HIPAA

Protect healthcare data and achieve HIPAA compliance with CyberOrigen.

Overview

HIPAA (Health Insurance Portability and Accountability Act) protects sensitive patient health information (PHI). It applies to covered entities and their business associates.

HIPAA Rules

Privacy Rule

Protects PHI usage and disclosure:

Patient rights
Minimum necessary standard
Authorization requirements

Security Rule

Technical safeguards for ePHI:

Category	Requirement
Administrative	Policies, training, risk analysis
Physical	Facility access, workstation security
Technical	Access controls, encryption, audit

Breach Notification Rule

Requires notification when PHI is compromised:

Patient notification (within 60 days)
HHS notification
Media notification (>500 individuals)

Security Rule Requirements

Administrative Safeguards

Standard	Implementation
164.308(a)(1)	Risk analysis and management
164.308(a)(2)	Assigned security responsibility
164.308(a)(3)	Workforce security
164.308(a)(4)	Information access management
164.308(a)(5)	Security awareness and training
164.308(a)(6)	Security incident procedures
164.308(a)(7)	Contingency plan
164.308(a)(8)	Evaluation
164.308(b)(1)	Business associate agreements

Physical Safeguards

Standard	Implementation
164.310(a)(1)	Facility access controls
164.310(b)	Workstation use
164.310(c)	Workstation security
164.310(d)(1)	Device and media controls

Technical Safeguards

Standard	Implementation
164.312(a)(1)	Access control
164.312(b)	Audit controls
164.312(c)(1)	Integrity
164.312(d)	Person/entity authentication
164.312(e)(1)	Transmission security

Getting Started

1. Enable Framework

Go to GRC → Frameworks
Click Enroll on HIPAA
Click Enable

2. Risk Analysis

HIPAA requires documented risk analysis:

Go to GRC → Risk Register
Identify ePHI locations
Assess threats and vulnerabilities
Document risk levels

3. Implement Safeguards

Address required and addressable standards:

Required: Must implement
Addressable: Implement or document alternative

Key Controls

Technical Controls

Requirement	CyberOrigen Feature
164.312(a)(1) Access Control	Access scanning, reviews
164.312(b) Audit Controls	Audit log tracking
164.312(c)(1) Integrity	File integrity checks
164.312(e)(1) Transmission	TLS/encryption scanning

Administrative Controls

Requirement	CyberOrigen Feature
164.308(a)(1) Risk Analysis	Risk register
164.308(a)(5) Training	Policy acknowledgment
164.308(a)(6) Incidents	Remediation workflow

PHI Identification

What is PHI?

Protected Health Information includes:

Names
Dates (birth, admission, discharge)
Phone/fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health plan IDs
Account numbers
Certificate/license numbers
Vehicle identifiers
Device identifiers
URLs
IP addresses
Biometric identifiers
Photos
Any unique identifying number

ePHI Systems

Identify systems with electronic PHI:

Go to GRC → Control Library
Map assets to PHI handling
Track in asset inventory

Business Associate Agreements

BAA Requirements

Track vendor BAAs:

Go to GRC → Vendors
Add vendors with PHI access
Upload BAA documents
Track expiration dates

Vendor Risk Assessment

Assess BA security:

Security questionnaires
SOC 2 reports
Penetration test results

Evidence Collection

Automated Evidence

Access control scans
Encryption verification
Vulnerability assessments
Audit log exports

Manual Evidence

Policies and procedures
Risk analysis documentation
Training records
BAAs
Incident response plans

Control Mapping

HIPAA maps to other frameworks:

HIPAA	SOC 2	ISO 27001
164.312(a)(1)	CC6.1	A.9.1.1
164.312(b)	CC7.2	A.12.4.1
164.312(e)(1)	CC6.7	A.10.1.1
164.308(a)(1)	CC3.2	6.1

Breach Response

When to Notify

Notification required when:

Unauthorized access to PHI
Use or disclosure violating Privacy Rule
Cannot demonstrate low probability of compromise

Response Steps

Identify breach scope
Document investigation
Notify individuals (within 60 days)
Notify HHS
Notify media (if >500 individuals)
Remediate vulnerabilities

Common Gaps

Requirement	Issue	Solution
164.308(a)(1)	No risk analysis	Complete risk assessment
164.312(a)(2)(i)	Shared accounts	Unique user IDs
164.312(e)(1)	Unencrypted email	Encryption solution
164.308(b)(1)	Missing BAAs	BAA tracking

HIPAA ​

Overview ​

HIPAA Rules ​

Privacy Rule ​

Security Rule ​

Breach Notification Rule ​

Security Rule Requirements ​

Administrative Safeguards ​

Physical Safeguards ​

Technical Safeguards ​

Getting Started ​

1. Enable Framework ​

2. Risk Analysis ​

3. Implement Safeguards ​

Key Controls ​

Technical Controls ​

Administrative Controls ​

PHI Identification ​

What is PHI? ​

ePHI Systems ​

Business Associate Agreements ​

BAA Requirements ​

Vendor Risk Assessment ​

Evidence Collection ​

Automated Evidence ​

Manual Evidence ​

Control Mapping ​

Breach Response ​

When to Notify ​

Response Steps ​

Common Gaps ​

Resources ​