are in scope.
Workstation Security
Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users.
How we cover it: MDM/EPP configuration review if workstations are in scope.
Device and Media Controls
Implement policies governing the receipt and removal of hardware and electronic media that contain ePHI.
How we cover it: Disposal and media-handling policy review. Cloud disposal is verified via provider attestation.
Disposal
Implement policies to address final disposition of ePHI and the hardware or electronic media on which it is stored.
How we cover it: Cryptographic erasure and secure-delete procedures verified in the Annual Pentest.
Media Re-use
Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
How we cover it: Disposal process review.
Accountability
Maintain a record of the movements of hardware and electronic media and any person responsible.
How we cover it: Asset inventory and movement-log review.
Data Backup and Storage
Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.
How we cover it: Backup integrity validation — synthetic restore tested where environment allows.
Technical Safeguards
The heaviest scan coverage. Access control, audit logging, integrity, authentication, and transmission security are the sections where our AI swarm does the bulk of its work — and where OCR enforcement most often finds technical failures.
12 individual standards & specifications below
Access Control — Standard
Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to persons or software programs that have been granted access rights.
How we cover it: Core scan coverage. Authenticated cross-role, cross-tenant, and cross-user testing with brain-guided IDOR sequences.
Unique User Identification
Assign a unique name and/or number for identifying and tracking user identity.
How we cover it: Account-model review confirms every authenticated actor has a unique identifier. Shared-credential findings escalate to Critical.
Emergency Access Procedure
Establish procedures for obtaining necessary ePHI during an emergency.
How we cover it: Break-glass access procedure review.
Automatic Logoff
Implement procedures that terminate an electronic session after a predetermined time of inactivity.
How we cover it: Session timeout testing on all authenticated endpoints. Session-fixation tested alongside.
Encryption and Decryption
Implement a mechanism to encrypt and decrypt ePHI.
How we cover it: Storage encryption validation — at rest at the storage layer and at the application layer where applicable. Key management review.
Audit Controls
Implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
How we cover it: Audit-log completeness is tested on every authenticated action that touches ePHI. Tamper-resistance of audit storage is validated separately.
Integrity — Standard
Implement policies and procedures to protect ePHI from improper alteration or destruction.
How we cover it: Write-side testing — can an unauthorized actor modify or destroy ePHI? Tested in every role boundary.
Mechanism to Authenticate ePHI
Implement mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
How we cover it: Checksum, signing, and record-integrity mechanisms are validated on critical records (prescriptions, orders, lab results).
Person or Entity Authentication
Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
How we cover it: Authentication flow testing — MFA enforcement, password policy, session management, OAuth/OIDC misconfigurations, impersonation via forged tokens.
Transmission Security — Standard
Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.
How we cover it: TLS configuration, mTLS for BA-to-BA channels, FHIR endpoint authentication, and HL7 v2 MLLP auth where applicable.
Integrity Controls — Transmission
Implement security measures to ensure ePHI is not improperly modified without detection until disposed of.
How we cover it: TLS integrity + application-layer signing review.
Encryption — Transmission
Implement a mechanism to encrypt ePHI whenever deemed appropriate.
How we cover it: End-to-end TLS validation on every ePHI channel. Cipher suite and certificate chain review. Email-based ePHI (still common) is separately assessed.
Organizational Requirements & Documentation
Organizational and documentation requirements. BAA contract content and policy documentation retention sit here.
4 individual standards & specifications below
Business Associate Contracts or Other Arrangements
Specific contract language required between covered entities and business associates.
How we cover it: BAA template review and sub-processor mapping (included in BAA-Ready Assessment tier).
Requirements for Group Health Plans
Group health plan sponsor safeguards for ePHI.
How we cover it: Reviewed when the assessment is scoped against a health plan.
Policies and Procedures
Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements.
How we cover it: Policy existence and effectiveness review.
Documentation
Maintain the policies and procedures in written (which may be electronic) form, and retain them for six years.
How we cover it: Documentation sample review — six-year retention is confirmed via sampling.
Breach Notification Rule
Not part of the Security Rule itself, but tightly linked — every exploitable finding in our report includes an explicit Breach Notification Rule impact analysis for legal review.
4 individual standards & specifications below
Breach — Definitions
The acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises its security or privacy.
How we cover it: Every exploitable finding includes a Breach Notification Rule impact analysis — whether it would meet the definition if exercised.
Notification to Individuals
A covered entity must notify each individual whose PHI has been, or is reasonably believed to have been, accessed or disclosed as a result of a breach.
How we cover it: Findings that would trigger individual notification are flagged separately in the report for legal review.
Notification to the Secretary
Covered entities must notify the Secretary of HHS of breaches of unsecured PHI.
How we cover it: Findings are scored against the 500-individual threshold that triggers immediate HHS notification.
Notification by a Business Associate
A business associate must notify the covered entity of a breach.
How we cover it: BAs receive explicit BA-to-CE notification runbook guidance as part of the deliverable.
Want this map against your environment?
The HIPAA Security Risk Assessment engagement produces exactly this map — but populated with findings, evidence, and a remediation roadmap specific to your systems.