HIPAA Compliance Dashboard

Health Insurance Portability and Accountability Act

Jurisdiction: United States | Effective: 1996 (updated) | Domain: Health

Overview

HIPAA establishes national standards for the protection of individually identifiable health information (protected health information or PHI). It includes the Privacy Rule, Security Rule, and Breach Notification Rule.

Controls

HIPAA-C001: PHI Access Controls

  • Requirement: Implement access controls for electronic PHI (ePHI)
  • Automated: Yes
  • Evidence: Access logs, role-based access control configurations

HIPAA-C002: Encryption of ePHI

  • Requirement: Implement encryption for ePHI at rest and in transit
  • Automated: Yes
  • Evidence: Encryption audit, TLS configuration

HIPAA-C003: Audit Controls

  • Requirement: Implement mechanisms to record and examine access to ePHI
  • Automated: Yes
  • Evidence: Audit trail reports

HIPAA-C004: Breach Notification

  • Requirement: Notify affected individuals and HHS within required timeframes
  • Automated: No
  • Evidence: Breach log, notification records

HIPAA-C005: Business Associate Agreements

  • Requirement: Execute BAAs with all entities handling PHI
  • Automated: No
  • Evidence: BAA inventory, signed agreements

Compliance Gates

Gate         Control Ref   Requirement                                         Status
HIPAA-G001   HIPAA-C001    Access controls implemented for all ePHI systems
HIPAA-G002   HIPAA-C002    All ePHI encrypted in transit and at rest
HIPAA-G003   HIPAA-C004    Breach notification procedures tested annually

Metrics

Metric                            Target   Source              Trend
ePHI access authorization rate    100%     access_system       Stable
Encryption coverage for ePHI      100%     crypto_audit        Improving
BAA coverage                      100%     vendor_management   Improving

  1. Conduct annual security risk analysis
  2. Review and update BAA inventory
  3. Test breach notification procedures

Cross-Regulation Overlaps

  • GDPR — Data protection for health information
  • ISO 27001 — Information security controls
  • SOC 2 — Security and confidentiality criteria