HIPAA Security Rule
cloud-audit maps 88 checks to 47 HIPAA Security Rule implementation specifications across 3 safeguard categories. 28 specifications are automated, 19 require manual review (administrative and organizational controls).
Readiness assessment, not certification
HIPAA compliance requires ongoing organizational commitment and may be subject to HHS OCR audits. This tool automates assessment of technical safeguard controls and generates evidence to support your compliance program. HIPAA has no formal certification - compliance is demonstrated through policies, procedures, and technical controls.
Coverage Summary
*Automated includes both fully automated (Auto) and partially automated (Partial) specifications. HIPAA distinguishes between Required (R) and Addressable (A) implementation specifications. Addressable does not mean optional: the organization must either implement the specification or document why an alternative control is reasonable and appropriate.
| Safeguard | Specifications | Automated* | Manual | Required | Addressable |
|---|---|---|---|---|---|
| Administrative Safeguards | 20 | 8 | 12 | 12 | 8 |
| Physical Safeguards | 10 | 0 | 10 | 4 | 6 |
| Technical Safeguards | 17 | 17 | 0 | 9 | 8 |
| Total | 47 | 28 (60%) | 19 (40%) | 25 | 22 |
Organizational Requirements (Business Associate Agreements, policies) and Policies and Procedures are tracked separately as NOT_ASSESSED items.
Usage
```bash
# Terminal output with readiness score
cloud-audit scan --compliance hipaa_security

# HTML report for auditors
cloud-audit scan --compliance hipaa_security --format html --output hipaa-report.html

# Markdown for documentation
cloud-audit scan --compliance hipaa_security --format markdown --output hipaa-report.md

# List all frameworks
cloud-audit list-frameworks

# Preview controls without scanning
cloud-audit show-framework hipaa_security
```
Administrative Safeguards (164.308)
| ID | Title | R/A | Type | cloud-audit Checks |
|---|---|---|---|---|
| 308(a)(1)(i) | Security management process | R | Partial | aws-gd-001, aws-gd-002, aws-sh-001, aws-cfg-001, aws-cfg-002 |
| 308(a)(1)(ii)(A) | Risk analysis | R | Manual | - |
| 308(a)(1)(ii)(B) | Risk management | R | Partial | aws-gd-001, aws-gd-002, aws-sh-001 |
| 308(a)(1)(ii)(C) | Sanction policy | R | Manual | - |
| 308(a)(1)(ii)(D) | Information system activity review | R | Auto | aws-ct-001, aws-ct-002, aws-ct-004, aws-ct-005, aws-ct-008 |
| 308(a)(2) | Assigned security responsibility | R | Manual | - |
| 308(a)(3)(i) | Workforce security | R | Manual | - |
| 308(a)(3)(ii)(A) | Authorization and supervision | A | Partial | aws-iam-005, aws-iam-010 |
| 308(a)(3)(ii)(B) | Workforce clearance procedure | A | Manual | - |
| 308(a)(3)(ii)(C) | Termination procedures | A | Partial | aws-iam-003, aws-iam-004, aws-iam-009 |
| 308(a)(4)(i) | Information access management | R | Auto | aws-iam-005, aws-iam-007, aws-iam-010, aws-iam-017 |
| 308(a)(4)(ii)(A) | Isolating healthcare clearinghouse functions | R | Manual | - |
| 308(a)(4)(ii)(B) | Access authorization | A | Auto | aws-iam-005, aws-iam-007, aws-iam-008, aws-iam-014 |
| 308(a)(4)(ii)(C) | Access establishment and modification | A | Partial | aws-iam-003, aws-iam-004, aws-iam-012 |
| 308(a)(5)(i) | Security awareness and training | R | Manual | - |
| 308(a)(5)(ii)(A) | Security reminders | A | Manual | - |
| 308(a)(5)(ii)(B) | Protection from malicious software | A | Partial | aws-gd-001, aws-gd-002, aws-inspector-001 |
| 308(a)(5)(ii)(C) | Log-in monitoring | A | Auto | aws-cw-001 through aws-cw-016, aws-ct-001 |
| 308(a)(5)(ii)(D) | Password management | A | Auto | aws-iam-006 |
| 308(a)(6) | Security incident procedures | R | Manual | - |
Physical Safeguards (164.310)
| ID | Title | R/A | Type | cloud-audit Checks |
|---|---|---|---|---|
| 310(a)(1) | Facility access controls | R | Manual | AWS shared responsibility |
| 310(a)(2)(i) | Contingency operations | A | Manual | AWS shared responsibility |
| 310(a)(2)(ii) | Facility security plan | A | Manual | AWS shared responsibility |
| 310(a)(2)(iii) | Access control and validation procedures | A | Manual | AWS shared responsibility |
| 310(a)(2)(iv) | Maintenance records | A | Manual | AWS shared responsibility |
| 310(b) | Workstation use | R | Manual | - |
| 310(c) | Workstation security | R | Manual | - |
| 310(d)(1) | Device and media controls | R | Manual | - |
| 310(d)(2)(i) | Disposal | R | Manual | - |
| 310(d)(2)(ii) | Media re-use | A | Manual | - |
Technical Safeguards (164.312)
| ID | Title | R/A | Type | cloud-audit Checks |
|---|---|---|---|---|
| 312(a)(1) | Access control | R | Auto | aws-iam-005, aws-iam-006, aws-iam-010, aws-iam-014, aws-iam-016, aws-iam-017 |
| 312(a)(2)(i) | Unique user identification | R | Auto | aws-iam-003, aws-iam-009, aws-iam-013 |
| 312(a)(2)(ii) | Emergency access procedure | R | Partial | aws-iam-001, aws-iam-008 |
| 312(a)(2)(iii) | Automatic logoff | A | Partial | aws-iam-003, aws-iam-004 |
| 312(a)(2)(iv) | Encryption and decryption | A | Auto | aws-s3-002, aws-rds-002, aws-ec2-002, aws-ec2-006, aws-efs-001, aws-kms-001, aws-kms-002 |
| 312(b) | Audit controls | R | Auto | aws-ct-001, aws-ct-002, aws-ct-004, aws-ct-005, aws-ct-006, aws-ct-007, aws-ct-008 |
| 312(c)(1) | Integrity | R | Auto | aws-s3-005, aws-ct-005, aws-rds-002 |
| 312(c)(2) | Mechanism to authenticate ePHI | A | Auto | aws-s3-005, aws-s3-007, aws-ct-005 |
| 312(d) | Person or entity authentication | R | Auto | aws-iam-001, aws-iam-002, aws-iam-006, aws-iam-015 |
| 312(e)(1) | Transmission security | R | Auto | aws-s3-006, aws-rds-002, aws-efs-001, aws-lambda-003, aws-ssm-002 |
| 312(e)(2)(i) | Integrity controls | A | Auto | aws-s3-005, aws-s3-007 |
| 312(e)(2)(ii) | Encryption | A | Auto | aws-s3-006, aws-kms-001, aws-kms-002 |
| 312(a)(1) | Network segmentation | R | Auto | aws-vpc-001, aws-vpc-002, aws-vpc-004, aws-vpc-005, aws-vpc-006 |
| 312(a)(1) | Firewall controls | R | Auto | aws-vpc-002, aws-vpc-004, aws-waf-001, aws-ec2-001 |
| 312(a)(1) | Network monitoring | R | Auto | aws-vpc-003, aws-gd-001, aws-gd-002 |
| 312(a)(1) | Backup and recovery | R | Auto | aws-rds-003, aws-s3-003, aws-ec2-005, aws-backup-001 |
| 312(a)(1) | Vulnerability management | A | Auto | aws-ssm-001, aws-ssm-003, aws-inspector-001 |
Why 19 Specifications Are Manual
HIPAA covers administrative procedures, workforce management, physical facility controls, and organizational policies that cannot be verified by scanning AWS infrastructure.
Examples:
- 308(a)(1)(ii)(A) (risk analysis) - documented risk assessment, asset inventory, threat identification
- 310(a)(1) (facility access) - covered by AWS shared responsibility model; request AWS SOC 2 report via Artifact
- 308(a)(6) (incident procedures) - documented incident response plan, breach notification procedures
cloud-audit marks these as NOT_ASSESSED with actionable manual steps for each.
Shared Responsibility and AWS BAA
AWS Business Associate Agreement required
Before processing Protected Health Information (PHI) on AWS, you must have an executed AWS Business Associate Agreement (BAA). Request it through AWS Artifact in the AWS Console. Only HIPAA-eligible AWS services may be used with PHI.
HIPAA compliance on AWS operates under the shared responsibility model:
- AWS responsibility: Physical safeguards for data centers, infrastructure availability, physical media disposal
- Your responsibility: Access controls, encryption configuration, audit logging, network segmentation, backup policies
cloud-audit covers the customer-side technical controls. AWS compliance documentation (SOC 2, ISO 27001 reports) covers the provider side - available through AWS Artifact.
Attack Chain Integration
All 25 attack chain rules are mapped to HIPAA specifications. When a chain is detected, the compliance report shows which specifications it violates. A sample of the mapping:
| Chain | HIPAA Specifications Violated |
|---|---|
| AC-01 Internet-Exposed Admin Instance | 312(a)(1), 308(a)(4)(i) |
| AC-02 SSRF to Credential Theft | 312(a)(1), 312(e)(1) |
| AC-12 Admin Without MFA | 312(d), 312(a)(2)(i) |
| AC-17 Exposed Database Without Audit Trail | 312(a)(1), 312(b), 312(c)(1) |
| AC-32 CloudTrail Blind Spot | 312(b), 308(a)(1)(ii)(D) |
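The roll-up semantics described on this page (Manual specifications reported as NOT_ASSESSED, Addressable treated like Required, a detected attack chain marking the specifications it violates) can be modelled in a few dozen lines. The following is an added example written for this page, not cloud-audit's own code: the mapping rows are a small subset copied from the tables above, while the check results, the roll-up rule and the readiness percentage are constructed assumptions and may differ from what the tool actually computes.

```python
from typing import Dict, Iterable, List

# Subset of this page's mapping table (spec id, title, R/A, type, checks).
# Constructed for the example: a handful of rows, not the full 47.
SPECS = [
    ("312(a)(2)(iv)", "Encryption and decryption", "A", "Auto",
     ["aws-s3-002", "aws-rds-002", "aws-kms-001"]),
    ("312(b)", "Audit controls", "R", "Auto",
     ["aws-ct-001", "aws-ct-002", "aws-ct-005"]),
    ("312(a)(2)(iii)", "Automatic logoff", "A", "Partial",
     ["aws-iam-003", "aws-iam-004"]),
    ("308(a)(1)(ii)(A)", "Risk analysis", "R", "Manual", []),
]

# Attack chain -> specifications violated, rows from the chain table above.
CHAINS: Dict[str, List[str]] = {
    "AC-32 CloudTrail Blind Spot": ["312(b)", "308(a)(1)(ii)(D)"],
    "AC-17 Exposed Database Without Audit Trail": ["312(a)(1)", "312(b)", "312(c)(1)"],
}

def spec_status(spec_type: str, check_ids: List[str], results: Dict[str, str]) -> str:
    """Roll individual check results up to one specification status.

    Roll-up rule (an assumption of this example, not cloud-audit's documented
    scoring): Manual specs are NOT_ASSESSED and need evidence outside the scan;
    one failing check fails the spec; all checks passing is PASS; anything else
    is INCOMPLETE. Addressable specs roll up exactly like Required ones,
    because addressable does not mean optional.
    """
    if spec_type == "Manual":
        return "NOT_ASSESSED"
    statuses = [results.get(cid, "NOT_RUN") for cid in check_ids]
    if "FAIL" in statuses:
        return "FAIL"
    return "PASS" if all(s == "PASS" for s in statuses) else "INCOMPLETE"

def assess(results: Dict[str, str], detected_chains: Iterable[str] = ()) -> Dict[str, str]:
    """Return {spec_id: status}; a detected chain forces FAIL on each spec it violates."""
    report = {sid: spec_status(kind, checks, results) for sid, _, _, kind, checks in SPECS}
    for chain in detected_chains:
        for sid in CHAINS.get(chain, []):
            if sid in report:  # specs outside this subset are not tracked here
                report[sid] = "FAIL"
    return report

def readiness(report: Dict[str, str]) -> int:
    """Percent of assessed (non-manual) specs that PASS: a constructed score, not the tool's."""
    assessed = [s for s in report.values() if s != "NOT_ASSESSED"]
    return round(100 * sum(s == "PASS" for s in assessed) / len(assessed)) if assessed else 0
```

Note that a Manual specification never contributes to the percentage; it stays NOT_ASSESSED until the organization supplies the documentary evidence the page lists for it.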