HIPAA Compliance: The Complete Operational Guide

[Interactive control map (zoomable diagram in the original): Start: HIPAA Compliance → Is PHI handled? → No: HIPAA Not Applicable / Yes: Identify PHI Locations (EHR systems, databases, email & collaboration, backups & archives) → Administrative Safeguards (risk assessment, policies & procedures, workforce training, vendor / BAA management) → Technical Safeguards (identity & access management incl. MFA, role-based access, access reviews, minimum necessary, break-glass logging; audit controls incl. centralized logging, SIEM, retention, legal hold; transmission security incl. TLS, VPN / ZTNA; data protection incl. encryption at rest, DLP, integrity monitoring, immutable backups, DR & RTO/RPO) → Physical Safeguards (facility access, device & media control, secure disposal) → Incident Response (detection, breach risk assessment, harm probability analysis, notification decision, OCR / patient / media notification, forensics) → Continuous Compliance (trigger-based risk assessments, policy reviews, security monitoring, audit readiness, evidence repository, rule mapping, patient access requests, amendment tracking, disclosure accounting) → HIPAA Compliant ✔]

From Scope Determination to OCR Enforcement Defense

HIPAA compliance is not a security project.
It is an operating model for handling health data under regulatory scrutiny.

This page documents every required step, decision, artifact, control, and evidence trail needed to implement, operate, and defend HIPAA compliance in real environments.

This guide is written for:

  • CISOs and Heads of Security

  • Compliance & GRC leaders

  • Internal and external auditors

  • Healthcare SaaS and digital health founders

  • Organizations subject to OCR investigations

It reflects:

  • HIPAA Security Rule (45 CFR §164.302–318; chiefly the administrative, physical and technical safeguards in §164.308, §164.310 and §164.312, plus the organizational and documentation requirements in §164.314 and §164.316)

  • HIPAA Privacy Rule (45 CFR §164.500–534)

  • HIPAA Breach Notification Rule (45 CFR §164.400–414)

  • OCR audit protocols and enforcement history


PART 1 — SCOPE & APPLICABILITY (WHERE HIPAA REALLY BEGINS)

1. Covered Entity vs Business Associate Determination

Before controls, before tools, before audits — you must legally classify the organization (definitions in 45 CFR §160.103).

You are a Covered Entity if you are:

  • A healthcare provider that transmits any health information electronically in connection with a HIPAA standard transaction (claims, eligibility checks, referrals, remittances)

  • A health plan

  • A healthcare clearinghouse

You are a Business Associate if you:

  • Create, receive, maintain, or transmit PHI on behalf of a covered entity, or on behalf of another business associate: subcontractors that handle PHI are business associates in their own right and carry the same Security Rule obligations

📌 Evidence Required

  • Written scope determination

  • Legal classification memo

  • List of covered services and exclusions

❌ Common Failure

  • SaaS companies assuming they are "just vendors"

  • MSPs assuming HIPAA doesn't apply because they "don't look at data" (persistent access to systems that hold ePHI, such as storage, backup or remote administration, is enough; HHS has been explicit that a cloud provider holding only encrypted ePHI without the key is still a business associate)


2. Definition of PHI and ePHI (NO ASSUMPTIONS ALLOWED)

HIPAA protects PHI, not just medical records.

PHI is individually identifiable health information held or transmitted by a covered entity or business associate, in any form or medium (45 CFR §160.103). It exists when both of the following are present:

  • Health information: anything about an individual's past, present or future physical or mental condition, the care provided, or payment for that care

  • Identifiability: the information identifies the individual, or there is a reasonable basis to believe it could be used to do so

The 18 identifier classes in the Safe Harbor de-identification standard (45 CFR §164.514(b)(2)) are the practical checklist: names; geographic subdivisions smaller than a state; dates other than year that relate to an individual; phone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers; device identifiers and serial numbers; URLs; IP addresses; biometric identifiers; full-face photographs; and any other unique identifying number, characteristic or code.

Not PHI: employment records a covered entity holds in its role as employer, education records covered by FERPA, records of a person deceased more than 50 years, and data de-identified under §164.514.

ePHI is PHI that is:

  • Stored electronically

  • Transmitted electronically

  • Processed electronically

📌 Evidence Required

  • Formal PHI definition adopted internally

  • PHI inclusion/exclusion criteria

  • Training material showing workforce understanding

❌ Common Failure

  • Excluding metadata, logs, analytics, or support data (an application log line that carries an MRN beside a lab result is ePHI, whatever system it lives in)


PART 2 — DATA DISCOVERY & PHI INVENTORY (THE MOST FAILED STEP)

3. PHI Data Mapping (SYSTEMS, FLOWS, STATES)

HIPAA compliance fails instantly without documented PHI mapping: the risk analysis required by 45 CFR §164.308(a)(1)(ii)(A) must cover all ePHI the organization creates, receives, maintains or transmits, and an inventory is the only way to show that it does. An incomplete or narrowly scoped risk analysis is among the findings OCR cites most often in its resolution agreements.

You must identify:

  • Where PHI is created

  • Where it is processed

  • Where it is stored

  • Where it is transmitted

  • Where it is backed up

  • Where it is archived

  • Where it is destroyed

Mandatory PHI Locations to Assess

  • Production applications

  • Test / staging environments

  • Databases

  • Object storage

  • Email systems

  • Collaboration tools

  • Logging & monitoring systems

  • Backups (online + offline)

  • Disaster recovery environments

  • End-user devices

  • Third-party SaaS

📌 Evidence Required

  • PHI inventory register

  • Data flow diagrams

  • System ownership mapping

โŒ Common Failure

  • Mapping only โ€œprimary databasesโ€

  • Ignoring non-production and backups
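As an added illustration of why logging and monitoring systems belong in the PHI inventory (example code written for this page, not part of the original guide or of any vendor's tooling): the scanner below runs over a handful of constructed log lines and separates lines that carry an identifier beside health context (ePHI) from lines that carry only an identifier (review needed) and clean lines. The MRN format, the endpoint layout, the log lines themselves and the health-context markers are assumptions about a hypothetical EHR; replace them with the identifiers and endpoints your own systems emit.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not real data). The "MRN-" + 8 digits format and the
# endpoint layout are assumptions about a hypothetical EHR, not a vendor's format.
SAMPLE_LOG = """\
2024-03-04T10:15:02Z INFO  api.patient GET /v1/patients/MRN-00482913 user=jdoe status=200
2024-03-04T10:15:03Z DEBUG billing claim submitted for jane.roe@example.com dx=E11.9 amount=140.00
2024-03-04T10:15:04Z ERROR auth login failed for user svc-backup from 10.0.4.17
2024-03-04T10:15:05Z WARN  scheduler appointment reminder sent to +1 555 013 7788 dob=1981-07-22
2024-03-04T10:15:06Z INFO  api.patient GET /v1/patients/MRN-00482913/labs user=jdoe status=200
2024-03-04T10:15:07Z INFO  http GET /healthz status=200
"""

# Identifier classes taken from the Safe Harbor list in 45 CFR 164.514(b)(2).
# Patterns are deliberately narrow so that timestamps and amounts do not match.
PATTERNS = {
    "mrn": re.compile(r"\bMRN-\d{8}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+?\d{1,3}[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\bdob=\d{4}-\d{2}-\d{2}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Health context: an ICD-10-shaped diagnosis code, or a path/keyword that only
# appears when the line is about a patient's care. An identifier beside health
# context is ePHI; an identifier alone (e.g. an IP in an auth log) needs review.
HEALTH_CONTEXT = re.compile(r"\bdx=[A-Z]\d{2}(?:\.\d{1,4})?\b|/patients/|\blabs\b|\bappointment\b")


@dataclass
class Finding:
    line_no: int
    classification: str   # "ephi", "identifier" or "clean"
    identifiers: tuple    # identifier classes matched on the line
    text: str


def classify_line(line: str) -> tuple:
    """Return (classification, identifier classes) for one log line."""
    hits = tuple(name for name, rx in PATTERNS.items() if rx.search(line))
    if not hits:
        return "clean", hits
    if HEALTH_CONTEXT.search(line):
        return "ephi", hits
    return "identifier", hits


def scan_log(text: str) -> list:
    """Classify every line of a log extract."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        cls, hits = classify_line(line)
        findings.append(Finding(n, cls, hits, line))
    return findings


def inventory_entry(findings: list) -> dict:
    """Roll findings up into what a PHI inventory register row needs to record
    for this log source: whether it holds ePHI, where, and which identifier classes."""
    ephi = [f for f in findings if f.classification == "ephi"]
    review = [f for f in findings if f.classification == "identifier"]
    return {
        "contains_ephi": bool(ephi),
        "ephi_lines": [f.line_no for f in ephi],
        "review_lines": [f.line_no for f in review],
        "identifier_classes": sorted({i for f in ephi for i in f.identifiers}),
    }


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.line_no}: {f.classification:<10} {f.identifiers}")
    print(inventory_entry(scan_log(SAMPLE_LOG)))
```

The auth-log line with only an IP address is reported for review rather than as ePHI: an IP on its own is a Safe Harbor identifier, but it becomes PHI only when the record it sits in says something about a person's health or care. That distinction is what keeps the inventory credible when an auditor asks why a firewall log is not listed as a PHI store.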


PART 3 — ADMINISTRATIVE SAFEGUARDS (GOVERNANCE & ACCOUNTABILITY)

4. Security Management Process (45 CFR §164.308(a)(1))

4.1 Risk Analysis (NOT A TEMPLATE EXERCISE)

HIPAA requires an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI the organization holds (45 CFR §164.308(a)(1)(ii)(A)): formal, documented, and repeated whenever the environment changes.

It must include:

  • Asset identification

  • Threat enumeration

  • Vulnerability analysis

  • Likelihood determination

  • Impact determination

  • Risk scoring

  • Risk treatment decisions

📌 Evidence Required

  • Risk assessment report

  • Methodology description (OCR's published risk analysis guidance and NIST SP 800-30 are the references it will compare against)

  • Management sign-off

  • Risk register with owners and timelines

❌ Common Failure

  • One-time assessments

  • No reassessment after changes or incidents

  • Scoping the analysis to one application or data center instead of all ePHI


4.2 Risk Management

Risk analysis without risk management is non-compliance: 45 CFR §164.308(a)(1)(ii)(B) requires security measures sufficient to reduce each identified risk to a reasonable and appropriate level, and a risk register that never changes is evidence that the analysis was never acted on.

You must:

  • Mitigate, accept, transfer, or avoid each risk

  • Track remediation

  • Re-evaluate residual risk

The same standard also requires a sanction policy for workforce members who violate security policies (§164.308(a)(1)(ii)(C)) and regular review of information system activity such as audit logs, access reports and security incident tracking reports (§164.308(a)(1)(ii)(D)).

📌 Evidence Required

  • Risk treatment plans

  • Mitigation tracking

  • Acceptance approvals (signed by someone with authority to accept the risk on the organization's behalf)


5. Assigned Security Responsibility

HIPAA requires named accountability: one individual responsible for developing and implementing the Security Rule policies and procedures (45 CFR §164.308(a)(2)), and separately a privacy official plus a contact person for complaints under the Privacy Rule (§164.530(a)). One person may hold both roles; what matters is that a name, not a committee, appears in the documentation.

📌 Evidence Required

  • Designated HIPAA Security Officer

  • Defined responsibilities

  • Authority to enforce controls

❌ Common Failure

  • "Shared responsibility" with no owner


6. Workforce Security & Training (45 CFR §164.308(a)(3) and (a)(5))

Every workforce member (employees, contractors, volunteers and trainees under the organization's direct control) must:

  • Understand PHI

  • Understand acceptable use

  • Know how to report incidents

Workforce security also covers the access lifecycle: authorization before access is granted, supervision where appropriate, and prompt termination of access when a person leaves or changes role (§164.308(a)(3)(ii)). The training standard's addressable components are periodic security reminders, protection from malicious software, log-in monitoring, and password management (§164.308(a)(5)(ii)).

📌 Evidence Required

  • Training records

  • Attendance logs

  • Role-based training content

  • Disciplinary procedures

❌ Common Failure

  • Generic annual training only

  • No training evidence

  • Departed staff whose accounts still work


7. Vendor & Business Associate Lifecycle (END-TO-END)

HIPAA extends through vendors: a covered entity may let a business associate handle PHI only under a written agreement containing the terms in 45 CFR §164.504(e), and a business associate must flow the same terms down to its own subcontractors (§164.502(e), §164.308(b), §164.314(a)).

Required lifecycle:

  1. Vendor identification

  2. Vendor risk assessment

  3. BAA execution before any PHI is shared

  4. Ongoing monitoring

  5. Periodic BAA review (HIPAA sets no interval; annual is the common policy choice, and whatever interval the policy states is what OCR will hold you to)

  6. Termination handling

  7. PHI return or destruction at termination, or continued protection where return or destruction is infeasible (a mandatory BAA term, §164.504(e)(2)(ii)(J))

📌 Evidence Required

  • Signed BAAs

  • Vendor risk reports

  • Offboarding attestations

❌ Common Failure

  • Missing BAAs (every record shared without one is an impermissible disclosure)

  • No offboarding controls


PART 4 — TECHNICAL SAFEGUARDS (CONTROL ENFORCEMENT)

8. Access Control (45 CFR §164.312(a))

What the rule itself specifies

  • Unique user identification (required)

  • Emergency access procedure (required)

  • Automatic logoff (addressable)

  • Encryption and decryption of stored ePHI (addressable)

"Addressable" is not "optional": you implement the specification, or document why it is not reasonable and appropriate in your environment and implement an equivalent alternative (45 CFR §164.306(d)).

How the standard is met in practice

  • MFA on every path to ePHI (not named in the rule text; treat it as the baseline OCR expects to see and be ready to justify any exception)

  • Role-based access mapped to job function

  • Minimum Necessary enforcement (a Privacy Rule standard, §164.502(b), applied technically through roles, views and query limits)

  • Break-glass access that is logged, alerted on, and reviewed after the fact

📌 Evidence Required

  • Access matrices

  • Review logs

  • Emergency access audit logs

  • Written rationale for every addressable specification not implemented as stated

❌ Common Failure

  • Over-privileged users

  • Shared credentials

  • "Addressable" treated as "skip"


9. Audit Controls (45 CFR §164.312(b))

You must be able to reconstruct who touched which ePHI, when, from where, and with what result. The standard requires hardware, software or procedural mechanisms that record and examine activity in systems containing ePHI, and §164.308(a)(1)(ii)(D) requires that the records actually be reviewed.

Required:

  • Centralized logging

  • User attribution (every event tied to a unique user ID; service and shared accounts must stand out in review)

  • Time synchronization (events from different systems can only be correlated if their clocks agree)

  • Log retention set by policy: the Security Rule does not specify a retention period for logs themselves, but §164.316(b)(2) requires documentation, including records of activity reviews, to be kept for six years, and most organizations retain the underlying logs for the same six years so the reviews can be defended

  • Legal hold capability

📌 Evidence Required

  • Log samples

  • Retention policy

  • SIEM dashboards

  • Records of periodic log review

❌ Common Failure

  • Logs overwritten

  • Logs without identity context

  • Logs collected but never reviewed
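An added example (written for this page; not code from the original guide or from any EHR vendor) that runs the audit-control checks from this section, and the emergency-access logging point from section 8, over a few constructed JSON audit events: it flags events with no identity context, events whose source clock disagrees with the collector's, ePHI reads by shared accounts, and break-glass access recorded without a justification, and it builds the review queue a security officer would sign off on. The field names, the events and the five-minute skew tolerance are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed JSON-lines audit events. Field names are assumptions about a
# hypothetical EHR audit feed, not any vendor's schema.
SAMPLE_EVENTS = """\
{"ts":"2024-03-04T10:15:02+00:00","ingest_ts":"2024-03-04T10:15:03+00:00","actor":"jdoe","actor_type":"user","action":"read","resource":"patient/MRN-00482913","source":"ehr-web","outcome":"success"}
{"ts":"2024-03-04T10:16:10+00:00","ingest_ts":"2024-03-04T10:16:11+00:00","actor":"oncall-ed","actor_type":"shared","action":"read","resource":"patient/MRN-00119004","source":"ehr-web","outcome":"success"}
{"ts":"2024-03-04T10:17:30+00:00","ingest_ts":"2024-03-04T10:17:31+00:00","actor":"mlee","actor_type":"user","action":"read","resource":"patient/MRN-00734411","source":"ehr-web","outcome":"success","break_glass":true,"justification":"ED trauma, patient unresponsive"}
{"ts":"2024-03-04T10:18:05+00:00","ingest_ts":"2024-03-04T10:18:06+00:00","actor":"mlee","actor_type":"user","action":"read","resource":"patient/MRN-00734412","source":"ehr-web","outcome":"success","break_glass":true}
{"ts":"2024-03-04T10:19:00+00:00","ingest_ts":"2024-03-04T10:19:01+00:00","action":"export","resource":"report/q1-claims","source":"reporting","outcome":"success"}
{"ts":"2024-03-04T09:40:00+00:00","ingest_ts":"2024-03-04T10:20:00+00:00","actor":"svc-etl","actor_type":"service","action":"read","resource":"patient/MRN-00482913","source":"etl-node-3","outcome":"success"}
"""

# Every event must carry these to support user attribution and reconstruction.
REQUIRED = ("ts", "actor", "actor_type", "action", "resource", "source", "outcome")
MAX_SKEW = timedelta(minutes=5)     # assumed tolerance between source clock and collector clock
PHI_ACTIONS = ("read", "write", "export")


def parse_ts(value):
    """Timezone-aware ISO 8601 only; naive timestamps cannot be correlated across systems."""
    if not isinstance(value, str):
        return None
    try:
        dt = datetime.fromisoformat(value)
    except ValueError:
        return None
    return dt if dt.tzinfo is not None else None


def validate_event(ev: dict) -> list:
    """Return the audit-control defects for one event; [] means it passes."""
    defects = []
    missing = [k for k in REQUIRED if k not in ev]
    if missing:
        defects.append("missing:" + ",".join(missing))
    ts = parse_ts(ev.get("ts"))
    if ts is None:
        defects.append("bad_timestamp")
    else:
        ingest = parse_ts(ev.get("ingest_ts"))
        if ingest is not None and abs(ingest - ts) > MAX_SKEW:
            defects.append("clock_skew")                  # source clock not synchronized
    if ev.get("actor_type") == "shared" and ev.get("action") in PHI_ACTIONS:
        defects.append("shared_account_phi_access")       # no individual attribution
    if ev.get("break_glass") and not ev.get("justification"):
        defects.append("break_glass_without_justification")
    return defects


def parse_events(jsonl: str) -> list:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def audit_review(jsonl: str) -> dict:
    """Validate every event and build the break-glass queue for after-the-fact review."""
    defects = {}
    break_glass = []
    for n, ev in enumerate(parse_events(jsonl), start=1):
        found = validate_event(ev)
        if found:
            defects[n] = found
        if ev.get("break_glass"):
            break_glass.append({"line": n, "actor": ev.get("actor"),
                                "resource": ev.get("resource"),
                                "justification": ev.get("justification")})
    return {"defects": defects, "break_glass_review": break_glass}


if __name__ == "__main__":
    print(json.dumps(audit_review(SAMPLE_EVENTS), indent=2))
```

Two design points carry over to a real pipeline: the checks run on ingestion, so a feed that starts dropping the actor field is caught the same day rather than during an investigation, and break-glass events are queued for review even when they carry a justification, because the rule's emergency access procedure is only defensible if someone confirms the emergency was real.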


10. Integrity Controls (45 CFR §164.312(c))

HIPAA requires policies and procedures that protect ePHI from improper alteration or destruction (§164.312(c)(1)), with an addressable electronic mechanism to corroborate that ePHI has not been altered or destroyed in an unauthorized manner (§164.312(c)(2)). In practice that means protection against:

  • Unauthorized alteration

  • Data corruption

  • Silent manipulation (changes made through a path the application never sees, such as direct database or storage access)

📌 Evidence Required

  • Integrity monitoring (checksums or keyed hashes over records, file integrity monitoring on hosts)

  • Change tracking

  • Alerting evidence
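As an added example of the kind of mechanism §164.312(c)(2) asks for (written for this page; not the guide's own code and not a reference to any product): each record is sealed with an HMAC over a canonical serialization, and a sweep compares every stored record against its tag, reporting altered records, records that vanished, and records that appeared without ever being sealed. The records, the key and the tamper scenario are constructed; in a real deployment the key sits in a KMS or HSM and the tags are stored apart from the data, which this example assumes but cannot show.

```python
import hashlib
import hmac
import json

# Constructed key for the example only. Assumption about a real deployment: the key
# lives in a KMS/HSM and the tags are stored apart from the records they protect,
# so that whoever can write the data cannot also re-seal it.
INTEGRITY_KEY = b"example-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Deterministic serialization: key order and whitespace must not change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed hash over the canonical record. A plain SHA-256 would let anyone with
    write access recompute the tag; the key is what makes manipulation detectable."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    return hmac.compare_digest(seal(record, key), tag)


def integrity_sweep(store: dict, tags: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Compare every stored record with its tag. Reports altered records, records
    that were never sealed (inserted out of band) and tags whose record is gone."""
    result = {"ok": [], "tampered": [], "missing_tag": [], "orphan_tag": []}
    for rid, rec in store.items():
        if rid not in tags:
            result["missing_tag"].append(rid)
        elif verify(rec, tags[rid], key):
            result["ok"].append(rid)
        else:
            result["tampered"].append(rid)
    for rid in tags:
        if rid not in store:
            result["orphan_tag"].append(rid)
    return result


def demo() -> dict:
    """Constructed scenario: three sealed lab records, then three out-of-band changes."""
    store = {
        "MRN-00482913": {"mrn": "MRN-00482913", "a1c": 7.9, "dx": "E11.9"},
        "MRN-00119004": {"mrn": "MRN-00119004", "a1c": 5.4, "dx": "Z00.00"},
        "MRN-00734411": {"mrn": "MRN-00734411", "a1c": 6.1, "dx": "R73.03"},
    }
    tags = {rid: seal(rec) for rid, rec in store.items()}
    store["MRN-00482913"]["a1c"] = 5.2                                          # value altered directly in the database
    del store["MRN-00119004"]                                                   # record deleted
    store["MRN-00999999"] = {"mrn": "MRN-00999999", "a1c": 6.0, "dx": "E11.9"}  # inserted, never sealed
    return integrity_sweep(store, tags)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The sweep result is the evidence artifact: a scheduled run that returns empty `tampered`, `missing_tag` and `orphan_tag` lists, stored with its timestamp, is what "integrity monitoring" looks like to an auditor, and a non-empty one is a security incident under section 14.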


11. Transmission Security (45 CFR §164.312(e))

PHI must be protected in transit: §164.312(e)(1) requires technical measures to guard against unauthorized access to ePHI transmitted over a network, with integrity controls and encryption as addressable specifications (§164.312(e)(2)).

Required:

  • Strong encryption (TLS 1.2 or later with modern cipher suites for web, API and database connections; S/MIME, enforced TLS delivery or a secure portal for email that carries PHI)

  • Secure channels (VPN or zero-trust access for administrative and site-to-site traffic)

  • Protection against downgrade attacks (SSLv3, TLS 1.0 and TLS 1.1 disabled server-side; HSTS on browser-facing endpoints; certificate validation enforced in every client)

📌 Evidence Required

  • Encryption configurations (server TLS settings and periodic scan results)

  • Network diagrams


12. Availability & Resilience (OFTEN FAILED)

HIPAA requires PHI availability: the contingency plan standard (45 CFR §164.308(a)(7)) makes a data backup plan, a disaster recovery plan and an emergency mode operation plan required, with testing and revision procedures and an applications and data criticality analysis as addressable specifications.

Required:

  • Backups ("retrievable exact copies" of ePHI, in the rule's own wording)

  • Immutable backups (not named in the rule, but the control that turns a ransomware incident from a breach of every record into a recovery exercise)

  • Disaster recovery plans

  • Defined RTO / RPO

  • Regular DR testing

📌 Evidence Required

  • Backup reports

  • DR test results

❌ Common Failure

  • Untested backups

  • No ransomware resilience (HHS guidance treats ransomware encryption of ePHI as a presumed breach unless a low probability of compromise can be demonstrated)


PART 5 — PHYSICAL SAFEGUARDS

13. Facility & Device Controls (45 CFR §164.310)

Required:

  • Facility access restrictions (§164.310(a)), with its addressable contingency operations, facility security plan, access validation and maintenance records

  • Workstation use and workstation security rules (§164.310(b), (c)) for anything that displays ePHI, including laptops and shared clinical terminals

  • Device inventory (the addressable accountability specification in §164.310(d)(2)(iii): a record of the movements of hardware and media that hold ePHI, and who is responsible for them)

  • Secure disposal (required, §164.310(d)(2)(i))

  • Media sanitization before re-use (required, §164.310(d)(2)(ii))

📌 Evidence Required

  • Asset registers

  • Disposal certificates


PART 6 — INCIDENT RESPONSE & BREACH MANAGEMENT

14. Incident Handling (MANDATORY PROCESS, 45 CFR §164.308(a)(6))

Security incident procedures are a required specification: identify and respond to suspected or known incidents, mitigate their harmful effects, and document each incident and its outcome. Every incident must go through:

  1. Detection

  2. Triage

  3. Containment

  4. Investigation

  5. Documentation

  6. Breach determination (the four-factor assessment in the next section), because the notification clock starts at discovery, not at the end of the investigation


15. Breach Risk Assessment (NOT OPTIONAL)

Under 45 CFR §164.402, an impermissible acquisition, access, use or disclosure of unsecured PHI is presumed to be a breach unless the organization demonstrates a low probability that the PHI has been compromised. That demonstration must weigh at least:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification

  • The unauthorized person who used the PHI or to whom it was disclosed

  • Whether the PHI was actually acquired or viewed, or only exposed

  • The extent to which the risk to the PHI has been mitigated

PHI that was encrypted in line with HHS guidance, with the key not compromised, is "secured" and outside the notification rule; an unencrypted lost laptop is the textbook case on the other side.

📌 Evidence Required

  • Risk assessment worksheet

  • Decision rationale (kept even when the conclusion is "no breach", because OCR reviews the reasoning, not just the outcome)


16. Breach Notification Rule

Notification timelines (the clock starts on the day the breach is discovered, or the day it would have been discovered with reasonable diligence, §164.404(a)(2)):

  • Individuals: without unreasonable delay and in no case later than 60 calendar days after discovery (§164.404); 60 days is an outer limit, not a grace period

  • HHS/OCR: for breaches affecting 500 or more individuals, at the same time as individual notice; for fewer than 500, logged and reported within 60 days after the end of the calendar year in which the breach was discovered (§164.408)

  • Media: prominent media outlets serving a state or jurisdiction when more than 500 of its residents are affected, on the same timeline as individual notice (§164.406)

  • Business associates: notify the covered entity without unreasonable delay and no later than 60 days after discovery (§164.410); the BAA can, and usually should, shorten this

📌 Evidence Required

  • Notification letters

  • Submission confirmations

❌ Common Failure

  • Missing deadlines

  • Incomplete notifications (the individual notice has required content under §164.404(c): what happened, what PHI was involved, what the individual should do, what you are doing about it, and how to contact you)
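An added deadline calculator (example code for this page; not part of the original guide or any HHS tool) that turns the timelines above into dates: it applies the deemed-discovery rule, the 60-day outer limit, the 500-or-more threshold for HHS reporting, the more-than-500-residents threshold for media notice, the annual log for smaller breaches, the business-associate path, and the secured-PHI exclusion. The dates and counts in the usage are constructed.

```python
from datetime import date, timedelta
from typing import Optional, Union

OUTER_LIMIT_DAYS = 60        # 45 CFR 164.404(b), 164.406(b), 164.408(b), 164.410(b)
HHS_IMMEDIATE_AT = 500       # "500 or more individuals": 164.408(b)
MEDIA_ABOVE = 500            # "more than 500 residents" of one state or jurisdiction: 164.406(a)

DateLike = Union[date, str]


def _to_date(value: DateLike) -> date:
    return value if isinstance(value, date) else date.fromisoformat(value)


def deemed_discovery(actually_known: DateLike,
                     diligence_would_have_found: Optional[DateLike] = None) -> str:
    """164.404(a)(2): discovered on the first day the breach is known, or by exercising
    reasonable diligence would have been known, whichever comes first."""
    known = _to_date(actually_known)
    if diligence_would_have_found is None:
        return known.isoformat()
    return min(known, _to_date(diligence_would_have_found)).isoformat()


def notification_deadlines(discovered: DateLike, affected_total: int,
                           max_residents_one_jurisdiction: int,
                           secured_per_hhs_guidance: bool = False,
                           as_business_associate: bool = False) -> dict:
    """Latest lawful date for each notice, as ISO strings. 'Without unreasonable delay'
    still governs: these are outer limits, not targets."""
    if secured_per_hhs_guidance:
        # PHI encrypted or destroyed per HHS guidance is not "unsecured PHI" (164.402);
        # the notification rule does not apply. Keep the risk assessment on file anyway.
        return {"notification_required": False}
    found = _to_date(discovered)
    outer = (found + timedelta(days=OUTER_LIMIT_DAYS)).isoformat()
    if as_business_associate:
        # 164.410: the business associate notifies the covered entity, which then
        # owns the individual, HHS and media notices below.
        return {"notification_required": True, "covered_entity": outer}
    deadlines = {"notification_required": True, "individuals": outer}
    if affected_total >= HHS_IMMEDIATE_AT:
        deadlines["hhs"] = outer        # contemporaneously with individual notice
    else:
        # Logged, then submitted within 60 days after the end of the calendar year of discovery.
        year_end = date(found.year, 12, 31)
        deadlines["hhs"] = (year_end + timedelta(days=OUTER_LIMIT_DAYS)).isoformat()
    if max_residents_one_jurisdiction > MEDIA_ABOVE:
        deadlines["media"] = outer
    return deadlines


if __name__ == "__main__":
    # Constructed scenario: known on 2024-03-08, but reasonable diligence would have
    # found it on 2024-03-04; 1200 people affected, 900 of them in one state.
    found = deemed_discovery("2024-03-08", "2024-03-04")
    for notice, deadline in notification_deadlines(found, 1200, 900).items():
        print(f"{notice}: {deadline}")
```

The two thresholds are deliberately not the same comparison: a breach of exactly 500 individuals goes to HHS with the individual notices, but a state with exactly 500 affected residents does not trigger media notice. Feeding the function the deemed discovery date rather than the date the ticket was opened is what keeps the calculated deadlines defensible.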


PART 7 — PRIVACY RULE & PATIENT RIGHTS

17. Patient Rights Management

Patients have rights to:

  • Access their designated record set, with a response within 30 days, one 30-day extension allowed, and no more than a reasonable cost-based fee (§164.524); right-of-access failures are a standing OCR enforcement priority

  • Amend their records, with a response within 60 days, one 30-day extension allowed, and a documented basis for any denial (§164.526)

  • Receive an accounting of disclosures covering the prior six years, excluding disclosures for treatment, payment and healthcare operations, within 60 days (§164.528)

📌 Evidence Required

  • Request logs

  • Response timelines

  • Decision documentation


PART 8 — CONTINUOUS COMPLIANCE & DEFENSIBILITY

18. Evidence Management (THE DIFFERENCE MAKER)

If you cannot produce evidence, you are not compliant. 45 CFR §164.316 requires written policies and procedures, written records of every action, activity or assessment the rule calls for, retention of that documentation for six years from its creation or last effective date (whichever is later), availability to the people who must follow it, and periodic review and update.

Required:

  • Central evidence repository

  • Control-to-rule mapping

  • Audit trail preservation


19. Continuous Monitoring & Reassessment

HIPAA requires security measures to be reviewed and modified as needed to keep ePHI reasonably and appropriately protected (45 CFR §164.306(e)), and a periodic technical and nontechnical evaluation in response to environmental or operational changes (§164.308(a)(8)). Reassess after:

  • System changes

  • Vendor changes

  • Incidents

  • New threats

📌 Evidence Required

  • Trigger-based reassessment records


WHERE HIPAA COMPLIANCE ACTUALLY ENDS

HIPAA compliance ends only when:

  • You can withstand an OCR investigation

  • You can explain every decision

  • You can produce evidence on demand

  • You can show consistency over time


Why This Page Exists

Most HIPAA guidance is:

  • Superficial

  • Tool-centric

  • Non-defensible

This framework is:

  • Operational

  • Evidence-driven

  • Enforcement-aligned

  • Built from real investigations


Final Note for CISOs & Auditors

If your current HIPAA posture cannot be explained step-by-step, system-by-system, and decision-by-decision, it will not survive scrutiny.