Skip to main content
HIPAA Security Rule has 18 standards across Administrative, Physical, and Technical safeguards. This page lists the per-standard evidence Codex collects for SaaS Business Associates. Companion to the HIPAA framework guide.

Administrative safeguards (§ 164.308)

§ 164.308(a)(1) — Security management process

Required evidence:
  • Risk analysis — annual risk assessment document with sign-off
  • Risk management — remediation tracking from your ticketing system (PagerDuty, Linear, Jira)
  • Sanction policy — link to published HR policy + acknowledgment records
  • Information system activity review — log review records (who reviewed, when, finding count)
Codex tracks the cadence + completion of each.

§ 164.308(a)(3) — Workforce security

Per-user authorization chain pulled from HRIS + IdP + ticketing system.

§ 164.308(a)(4) — Information access management

Per-user, per-system access table with last-review timestamp. Filtered to PHI-handling systems.

§ 164.308(a)(5) — Security awareness and training

LMS connector pulls per-user training completion for HIPAA-specific courses:
  • HIPAA basics (annual)
  • Phishing awareness (quarterly)
  • Role-specific training (e.g. clinical staff get PHI handling specifics)
Codex flags any active user without current training as an exception.

§ 164.308(a)(6) — Security incident procedures

Per-incident evidence with PHI-specific attributes:
  • Was PHI involved? (yes/no/unknown — categorization required by Breach Notification Rule)
  • Number of records affected (if PHI)
  • Detection time, containment time, notification time
  • Notification recipients (Covered Entity, HHS if breach > 500 records, affected individuals)

§ 164.308(a)(7) — Contingency plan

§ 164.308(a)(8) — Evaluation

Codex itself is the evaluation tool — quarterly evidence package shows ongoing review of all controls.

Physical safeguards (§ 164.310)

§ 164.310(a) — Facility access controls

For SaaS-only Business Associates:
  • Office walk-through checklist (semi-annual; you upload)
  • Visitor log review (if you receive PHI couriers)
  • Server-room access for any on-prem infrastructure (most BAs run cloud-only — N/A with documented justification)

§ 164.310(b) — Workstation use

MDM device inventory filtered to “PHI-handling devices” (you tag which devices in MDM):
  • Approved use policy acknowledged per user
  • Device location restrictions (e.g. “no PHI work from public WiFi”)

§ 164.310(c) — Workstation security

§ 164.310(d) — Device and media controls

Per-device lifecycle evidence:
  • Provisioning (when, to whom, configuration applied)
  • Reassignment events (with secure-wipe attestation)
  • Decommission (secure-wipe certificate + disposal method)
For removable media: usage logs + encryption-at-rest enforcement (BitLocker To Go, FileVault USB).

Technical safeguards (§ 164.312)

§ 164.312(a) — Access control

Codex builds the four required components:

§ 164.312(b) — Audit controls

SIEM event coverage per PHI-handling system:
  • All access events logged (read, write, query, export)
  • Logs retained for 6 years (HIPAA minimum)
  • Log integrity controls (CloudTrail / Activity Log immutability)
  • Log review records (who reviewed, when, anomaly count)

§ 164.312(c) — Integrity

For PHI in transit + at rest:
  • Database integrity constraints (foreign keys, checksums)
  • File-integrity monitoring on PHI stores (cloud connector audit reports)
  • Cryptographic verification of backup restores

§ 164.312(d) — Person or entity authentication

Per-user authentication strength report:
  • MFA enrolled (Y/N, factor types)
  • Conditional access policies applied
  • Failed authentication events (correlation to alerts)

§ 164.312(e) — Transmission security

Business Associate Agreements

Tracked separately under BAA workflow. Audit-package export includes the current BAA inventory snapshot + outstanding gaps.

What this catalog isn’t

HIPAA Security Rule is one of two rule sets that apply to Business Associates. The Privacy Rule (handling, disclosure, patient rights) is mostly process-based and tracked via document links + attestations rather than auto-evidenced API calls. See the HIPAA framework guide for the full mapping.