HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires Covered Entities and Business Associates to implement administrative, physical, and technical safeguards to protect electronic Protected Health Information (ePHI). Any organization that stores, processes, or transmits ePHI — or provides services to those that do — must comply.

Infracast ships 45 automated rules mapped to HIPAA Security Rule requirements, covering the technical safeguards and organizational controls that can be evaluated through infrastructure analysis.

HIPAA Security Rule Structure

The Security Rule is organized into three safeguard categories:

Category	Rules in Infracast	Description
Technical Safeguards	35	Access controls, audit controls, encryption
Administrative Safeguards	7	Risk analysis, workforce training, procedures
Physical Safeguards	3	Workstation security, device controls

note

Physical and most administrative safeguards require manual attestation. Infracast automates evaluation of all technical safeguards and provides attestation workflows for the rest.

Technical Safeguards

164.312(a) — Access Control

Access controls ensure only authorized persons access ePHI:

Rule	Standard	Description
`HIPAA-164.312a-ROOT-MFA`	164.312(a)(1)	Root/admin accounts require MFA
`HIPAA-164.312a-USER-MFA`	164.312(a)(2)(i)	Unique user IDs + MFA for ePHI systems
`HIPAA-164.312a-INACTIVE-ACCOUNTS`	164.312(a)(2)(ii)	Inactive accounts disabled after 35 days
`HIPAA-164.312a-LEAST-PRIVILEGE`	164.312(a)(2)(iv)	IAM policies follow least privilege
`HIPAA-164.312a-SSH-RESTRICTED`	164.312(a)(1)	SSH access restricted, not open to internet

164.312(b) — Audit Controls

Systems containing ePHI must implement audit controls:

Rule	Standard	Description
`HIPAA-164.312b-CLOUDTRAIL`	164.312(b)	CloudTrail enabled in all regions
`HIPAA-164.312b-LOG-RETENTION`	164.312(b)	Log retention ≥ 6 years
`HIPAA-164.312b-LOG-VALIDATION`	164.312(b)	CloudTrail log file validation enabled
`HIPAA-164.312b-ACCESS-LOGGING`	164.312(b)	S3 access logging enabled for ePHI buckets

164.312(c) — Integrity

Protect ePHI from improper alteration or destruction:

Rule	Standard	Description
`HIPAA-164.312c-S3-VERSIONING`	164.312(c)(1)	S3 versioning enabled for ePHI buckets
`HIPAA-164.312c-S3-MFA-DELETE`	164.312(c)(1)	MFA Delete enabled on ePHI buckets
`HIPAA-164.312c-RDS-BACKUP`	164.312(c)(1)	RDS automated backups enabled
`HIPAA-164.312c-CLOUDTRAIL-TAMPER`	164.312(c)(2)	CloudTrail cannot be disabled without alerting

164.312(d) — Person or Entity Authentication

Rule	Standard	Description
`HIPAA-164.312d-MFA-ALL`	164.312(d)	MFA enforced for all console and API access
`HIPAA-164.312d-PASSWORD-POLICY`	164.312(d)	Password complexity and rotation enforced
`HIPAA-164.312d-SSO-ENABLED`	164.312(d)	SSO/SAML used rather than shared credentials

164.312(e) — Transmission Security

Rule	Standard	Description
`HIPAA-164.312e-HTTPS-ONLY`	164.312(e)(2)(ii)	All load balancers enforce HTTPS/TLS
`HIPAA-164.312e-S3-TLS`	164.312(e)(2)(ii)	S3 buckets deny HTTP requests
`HIPAA-164.312e-RDS-TLS`	164.312(e)(2)(ii)	RDS requires TLS connections
`HIPAA-164.312e-NO-WEAK-TLS`	164.312(e)(2)(ii)	TLS 1.0/1.1 disabled

PHI Protection Findings

Sample Findings

Finding: Unencrypted ePHI Storage

{
  "rule_id": "HIPAA-164.312a-2-EBS-ENCRYPTION",
  "control_id": "164.312(a)(2)(iv)",
  "severity": "CRITICAL",
  "title": "EBS volume containing potential ePHI is not encrypted at rest",
  "description": "EBS volume 'vol-0x1234' attached to 'ehr-app-01' is unencrypted. Systems tagged with 'ehr' or 'phi' must have encryption enabled.",
  "remediation": "Enable EBS encryption. Snapshot the volume, copy to an encrypted snapshot, and restore."
}

Finding: Missing Audit Logging

{
  "rule_id": "HIPAA-164.312b-S3-ACCESS-LOGGING",
  "control_id": "164.312(b)",
  "severity": "HIGH",
  "title": "S3 bucket storing ePHI has no access logging",
  "description": "S3 bucket 'patient-records-prod' does not have server access logging enabled. All access to ePHI must be logged per HIPAA 164.312(b).",
  "remediation": "Enable S3 server access logging and direct logs to a centralized audit bucket."
}

Scoping PHI Systems

Use resource tags and application boundaries to scope HIPAA checks to systems that actually handle ePHI:

# Tag ePHI systems in your environment
# (via AWS console or Terraform)
resource "aws_instance" "ehr_app" {
  ...
  tags = {
    "hipaa-in-scope" = "true"
    "data-classification" = "phi"
  }
}

# Infracast uses tags to identify in-scope resources
# and apply additional scrutiny to ePHI-tagged systems

tip

Create an application in Infracast grouping all ePHI-handling resources. Compliance scoring and reports can be scoped to this application boundary for more accurate PHI-specific results.

Administrative Safeguard Attestations

HIPAA administrative safeguards require policies and procedures, not just technical controls. Use Infracast questionnaires to document compliance:

Safeguard	Standard	Questionnaire
Risk Analysis	164.308(a)(1)	`hipaa-risk-analysis`
Workforce Training	164.308(a)(5)	`hipaa-workforce-training`
Access Authorization	164.308(a)(4)	`hipaa-access-management`
Business Associate Agreements	164.308(b)(1)	`hipaa-baa-management`
Incident Response	164.308(a)(6)	`hipaa-incident-response`

# Create workforce training attestation
POST /api/v1/tenants/{tenantID}/questionnaires/from-template
{
  "template_id": "hipaa-workforce-training",
  "title": "HIPAA Workforce Training — 2024 Annual",
  "assignees": ["hr@hospital.com", "security-officer@hospital.com"]
}

HIPAA Compliance Report

Generate HIPAA compliance reports for your Privacy Officer or auditors:

POST /api/v1/tenants/{tenantID}/reports/generate
{
  "type": "framework",
  "framework": "hipaa",
  "format": "pdf",
  "options": {
    "include_phi_systems_only": true,
    "include_remediation": true,
    "include_attestations": true
  }
}

Reports include:

Technical safeguard status for each ePHI system
Access control findings with IAM detail
Audit log coverage gaps
Encryption compliance across storage and transit
BAA tracking (attested)
Remediation timeline and ownership

HIPAA Compliance Score

GET /api/v1/tenants/{tenantID}/compliance/summary?framework=hipaa

{
  "framework": "hipaa",
  "score": 86,
  "controls_total": 45,
  "controls_passing": 39,
  "by_safeguard": {
    "technical": { "score": 88, "passing": 31, "total": 35 },
    "administrative": { "score": 71, "passing": 5, "total": 7, "note": "3 attestations pending" },
    "physical": { "score": 100, "passing": 3, "total": 3 }
  }
}

HIPAA Risk Analysis Report

Infracast generates a full HIPAA Risk Analysis document (required under 45 CFR §164.308(a)(1)) auto-populated from discovered infrastructure and HIPAA rule-pack findings.

What’s included:

ePHI system inventory (auto-detected from node metadata: RDS instances tagged data_classification=phi, EC2s in subnets tagged hipaa-scope, etc.)
Threat and vulnerability identification per system
Likelihood and impact ratings per safeguard category
Current control assessment (technical, administrative, physical)
Risk matrix and prioritized remediation list
BAA status summary (from questionnaire)

Generate via UI: Documents → Generate → HIPAA Risk Analysis
DocType: hipaa_risk

Required questionnaire fields: ePHI system inventory, BAA vendor list, workforce access controls, incident response coordinator. (Template: hipaa_ephi_scope)

Next Steps

SOC 2 Guide — Often paired with HIPAA for healthcare SaaS
API: Findings — Query HIPAA findings by safeguard category
API: Reports — Generate Privacy Officer reports

HIPAA Security Rule Structure​

Technical Safeguards​

164.312(a) — Access Control​

164.312(b) — Audit Controls​

164.312(c) — Integrity​

164.312(d) — Person or Entity Authentication​

164.312(e) — Transmission Security​

PHI Protection Findings​

Sample Findings​

Scoping PHI Systems​

Administrative Safeguard Attestations​

HIPAA Compliance Report​

HIPAA Compliance Score​

HIPAA Risk Analysis Report​

Next Steps​