The HIPAA Security Rule has 18 standards across Administrative, Physical, and Technical safeguards. This page lists the per-standard evidence Codex collects for SaaS Business Associates. Companion to the HIPAA framework guide.

Administrative safeguards (§ 164.308)

§ 164.308(a)(1) — Security management process

Required evidence:
  • Risk analysis — annual risk assessment document with sign-off
  • Risk management — remediation tracking from your ticketing system (PagerDuty, Linear, Jira)
  • Sanction policy — link to published HR policy + acknowledgment records
  • Information system activity review — log review records (who reviewed, when, finding count)
Codex tracks the cadence + completion of each.

§ 164.308(a)(3) — Workforce security

Per-user authorization chain pulled from HRIS + IdP + ticketing system:
User: alice@company.com
Hire date: 2026-01-15
Authorization: granted by carol@company.com (manager)
Access provisioned: 2026-01-15 09:00 (Okta + Google Workspace)
Background check: completed 2026-01-10 (Checkr, status: clear)
Termination: not applicable (active)

§ 164.308(a)(4) — Information access management

Per-user, per-system access table with last-review timestamp. Filtered to PHI-handling systems.
User: alice@company.com
Access to:
  - EHR system (Epic)              role: clinical user      reviewed: 2026-04-01
  - Patient data export tool       role: read-only          reviewed: 2026-04-01
  - Medication ordering            role: not granted        reviewed: 2026-04-01
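The two records above (the §164.308(a)(3) authorization chain and the §164.308(a)(4) per-system access table) are the inputs an auditor cross-checks: was access provisioned only after a recorded authorization and not before the hire date, has every grant been reviewed recently, and has a terminated user's access actually been removed. The following is an added example, not Codex's own code, showing those checks over the page's alice record plus a constructed terminated user. The 90-day review threshold, the `bob@company.com` record and the rule set itself are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import List, Optional

# Assumed review cadence for PHI-system access grants: quarterly (90 days).
REVIEW_MAX_AGE = timedelta(days=90)


@dataclass
class Grant:
    system: str
    role: str          # "not granted" records a reviewed absence of access
    reviewed: date     # last-review timestamp from the access table


@dataclass
class UserRecord:
    email: str
    hire_date: date
    authorized_by: Optional[str]        # approving manager (HRIS / ticketing)
    provisioned_at: Optional[datetime]  # first IdP provisioning event
    terminated_at: Optional[datetime]   # None while the user is active
    grants: List[Grant] = field(default_factory=list)


def check_user(user: UserRecord, as_of: date) -> List[str]:
    """Return the exceptions found in one user's authorization chain and access reviews."""
    findings: List[str] = []
    if user.provisioned_at is not None:
        if user.authorized_by is None:
            findings.append("access provisioned with no recorded authorization")
        if user.provisioned_at.date() < user.hire_date:
            findings.append("access provisioned before hire date")
    for g in user.grants:
        if user.terminated_at is not None and g.role != "not granted":
            findings.append(f"{g.system}: access still granted after termination")
        if as_of - g.reviewed > REVIEW_MAX_AGE:
            findings.append(
                f"{g.system}: last review {g.reviewed} older than {REVIEW_MAX_AGE.days} days"
            )
    return findings


def run_report(users: List[UserRecord], as_of: date) -> dict:
    """Map each user to their exception list; an empty list means the chain is clean."""
    return {u.email: check_user(u, as_of) for u in users}


AS_OF = date(2026, 4, 15)  # constructed evaluation date

# alice mirrors the record shown on this page.
ALICE = UserRecord(
    email="alice@company.com",
    hire_date=date(2026, 1, 15),
    authorized_by="carol@company.com",
    provisioned_at=datetime(2026, 1, 15, 9, 0),
    terminated_at=None,
    grants=[
        Grant("EHR system (Epic)", "clinical user", date(2026, 4, 1)),
        Grant("Patient data export tool", "read-only", date(2026, 4, 1)),
        Grant("Medication ordering", "not granted", date(2026, 4, 1)),
    ],
)

# bob is a constructed record: terminated, never formally authorized, reviews stale.
BOB = UserRecord(
    email="bob@company.com",
    hire_date=date(2025, 6, 1),
    authorized_by=None,
    provisioned_at=datetime(2025, 6, 1, 9, 0),
    terminated_at=datetime(2026, 3, 1, 17, 0),
    grants=[
        Grant("EHR system (Epic)", "clinical user", date(2026, 1, 5)),
        Grant("Patient data export tool", "read-only", date(2026, 1, 5)),
    ],
)

if __name__ == "__main__":
    for email, findings in run_report([ALICE, BOB], AS_OF).items():
        print(email, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The "not granted" rows matter: they prove that the absence of access was reviewed, so the staleness check runs over them too, while the termination check ignores them.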

§ 164.308(a)(5) — Security awareness and training

LMS connector pulls per-user training completion for HIPAA-specific courses:
  • HIPAA basics (annual)
  • Phishing awareness (quarterly)
  • Role-specific training (e.g. clinical staff get PHI handling specifics)
Codex flags any active user without current training as an exception.
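Both the §164.308(a)(1) "cadence + completion" tracking and the training exception above reduce to one rule: for each active user and each required course, the latest completion must fall within the course's cadence window as of the evaluation date. The following is an added example, not Codex's own code, of that evaluation over constructed LMS records. The day counts for "annual" and "quarterly", the role-specific course name and the sample users are assumptions.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed calendar approximations of the cadences named on this page.
CADENCE: Dict[str, timedelta] = {
    "annual": timedelta(days=365),
    "quarterly": timedelta(days=91),
}

# Courses every active user must hold, and the extra courses assumed per role.
BASE_COURSES: Dict[str, str] = {"HIPAA basics": "annual", "Phishing awareness": "quarterly"}
ROLE_COURSES: Dict[str, Dict[str, str]] = {
    "clinical": {"PHI handling for clinical staff": "annual"},  # assumed course name
}


def is_current(last_completed: Optional[date], cadence: timedelta, as_of: date) -> bool:
    """A control is current when it was completed and the cadence window has not elapsed."""
    return last_completed is not None and as_of - last_completed <= cadence


def required_courses(role: str) -> Dict[str, str]:
    """Base courses plus any role-specific ones, keyed by course -> cadence name."""
    return {**BASE_COURSES, **ROLE_COURSES.get(role, {})}


def training_exceptions(
    users: List[Tuple[str, bool, str]],          # (email, active, role)
    completions: List[Tuple[str, str, date]],    # (email, course, completed_on)
    as_of: date,
) -> List[Tuple[str, str, str]]:
    """Return (email, course, reason) for every active user missing current training."""
    # Keep only the most recent completion per (user, course); LMS exports often repeat rows.
    latest: Dict[Tuple[str, str], date] = {}
    for email, course, done in completions:
        if done > latest.get((email, course), date.min):
            latest[(email, course)] = done

    exceptions: List[Tuple[str, str, str]] = []
    for email, active, role in users:
        if not active:
            continue  # inactive users are out of scope, not exceptions
        for course, cadence_name in required_courses(role).items():
            done = latest.get((email, course))
            if not is_current(done, CADENCE[cadence_name], as_of):
                reason = "never completed" if done is None else f"last completed {done}"
                exceptions.append((email, course, reason))
    return exceptions


# Constructed sample data.
USERS = [
    ("alice@company.com", True, "clinical"),
    ("bob@company.com", True, "engineering"),
    ("dave@company.com", False, "clinical"),  # inactive, must be skipped
]
COMPLETIONS = [
    ("alice@company.com", "HIPAA basics", date(2025, 9, 1)),
    ("alice@company.com", "Phishing awareness", date(2026, 3, 20)),
    ("alice@company.com", "PHI handling for clinical staff", date(2025, 9, 1)),
    ("bob@company.com", "HIPAA basics", date(2025, 2, 1)),
    ("bob@company.com", "Phishing awareness", date(2025, 12, 1)),
    ("bob@company.com", "Phishing awareness", date(2026, 1, 10)),  # newer row supersedes
]
AS_OF = date(2026, 4, 15)

if __name__ == "__main__":
    for email, course, reason in training_exceptions(USERS, COMPLETIONS, AS_OF):
        print(f"EXCEPTION {email}: {course} ({reason})")
```

Evaluating against a fixed `as_of` rather than the wall clock makes the exception list reproducible, which is what an evidence package needs: the same inputs re-run later must yield the same findings.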

§ 164.308(a)(6) — Security incident procedures

Per-incident evidence with PHI-specific attributes:
  • Was PHI involved? (yes/no/unknown — categorization required by Breach Notification Rule)
  • Number of records affected (if PHI)
  • Detection time, containment time, notification time
  • Notification recipients (Covered Entity, HHS if breach > 500 records, affected individuals)

§ 164.308(a)(7) — Contingency plan

Sub-standard                                | Evidence
Data backup plan                            | Backup snapshot history per PHI-handling system
Disaster recovery plan                      | Linked DR runbook + last review timestamp
Emergency mode operation plan               | Documented degraded-mode procedures + test results
Testing and revision procedures             | Quarterly DR test results (you upload, Codex stores with timestamp + tester identity)
Applications and data criticality analysis  | Documented inventory of PHI systems by criticality tier

§ 164.308(a)(8) — Evaluation

Codex itself is the evaluation tool — quarterly evidence package shows ongoing review of all controls.

Physical safeguards (§ 164.310)

§ 164.310(a) — Facility access controls

For SaaS-only Business Associates:
  • Office walk-through checklist (semi-annual; you upload)
  • Visitor log review (if you receive PHI couriers)
  • Server-room access for any on-prem infrastructure (most BAs run cloud-only — N/A with documented justification)

§ 164.310(b) — Workstation use

MDM device inventory filtered to “PHI-handling devices” (you tag which devices in MDM):
  • Approved use policy acknowledged per user
  • Device location restrictions (e.g. “no PHI work from public WiFi”)

§ 164.310(c) — Workstation security

Control                      | MDM evidence
Screen lock policy           | Per-device idle timeout + auto-lock enforcement
Encryption                   | FileVault (Mac), BitLocker (Windows), per-device status
Approved software inventory  | Application allowlist enforcement

§ 164.310(d) — Device and media controls

Per-device lifecycle evidence:
  • Provisioning (when, to whom, configuration applied)
  • Reassignment events (with secure-wipe attestation)
  • Decommission (secure-wipe certificate + disposal method)
For removable media: usage logs + encryption-at-rest enforcement (BitLocker To Go, FileVault USB).

Technical safeguards (§ 164.312)

§ 164.312(a) — Access control

Codex builds the four required components:
Component                    | Evidence
Unique user identification   | IdP user inventory — every account has a unique identifier
Emergency access procedure   | Documented break-glass procedure + audit log of activations
Automatic logoff             | MDM screen lock + app-level session timeout configuration
Encryption and decryption    | At-rest encryption status per PHI store + KMS key management

§ 164.312(b) — Audit controls

SIEM event coverage per PHI-handling system:
  • All access events logged (read, write, query, export)
  • Logs retained for 6 years (HIPAA minimum)
  • Log integrity controls (CloudTrail / Activity Log immutability)
  • Log review records (who reviewed, when, anomaly count)

§ 164.312(c) — Integrity

For PHI in transit + at rest:
  • Database integrity constraints (foreign keys, checksums)
  • File-integrity monitoring on PHI stores (cloud connector audit reports)
  • Cryptographic verification of backup restores

§ 164.312(d) — Person or entity authentication

Per-user authentication strength report:
  • MFA enrolled (Y/N, factor types)
  • Conditional access policies applied
  • Failed authentication events (correlation to alerts)

§ 164.312(e) — Transmission security

Channel            | Evidence
HTTPS endpoints    | TLS coverage scan (TLS 1.2+, no weak ciphers)
Email transport    | SMTP TLS enforcement + DMARC/DKIM/SPF config
Internal services  | Service-mesh mTLS configuration
File transfer      | SFTP-only, no FTP; key-based auth, no passwords
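The "TLS coverage scan" row is evidence only once the raw scan output has been judged against a policy: every protocol an endpoint still negotiates must be TLS 1.2 or 1.3, and none of the accepted cipher suites may be weak. The following is an added example, not Codex's own scanner, that turns a constructed scan result into per-endpoint findings. The line format, the `example.com` hostnames and the list of weak-cipher markers are assumptions; real scanners emit their own formats, so only `parse_scan` would change.

```python
from typing import Dict, List, Tuple

# Policy assumptions: accepted protocol versions and substrings that mark a weak suite.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH", "anon")

# Constructed scan output: one "endpoint protocol cipher" triple per accepted combination.
SCAN_RESULTS = """\
api.example.com:443 TLSv1.3 TLS_AES_256_GCM_SHA384
api.example.com:443 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
legacy.example.com:443 TLSv1.0 ECDHE-RSA-AES128-SHA
legacy.example.com:443 TLSv1.2 DES-CBC3-SHA
portal.example.com:443 TLSv1.2 RC4-SHA
"""


def parse_scan(text: str) -> List[Tuple[str, str, str]]:
    """Parse the constructed format into (endpoint, protocol, cipher) tuples, skipping blanks."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line; a real parser would log this
        rows.append((parts[0], parts[1], parts[2]))
    return rows


def is_weak_cipher(cipher: str) -> bool:
    return any(marker in cipher for marker in WEAK_CIPHER_MARKERS)


def evaluate(rows: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group findings by endpoint; an endpoint with an empty list passes the policy."""
    findings: Dict[str, List[str]] = {}
    for endpoint, protocol, cipher in rows:
        per_endpoint = findings.setdefault(endpoint, [])
        if protocol not in ALLOWED_PROTOCOLS:
            per_endpoint.append(f"accepts {protocol}")
        if is_weak_cipher(cipher):
            per_endpoint.append(f"accepts weak cipher {cipher} on {protocol}")
    return findings


def compliant_endpoints(findings: Dict[str, List[str]]) -> List[str]:
    return sorted(e for e, f in findings.items() if not f)


if __name__ == "__main__":
    result = evaluate(parse_scan(SCAN_RESULTS))
    for endpoint, problems in sorted(result.items()):
        print(endpoint, "PASS" if not problems else "FAIL")
        for p in problems:
            print("  -", p)
```

Keeping every accepted protocol/cipher pair as its own row, instead of just the best one negotiated, is what makes the check meaningful: an endpoint that offers TLS 1.3 but still accepts TLS 1.0 has not met the policy.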

Business Associate Agreements

Tracked separately under BAA workflow. Audit-package export includes the current BAA inventory snapshot + outstanding gaps.

What this catalog isn’t

The HIPAA Security Rule is one of two rule sets that apply to Business Associates. The Privacy Rule (handling, disclosure, patient rights) is mostly process-based and is tracked via document links + attestations rather than auto-evidenced API calls. See the HIPAA framework guide for the full mapping.