Administrative safeguards (§ 164.308)
§ 164.308(a)(1) — Security management process
Required evidence:- Risk analysis — annual risk assessment document with sign-off
- Risk management — remediation tracking from your ticketing system (PagerDuty, Linear, Jira)
- Sanction policy — link to published HR policy + acknowledgment records
- Information system activity review — log review records (who reviewed, when, finding count)
§ 164.308(a)(3) — Workforce security
§ 164.308(a)(4) — Information access management
Per-user, per-system access table with last-review timestamp. Filtered to PHI-handling systems.§ 164.308(a)(5) — Security awareness and training
LMS connector pulls per-user training completion for HIPAA-specific courses:- HIPAA basics (annual)
- Phishing awareness (quarterly)
- Role-specific training (e.g. clinical staff get PHI handling specifics)
§ 164.308(a)(6) — Security incident procedures
Per-incident evidence with PHI-specific attributes:- Was PHI involved? (yes/no/unknown — categorization required by Breach Notification Rule)
- Number of records affected (if PHI)
- Detection time, containment time, notification time
- Notification recipients (Covered Entity, HHS if breach > 500 records, affected individuals)
§ 164.308(a)(7) — Contingency plan
§ 164.308(a)(8) — Evaluation
Codex itself is the evaluation tool — quarterly evidence package shows ongoing review of all controls.Physical safeguards (§ 164.310)
§ 164.310(a) — Facility access controls
For SaaS-only Business Associates:- Office walk-through checklist (semi-annual; you upload)
- Visitor log review (if you receive PHI couriers)
- Server-room access for any on-prem infrastructure (most BAs run cloud-only — N/A with documented justification)
§ 164.310(b) — Workstation use
MDM device inventory filtered to “PHI-handling devices” (you tag which devices in MDM):- Approved use policy acknowledged per user
- Device location restrictions (e.g. “no PHI work from public WiFi”)
§ 164.310(c) — Workstation security
§ 164.310(d) — Device and media controls
Per-device lifecycle evidence:- Provisioning (when, to whom, configuration applied)
- Reassignment events (with secure-wipe attestation)
- Decommission (secure-wipe certificate + disposal method)
Technical safeguards (§ 164.312)
§ 164.312(a) — Access control
Codex builds the four required components:§ 164.312(b) — Audit controls
SIEM event coverage per PHI-handling system:- All access events logged (read, write, query, export)
- Logs retained for 6 years (HIPAA minimum)
- Log integrity controls (CloudTrail / Activity Log immutability)
- Log review records (who reviewed, when, anomaly count)
§ 164.312(c) — Integrity
For PHI in transit + at rest:- Database integrity constraints (foreign keys, checksums)
- File-integrity monitoring on PHI stores (cloud connector audit reports)
- Cryptographic verification of backup restores
§ 164.312(d) — Person or entity authentication
Per-user authentication strength report:- MFA enrolled (Y/N, factor types)
- Conditional access policies applied
- Failed authentication events (correlation to alerts)