[{"data":1,"prerenderedAt":11299},["ShallowReactive",2],{"framework-topics-hipaa":3,"framework-hipaa":4140,"explore-glossary-hipaa-\u002Fframeworks\u002Fhipaa\u002Fprivacy-rule":4702,"explore-topics-hipaa-\u002Fframeworks\u002Fhipaa\u002Fprivacy-rule":5498,"explore-hub-hipaa":5828,"explore-compare-vs-\u002Fframeworks\u002Fhipaa\u002Fprivacy-rule":6168,"explore-compare-\u002Fframeworks\u002Fhipaa\u002Fprivacy-rule":6334,"related-glossary-hipaa":6455,"explore-blog-hipaa-\u002Fframeworks\u002Fhipaa\u002Fprivacy-rule":11144,"explore-industry-hipaa":546},[4,309,556,1159,1461,1748,2113,2378,2611,2968,3272,3587,3857],{"id":5,"title":6,"body":7,"description":277,"extension":278,"faq":279,"frameworkSlug":293,"lastUpdated":294,"meta":295,"navigation":296,"path":297,"relatedTerms":298,"relatedTopics":299,"seo":304,"stem":307,"__hash__":308},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fbreach-notification.md","HIPAA Breach Notification Rule",{"type":8,"value":9,"toc":256},"minimark",[10,15,19,43,47,50,55,63,67,70,98,101,105,108,112,115,119,126,129,133,136,151,154,158,165,169,181,184,188,195,199,206,209,223,230,234,241,249,253],[11,12,14],"h2",{"id":13},"what-is-the-hipaa-breach-notification-rule","What is the HIPAA Breach Notification Rule?",[16,17,18],"p",{},"The HIPAA Breach Notification Rule (45 CFR Sections 164.400–414) requires covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). 
Established by the HITECH Act in 2009 and finalized in the 2013 Omnibus Rule, the Breach Notification Rule creates a structured process for informing affected individuals, the Department of Health and Human Services (HHS), and in certain cases the media when PHI has been compromised.",[16,20,21,22,27,28,32,33,37,38,42],{},"This rule works in concert with the ",[23,24,26],"a",{"href":25},"\u002Fframeworks\u002Fhipaa\u002Fsecurity-rule","HIPAA Security Rule"," and ",[23,29,31],{"href":30},"\u002Fframeworks\u002Fhipaa\u002Fprivacy-rule","HIPAA Privacy Rule"," to form the complete HIPAA compliance framework. For a high-level overview, visit the ",[23,34,36],{"href":35},"\u002Fframeworks\u002Fhipaa","HIPAA compliance"," page or consult the ",[23,39,41],{"href":40},"\u002Fglossary\u002Fhipaa","HIPAA glossary entry",".",[11,44,46],{"id":45},"what-constitutes-a-breach","What constitutes a breach?",[16,48,49],{},"A breach is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. This is a broad definition, and understanding its boundaries is critical for building an effective response program.",[51,52,54],"h3",{"id":53},"the-presumption-of-breach","The presumption of breach",[16,56,57,58,62],{},"Under the Omnibus Rule, any impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate can demonstrate a ",[59,60,61],"strong",{},"low probability"," that the PHI has been compromised. 
This is determined through a four-factor risk assessment.",[51,64,66],{"id":65},"the-four-factor-risk-assessment","The four-factor risk assessment",[16,68,69],{},"When an impermissible use or disclosure occurs, the organization must evaluate:",[71,72,73,80,86,92],"ol",{},[74,75,76,79],"li",{},[59,77,78],{},"The nature and extent of the PHI involved"," — disclosures involving names, Social Security numbers, and diagnosis codes carry higher risk than those with only zip codes.",[74,81,82,85],{},[59,83,84],{},"The unauthorized person who received the PHI"," — a misdirected fax to another provider presents different risks than a public database exposure.",[74,87,88,91],{},[59,89,90],{},"Whether the PHI was actually acquired or viewed"," — if forensic analysis confirms no access occurred, this weighs against a finding of compromise.",[74,93,94,97],{},[59,95,96],{},"The extent to which risk has been mitigated"," — if the recipient returned or destroyed the information, this reduces the probability of compromise.",[16,99,100],{},"If the risk assessment cannot demonstrate a low probability of compromise, the organization must treat the incident as a breach and proceed with notifications.",[51,102,104],{"id":103},"exceptions-to-the-breach-definition","Exceptions to the breach definition",[16,106,107],{},"Three narrow exceptions exist: unintentional access by a workforce member acting in good faith within the scope of authority, inadvertent disclosure between persons authorized to access PHI at the same entity, and disclosure to someone who could not reasonably retain the information. 
Even when an exception applies, organizations should document their analysis.",[11,109,111],{"id":110},"notification-requirements","Notification requirements",[16,113,114],{},"The Breach Notification Rule establishes distinct notification obligations depending on the size of the breach and the role of the organization.",[51,116,118],{"id":117},"individual-notification","Individual notification",[16,120,121,122,125],{},"Covered entities must notify each individual whose unsecured PHI has been breached. The notification must be provided without unreasonable delay and no later than ",[59,123,124],{},"60 calendar days"," from the date the breach was discovered.",[16,127,128],{},"The notification must describe the breach (including dates), the types of PHI involved, steps the individual should take for protection, what the entity is doing to investigate and prevent future breaches, and entity contact information. Notifications must be sent by first-class mail or email (if agreed). When contact information is unavailable for 10 or more individuals, substitute notice via the entity's website (90 days) or major media is required.",[51,130,132],{"id":131},"hhs-notification","HHS notification",[16,134,135],{},"The timeline and method for notifying HHS depend on the number of individuals affected:",[137,138,139,145],"ul",{},[74,140,141,144],{},[59,142,143],{},"Breaches affecting 500 or more individuals"," — the covered entity must notify HHS at the same time as individual notifications, no later than 60 days from discovery. These breaches are posted on the HHS \"Wall of Shame\" (the Breach Portal) and often attract media attention and regulatory scrutiny.",[74,146,147,150],{},[59,148,149],{},"Breaches affecting fewer than 500 individuals"," — the covered entity must notify HHS within 60 days of the end of the calendar year in which the breach was discovered. 
These notifications are submitted through the HHS breach reporting portal as an annual log.",[16,152,153],{},"All HHS notifications are made through the online portal maintained by the Office for Civil Rights.",[51,155,157],{"id":156},"media-notification","Media notification",[16,159,160,161,164],{},"When a breach affects ",[59,162,163],{},"500 or more residents of a single state or jurisdiction",", the covered entity must notify prominent media outlets serving that area. This notification must be provided without unreasonable delay and no later than 60 days from discovery. The media notice must contain the same elements required for individual notification.",[51,166,168],{"id":167},"business-associate-obligations","Business associate obligations",[16,170,171,172,175,176,180],{},"When a business associate discovers a breach of unsecured PHI, it must notify the covered entity without unreasonable delay and no later than ",[59,173,174],{},"60 days from discovery"," (or sooner if specified in the ",[23,177,179],{"href":178},"\u002Fframeworks\u002Fhipaa\u002Fbusiness-associate-agreements","Business Associate Agreement","). The notification must identify each individual whose PHI has been or is reasonably believed to have been affected, along with any other available information the covered entity needs to fulfill its own notification obligations.",[16,182,183],{},"The covered entity, not the business associate, is ultimately responsible for providing notifications to individuals, HHS, and the media. However, the BAA may allocate additional responsibilities.",[11,185,187],{"id":186},"when-is-a-breach-discovered","When is a breach \"discovered\"?",[16,189,190,191,194],{},"The 60-day clock starts on the date the breach is ",[59,192,193],{},"discovered",", not the date it occurred. A breach is considered discovered on the first day the entity knows of it or, by exercising reasonable diligence, would have known. 
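The clocks in the notification requirements above, encoded the way an incident response team would put them in a playbook, as an added example in Go (not code from the page or from HHS): the 60-day individual notice, an HHS notice that is either contemporaneous (500 or more affected) or an annual-log entry due 60 days after the end of the calendar year of discovery, the per-state media test, the business associate's window to the covered entity, and the discovery-date rule from this section. The Breach and Deadlines types, the DiscoveryDate helper, and the sample counts are this example's own assumptions; the thresholds and windows come from the rule text.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Thresholds and windows from 45 CFR 164.404-164.410. Every window is an outer
// limit; "without unreasonable delay" still governs the actual timing.
const (
	windowDays  = 60  // "no later than 60 calendar days"
	largeBreach = 500 // HHS-at-once threshold and the per-state media threshold
)

// Breach is what the response team has once the incident is being treated as a
// breach of unsecured PHI. Types and field names are this example's own.
type Breach struct {
	DiscoveredOn     time.Time      // discovery date, not the date of the event
	ResidentsByState map[string]int // affected individuals by state/jurisdiction of residence
	BAAWindowDays    int            // shorter BA-to-CE window fixed by the BAA; 0 = statutory 60 days
}

// Deadlines are the last permissible dates for each notification.
type Deadlines struct {
	Individuals  time.Time
	HHS          time.Time
	HHSAnnualLog bool     // true when HHS is told via the annual log rather than at once
	MediaStates  []string // states/jurisdictions where a prominent-media notice is required
	BAToCE       time.Time
}

// DiscoveryDate applies 164.404(a)(2): the breach is "discovered" on the earlier of
// the day the entity actually knew and the day it would have known with reasonable
// diligence, so slow log review or an ignored alert does not delay the clock.
func DiscoveryDate(actuallyKnew, wouldHaveKnown time.Time) time.Time {
	if wouldHaveKnown.Before(actuallyKnew) {
		return wouldHaveKnown
	}
	return actuallyKnew
}

func (b Breach) Total() int {
	n := 0
	for _, c := range b.ResidentsByState {
		n += c
	}
	return n
}

// Compute derives the statutory outer deadlines from the discovery date and counts.
func Compute(b Breach) Deadlines {
	d := Deadlines{Individuals: b.DiscoveredOn.AddDate(0, 0, windowDays)}

	if b.Total() >= largeBreach {
		// 164.408(b): contemporaneously with individual notice.
		d.HHS = d.Individuals
	} else {
		// 164.408(c): within 60 days after the end of the calendar year of discovery.
		yearEnd := time.Date(b.DiscoveredOn.Year(), time.December, 31, 0, 0, 0, 0, time.UTC)
		d.HHS = yearEnd.AddDate(0, 0, windowDays)
		d.HHSAnnualLog = true
	}

	// 164.406: the media test is per state, so a 600-person breach spread over several
	// states can require an immediate HHS notice and yet no media notice at all.
	for st, n := range b.ResidentsByState {
		if n >= largeBreach {
			d.MediaStates = append(d.MediaStates, st)
		}
	}
	sort.Strings(d.MediaStates)

	// 164.410: the business associate's clock runs from its own discovery, capped at
	// 60 days or at whatever shorter period the BAA fixes.
	ba := windowDays
	if b.BAAWindowDays > 0 && b.BAAWindowDays < windowDays {
		ba = b.BAAWindowDays
	}
	d.BAToCE = b.DiscoveredOn.AddDate(0, 0, ba)
	return d
}

func main() {
	// Constructed scenario: an export misconfiguration noticed on 2025-11-20, but an
	// existing alert would have surfaced it on 11-18; 620 people in three states; a
	// BAA that gives the business associate 10 days to report.
	disc := DiscoveryDate(
		time.Date(2025, 11, 20, 0, 0, 0, 0, time.UTC),
		time.Date(2025, 11, 18, 0, 0, 0, 0, time.UTC))
	b := Breach{
		DiscoveredOn:     disc,
		ResidentsByState: map[string]int{"CA": 300, "NV": 200, "AZ": 120},
		BAAWindowDays:    10,
	}
	d := Compute(b)
	fmt.Printf("discovered %s\nindividuals by %s\nHHS by %s (annual log: %v)\nmedia in %v\nBA to CE by %s\n",
		disc.Format("2006-01-02"), d.Individuals.Format("2006-01-02"), d.HHS.Format("2006-01-02"),
		d.HHSAnnualLog, d.MediaStates, d.BAToCE.Format("2006-01-02"))
}
```

Two points the code makes explicit that the prose leaves implicit: the media test is per state while the HHS timing test is on the total, so the constructed 620-person breach in main needs an immediate HHS notice but no media notice; and the annual-log deadline is always 60 days after 31 December, which lands on 1 March (29 February in a leap year) no matter when in the year the breach was discovered.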
Knowledge held by any workforce member or agent of the entity (other than the person who committed the breach) is imputed to the entity, so willful ignorance does not stop the clock, and delayed discovery caused by inadequate monitoring can itself become a compliance violation.",[11,196,198],{"id":197},"the-role-of-encryption","The role of encryption",[16,200,201,202,205],{},"The Breach Notification Rule applies only to ",[59,203,204],{},"unsecured PHI",". PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized persons is considered secured and falls outside the notification requirements.",[16,207,208],{},"HHS has specified two methods for securing PHI:",[137,210,211,217],{},[74,212,213,216],{},[59,214,215],{},"Encryption"," — PHI encrypted consistent with the NIST guidance that HHS references (SP 800-111 for data at rest; SP 800-52, 800-77, or 800-113 for data in transit, which in practice means AES with a key of at least 128 bits at rest and TLS 1.2 or later in transit) is considered secured, provided the decryption key was not exposed along with the data. A key that travels with the data in usable form (cached in cleartext on the same lost device, stored in the same compromised system, or saved beside the backup it protects) does not qualify.",[74,218,219,222],{},[59,220,221],{},"Destruction"," — paper PHI that has been shredded or destroyed such that it cannot be reconstructed, and electronic media that has been cleared, purged, or destroyed in accordance with NIST SP 800-88, is considered secured.",[16,224,225,226,229],{},"This creates a powerful incentive to encrypt ePHI at rest and in transit. If encrypted data is stolen but the key remains secure, no breach notification is required, so key management (keys held in a separate system such as a KMS or HSM, with their own access controls and audit logs) matters as much as the cipher. This is why encryption, although technically an addressable specification under the ",[23,227,228],{"href":25},"Security Rule",", is implemented by virtually every organization that handles ePHI.",[11,231,233],{"id":232},"building-a-breach-response-process","Building a breach response process",[16,235,236,240],{},[23,237,239],{"href":238},"\u002Findustry\u002Fhealthcare","Healthcare organizations"," and their technology partners should build a documented breach response process before an incident occurs. 
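The encryption safe harbor described above turns on one engineering fact: the artifact an attacker walks away with must not contain a usable key. What follows is an added example, not code from the page or from HHS, of envelope encryption in Go using the standard library's AES-256-GCM. Each record gets its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that in production would live in a KMS or HSM, and only the ciphertext plus the wrapped DEK is ever written to storage. StoredRecord, Encrypt, Decrypt, the record IDs and the sample PHI string are this example's own constructions; the KEK is held in memory here purely for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredRecord is the artifact that lands on disk, in a backup, or in object storage:
// the ePHI ciphertext plus its per-record DEK wrapped under the KEK. The KEK itself
// never appears here. (Type and field names are this example's own.)
type StoredRecord struct {
	RecordID   string
	Ciphertext []byte // nonce || AES-256-GCM(DEK, phi, aad=RecordID)
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, dek, aad=RecordID)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag under a fresh random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal inverts seal; it fails on a wrong key, a modified blob, or a mismatched aad.
func unseal(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// NewKey returns 32 random bytes: used for the KEK (KMS/HSM in production, memory
// here) and for each per-record DEK.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// Encrypt protects one record: fresh DEK, PHI sealed under the DEK, DEK sealed under
// the KEK. The record ID is bound as associated data so a wrapped DEK cannot be
// moved from one record to another.
func Encrypt(kek []byte, recordID string, phi []byte) (StoredRecord, error) {
	dek, err := NewKey()
	if err != nil {
		return StoredRecord{}, err
	}
	ct, err := seal(dek, phi, []byte(recordID))
	if err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{RecordID: recordID, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt needs the KEK; holding only the StoredRecord is not enough.
func Decrypt(kek []byte, r StoredRecord) ([]byte, error) {
	dek, err := unseal(kek, r.WrappedDEK, []byte(r.RecordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", r.RecordID, err)
	}
	return unseal(dek, r.Ciphertext, []byte(r.RecordID))
}

func main() {
	kek, _ := NewKey()
	phi := []byte("MRN 0000001; DOB 1970-01-01; dx E11.9") // constructed sample, not real PHI
	rec, _ := Encrypt(kek, "patient-0000001", phi)

	// Scenario 1: the storage artifact is stolen, the KEK is not. Nothing decrypts.
	wrong, _ := NewKey()
	_, err := Decrypt(wrong, rec)
	fmt.Println("thief without the KEK fails:", err != nil)

	// Scenario 2: the KEK was kept beside the data and taken with it. Safe harbor lost.
	out, err := Decrypt(kek, rec)
	fmt.Println("thief holding the KEK reads PHI:", err == nil && bytes.Equal(out, phi))
}
```

Binding the record ID as associated data means a wrapped DEK lifted from one record cannot be replayed against another, and a wrong KEK fails authentication instead of yielding garbage. This structure is what lets a stolen disk image or backup be treated as secured PHI: the KEK was never on it.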
Key components include incident detection and reporting channels, a defined team for conducting the four-factor risk assessment, pre-drafted notification templates and workflows, mitigation and containment steps, comprehensive documentation (retained for at least six years), and post-incident reviews to update policies and controls.",[16,242,243,244,248],{},"The ",[23,245,247],{"href":246},"\u002Fframeworks\u002Fhipaa\u002Fcompliance-checklist","HIPAA compliance checklist"," includes breach response requirements alongside the broader compliance program.",[11,250,252],{"id":251},"penalties-for-non-compliance","Penalties for non-compliance",[16,254,255],{},"Failure to comply with the Breach Notification Rule carries civil monetary penalties in four culpability tiers, set by HITECH at $100 to $50,000 per violation with an annual maximum of $1.5 million per identical provision; HHS adjusts these amounts upward for inflation each year, so the current figures are higher. Delayed or insufficient notifications are among the most common findings in HHS enforcement actions. State attorneys general may also bring actions under the HITECH Act. Breaches posted on the HHS Breach Portal are publicly accessible, creating significant reputational consequences.",{"title":257,"searchDepth":258,"depth":258,"links":259},"",2,[260,261,267,273,274,275,276],{"id":13,"depth":258,"text":14},{"id":45,"depth":258,"text":46,"children":262},[263,265,266],{"id":53,"depth":264,"text":54},3,{"id":65,"depth":264,"text":66},{"id":103,"depth":264,"text":104},{"id":110,"depth":258,"text":111,"children":268},[269,270,271,272],{"id":117,"depth":264,"text":118},{"id":131,"depth":264,"text":132},{"id":156,"depth":264,"text":157},{"id":167,"depth":264,"text":168},{"id":186,"depth":258,"text":187},{"id":197,"depth":258,"text":198},{"id":232,"depth":258,"text":233},{"id":251,"depth":258,"text":252},"The HIPAA Breach Notification Rule requires covered entities and business associates to notify individuals, HHS, and sometimes the media after a breach of unsecured PHI.","md",{"items":280},[281,284,287,290],{"label":282,"content":283},"How long do you have to 
report a HIPAA breach?","Covered entities must notify affected individuals no later than 60 calendar days from the date the breach was discovered. For breaches affecting 500 or more individuals, HHS must also be notified within the same 60-day window; breaches affecting fewer than 500 are reported to HHS within 60 days after the end of the calendar year in which they were discovered. Business associates must notify the covered entity within 60 days of discovery, or sooner if the BAA requires it.",{"label":285,"content":286},"What triggers the HIPAA breach notification requirement?","Any impermissible acquisition, access, use, or disclosure of protected health information (PHI) is presumed to be a breach unless a four-factor risk assessment demonstrates a low probability that the PHI was compromised. The four factors evaluate the nature of the PHI, who received it, whether it was actually viewed, and the extent of mitigation.",{"label":288,"content":289},"Does encryption eliminate the need for breach notification?","Yes, if the PHI was encrypted consistent with the NIST guidance HHS references (SP 800-111 at rest; SP 800-52, 800-77, or 800-113 in transit) and the decryption key was not exposed along with the data, the information is considered secured and falls outside the breach notification requirements. If the key was taken with the data, the safe harbor does not apply.",{"label":291,"content":292},"What are the penalties for failing to report a HIPAA breach?","Civil penalties are tiered from $100 to $50,000 per violation (HITECH base amounts, adjusted annually for inflation), with an annual maximum of $1.5 million per identical provision. Breaches affecting 500+ individuals are posted publicly on the HHS Breach Portal. 
State attorneys general may also bring separate enforcement actions under the HITECH Act.","hipaa","2026-04-16",{},true,"\u002Fframeworks\u002Fhipaa\u002Fbreach-notification",[293],[300,301,302,303],"security-rule","privacy-rule","business-associate-agreements","compliance-checklist",{"title":305,"description":306},"HIPAA Breach Notification Rule: 60-Day Timeline, Requirements & Reporting Steps","HIPAA breach notification requirements — 60-day timeline, individual vs HHS vs media notification rules, risk assessment factors, and step-by-step reporting guide.","5.frameworks\u002Fhipaa\u002Fbreach-notification","8brHphtde3Ujctufl7f1XJYADy8eqT2qNH1Gyn-fOkQ",{"id":310,"title":311,"body":312,"description":545,"extension":278,"faq":546,"frameworkSlug":293,"lastUpdated":294,"meta":547,"navigation":296,"path":178,"relatedTerms":548,"relatedTopics":549,"seo":551,"stem":554,"__hash__":555},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fbusiness-associate-agreements.md","Business Associate Agreements (BAA)",{"type":8,"value":313,"toc":528},[314,318,321,324,332,336,345,348,352,355,359,366,370,373,377,380,383,443,447,454,458,461,465,468,472,475,479,484,488,491,523],[11,315,317],{"id":316},"what-is-a-business-associate-agreement","What is a Business Associate Agreement?",[16,319,320],{},"A Business Associate Agreement (BAA) is a legally binding contract required under HIPAA between a covered entity and a business associate, or between a business associate and a subcontractor. The agreement establishes the permitted and required uses and disclosures of protected health information (PHI) by the business associate, mandates appropriate safeguards, and defines each party's responsibilities for compliance.",[16,322,323],{},"No covered entity may share PHI with a vendor, contractor, or service provider until a BAA is executed. 
This requirement is absolute — even if a business associate has robust security practices and excellent intentions, the absence of a signed BAA is itself a HIPAA violation.",[16,325,326,327,329,330,42],{},"BAAs are a central element of ",[23,328,36],{"href":35},". For broader context on how they fit into the compliance framework, see the main HIPAA page and the ",[23,331,41],{"href":40},[11,333,335],{"id":334},"who-is-a-business-associate","Who is a business associate?",[16,337,338,339,341,342,42],{},"A business associate is any person or organization that performs functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. The HITECH Act expanded this definition significantly, making business associates directly subject to HIPAA's ",[23,340,228],{"href":25}," and certain provisions of the ",[23,343,344],{"href":30},"Privacy Rule",[16,346,347],{},"Common examples include cloud service providers, IT managed service providers, billing companies, EHR vendors, data analytics firms, consultants, shredding companies, email platforms used to transmit PHI, law firms, and accountants. A critical point: simply stating that a vendor \"will not access PHI\" does not eliminate the BAA requirement if the vendor's services involve PHI in any form. A cloud provider hosting encrypted ePHI is a business associate even if it never decrypts the data.",[51,349,351],{"id":350},"subcontractors","Subcontractors",[16,353,354],{},"Under the Omnibus Rule, subcontractors of business associates are themselves considered business associates. This means a business associate must execute BAAs with its own downstream vendors that handle PHI. 
The chain of contractual protection must extend to every entity that touches PHI.",[11,356,358],{"id":357},"when-is-a-baa-required","When is a BAA required?",[16,360,361,362,365],{},"A BAA is required whenever a covered entity engages a business associate to perform a function or service involving PHI, or whenever a business associate engages a subcontractor for the same purpose. The timing is important: the BAA must be in place ",[59,363,364],{},"before"," any PHI is shared.",[51,367,369],{"id":368},"when-a-baa-is-not-required","When a BAA is NOT required",[16,371,372],{},"A BAA is not needed when the vendor is a mere conduit (like the postal service), the relationship is between a covered entity and a patient, the vendor's services do not involve PHI, or covered entities share PHI for treatment purposes. The determination should always be documented — when in doubt, executing a BAA is the safer approach.",[11,374,376],{"id":375},"required-provisions-of-a-baa","Required provisions of a BAA",[16,378,379],{},"The Privacy Rule (45 CFR 164.504(e)) and Security Rule specify the provisions a BAA must contain. While organizations may negotiate additional terms, the following elements are mandatory:",[16,381,382],{},"The mandatory provisions are:",[137,384,385,394,403,413,419,425,431,437],{},[74,386,387,390,391,393],{},[59,388,389],{},"Permitted uses and disclosures"," — describe how the business associate may use PHI, consistent with the ",[23,392,344],{"href":30},". The BAA may not authorize uses that would violate the Privacy Rule if done by the covered entity itself.",[74,395,396,399,400,402],{},[59,397,398],{},"Appropriate safeguards"," — require the business associate to implement ",[23,401,228],{"href":25}," safeguards (administrative, physical, and technical) to prevent unauthorized use or disclosure.",[74,404,405,408,409,412],{},[59,406,407],{},"Breach reporting"," — require reporting of any impermissible use or disclosure, including breaches of unsecured PHI. 
The ",[23,410,411],{"href":297},"Breach Notification Rule"," sets a 60-day deadline, but many BAAs negotiate shorter timelines.",[74,414,415,418],{},[59,416,417],{},"Subcontractor compliance"," — require downstream vendors handling PHI to agree to the same restrictions and execute their own BAAs.",[74,420,421,424],{},[59,422,423],{},"Individual rights support"," — make PHI available for individual access requests, amendment requests, and accounting of disclosures.",[74,426,427,430],{},[59,428,429],{},"HHS access"," — make internal practices, books, and records available to HHS for compliance determinations.",[74,432,433,436],{},[59,434,435],{},"Return or destroy PHI"," — at termination, return or destroy all PHI. If infeasible, extend protections and limit further use.",[74,438,439,442],{},[59,440,441],{},"Termination authority"," — authorize the covered entity to terminate the agreement for material violations.",[11,444,446],{"id":445},"liability-under-a-baa","Liability under a BAA",[16,448,449,450,453],{},"The HITECH Act fundamentally changed the liability landscape for business associates. Before HITECH, business associates were liable only to the covered entity through the contractual terms of the BAA. After HITECH, business associates are ",[59,451,452],{},"directly liable"," to HHS for compliance with the Security Rule, the breach notification requirements, and certain Privacy Rule provisions.",[51,455,457],{"id":456},"covered-entity-liability","Covered entity liability",[16,459,460],{},"A covered entity is not liable for a business associate's HIPAA violations if the entity did not know (and by exercising reasonable diligence would not have known) of the violation pattern. 
However, if the covered entity knows of a violation and fails to take reasonable steps to cure the breach or terminate the agreement, the entity becomes liable.",[51,462,464],{"id":463},"business-associate-liability","Business associate liability",[16,466,467],{},"Business associates face the same tiered civil penalty structure as covered entities — HITECH base amounts of $100 to $50,000 per violation with an annual maximum of $1.5 million per identical provision, adjusted annually for inflation. Criminal penalties under 42 U.S.C. 1320d-6 also apply, rising to $250,000 and ten years' imprisonment when PHI is obtained or disclosed with intent to sell it or to use it for commercial advantage, personal gain, or malicious harm.",[51,469,471],{"id":470},"contractual-indemnification","Contractual indemnification",[16,473,474],{},"Beyond HIPAA's statutory penalties, BAAs frequently include indemnification clauses, limitation of liability provisions, and insurance requirements that allocate financial risk between the parties. These terms are negotiated commercially and are not required by HIPAA, but they are practically important for managing exposure.",[11,476,478],{"id":477},"managing-baas-at-scale","Managing BAAs at scale",[16,480,481,483],{},[23,482,239],{"href":238}," often maintain dozens or hundreds of BAAs. Effective management requires a centralized inventory tracking all agreements and their renewal dates, standardized templates with all required provisions, automated renewal tracking, periodic vendor risk assessments, ongoing compliance monitoring through certifications and audit reports, and thorough documentation of every decision and agreement.",[11,485,487],{"id":486},"common-baa-mistakes","Common BAA mistakes",[16,489,490],{},"Organizations frequently encounter these pitfalls with BAAs:",[137,492,493,499,505,511,517],{},[74,494,495,498],{},[59,496,497],{},"Missing BAAs entirely"," — the most basic and most common violation. 
Every vendor relationship should be evaluated for BAA necessity during procurement.",[74,500,501,504],{},[59,502,503],{},"Using outdated templates"," — BAAs drafted before the 2013 Omnibus Rule may lack required provisions for breach notification, subcontractor compliance, and Security Rule obligations.",[74,506,507,510],{},[59,508,509],{},"Failing to cascade to subcontractors"," — a business associate that does not execute BAAs with its own vendors breaks the chain of protection.",[74,512,513,516],{},[59,514,515],{},"Ignoring termination provisions"," — when a vendor relationship ends, the BAA's return-or-destroy provisions must be enforced. Orphaned PHI at former vendors is a significant risk.",[74,518,519,522],{},[59,520,521],{},"Not monitoring compliance"," — executing a BAA is not a one-time event. Ongoing oversight of business associate security practices is expected.",[16,524,243,525,527],{},[23,526,247],{"href":246}," includes BAA management requirements as a core component of the overall compliance program.",{"title":257,"searchDepth":258,"depth":258,"links":529},[530,531,534,537,538,543,544],{"id":316,"depth":258,"text":317},{"id":334,"depth":258,"text":335,"children":532},[533],{"id":350,"depth":264,"text":351},{"id":357,"depth":258,"text":358,"children":535},[536],{"id":368,"depth":264,"text":369},{"id":375,"depth":258,"text":376},{"id":445,"depth":258,"text":446,"children":539},[540,541,542],{"id":456,"depth":264,"text":457},{"id":463,"depth":264,"text":464},{"id":470,"depth":264,"text":471},{"id":477,"depth":258,"text":478},{"id":486,"depth":258,"text":487},"A Business Associate Agreement is a legally required contract ensuring that vendors and subcontractors handling PHI comply with HIPAA requirements.",null,{},[293],[300,301,550,303],"breach-notification",{"title":552,"description":553},"HIPAA Business Associate Agreements (BAA) - Requirements & Key Provisions","Learn what a BAA is, when one is required, the provisions it must include, and how 
liability flows between covered entities and business associates.","5.frameworks\u002Fhipaa\u002Fbusiness-associate-agreements","1WFenZxptMnDm8MgpXeSdLl1IXz9YOpO66HInGj2Tek",{"id":557,"title":558,"body":559,"description":1150,"extension":278,"faq":546,"frameworkSlug":293,"lastUpdated":294,"meta":1151,"navigation":296,"path":246,"relatedTerms":1152,"relatedTopics":1153,"seo":1154,"stem":1157,"__hash__":1158},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fcompliance-checklist.md","HIPAA Compliance Checklist",{"type":8,"value":560,"toc":1124},[561,565,568,589,593,598,602,633,637,664,668,689,693,698,702,717,721,766,770,827,831,837,841,868,872,923,927,966,970,973,977,1016,1020,1025,1029,1080,1084,1087,1114,1118],[11,562,564],{"id":563},"hipaa-compliance-checklist-overview","HIPAA compliance checklist overview",[16,566,567],{},"Building and maintaining a HIPAA compliance program requires coordinating across privacy, security, vendor management, workforce training, and incident response. This checklist provides a structured walkthrough of the major requirements that covered entities and business associates must address.",[16,569,570,571,573,574,573,576,578,579,582,583,585,586,588],{},"This checklist is not a substitute for legal counsel or a formal risk assessment, but it serves as a practical framework for identifying gaps and tracking progress. For detailed guidance on individual topics, refer to the dedicated pages for the ",[23,572,228],{"href":25},", ",[23,575,344],{"href":30},[23,577,411],{"href":297},", and ",[23,580,581],{"href":178},"Business Associate Agreements",". The main ",[23,584,36],{"href":35}," page provides a high-level overview, and the ",[23,587,41],{"href":40}," covers foundational terms.",[11,590,592],{"id":591},"privacy-rule-checklist","Privacy Rule checklist",[16,594,243,595,597],{},[23,596,344],{"href":30}," governs the use and disclosure of PHI in all forms. 
Every covered entity and business associate must address the following:",[51,599,601],{"id":600},"privacy-official-and-npp","Privacy official and NPP",[137,603,606,615,621,627],{"className":604},[605],"contains-task-list",[74,607,610,614],{"className":608},[609],"task-list-item",[611,612],"input",{"disabled":296,"type":613},"checkbox"," Appoint a privacy officer with authority to develop and enforce privacy policies",[74,616,618,620],{"className":617},[609],[611,619],{"disabled":296,"type":613}," Draft and distribute the Notice of Privacy Practices with all required content",[74,622,624,626],{"className":623},[609],[611,625],{"disabled":296,"type":613}," Post the NPP at physical locations and on the organization's website",[74,628,630,632],{"className":629},[609],[611,631],{"disabled":296,"type":613}," Revise and redistribute the NPP when material changes occur",[51,634,636],{"id":635},"minimum-necessary-and-individual-rights","Minimum necessary and individual rights",[137,638,640,646,652,658],{"className":639},[605],[74,641,643,645],{"className":642},[609],[611,644],{"disabled":296,"type":613}," Define role-based access ensuring workforce members access only the PHI needed for their role",[74,647,649,651],{"className":648},[609],[611,650],{"disabled":296,"type":613}," Establish standard protocols for routine disclosures and a review process for non-routine requests",[74,653,655,657],{"className":654},[609],[611,656],{"disabled":296,"type":613}," Create documented processes for access requests (30 days), amendment requests (60 days), and accounting of disclosures",[74,659,661,663],{"className":660},[609],[611,662],{"disabled":296,"type":613}," Establish procedures for restriction and confidential communication requests",[51,665,667],{"id":666},"authorizations-and-permitted-disclosures","Authorizations and permitted disclosures",[137,669,671,677,683],{"className":670},[605],[74,672,674,676],{"className":673},[609],[611,675],{"disabled":296,"type":613}," Develop 
authorization forms with all required elements and track expiration dates",[74,678,680,682],{"className":679},[609],[611,681],{"disabled":296,"type":613}," Document policies for each category of permitted use and disclosure",[74,684,686,688],{"className":685},[609],[611,687],{"disabled":296,"type":613}," Establish verification procedures for third-party disclosure requests",[11,690,692],{"id":691},"security-rule-checklist","Security Rule checklist",[16,694,243,695,697],{},[23,696,228],{"href":25}," requires administrative, physical, and technical safeguards for ePHI. These requirements apply to all covered entities and business associates.",[51,699,701],{"id":700},"designate-a-security-official","Designate a security official",[137,703,705,711],{"className":704},[605],[74,706,708,710],{"className":707},[609],[611,709],{"disabled":296,"type":613}," Appoint a security officer responsible for developing and implementing security policies (may be the same person as the privacy officer in smaller organizations)",[74,712,714,716],{"className":713},[609],[611,715],{"disabled":296,"type":613}," Document the appointment and ensure adequate authority and resources",[51,718,720],{"id":719},"conduct-and-maintain-a-risk-analysis","Conduct and maintain a risk analysis",[137,722,724,730,736,742,748,754,760],{"className":723},[605],[74,725,727,729],{"className":726},[609],[611,728],{"disabled":296,"type":613}," Identify all systems that create, receive, maintain, or transmit ePHI",[74,731,733,735],{"className":732},[609],[611,734],{"disabled":296,"type":613}," Identify and document reasonably anticipated threats and vulnerabilities for each system",[74,737,739,741],{"className":738},[609],[611,740],{"disabled":296,"type":613}," Assess current security measures in place",[74,743,745,747],{"className":744},[609],[611,746],{"disabled":296,"type":613}," Determine the likelihood and impact of each identified 
threat",[74,749,751,753],{"className":750},[609],[611,752],{"disabled":296,"type":613}," Assign risk levels and document a prioritized remediation plan",[74,755,757,759],{"className":756},[609],[611,758],{"disabled":296,"type":613}," Schedule regular risk analysis updates (at least annually and after significant changes)",[74,761,763,765],{"className":762},[609],[611,764],{"disabled":296,"type":613}," Maintain all risk analysis documentation for at least six years",[51,767,769],{"id":768},"implement-safeguards","Implement safeguards",[137,771,773,779,785,791,797,803,809,815,821],{"className":772},[605],[74,774,776,778],{"className":775},[609],[611,777],{"disabled":296,"type":613}," Develop a risk management plan and sanction policies",[74,780,782,784],{"className":781},[609],[611,783],{"disabled":296,"type":613}," Implement regular log reviews and workforce security procedures (authorization, supervision, termination)",[74,786,788,790],{"className":787},[609],[611,789],{"disabled":296,"type":613}," Establish security awareness training covering passwords, malware, and incident reporting",[74,792,794,796],{"className":793},[609],[611,795],{"disabled":296,"type":613}," Develop and test contingency plans: data backup, disaster recovery, and emergency operations",[74,798,800,802],{"className":799},[609],[611,801],{"disabled":296,"type":613}," Establish facility access controls, workstation use and security policies, and device\u002Fmedia controls",[74,804,806,808],{"className":805},[609],[611,807],{"disabled":296,"type":613}," Deploy technical access controls: unique user IDs, automatic logoff, encryption, and MFA",[74,810,812,814],{"className":811},[609],[611,813],{"disabled":296,"type":613}," Implement audit controls and ePHI integrity mechanisms",[74,816,818,820],{"className":817},[609],[611,819],{"disabled":296,"type":613}," Secure transmissions with encryption (TLS 1.2+)",[74,822,824,826],{"className":823},[609],[611,825],{"disabled":296,"type":613}," Document all 
addressable specification assessments, decisions, and rationale",[11,828,830],{"id":829},"business-associate-agreement-checklist","Business Associate Agreement checklist",[16,832,833,836],{},[23,834,835],{"href":178},"BAAs"," must be in place before any PHI is shared with vendors and subcontractors. Managing BAAs is an ongoing operational responsibility.",[51,838,840],{"id":839},"identify-business-associates","Identify business associates",[137,842,844,850,856,862],{"className":843},[605],[74,845,847,849],{"className":846},[609],[611,848],{"disabled":296,"type":613}," Inventory all vendors, contractors, and service providers that access, store, process, or transmit PHI",[74,851,853,855],{"className":852},[609],[611,854],{"disabled":296,"type":613}," Evaluate each relationship to determine whether a BAA is required",[74,857,859,861],{"className":858},[609],[611,860],{"disabled":296,"type":613}," Document the determination for each vendor, including rationale for cases where a BAA is deemed unnecessary",[74,863,865,867],{"className":864},[609],[611,866],{"disabled":296,"type":613}," Include BAA evaluation in the procurement and vendor onboarding process",[51,869,871],{"id":870},"execute-compliant-baas","Execute compliant BAAs",[137,873,875,881,887,893,899,905,911,917],{"className":874},[605],[74,876,878,880],{"className":877},[609],[611,879],{"disabled":296,"type":613}," Use a standardized BAA template that includes all required provisions under 45 CFR 164.504(e)",[74,882,884,886],{"className":883},[609],[611,885],{"disabled":296,"type":613}," Ensure each BAA establishes permitted uses and disclosures consistent with the Privacy Rule",[74,888,890,892],{"className":889},[609],[611,891],{"disabled":296,"type":613}," Include requirements for appropriate safeguards and Security Rule compliance",[74,894,896,898],{"className":895},[609],[611,897],{"disabled":296,"type":613}," Include breach notification obligations with defined timelines (60 days or 
less)",[74,900,902,904],{"className":901},[609],[611,903],{"disabled":296,"type":613}," Require subcontractor BAAs for downstream vendors handling PHI",[74,906,908,910],{"className":907},[609],[611,909],{"disabled":296,"type":613}," Include provisions for PHI access, amendment, and accounting of disclosures",[74,912,914,916],{"className":913},[609],[611,915],{"disabled":296,"type":613}," Include return-or-destroy provisions for PHI at agreement termination",[74,918,920,922],{"className":919},[609],[611,921],{"disabled":296,"type":613}," Include termination rights for material BAA violations",[51,924,926],{"id":925},"manage-baas-ongoing","Manage BAAs ongoing",[137,928,930,936,942,948,954,960],{"className":929},[605],[74,931,933,935],{"className":932},[609],[611,934],{"disabled":296,"type":613}," Maintain a centralized BAA inventory with effective dates, renewal dates, and scope of PHI",[74,937,939,941],{"className":938},[609],[611,940],{"disabled":296,"type":613}," Implement renewal tracking with automated reminders",[74,943,945,947],{"className":944},[609],[611,946],{"disabled":296,"type":613}," Review and update BAAs when regulations change, services change, or agreements expire",[74,949,951,953],{"className":950},[609],[611,952],{"disabled":296,"type":613}," Conduct periodic vendor risk assessments evaluating business associate security posture",[74,955,957,959],{"className":956},[609],[611,958],{"disabled":296,"type":613}," Enforce return-or-destroy provisions when vendor relationships end",[74,961,963,965],{"className":962},[609],[611,964],{"disabled":296,"type":613}," Monitor business associate compliance through certifications, audit reports, and incident reporting",[11,967,969],{"id":968},"workforce-training-checklist","Workforce training checklist",[16,971,972],{},"Training is required under both the Privacy Rule and Security Rule. 
Effective training reduces the likelihood of workforce-caused incidents and demonstrates organizational commitment to compliance.",[51,974,976],{"id":975},"develop-and-deliver-training","Develop and deliver training",[137,978,980,986,992,998,1004,1010],{"className":979},[605],[74,981,983,985],{"className":982},[609],[611,984],{"disabled":296,"type":613}," Create content covering Privacy Rule, Security Rule, breach reporting, and BAA awareness",[74,987,989,991],{"className":988},[609],[611,990],{"disabled":296,"type":613}," Tailor training to job roles (clinical, IT, billing, administrative)",[74,993,995,997],{"className":994},[609],[611,996],{"disabled":296,"type":613}," Train all new workforce members within a defined period after hiring",[74,999,1001,1003],{"className":1000},[609],[611,1002],{"disabled":296,"type":613}," Deliver refresher training at least annually and when policies change",[74,1005,1007,1009],{"className":1006},[609],[611,1008],{"disabled":296,"type":613}," Document all training: dates, attendees, content, and acknowledgments",[74,1011,1013,1015],{"className":1012},[609],[611,1014],{"disabled":296,"type":613}," Maintain training records for at least six years",[11,1017,1019],{"id":1018},"breach-response-checklist","Breach response checklist",[16,1021,243,1022,1024],{},[23,1023,411],{"href":297}," requires timely, documented responses to breaches of unsecured PHI.",[51,1026,1028],{"id":1027},"build-and-maintain-the-response-framework","Build and maintain the response framework",[137,1030,1032,1038,1044,1050,1056,1062,1068,1074],{"className":1031},[605],[74,1033,1035,1037],{"className":1034},[609],[611,1036],{"disabled":296,"type":613}," Develop a written incident response plan covering detection, investigation, assessment, notification, and remediation",[74,1039,1041,1043],{"className":1040},[609],[611,1042],{"disabled":296,"type":613}," Assign an incident response team with defined roles and escalation 
paths",[74,1045,1047,1049],{"className":1046},[609],[611,1048],{"disabled":296,"type":613}," Create pre-drafted notification templates for individuals, HHS, and media",[74,1051,1053,1055],{"className":1052},[609],[611,1054],{"disabled":296,"type":613}," Document the four-factor risk assessment process for evaluating potential breaches",[74,1057,1059,1061],{"className":1058},[609],[611,1060],{"disabled":296,"type":613}," Establish procedures for individual, HHS, and media notification",[74,1063,1065,1067],{"className":1064},[609],[611,1066],{"disabled":296,"type":613}," Conduct tabletop exercises at least annually",[74,1069,1071,1073],{"className":1070},[609],[611,1072],{"disabled":296,"type":613}," Maintain incident documentation for at least six years",[74,1075,1077,1079],{"className":1076},[609],[611,1078],{"disabled":296,"type":613}," Maintain a log of smaller breaches (under 500 individuals) for annual HHS submission",[11,1081,1083],{"id":1082},"documentation-and-record-retention","Documentation and record retention",[16,1085,1086],{},"HIPAA requires policies, procedures, and certain records be maintained for at least six years.",[137,1088,1090,1096,1102,1108],{"className":1089},[605],[74,1091,1093,1095],{"className":1092},[609],[611,1094],{"disabled":296,"type":613}," Maintain all HIPAA policies and procedures in a central, accessible location",[74,1097,1099,1101],{"className":1098},[609],[611,1100],{"disabled":296,"type":613}," Retain risk analysis, training, BAA, and incident documentation",[74,1103,1105,1107],{"className":1104},[609],[611,1106],{"disabled":296,"type":613}," Establish a document retention schedule with assigned responsibility",[74,1109,1111,1113],{"className":1110},[609],[611,1112],{"disabled":296,"type":613}," Implement version control for policies so prior versions remain accessible",[11,1115,1117],{"id":1116},"putting-the-checklist-to-work","Putting the checklist to work",[16,1119,1120,1121,1123],{},"This checklist is most effective as a 
living document. ",[23,1122,239],{"href":238}," should conduct an initial gap assessment, prioritize remediation based on risk, assign ownership for each item, set deadlines, and review at minimum annually. Compliance is an ongoing process — regular review combined with thorough risk analysis forms the foundation of a sustainable HIPAA program.",{"title":257,"searchDepth":258,"depth":258,"links":1125},[1126,1127,1132,1137,1142,1145,1148,1149],{"id":563,"depth":258,"text":564},{"id":591,"depth":258,"text":592,"children":1128},[1129,1130,1131],{"id":600,"depth":264,"text":601},{"id":635,"depth":264,"text":636},{"id":666,"depth":264,"text":667},{"id":691,"depth":258,"text":692,"children":1133},[1134,1135,1136],{"id":700,"depth":264,"text":701},{"id":719,"depth":264,"text":720},{"id":768,"depth":264,"text":769},{"id":829,"depth":258,"text":830,"children":1138},[1139,1140,1141],{"id":839,"depth":264,"text":840},{"id":870,"depth":264,"text":871},{"id":925,"depth":264,"text":926},{"id":968,"depth":258,"text":969,"children":1143},[1144],{"id":975,"depth":264,"text":976},{"id":1018,"depth":258,"text":1019,"children":1146},[1147],{"id":1027,"depth":264,"text":1028},{"id":1082,"depth":258,"text":1083},{"id":1116,"depth":258,"text":1117},"A comprehensive HIPAA compliance checklist covering the Privacy Rule, Security Rule, Business Associate Agreements, workforce training, and breach response procedures.",{},[293],[300,301,550,302],{"title":1155,"description":1156},"HIPAA Compliance Checklist - Complete Privacy, Security & Breach Guide","Use this HIPAA compliance checklist to cover Privacy Rule, Security Rule, BAAs, training, and breach procedures. 
Actionable steps for covered entities.","5.frameworks\u002Fhipaa\u002Fcompliance-checklist","TgjvUi6RZsVUtlwvZmd13fSd6pLgzAnqh-iCyksuoQw",{"id":1160,"title":1161,"body":1162,"description":1432,"extension":278,"faq":1433,"frameworkSlug":293,"lastUpdated":294,"meta":1447,"navigation":296,"path":1448,"relatedTerms":1449,"relatedTopics":1453,"seo":1456,"stem":1459,"__hash__":1460},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fcontingency-planning.md","HIPAA Contingency Planning",{"type":8,"value":1163,"toc":1417},[1164,1168,1171,1174,1189,1193,1196,1200,1203,1206,1217,1221,1224,1228,1231,1234,1238,1241,1245,1248,1252,1255,1293,1296,1300,1303,1329,1332,1336,1352,1355,1359,1403,1407,1410],[11,1165,1167],{"id":1166},"why-hipaa-contingency-planning-matters","Why HIPAA contingency planning matters",[16,1169,1170],{},"HIPAA §164.308(a)(7) — the Contingency Plan standard — requires covered entities and business associates to \"establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.\" Availability is one of the three security objectives of the Security Rule, alongside confidentiality and integrity, and contingency planning is the primary control for meeting it.",[16,1172,1173],{},"Cloud outages, ransomware, data center fires, hurricanes, and insider errors are all forecasted risks. A tested contingency plan is what turns each of these from a crisis into an incident — and a missing plan is one of the fastest ways to escalate an operational disruption into a HIPAA breach. 
The 2016 OCR ransomware guidance made this explicit: if a ransomware attack renders ePHI unavailable, that unavailability itself can constitute a breach absent a demonstration that the data was not compromised.",[16,1175,1176,1177,1179,1180,1183,1184,1188],{},"For the broader administrative safeguards context, see the ",[23,1178,26],{"href":25}," guide and the ",[23,1181,1182],{"href":35},"HIPAA hub page",". Contingency planning is tightly coupled with the ",[23,1185,1187],{"href":1186},"\u002Fframeworks\u002Fhipaa\u002Frisk-analysis","HIPAA risk analysis"," that prioritizes which systems get the most investment.",[11,1190,1192],{"id":1191},"the-five-implementation-specifications","The five implementation specifications",[16,1194,1195],{},"§164.308(a)(7)(ii) lists five implementation specifications. Three are required and two are addressable.",[51,1197,1199],{"id":1198},"data-backup-plan-required-164308a7iia","Data backup plan — required — §164.308(a)(7)(ii)(A)",[16,1201,1202],{},"The data backup plan establishes procedures to create and maintain retrievable exact copies of ePHI. At minimum it should define which systems are in scope, the frequency of backups, the retention period, the storage location, and the controls that protect backup data (encryption, access controls, immutability against ransomware).",[16,1204,1205],{},"A defensible backup plan answers three practical questions.",[137,1207,1208,1211,1214],{},[74,1209,1210],{},"Can we restore a single record, an entire table, and an entire system? Test each level.",[74,1212,1213],{},"Are backups isolated from the systems they protect? Ransomware routinely deletes online backups.",[74,1215,1216],{},"Does the backup itself meet the Security Rule? 
Encrypted backups stored with the same vendor as production often fail this test.",[51,1218,1220],{"id":1219},"disaster-recovery-plan-required-164308a7iib","Disaster recovery plan — required — §164.308(a)(7)(ii)(B)",[16,1222,1223],{},"The disaster recovery plan establishes procedures to restore any loss of data. It is the operational companion to the backup plan: backups give you something to restore from, while the DR plan tells you who does what, in what order, on what timeline. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets anchor the plan, and both should be derived from the criticality analysis described below.",[51,1225,1227],{"id":1226},"emergency-mode-operation-plan-required-164308a7iic","Emergency mode operation plan — required — §164.308(a)(7)(ii)(C)",[16,1229,1230],{},"The emergency mode operation plan defines how critical business processes continue during an emergency that impairs the organization's normal operations — while continuing to protect ePHI. It answers: who has authority to declare emergency mode, which systems and staff are essential, what fallback procedures apply (paper records, manual processes, alternate facilities), and how the organization returns to normal operation.",[16,1232,1233],{},"This is the specification most programs underinvest in. Backup and DR are familiar engineering problems; emergency mode operation is an organizational problem that requires coordination across clinical, operational, security, and legal teams.",[51,1235,1237],{"id":1236},"testing-and-revision-procedures-addressable-164308a7iid","Testing and revision procedures — addressable — §164.308(a)(7)(ii)(D)",[16,1239,1240],{},"Testing validates that the other three specifications actually work. Tabletop exercises, restore drills, and full failover tests each surface different failure modes. 
The implementation specification is addressable, but in practice untested plans fail when they are needed most — and OCR audit protocol treats testing as the primary evidence that contingency planning is operational rather than paper.",[51,1242,1244],{"id":1243},"applications-and-data-criticality-analysis-addressable-164308a7iie","Applications and data criticality analysis — addressable — §164.308(a)(7)(ii)(E)",[16,1246,1247],{},"Criticality analysis ranks applications and data by how important they are to the organization's operations. This is what tells you which systems need a 15-minute RTO and which can tolerate 72 hours. Without it, every system is treated as equally critical (which is unaffordable) or equally non-critical (which is catastrophic when the wrong system fails).",[11,1249,1251],{"id":1250},"building-the-plan","Building the plan",[16,1253,1254],{},"A workable HIPAA contingency plan has six components, regardless of organization size.",[71,1256,1257,1263,1269,1275,1281,1287],{},[74,1258,1259,1262],{},[59,1260,1261],{},"Scope statement."," Which systems, data, facilities, and vendors are covered. Reference the same asset inventory that feeds your risk analysis.",[74,1264,1265,1268],{},[59,1266,1267],{},"Criticality analysis."," RTO and RPO for each in-scope system, with written justification. 
Customer contractual commitments are part of this analysis.",[74,1270,1271,1274],{},[59,1272,1273],{},"Backup procedures."," Frequency, retention, encryption, storage, restore testing cadence, and responsible owners.",[74,1276,1277,1280],{},[59,1278,1279],{},"Disaster recovery runbooks."," Step-by-step procedures for failing over each critical system, including dependencies, communication templates, and roll-back criteria.",[74,1282,1283,1286],{},[59,1284,1285],{},"Emergency mode operations."," Authority, triggers, fallback processes, coordination with clinical or operational leadership, and return-to-normal criteria.",[74,1288,1289,1292],{},[59,1290,1291],{},"Testing and revision calendar."," A 12-month schedule that rotates through tabletop exercises, restore tests, and full failover drills.",[16,1294,1295],{},"Each component should have a named owner, a review cadence, and a last-reviewed date. Contingency plans decay fastest among Security Rule artifacts — systems change constantly, and a plan that described last quarter's architecture is no plan at all.",[11,1297,1299],{"id":1298},"testing-the-only-evidence-that-counts","Testing: the only evidence that counts",[16,1301,1302],{},"There is no substitute for live testing. A reasonable 12-month rotation looks like this.",[137,1304,1305,1311,1317,1323],{},[74,1306,1307,1310],{},[59,1308,1309],{},"Q1 — Tabletop exercise."," Walk through a scenario (ransomware detonation, regional cloud outage, data center fire) with the full incident response team. Capture decisions, gaps, and open questions.",[74,1312,1313,1316],{},[59,1314,1315],{},"Q2 — Restore drill."," Restore a production system from backup into an isolated environment. Validate data integrity, time-to-restore, and the runbook accuracy.",[74,1318,1319,1322],{},[59,1320,1321],{},"Q3 — Partial failover."," Fail over one critical system to its DR target. 
Measure RTO, RPO, and any customer-facing impact.",[74,1324,1325,1328],{},[59,1326,1327],{},"Q4 — Emergency mode exercise."," Simulate an extended disruption that forces fallback processes. Exercise the human workflows that the technical runbooks assume will work.",[16,1330,1331],{},"Document every test: scenario, participants, timeline, findings, and corrective actions. Those findings feed the next iteration of both the contingency plan and the risk analysis.",[11,1333,1335],{"id":1334},"how-this-fits-into-your-hipaa-program","How this fits into your HIPAA program",[16,1337,1338,1339,1341,1342,1346,1347,1351],{},"Contingency planning does not sit alone. It connects to the ",[23,1340,1187],{"href":1186}," that sizes the risks to availability. It connects to ",[23,1343,1345],{"href":1344},"\u002Fframeworks\u002Fhipaa\u002Ffacility-access-controls","facility access controls"," through the contingency operations implementation specification at §164.310(a)(2)(i), which requires procedures allowing facility access during recovery. It connects to ",[23,1348,1350],{"href":1349},"\u002Fframeworks\u002Fhipaa\u002Fworkforce-training","workforce training"," because the plan only works if the people executing it have rehearsed their roles. It connects to BAAs, because most covered entities depend on business associates for critical systems, and the contingency plan must account for vendor failures as well as internal ones.",[16,1353,1354],{},"It also connects to breach notification. When ransomware or extended downtime exposes ePHI, the contingency response and the breach response run in parallel and share evidence. 
Design them to share templates, logs, and decision gates.",[11,1356,1358],{"id":1357},"common-pitfalls","Common pitfalls",[137,1360,1361,1367,1373,1379,1385,1391,1397],{},[74,1362,1363,1366],{},[59,1364,1365],{},"Backup and DR without emergency mode."," Engineers build strong recovery tooling, but there is no written answer for how clinical or operational staff continue their work during the hours before recovery completes.",[74,1368,1369,1372],{},[59,1370,1371],{},"Untested plans."," The plan is thorough on paper and has never been exercised. The first real incident exposes assumptions that do not match reality.",[74,1374,1375,1378],{},[59,1376,1377],{},"Backups in the same failure domain as production."," Backups stored on the same platform, region, or account as production systems are one ransomware event away from being useless.",[74,1380,1381,1384],{},[59,1382,1383],{},"Criticality analysis is missing or generic."," Every system is \"critical,\" so investment scatters and the systems that actually matter are under-protected.",[74,1386,1387,1390],{},[59,1388,1389],{},"Vendor gaps."," The plan assumes a business associate will restore its own systems within an RTO that the BAA never committed to. Renegotiate or document the risk.",[74,1392,1393,1396],{},[59,1394,1395],{},"No return-to-normal."," Plans cover failover but not failback. Weeks later, the organization is still operating in the emergency mode environment with degraded controls.",[74,1398,1399,1402],{},[59,1400,1401],{},"Stale documentation."," The plan references systems, vendors, or personnel that no longer exist. During an incident, this wastes the hours that matter most.",[11,1404,1406],{"id":1405},"how-episki-helps","How episki helps",[16,1408,1409],{},"episki brings contingency planning into the same workspace as the rest of your HIPAA program. 
Asset inventories feed the criticality analysis; backup, DR, and emergency mode runbooks live alongside the policies they implement; testing calendars and post-test findings stay linked to the systems they affect; and evidence rolls up automatically for OCR audits and customer reviews. When a real incident lands, the runbook, the contact list, and the decision log are in one place — not in a shared drive nobody has opened in nine months.",[16,1411,1412,1413,1416],{},"See the full ",[23,1414,1415],{"href":35},"HIPAA platform overview"," or start a free trial from the top of the hub page.",{"title":257,"searchDepth":258,"depth":258,"links":1418},[1419,1420,1427,1428,1429,1430,1431],{"id":1166,"depth":258,"text":1167},{"id":1191,"depth":258,"text":1192,"children":1421},[1422,1423,1424,1425,1426],{"id":1198,"depth":264,"text":1199},{"id":1219,"depth":264,"text":1220},{"id":1226,"depth":264,"text":1227},{"id":1236,"depth":264,"text":1237},{"id":1243,"depth":264,"text":1244},{"id":1250,"depth":258,"text":1251},{"id":1298,"depth":258,"text":1299},{"id":1334,"depth":258,"text":1335},{"id":1357,"depth":258,"text":1358},{"id":1405,"depth":258,"text":1406},"HIPAA §164.308(a)(7) requires covered entities and business associates to maintain data backup, disaster recovery, and emergency mode operation plans. Here is how to build them.",{"items":1434},[1435,1438,1441,1444],{"label":1436,"content":1437},"Is a HIPAA contingency plan required?","Yes. §164.308(a)(7) is a required standard, and three of its five implementation specifications — data backup, disaster recovery, and emergency mode operation — are also required. 
The other two (testing and applications\u002Fdata criticality analysis) are addressable, meaning you must implement them, document an equivalent, or justify their absence.",{"label":1439,"content":1440},"How often should we test our HIPAA contingency plan?","HIPAA does not prescribe a cadence, but mature programs test at least annually and after any material change to the environment. Tabletop exercises, restore-from-backup drills, and full DR failover tests each serve different purposes — most programs rotate through them over a calendar year.",{"label":1442,"content":1443},"What is emergency mode operation under HIPAA?","Emergency mode operation is the procedure your organization follows during a disruption to continue critical business processes while protecting ePHI. It defines who has authority, which systems must stay running, what fallback processes apply, and how you return to normal operations once the incident is resolved.",{"label":1445,"content":1446},"Do cloud SaaS companies still need a contingency plan?","Yes. The HIPAA Security Rule applies regardless of where ePHI lives. Inherited controls from your cloud provider cover portions of the infrastructure, but your own contingency plan must address application-layer recovery, RTO and RPO commitments to customers, and coordination with your BAA partners.",{},"\u002Fframeworks\u002Fhipaa\u002Fcontingency-planning",[293,1450,1451,1452],"phi","covered-entity","business-associate",[300,1454,1455,303],"risk-analysis","facility-access-controls",{"title":1457,"description":1458},"HIPAA Contingency Planning - §164.308(a)(7) Backup, DR & Testing","Build a HIPAA contingency plan that satisfies §164.308(a)(7). 
Data backup, disaster recovery, emergency mode operations, testing, and criticality analysis.","5.frameworks\u002Fhipaa\u002Fcontingency-planning","KhxjEUzMIykO_6ZX-W43j9Y9TaiAZYnR7SQPWZJK2Ho",{"id":1462,"title":1463,"body":1464,"description":1723,"extension":278,"faq":1724,"frameworkSlug":293,"lastUpdated":294,"meta":1738,"navigation":296,"path":1344,"relatedTerms":1739,"relatedTopics":1740,"seo":1743,"stem":1746,"__hash__":1747},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Ffacility-access-controls.md","HIPAA Facility Access Controls",{"type":8,"value":1465,"toc":1708},[1466,1470,1473,1476,1483,1487,1490,1494,1501,1504,1508,1511,1514,1518,1521,1524,1528,1531,1534,1538,1541,1544,1561,1567,1571,1574,1606,1609,1613,1616,1636,1638,1653,1659,1661,1699,1701,1704],[11,1467,1469],{"id":1468},"why-hipaa-facility-access-controls-matter","Why HIPAA facility access controls matter",[16,1471,1472],{},"HIPAA §164.310(a) — the Facility Access Controls standard — requires covered entities and business associates to \"implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.\" It is one of the four standards in the physical safeguards category, alongside workstation use, workstation security, and device and media controls.",[16,1474,1475],{},"Physical safeguards sit at an uncomfortable intersection for modern SaaS companies. The hyperscale cloud providers that host most production ePHI inherit the bulk of data center controls, but that does not end the obligation — it shifts it. Workforce offices, co-working spaces, home offices, warehouses, and any location where physical media moves are still in scope. 
And for clinical settings, physical safeguards are front-line compliance work.",[16,1477,1478,1479,1179,1481,42],{},"For the broader physical safeguards context, see the ",[23,1480,26],{"href":25},[23,1482,1182],{"href":35},[11,1484,1486],{"id":1485},"the-four-implementation-specifications","The four implementation specifications",[16,1488,1489],{},"§164.310(a)(2) lists four implementation specifications. All four are addressable — meaning you must implement each, document an equivalent, or justify its absence based on your risk analysis.",[51,1491,1493],{"id":1492},"contingency-operations-164310a2i","Contingency operations — §164.310(a)(2)(i)",[16,1495,1496,1497,1500],{},"Contingency operations establish procedures that allow facility access in support of the restoration of lost data under the ",[23,1498,1499],{"href":1448},"HIPAA contingency plan",". In other words, when you are recovering from a disaster, the people who need to enter a facility to restore systems must be able to do so — without bypassing your normal access controls entirely.",[16,1502,1503],{},"This specification is often neglected because it sits at the intersection of physical security and disaster recovery. Neither team owns it completely. The fix is to name an owner, define who has emergency access authority, document how access is granted during a contingency, and exercise the procedure during your DR tests.",[51,1505,1507],{"id":1506},"facility-security-plan-164310a2ii","Facility security plan — §164.310(a)(2)(ii)",[16,1509,1510],{},"The facility security plan documents policies and procedures that safeguard the facility and the equipment inside it from unauthorized physical access, tampering, and theft. It should describe the physical boundaries of each facility, the controls at each boundary (locks, badge readers, cameras, alarms), monitoring expectations, and the responsible owners.",[16,1512,1513],{},"A defensible facility security plan is not generic. 
It describes your buildings, your controls, and your threats — not a template's buildings. Include floor plans, control inventories, and risk notes for each location.",[51,1515,1517],{"id":1516},"access-control-and-validation-164310a2iii","Access control and validation — §164.310(a)(2)(iii)",[16,1519,1520],{},"Access control and validation procedures govern who gets in and how their identity is validated. This includes workforce members, visitors, vendors, maintenance personnel, and contractors. For workforce members, validation usually rides on the same identity infrastructure as logical access: badge plus PIN, badge plus biometric, or badge plus escort for lower-trust areas. For visitors, the industry standard is photo identification, sign-in, a visible badge for the duration of the visit, and escort in sensitive areas.",[16,1522,1523],{},"Access levels should be role-based and reviewed periodically. When a workforce member changes roles or leaves the organization, their physical access must be revoked promptly — this is one of the most common and most embarrassing OCR findings.",[51,1525,1527],{"id":1526},"maintenance-records-164310a2iv","Maintenance records — §164.310(a)(2)(iv)",[16,1529,1530],{},"Maintenance records document repairs and modifications to the physical components of the facility that are related to security — hardware, walls, doors, locks, badge readers, alarms, and cameras. The point is traceability: if a door is cut for cabling and then poorly resealed, the record is how you catch it on the next audit.",[16,1532,1533],{},"Modern facility management systems handle most of this automatically. The gap is usually the tenant-improvement and office-move scenarios where construction work bypasses the normal ticket flow.",[11,1535,1537],{"id":1536},"extending-the-perimeter-to-remote-work","Extending the perimeter to remote work",[16,1539,1540],{},"The traditional facility access model assumes a building with a door, a badge reader, and a receptionist. 
That model covers fewer workforce members every year. Modern HIPAA programs treat the facility boundary as wherever a workforce member handles PHI.",[16,1542,1543],{},"Your controls should answer practical questions for remote workers.",[137,1545,1546,1549,1552,1555,1558],{},[74,1547,1548],{},"What is the expectation for a home office workspace? Locked door? Locked filing cabinet for any printed PHI?",[74,1550,1551],{},"How is PHI handled in shared living spaces, coffee shops, and during travel?",[74,1553,1554],{},"Who is allowed to be present when the workforce member is viewing PHI on a screen?",[74,1556,1557],{},"How are corporate devices secured when not in use?",[74,1559,1560],{},"What is the process for returning devices at offboarding, especially when the workforce member never set foot in a corporate office?",[16,1562,1563,1564,1566],{},"Bake these expectations into the acceptable use policy and the ",[23,1565,1350],{"href":1349}," curriculum, then validate adherence through attestations, device management telemetry, and spot checks.",[11,1568,1570],{"id":1569},"visitor-management","Visitor management",[16,1572,1573],{},"Visitor management is the most visible facility access control and the most common source of awkward findings during on-site audits. 
A defensible process includes five elements.",[71,1575,1576,1582,1588,1594,1600],{},[74,1577,1578,1581],{},[59,1579,1580],{},"Pre-arrival notification."," Hosts announce expected visitors in advance.",[74,1583,1584,1587],{},[59,1585,1586],{},"Identity verification."," Government-issued photo identification at sign-in.",[74,1589,1590,1593],{},[59,1591,1592],{},"Visible badge."," A badge that differs from workforce member badges, valid only for the day.",[74,1595,1596,1599],{},[59,1597,1598],{},"Escort requirement."," Visitors are escorted in sensitive areas — server rooms, clinical areas, wherever PHI is physically accessible.",[74,1601,1602,1605],{},[59,1603,1604],{},"Sign-out and badge return."," A clean closeout so the log reflects who is actually in the building.",[16,1607,1608],{},"Camera coverage of entrances, reception areas, and sensitive zones supports the visitor log as corroborating evidence. Retain footage per your policy and review after any incident.",[11,1610,1612],{"id":1611},"cloud-inheritance-and-the-baa","Cloud inheritance and the BAA",[16,1614,1615],{},"For the portion of your ePHI that lives with a hyperscale cloud provider, the provider's physical controls are inherited through the BAA. You should still do three things.",[137,1617,1618,1624,1630],{},[74,1619,1620,1623],{},[59,1621,1622],{},"Document the inheritance."," Map each §164.310(a) specification to the provider control that covers it, and cite the provider's compliance attestations (SOC 2, HITRUST, or equivalent).",[74,1625,1626,1629],{},[59,1627,1628],{},"Scope the boundary."," Make explicit what is and is not inherited. A cloud provider does not cover your office, your laptop, or your home workspace.",[74,1631,1632,1635],{},[59,1633,1634],{},"Keep the BAA current."," Provider BAAs change. 
Track versions and re-review when providers update their terms.",[11,1637,1335],{"id":1334},[16,1639,1640,1641,1645,1646,1649,1650,1652],{},"Facility access controls pair with several other safeguards. ",[23,1642,1644],{"href":1643},"\u002Fframeworks\u002Fhipaa\u002Fworkstation-and-device-controls","Workstation and device controls"," pick up where facility controls end, governing the endpoints inside the facility. ",[23,1647,1648],{"href":1448},"Contingency planning"," shares the contingency operations specification and exercises it during DR tests. The ",[23,1651,1187],{"href":1186}," identifies which facilities, regions, and configurations carry the greatest physical risk and directs investment there.",[16,1654,1655,1656,1658],{},"Access control and validation also tie back to ",[23,1657,1350],{"href":1349},". Workforce members need to know what to do when they see an unbadged visitor in a restricted area, how to handle tailgating at the main entrance, and where to escalate suspected physical security concerns. Training transforms the policy into active vigilance.",[11,1660,1358],{"id":1357},[137,1662,1663,1669,1675,1681,1687,1693],{},[74,1664,1665,1668],{},[59,1666,1667],{},"Office-only thinking."," The plan covers the main office but not co-working spaces, satellite facilities, or home offices where workforce members routinely handle PHI.",[74,1670,1671,1674],{},[59,1672,1673],{},"Orphaned badge access."," Terminated workforce members retain badge access for days or weeks because deprovisioning is not tied to the HR offboarding event.",[74,1676,1677,1680],{},[59,1678,1679],{},"Untested contingency access."," When a DR event actually happens, no one can prove they have authority to enter a facility, and recovery is delayed.",[74,1682,1683,1686],{},[59,1684,1685],{},"Visitor log on paper only."," The log is on a clipboard at reception, no photo ID is captured, and the book is discarded annually. 
There is nothing to review after an incident.",[74,1688,1689,1692],{},[59,1690,1691],{},"No maintenance record trail."," Construction and facility work bypass the normal ticket flow, so a door cut for cabling six months ago never made it into the security record.",[74,1694,1695,1698],{},[59,1696,1697],{},"Cloud inheritance undocumented."," The organization relies on a cloud provider for physical safeguards but cannot produce the mapping during an audit, and the cloud provider's BAA in the evidence locker is two years old.",[11,1700,1406],{"id":1405},[16,1702,1703],{},"episki maps §164.310(a) to your facilities, cloud providers, and remote work program so the full scope of physical safeguards is visible in one place. Visitor management, badge review, maintenance records, and cloud inheritance attestations feed the evidence locker; facility risk notes feed the HIPAA risk analysis; and role-based physical access reviews run on the same schedule as logical access reviews. When a customer asks for your physical security posture, the answer is ready.",[16,1705,1412,1706,1416],{},[23,1707,1415],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":1709},[1710,1711,1717,1718,1719,1720,1721,1722],{"id":1468,"depth":258,"text":1469},{"id":1485,"depth":258,"text":1486,"children":1712},[1713,1714,1715,1716],{"id":1492,"depth":264,"text":1493},{"id":1506,"depth":264,"text":1507},{"id":1516,"depth":264,"text":1517},{"id":1526,"depth":264,"text":1527},{"id":1536,"depth":258,"text":1537},{"id":1569,"depth":258,"text":1570},{"id":1611,"depth":258,"text":1612},{"id":1334,"depth":258,"text":1335},{"id":1357,"depth":258,"text":1358},{"id":1405,"depth":258,"text":1406},"HIPAA §164.310(a) requires physical safeguards over the facilities that house ePHI. 
Here is how to implement access controls, visitor management, and contingency operations.",{"items":1725},[1726,1729,1732,1735],{"label":1727,"content":1728},"Do cloud-only SaaS companies need facility access controls?","Yes, but the scope is narrower. You inherit most data center controls from your hyperscale cloud provider through its BAA, but you still need facility access controls for your offices, any location where workforce members handle PHI, and any physical media you ship or receive.",{"label":1730,"content":1731},"What counts as a facility under HIPAA?","A facility is the physical premises and interior and exterior of any building that contains electronic information systems or ePHI. This includes data centers, offices, clinics, warehouses holding devices, and any location where workforce members routinely access ePHI.",{"label":1733,"content":1734},"Are visitor logs required under HIPAA?","Visitor logs are not explicitly required by rule, but they are the most common evidence that facility access controls are operating. OCR audit protocol asks how the organization controls access for visitors, vendors, and maintenance personnel, and a log is the standard answer.",{"label":1736,"content":1737},"How does remote work change facility access controls?","Remote work shifts the facility boundary to the workforce member's home. Your controls must address home office expectations, shared spaces, physical security of devices, and the handling of printed PHI — because all of those are now inside the facility for HIPAA purposes.",{},[293,1450,1451,1452],[300,1741,1742,1454],"workstation-and-device-controls","contingency-planning",{"title":1744,"description":1745},"HIPAA Facility Access Controls - §164.310(a) Physical Safeguards Guide","Implement HIPAA facility access controls under §164.310(a). 
Contingency operations, facility security plans, access validation, and maintenance records.","5.frameworks\u002Fhipaa\u002Ffacility-access-controls","8840pyLYjYlEDDgbJIxRgnyBuP1Jq9iorYZyb9_20gY",{"id":1749,"title":1750,"body":1751,"description":2088,"extension":278,"faq":2089,"frameworkSlug":293,"lastUpdated":294,"meta":2103,"navigation":296,"path":2104,"relatedTerms":2105,"relatedTopics":2107,"seo":2108,"stem":2111,"__hash__":2112},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fhitech-and-omnibus.md","HITECH Act and the HIPAA Omnibus Rule",{"type":8,"value":1752,"toc":2064},[1753,1757,1760,1763,1777,1781,1784,1788,1791,1794,1798,1801,1804,1808,1811,1815,1818,1822,1825,1829,1832,1836,1839,1846,1850,1853,1857,1860,1864,1867,1871,1874,1878,1881,1885,1888,1892,1990,1994,1997,2000,2002,2015,2017,2055,2057,2060],[11,1754,1756],{"id":1755},"why-hitech-and-the-omnibus-rule-matter","Why HITECH and the Omnibus Rule matter",[16,1758,1759],{},"Original HIPAA — the 1996 law and its initial Privacy and Security Rules — created the framework for protecting patient health information in the United States. But by the mid-2000s, two realities had outgrown that framework. First, business associates handled a huge and growing share of PHI, yet their only legal obligation was through contract, not regulation. Second, electronic health records were about to be adopted at unprecedented scale, dramatically expanding the volume and mobility of ePHI.",[16,1761,1762],{},"HITECH and the Omnibus Rule addressed both realities. HITECH — the Health Information Technology for Economic and Clinical Health Act, enacted February 17, 2009 as Title XIII of the American Recovery and Reinvestment Act — statutorily extended HIPAA obligations to business associates, created a federal Breach Notification Rule, increased civil penalties, and funded EHR adoption through the Meaningful Use program. 
The 2013 HIPAA Omnibus Rule then translated HITECH into binding regulation and layered on additional changes, producing the modern HIPAA framework that every covered entity and business associate operates under today.",[16,1764,1765,1766,1768,1769,1771,1772,1774,1775,42],{},"For the broader HIPAA framework context, see the ",[23,1767,1182],{"href":35},". For related detail, see the ",[23,1770,31],{"href":30},", the ",[23,1773,26],{"href":25},", and the ",[23,1776,411],{"href":297},[11,1778,1780],{"id":1779},"what-hitech-changed","What HITECH changed",[16,1782,1783],{},"HITECH is the larger of the two shifts in substance, even though the Omnibus Rule is where most of the regulatory text actually lives.",[51,1785,1787],{"id":1786},"direct-liability-for-business-associates","Direct liability for business associates",[16,1789,1790],{},"Before HITECH, the Security Rule and most of the Privacy Rule applied only to covered entities. Business associates were bound to HIPAA only through their BAAs — contractual, not regulatory. HITECH changed that at §§13401 and 13404, making the Security Rule and specified Privacy Rule obligations directly applicable to business associates. OCR can now enforce HIPAA against a business associate directly, without the covered entity in the middle.",[16,1792,1793],{},"In practice, this is the change that pulled every healthcare-facing SaaS company directly into the HIPAA enforcement orbit.",[51,1795,1797],{"id":1796},"federal-breach-notification-requirements","Federal breach notification requirements",[16,1799,1800],{},"HITECH §13402 created the first federal Breach Notification Rule. Before HITECH, breach notification was governed by a patchwork of state laws with inconsistent definitions and timelines. 
HITECH established a uniform federal floor for unsecured PHI: notify affected individuals without unreasonable delay and no later than 60 days after discovery, notify HHS (annually for breaches affecting fewer than 500 individuals, within 60 days for breaches affecting 500 or more), and notify prominent media outlets for breaches affecting more than 500 residents of a state or jurisdiction.",[16,1802,1803],{},"Business associates must notify the covered entity, which in turn notifies the individuals. The risk assessment that determines whether an impermissible use or disclosure is a reportable breach originates here; the 2009 interim final rule framed it as a \"significant risk of harm\" test, which the Omnibus Rule later replaced with the presumption of breach and the four-factor analysis.",[51,1805,1807],{"id":1806},"increased-civil-penalties","Increased civil penalties",[16,1809,1810],{},"HITECH §13410(d) restructured HIPAA civil monetary penalties into the four-tier scheme that remains in effect: unknowing violations, reasonable cause, willful neglect corrected, and willful neglect uncorrected. Maximum annual penalties reached $1.5 million per violation category, adjusted annually for inflation. State attorneys general gained authority to bring enforcement actions.",[51,1812,1814],{"id":1813},"meaningful-use-and-the-ehr-buildout","Meaningful Use and the EHR buildout",[16,1816,1817],{},"HITECH also funded the nationwide rollout of electronic health records through Medicare and Medicaid incentive payments, later restructured as the Promoting Interoperability programs. The effect was to multiply the volume of electronic PHI subject to HIPAA protections — and to multiply the number of SaaS vendors building in the healthcare space.",[51,1819,1821],{"id":1820},"patient-access-to-electronic-records","Patient access to electronic records",[16,1823,1824],{},"HITECH §13405(e) strengthened individual access rights for ePHI held in EHRs. Individuals could request an electronic copy and direct that copy to a third party. 
Fees for electronic copies were limited to labor costs, eliminating the markup that some providers had applied to paper copies.",[11,1826,1828],{"id":1827},"what-the-2013-omnibus-rule-changed","What the 2013 Omnibus Rule changed",[16,1830,1831],{},"The HIPAA Omnibus Rule — published January 25, 2013, effective March 26, 2013, with compliance required by September 23, 2013 — implemented HITECH and added further changes across all four HIPAA rules. Seven changes stand out.",[51,1833,1835],{"id":1834},"baa-obligations-extended-to-subcontractors","BAA obligations extended to subcontractors",[16,1837,1838],{},"Before Omnibus, BAAs flowed one hop: covered entity to business associate. Omnibus required business associates to execute BAAs with any subcontractor that creates, receives, maintains, or transmits PHI on their behalf, and made those subcontractors business associates in their own right. The effect was to close the pass-through loophole and align the chain of PHI custody with the chain of legal responsibility.",[16,1840,1841,1842,1845],{},"See the ",[23,1843,1844],{"href":178},"business associate agreements"," guide for the full BAA content requirements.",[51,1847,1849],{"id":1848},"breach-definition-tightened","Breach definition tightened",[16,1851,1852],{},"Omnibus replaced the HITECH \"significant risk of harm\" test with a presumption of breach and a four-factor risk assessment. Under the revised rule, any impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates through the four factors that there is a low probability the PHI has been compromised. 
The shift favored notification over non-notification and made marginal cases more likely to be reported.",[51,1854,1856],{"id":1855},"genetic-information-protections","Genetic information protections",[16,1858,1859],{},"Omnibus incorporated the Genetic Information Nondiscrimination Act (GINA) into HIPAA, clarifying that genetic information is PHI and prohibiting the use or disclosure of genetic information by health plans for underwriting purposes.",[51,1861,1863],{"id":1862},"stronger-patient-rights","Stronger patient rights",[16,1865,1866],{},"Patients gained the right to restrict disclosures to health plans when they pay out of pocket in full for a service, the right to receive electronic copies of their ePHI in EHR systems within 30 days, and stronger authorization requirements for the sale of PHI and for marketing communications.",[51,1868,1870],{"id":1869},"updated-notice-of-privacy-practices","Updated Notice of Privacy Practices",[16,1872,1873],{},"Every covered entity had to update its Notice of Privacy Practices to reflect the new rules, including the breach notification obligation, the expanded patient rights, and the uses of PHI for marketing and fundraising that now required authorization.",[51,1875,1877],{"id":1876},"enforcement-teeth","Enforcement teeth",[16,1879,1880],{},"Omnibus codified the HITECH penalty tiers and required HHS to formally investigate any complaint or compliance review indicating possible willful neglect and to impose a penalty where willful neglect is found; the periodic audit program is a separate HITECH mandate at §13411. 
Informal resolution remained available for lesser violations, but findings of willful neglect could no longer be closed without investigation and penalty.",[51,1882,1884],{"id":1883},"liability-for-agents","Liability for agents",[16,1886,1887],{},"Omnibus made clear that covered entities are liable for the acts of their business associates that are agents under federal common law — a narrow but meaningful exposure that forced sharper scrutiny of control over business associate operations.",[11,1889,1891],{"id":1890},"original-hipaa-vs-post-omnibus-hipaa-at-a-glance","Original HIPAA vs post-Omnibus HIPAA at a glance",[1893,1894,1895,1911],"table",{},[1896,1897,1898],"thead",{},[1899,1900,1901,1905,1908],"tr",{},[1902,1903,1904],"th",{},"Topic",[1902,1906,1907],{},"Original HIPAA (pre-2009)",[1902,1909,1910],{},"Post-HITECH \u002F Omnibus",[1912,1913,1914,1925,1935,1946,1957,1968,1979],"tbody",{},[1899,1915,1916,1919,1922],{},[1917,1918,464],"td",{},[1917,1920,1921],{},"Contractual only (via BAA)",[1917,1923,1924],{},"Direct regulatory liability",[1899,1926,1927,1929,1932],{},[1917,1928,351],{},[1917,1930,1931],{},"Not explicitly covered",[1917,1933,1934],{},"Covered as business associates",[1899,1936,1937,1940,1943],{},[1917,1938,1939],{},"Breach notification",[1917,1941,1942],{},"State-law patchwork",[1917,1944,1945],{},"Federal rule, 60-day deadline",[1899,1947,1948,1951,1954],{},[1917,1949,1950],{},"Civil penalties",[1917,1952,1953],{},"Up to $25,000 per year, per violation category",[1917,1955,1956],{},"Four-tier structure, up to $1.5M per year, per category",[1899,1958,1959,1962,1965],{},[1917,1960,1961],{},"State attorney general enforcement",[1917,1963,1964],{},"Not authorized",[1917,1966,1967],{},"Authorized by HITECH",[1899,1969,1970,1973,1976],{},[1917,1971,1972],{},"Electronic access to PHI",[1917,1974,1975],{},"Paper-oriented",[1917,1977,1978],{},"Electronic copy within 30 days",[1899,1980,1981,1984,1987],{},[1917,1982,1983],{},"Genetic information",[1917,1985,1986],{},"Covered in part",[1917,1988,1989],{},"Covered 
explicitly, underwriting prohibited",[11,1991,1993],{"id":1992},"how-hitech-and-omnibus-changed-operational-practice","How HITECH and Omnibus changed operational practice",[16,1995,1996],{},"For covered entities, the biggest operational change was BAA renegotiation — every BAA in force had to be updated to meet the Omnibus content requirements. For business associates, the change was existential: overnight, every vendor with PHI access was directly on the hook for the Security Rule, the Breach Notification Rule, and the relevant Privacy Rule obligations.",[16,1998,1999],{},"For modern healthcare SaaS companies, the practical implication is that \"we are a business associate\" is no longer a contractual fact — it is a regulatory status with its own documentation, risk analysis, breach reporting, and audit exposure. The HITECH and Omnibus changes are the reason a small SaaS vendor can now receive an OCR enforcement letter in its own right.",[11,2001,1335],{"id":1334},[16,2003,2004,2005,1771,2007,1771,2009,2011,2012,2014],{},"HITECH and Omnibus are not separate frameworks to track — they are layered into the modern HIPAA rules. You satisfy them by complying with the ",[23,2006,31],{"href":30},[23,2008,26],{"href":25},[23,2010,411],{"href":297},", and the BAA requirements at ",[23,2013,1844],{"href":178},". 
The reason to understand the history is that it explains which obligations apply to which parties, and why the BAA flow-down, breach notification, and penalty structures look the way they do today.",[11,2016,1358],{"id":1357},[137,2018,2019,2025,2031,2037,2043,2049],{},[74,2020,2021,2024],{},[59,2022,2023],{},"Stale BAAs."," Some BAAs on file still reflect pre-Omnibus templates, missing subcontractor flow-down, breach notification language, and updated permitted use categories.",[74,2026,2027,2030],{},[59,2028,2029],{},"Outdated Notice of Privacy Practices."," The notice has not been refreshed since 2013, missing language required by subsequent guidance and regulatory updates.",[74,2032,2033,2036],{},[59,2034,2035],{},"Breach analyses that apply the old test."," Analysts still ask whether a disclosure caused \"significant risk of harm,\" rather than applying the four-factor test from Omnibus. The old test is defunct.",[74,2038,2039,2042],{},[59,2040,2041],{},"Undercounted subcontractors."," A business associate has not papered BAAs with its subcontractors because it treats them as \"just vendors.\" Omnibus closed that gap.",[74,2044,2045,2048],{},[59,2046,2047],{},"No risk analysis refresh after material change."," HITECH and Omnibus introduced new obligations that should have triggered a risk analysis update. Many organizations never did one.",[74,2050,2051,2054],{},[59,2052,2053],{},"Confusing HITECH, HITRUST, and HIPAA."," Operators sometimes use the three names interchangeably. HITECH is federal law, HIPAA is federal law and regulations, and HITRUST is a private certification.",[11,2056,1406],{"id":1405},[16,2058,2059],{},"episki carries the modern HIPAA regulatory structure in its bones. 
BAA templates reflect Omnibus Rule requirements; breach analysis workflows apply the four-factor test automatically; risk analyses incorporate HITECH-era threats like EHR interoperability and vendor sprawl; and policy libraries reference the underlying regulation so you always know which clause a control satisfies.",[16,2061,1412,2062,1416],{},[23,2063,1415],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":2065},[2066,2067,2074,2083,2084,2085,2086,2087],{"id":1755,"depth":258,"text":1756},{"id":1779,"depth":258,"text":1780,"children":2068},[2069,2070,2071,2072,2073],{"id":1786,"depth":264,"text":1787},{"id":1796,"depth":264,"text":1797},{"id":1806,"depth":264,"text":1807},{"id":1813,"depth":264,"text":1814},{"id":1820,"depth":264,"text":1821},{"id":1827,"depth":258,"text":1828,"children":2075},[2076,2077,2078,2079,2080,2081,2082],{"id":1834,"depth":264,"text":1835},{"id":1848,"depth":264,"text":1849},{"id":1855,"depth":264,"text":1856},{"id":1862,"depth":264,"text":1863},{"id":1869,"depth":264,"text":1870},{"id":1876,"depth":264,"text":1877},{"id":1883,"depth":264,"text":1884},{"id":1890,"depth":258,"text":1891},{"id":1992,"depth":258,"text":1993},{"id":1334,"depth":258,"text":1335},{"id":1357,"depth":258,"text":1358},{"id":1405,"depth":258,"text":1406},"The 2009 HITECH Act and the 2013 HIPAA Omnibus Rule reshaped HIPAA - extending it to business associates, creating breach notification, and raising penalties. Here is what changed.",{"items":2090},[2091,2094,2097,2100],{"label":2092,"content":2093},"What is the HITECH Act?","The Health Information Technology for Economic and Clinical Health Act was signed into law in 2009 as part of the American Recovery and Reinvestment Act. 
It extended HIPAA obligations directly to business associates, introduced federal breach notification requirements, increased civil monetary penalties, and funded the nationwide adoption of electronic health records.",{"label":2095,"content":2096},"What is the HIPAA Omnibus Rule?","The 2013 HIPAA Omnibus Rule is the regulation that implemented HITECH and made additional changes to the Privacy, Security, Breach Notification, and Enforcement Rules. It extended the Privacy and Security Rules to business associates and their subcontractors, tightened the breach definition, strengthened patient access rights, and aligned HIPAA with the Genetic Information Nondiscrimination Act.",{"label":2098,"content":2099},"Do business associates have direct HIPAA liability?","Yes, since HITECH. Before 2009, business associates were bound to HIPAA only through the contractual obligations of a BAA. After HITECH, business associates became directly liable for compliance with the HIPAA Security Rule and certain Privacy Rule obligations, and OCR can enforce against them directly.",{"label":2101,"content":2102},"What did the Omnibus Rule change for BAAs?","The Omnibus Rule extended BAA requirements to subcontractors of business associates, tightened what a compliant BAA must contain, and made subcontractors directly liable under HIPAA. 
It also required covered entities and business associates to bring their BAAs into compliance by September 23, 2013, with a transition period to September 22, 2014 for qualifying BAAs already in force before January 25, 2013.",{},"\u002Fframeworks\u002Fhipaa\u002Fhitech-and-omnibus",[293,1450,2106,1451,1452],"baa",[550,302,301,300],{"title":2109,"description":2110},"HITECH Act & HIPAA Omnibus Rule - What Changed From Original HIPAA","How the 2009 HITECH Act and 2013 HIPAA Omnibus Rule expanded HIPAA to business associates, introduced breach notification, and increased civil penalties.","5.frameworks\u002Fhipaa\u002Fhitech-and-omnibus","MfJqKIqi-cHUA-dvwY87Y4hwnTFsW3lArdJ8FBLVgoM",{"id":2114,"title":2115,"body":2116,"description":2353,"extension":278,"faq":2354,"frameworkSlug":293,"lastUpdated":294,"meta":2368,"navigation":296,"path":2369,"relatedTerms":2370,"relatedTopics":2371,"seo":2373,"stem":2376,"__hash__":2377},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fminimum-necessary-rule.md","HIPAA Minimum Necessary Rule",{"type":8,"value":2117,"toc":2337},[2118,2122,2125,2128,2135,2139,2142,2146,2149,2153,2156,2160,2163,2167,2170,2174,2177,2197,2200,2204,2207,2239,2242,2246,2249,2252,2256,2259,2262,2264,2279,2282,2284,2328,2330,2333],[11,2119,2121],{"id":2120},"why-the-hipaa-minimum-necessary-rule-matters","Why the HIPAA minimum necessary rule matters",[16,2123,2124],{},"The HIPAA minimum necessary standard — codified at 45 CFR §164.502(b) and elaborated at §164.514(d) — is one of the Privacy Rule's most consequential provisions. In a single sentence, it requires covered entities and business associates to \"make reasonable efforts to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.\"",[16,2126,2127],{},"The rule is the Privacy Rule equivalent of least privilege. 
It operates on four planes simultaneously: internal uses of PHI by the workforce, routine disclosures to outside parties, non-routine disclosures evaluated case by case, and requests the organization makes to others. Each plane requires different controls, and enforcement actions that cite the minimum necessary standard typically trace back to a failure on at least one of them.",[16,2129,2130,2131,1179,2133,42],{},"For the broader Privacy Rule context, see the ",[23,2132,31],{"href":30},[23,2134,1182],{"href":35},[11,2136,2138],{"id":2137},"what-the-standard-actually-requires","What the standard actually requires",[16,2140,2141],{},"§164.502(b) establishes the general obligation, and §164.514(d) details how to implement it. The implementing rule requires four things.",[51,2143,2145],{"id":2144},"policies-and-procedures-for-internal-uses-164514d2","Policies and procedures for internal uses — §164.514(d)(2)",[16,2147,2148],{},"Covered entities must identify the persons or classes of persons in the workforce who need access to PHI to carry out their duties, specify the categories of PHI to which access is needed, and identify any conditions appropriate to such access. The practical output is a role-based access model.",[51,2150,2152],{"id":2151},"standard-protocols-for-routine-disclosures-164514d3i","Standard protocols for routine disclosures — §164.514(d)(3)(i)",[16,2154,2155],{},"For disclosures that happen repeatedly — billing submissions, lab result transmissions, utilization review exchanges — the organization must develop standard protocols that limit the PHI disclosed to what is reasonably necessary for the stated purpose. 
The protocols themselves become policy documents.",[51,2157,2159],{"id":2158},"criteria-for-non-routine-disclosures-164514d3ii","Criteria for non-routine disclosures — §164.514(d)(3)(ii)",[16,2161,2162],{},"For disclosures that are not routine, the organization must establish criteria designed to limit the disclosure and a review procedure that applies those criteria. Each non-routine disclosure then gets an individualized review against the criteria.",[51,2164,2166],{"id":2165},"reliance-on-requester-representations-164514d3iii","Reliance on requester representations — §164.514(d)(3)(iii)",[16,2168,2169],{},"When another covered entity, a public official, or a professional asserts that the information requested is the minimum necessary for a stated purpose, the disclosing entity may reasonably rely on that representation in many circumstances. The reliance is not automatic — it depends on the requester and the context — and the organization must document its reasoning.",[11,2171,2173],{"id":2172},"exceptions-to-the-minimum-necessary-standard","Exceptions to the minimum necessary standard",[16,2175,2176],{},"§164.502(b)(2) lists six specific situations where the minimum necessary standard does not apply.",[137,2178,2179,2182,2185,2188,2191,2194],{},[74,2180,2181],{},"Disclosures to, or requests by, a healthcare provider for treatment.",[74,2183,2184],{},"Uses or disclosures made to the individual who is the subject of the PHI.",[74,2186,2187],{},"Uses or disclosures made pursuant to a valid authorization signed by the individual.",[74,2189,2190],{},"Disclosures made to HHS for enforcement or compliance purposes.",[74,2192,2193],{},"Uses or disclosures required by law.",[74,2195,2196],{},"Uses or disclosures required for compliance with the HIPAA Administrative Simplification regulations (45 CFR Subchapter C).",[16,2198,2199],{},"The treatment exception is the most significant and the most misunderstood. 
It applies to disclosures between healthcare providers for treatment purposes — the receiving clinician may need information the requesting clinician cannot predict. It does not apply to internal uses of PHI within an organization's treatment workforce, which are still governed by the general least-access principle of role-based access.",[11,2201,2203],{"id":2202},"role-based-access-as-the-default-implementation","Role-based access as the default implementation",[16,2205,2206],{},"Most organizations implement the internal-use portion of the minimum necessary standard through role-based access control (RBAC). A defensible RBAC implementation has five components.",[71,2208,2209,2215,2221,2227,2233],{},[74,2210,2211,2214],{},[59,2212,2213],{},"Role inventory."," Every workforce member is assigned to one or more defined roles. Undefined roles are not allowed.",[74,2216,2217,2220],{},[59,2218,2219],{},"Role-to-data mapping."," Each role is mapped to the categories of PHI necessary for its functions. Mappings are reviewed at least annually and after material organizational change.",[74,2222,2223,2226],{},[59,2224,2225],{},"System enforcement."," RBAC is enforced in production systems, not just in policy documents. Access controls in EHRs, CRMs, data warehouses, and internal tools align to the mapping.",[74,2228,2229,2232],{},[59,2230,2231],{},"Access review."," At least quarterly, access is reviewed and reconciled with current role assignments. Reviews produce evidence, not just affirmations.",[74,2234,2235,2238],{},[59,2236,2237],{},"Exception handling."," When a workforce member needs access outside their role for a specific task, the exception is time-bounded, approved, documented, and revoked automatically on expiration.",[16,2240,2241],{},"Attribute-based access control (ABAC) and policy-based access control layer on top of RBAC for cases where the necessary access depends on patient relationship, episode of care, or data sensitivity. 
These are increasingly common in mature EHR deployments.",[11,2243,2245],{"id":2244},"routine-disclosures-where-the-protocol-lives","Routine disclosures: where the protocol lives",[16,2247,2248],{},"Routine disclosures are the quiet backbone of most covered entities. Claims submissions, lab orders, referrals, public health reporting, and payment inquiries are all routine. Each one should be governed by a written protocol that specifies the purpose, the permitted recipients, the specific data elements, and the form or channel used.",[16,2250,2251],{},"The protocol is also where de-identification and limited data sets enter the picture. If a disclosure purpose can be accomplished with a limited data set, requiring a signed data use agreement from the recipient, the minimum necessary obligation pushes strongly toward that option. If it can be accomplished with de-identified data, the obligation pushes further.",[11,2253,2255],{"id":2254},"non-routine-disclosures-the-review-step","Non-routine disclosures: the review step",[16,2257,2258],{},"Non-routine disclosures are the ones that show up most often in breach investigations. A law enforcement request, a subpoena, an insurer audit, a researcher's data request — each is different enough to require individual review. The policy should specify who reviews non-routine requests, what criteria they apply, and what documentation they produce.",[16,2260,2261],{},"Keep the criteria short and binding: purpose, minimum data elements, recipient authority, and retention expectation. The review record should reference the criteria explicitly.",[11,2263,1335],{"id":1334},[16,2265,2266,2267,2270,2271,2273,2274,2278],{},"The minimum necessary standard is a Privacy Rule obligation, but it depends on Security Rule controls to operate. ",[23,2268,2269],{"href":1349},"Workforce training"," teaches workforce members the difference between access they have and access they should use. 
The ",[23,2272,1187],{"href":1186}," surfaces systems where technical controls do not enforce the role-based access model your policy describes. The ",[23,2275,2277],{"href":2276},"\u002Fframeworks\u002Fhipaa\u002Fsanctions-policy","sanctions policy"," gives enforcement authority to the access rules the standard establishes.",[16,2280,2281],{},"It also connects directly to audit controls. Unique user identification and activity logging are the evidence that role-based access is working as intended — and the mechanism that surfaces minimum necessary violations.",[11,2283,1358],{"id":1357},[137,2285,2286,2292,2298,2304,2310,2316,2322],{},[74,2287,2288,2291],{},[59,2289,2290],{},"Policy without system enforcement."," The written policy describes role-based access, but the EHR and internal tools grant every workforce member broad access. The gap is the finding.",[74,2293,2294,2297],{},[59,2295,2296],{},"Role sprawl."," The role inventory has ballooned to hundreds of ad hoc roles, each with slight permission differences. The mapping is no longer reviewable in practice.",[74,2299,2300,2303],{},[59,2301,2302],{},"No access recertification."," Access was appropriate at provisioning, but workforce members have changed roles repeatedly without a scheduled review, accumulating permissions.",[74,2305,2306,2309],{},[59,2307,2308],{},"Treatment exception stretched."," The organization treats the treatment exception as license for any workforce member in a care setting to view any patient record. 
OCR has disagreed loudly and publicly.",[74,2311,2312,2315],{},[59,2313,2314],{},"Routine disclosure by habit."," Claims and lab flows include more PHI than the receiving party actually needs, because \"that is how the template has always been built.\"",[74,2317,2318,2321],{},[59,2319,2320],{},"Non-routine reviews are informal."," Non-routine disclosures get an email blessing from counsel but no structured review record, so the rationale is unretrievable years later.",[74,2323,2324,2327],{},[59,2325,2326],{},"Reliance without documentation."," Disclosures are made in reliance on another party's minimum-necessary representation, but the reasoning is not recorded, so OCR cannot verify the reasonableness of the reliance.",[11,2329,1406],{"id":1405},[16,2331,2332],{},"episki brings role-to-data mappings, access review campaigns, routine disclosure protocols, and non-routine disclosure workflows into a single HIPAA workspace. Reviews run on a schedule, evidence accumulates automatically, and exceptions are time-bounded and auditable. 
When a customer asks how you implement the minimum necessary standard — or when an OCR investigation asks for a specific disclosure record — you produce it in minutes, not days.",[16,2334,1412,2335,1416],{},[23,2336,1415],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":2338},[2339,2340,2346,2347,2348,2349,2350,2351,2352],{"id":2120,"depth":258,"text":2121},{"id":2137,"depth":258,"text":2138,"children":2341},[2342,2343,2344,2345],{"id":2144,"depth":264,"text":2145},{"id":2151,"depth":264,"text":2152},{"id":2158,"depth":264,"text":2159},{"id":2165,"depth":264,"text":2166},{"id":2172,"depth":258,"text":2173},{"id":2202,"depth":258,"text":2203},{"id":2244,"depth":258,"text":2245},{"id":2254,"depth":258,"text":2255},{"id":1334,"depth":258,"text":1335},{"id":1357,"depth":258,"text":1358},{"id":1405,"depth":258,"text":1406},"The HIPAA minimum necessary standard at §164.502(b) limits PHI use and disclosure to what is reasonably necessary. Here is how to implement it in role-based access.",{"items":2355},[2356,2359,2362,2365],{"label":2357,"content":2358},"What is the HIPAA minimum necessary rule?","The minimum necessary standard at §164.502(b) requires covered entities and business associates to make reasonable efforts to limit the use, disclosure, and request of PHI to the minimum amount necessary to accomplish the intended purpose. It is a Privacy Rule requirement and applies to most uses and disclosures.",{"label":2360,"content":2361},"When does the minimum necessary rule not apply?","The standard does not apply to disclosures to the individual who is the subject of the information, uses or disclosures made pursuant to a valid authorization, uses or disclosures required for treatment, uses or disclosures required by law, or disclosures to HHS for enforcement investigations.",{"label":2363,"content":2364},"Does minimum necessary apply to treatment?","No. 
Disclosures for treatment purposes between providers are exempt from the minimum necessary standard — a receiving clinician may need information the requesting clinician cannot anticipate. The exception is narrow to treatment; payment and operations disclosures remain bound by the standard.",{"label":2366,"content":2367},"How does minimum necessary relate to role-based access?","Role-based access is the most common implementation technique for the internal-use portion of the standard. Define roles, map each role to the categories of PHI necessary for job functions, enforce those mappings in systems, and review them periodically.",{},"\u002Fframeworks\u002Fhipaa\u002Fminimum-necessary-rule",[293,1450,1451,1452],[301,300,2372,1454],"workforce-training",{"title":2374,"description":2375},"HIPAA Minimum Necessary Rule - §164.502(b) Standard & Implementation","Implement the HIPAA minimum necessary standard under §164.502(b). Role-based access, exceptions, routine versus non-routine disclosures, and documentation.","5.frameworks\u002Fhipaa\u002Fminimum-necessary-rule","oW0aLoDhMfyQxXI33hAZwo8yFsSrk2aMZGNG0yhWEkU",{"id":2379,"title":31,"body":2380,"description":2602,"extension":278,"faq":546,"frameworkSlug":293,"lastUpdated":294,"meta":2603,"navigation":296,"path":30,"relatedTerms":2604,"relatedTopics":2605,"seo":2606,"stem":2609,"__hash__":2610},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fprivacy-rule.md",{"type":8,"value":2381,"toc":2583},[2382,2386,2389,2395,2404,2408,2411,2415,2418,2421,2447,2454,2458,2461,2465,2468,2472,2475,2479,2482,2486,2489,2493,2496,2499,2519,2522,2525,2528,2532,2535,2539,2542,2546,2553,2557,2560,2573,2577],[11,2383,2385],{"id":2384},"what-is-the-hipaa-privacy-rule","What is the HIPAA Privacy Rule?",[16,2387,2388],{},"The HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) establishes national standards for the protection of individually identifiable health information. 
It defines who may access protected health information (PHI), under what circumstances PHI may be used or disclosed, and what rights patients have over their own health data.",[16,2390,2391,2392,2394],{},"Unlike the ",[23,2393,26],{"href":25},", which focuses exclusively on electronic PHI, the Privacy Rule covers PHI in any form — electronic, paper, or oral. It applies to all covered entities (healthcare providers, health plans, and healthcare clearinghouses) and, through the HITECH Act, to business associates as well.",[16,2396,2397,2398,2400,2401,2403],{},"For a complete overview of ",[23,2399,36],{"href":35}," requirements, visit the main framework page. The ",[23,2402,41],{"href":40}," provides foundational definitions of key terms.",[11,2405,2407],{"id":2406},"protected-health-information-defined","Protected health information defined",[16,2409,2410],{},"PHI is any individually identifiable health information held or transmitted by a covered entity or business associate in any form. The Privacy Rule identifies 18 specific identifiers (names, dates, Social Security numbers, medical record numbers, email addresses, biometric identifiers, and others) that make health information individually identifiable. Removing all 18 identifiers through proper de-identification produces data that falls outside the Privacy Rule's scope.",[11,2412,2414],{"id":2413},"the-minimum-necessary-standard","The minimum necessary standard",[16,2416,2417],{},"One of the Privacy Rule's most consequential requirements is the minimum necessary standard. 
This principle states that covered entities and business associates must make reasonable efforts to limit the use, disclosure, and request of PHI to the minimum amount necessary to accomplish the intended purpose.",[16,2419,2420],{},"The minimum necessary standard applies to:",[137,2422,2423,2429,2435,2441],{},[74,2424,2425,2428],{},[59,2426,2427],{},"Internal uses"," — workforce members should have access only to the PHI they need for their job functions. Role-based access policies are the most common implementation.",[74,2430,2431,2434],{},[59,2432,2433],{},"Routine disclosures"," — for recurring types of disclosures, organizations should establish standard protocols that limit the information shared.",[74,2436,2437,2440],{},[59,2438,2439],{},"Non-routine disclosures"," — for individual requests, the organization must review each request and limit the disclosure to what is reasonably necessary.",[74,2442,2443,2446],{},[59,2444,2445],{},"Requests to other entities"," — when requesting PHI from another covered entity, the organization must limit its request to what is reasonably necessary.",[16,2448,2449,2450,2453],{},"The minimum necessary standard does ",[59,2451,2452],{},"not"," apply to disclosures made to the individual who is the subject of the information, disclosures authorized by the individual, uses or disclosures required for treatment, disclosures required by law, or disclosures to HHS for compliance investigations.",[11,2455,2457],{"id":2456},"patient-rights-under-the-privacy-rule","Patient rights under the Privacy Rule",[16,2459,2460],{},"The Privacy Rule grants individuals significant control over their health information. These rights are enforceable, and organizations must have documented processes to honor them.",[51,2462,2464],{"id":2463},"right-to-access","Right to access",[16,2466,2467],{},"Individuals may inspect and obtain copies of their PHI. 
The covered entity must respond within 30 days (one 30-day extension permitted) and may charge a reasonable, cost-based fee.",[51,2469,2471],{"id":2470},"right-to-request-amendment","Right to request amendment",[16,2473,2474],{},"Individuals may request amendments to inaccurate or incomplete PHI. The entity must act within 60 days and provide written denial with an opportunity for the individual to submit a disagreement statement.",[51,2476,2478],{"id":2477},"right-to-an-accounting-of-disclosures","Right to an accounting of disclosures",[16,2480,2481],{},"Individuals may request a list of PHI disclosures made during the prior six years, excluding disclosures for treatment, payment, operations, and those authorized by the individual.",[51,2483,2485],{"id":2484},"right-to-request-restrictions-and-confidential-communications","Right to request restrictions and confidential communications",[16,2487,2488],{},"Individuals may request restrictions on PHI use for treatment, payment, or operations. The entity must comply when the individual pays out of pocket and requests non-disclosure to a health plan. Individuals may also request alternative communication methods or locations.",[11,2490,2492],{"id":2491},"notice-of-privacy-practices-npp","Notice of Privacy Practices (NPP)",[16,2494,2495],{},"The Notice of Privacy Practices is a foundational document under the Privacy Rule. 
It must be provided to every individual at the first point of service (for healthcare providers with a direct treatment relationship) or upon request.",[16,2497,2498],{},"The NPP must include:",[137,2500,2501,2504,2507,2510,2513,2516],{},[74,2502,2503],{},"A description of how the entity may use and disclose PHI",[74,2505,2506],{},"The individual's rights regarding their PHI",[74,2508,2509],{},"The entity's legal duties with respect to PHI",[74,2511,2512],{},"Contact information for the entity's privacy official",[74,2514,2515],{},"Contact information for filing complaints with the entity and with HHS",[74,2517,2518],{},"The effective date of the notice",[16,2520,2521],{},"The NPP must be prominently posted at the entity's physical location and on its website if it maintains one. Any material change to privacy practices requires a revised NPP and updated distribution.",[11,2523,389],{"id":2524},"permitted-uses-and-disclosures",[16,2526,2527],{},"The Privacy Rule defines specific categories of permitted uses and disclosures. Understanding these categories is essential for compliance, as any use or disclosure that falls outside them requires written patient authorization.",[51,2529,2531],{"id":2530},"uses-and-disclosures-without-authorization","Uses and disclosures without authorization",[16,2533,2534],{},"PHI may be used or disclosed without individual authorization for treatment, payment, healthcare operations, public health activities, health oversight, judicial and administrative proceedings, law enforcement purposes, research (with IRB approval), preventing serious threats to health or safety, essential government functions, workers' compensation, and reporting abuse or neglect.",[51,2536,2538],{"id":2537},"uses-and-disclosures-requiring-authorization","Uses and disclosures requiring authorization",[16,2540,2541],{},"Any use or disclosure not covered by the permitted categories above requires a valid written authorization from the individual. 
Authorizations must include a description of the information, the persons authorized to make and receive the disclosure, an expiration date, and the individual's signature. Marketing communications, the sale of PHI, and psychotherapy notes almost always require authorization.",[11,2543,2545],{"id":2544},"business-associates-and-the-privacy-rule","Business associates and the Privacy Rule",[16,2547,2548,2549,2552],{},"The Privacy Rule requires covered entities to obtain satisfactory assurances from business associates that they will appropriately safeguard PHI. These assurances are formalized through ",[23,2550,2551],{"href":178},"Business Associate Agreements (BAAs)",". The HITECH Act extended many Privacy Rule requirements directly to business associates, making them independently liable for compliance.",[11,2554,2556],{"id":2555},"enforcement","Enforcement",[16,2558,2559],{},"The HHS Office for Civil Rights enforces the Privacy Rule through investigations triggered by complaints or compliance reviews. Penalties mirror those of the Security Rule, ranging from $100 to $50,000 per violation with annual maximums of $1.5 million per category. 
State attorneys general may also bring actions for Privacy Rule violations under the HITECH Act.",[16,2561,2562,2563,2566,2567,2569,2570,2572],{},"For ",[23,2564,2565],{"href":238},"healthcare organizations"," establishing or strengthening their privacy program, the ",[23,2568,247],{"href":246}," includes a complete walkthrough of Privacy Rule obligations alongside Security Rule and ",[23,2571,411],{"href":297}," requirements.",[11,2574,2576],{"id":2575},"practical-steps-for-compliance","Practical steps for compliance",[16,2578,2579,2580,2582],{},"Organizations building a Privacy Rule compliance program should designate a privacy official, conduct a PHI inventory across all systems and workflows, develop and distribute the Notice of Privacy Practices, implement minimum necessary policies with role-based access controls, train all workforce members at onboarding and regularly thereafter, establish documented procedures for patient rights requests, execute ",[23,2581,835],{"href":178}," with all business associates before sharing PHI, and implement a complaint process allowing individuals to report privacy concerns without retaliation.",{"title":257,"searchDepth":258,"depth":258,"links":2584},[2585,2586,2587,2588,2594,2595,2599,2600,2601],{"id":2384,"depth":258,"text":2385},{"id":2406,"depth":258,"text":2407},{"id":2413,"depth":258,"text":2414},{"id":2456,"depth":258,"text":2457,"children":2589},[2590,2591,2592,2593],{"id":2463,"depth":264,"text":2464},{"id":2470,"depth":264,"text":2471},{"id":2477,"depth":264,"text":2478},{"id":2484,"depth":264,"text":2485},{"id":2491,"depth":258,"text":2492},{"id":2524,"depth":258,"text":389,"children":2596},[2597,2598],{"id":2530,"depth":264,"text":2531},{"id":2537,"depth":264,"text":2538},{"id":2544,"depth":258,"text":2545},{"id":2555,"depth":258,"text":2556},{"id":2575,"depth":258,"text":2576},"The HIPAA Privacy Rule governs the use and disclosure of protected health information, establishes patient rights, and sets the minimum 
necessary standard.",{},[293],[300,550,302,303],{"title":2607,"description":2608},"HIPAA Privacy Rule - Patient Rights, PHI Disclosures & Compliance Guide","Understand the HIPAA Privacy Rule including minimum necessary standard, patient rights, permitted disclosures, and Notice of Privacy Practices requirements.","5.frameworks\u002Fhipaa\u002Fprivacy-rule","OfUJph-DV0iDq4L1N_bzj2O5Zhe8YsiW1zB5h1yu8I8",{"id":2612,"title":2613,"body":2614,"description":2945,"extension":278,"faq":2946,"frameworkSlug":293,"lastUpdated":294,"meta":2960,"navigation":296,"path":1186,"relatedTerms":2961,"relatedTopics":2962,"seo":2963,"stem":2966,"__hash__":2967},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Frisk-analysis.md","HIPAA Risk Analysis",{"type":8,"value":2615,"toc":2933},[2616,2620,2623,2626,2629,2636,2640,2643,2699,2702,2706,2709,2712,2726,2729,2733,2736,2739,2765,2768,2772,2775,2778,2781,2784,2788,2791,2817,2820,2824,2827,2847,2858,2860,2872,2874,2924,2926,2929],[11,2617,2619],{"id":2618},"why-hipaa-risk-analysis-matters","Why HIPAA risk analysis matters",[16,2621,2622],{},"HIPAA §164.308(a)(1)(ii)(A) — the Risk Analysis implementation specification — requires covered entities and business associates to \"conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.\" It sits at the top of the Security Management Process standard and is the foundation on which the rest of the Security Rule is built.",[16,2624,2625],{},"Everything downstream — the policies you write, the controls you deploy, the contingency plan you exercise, the sanctions you apply — should trace back to findings in the risk analysis. Without it, compliance becomes a checklist exercise divorced from actual risk. 
With it, limited time and budget flow to the systems and scenarios that matter most.",[16,2627,2628],{},"OCR has made the point repeatedly. In its published resolution agreements, missing or inadequate risk analyses are the single most cited finding — present in a majority of major enforcement actions from the last decade. That pattern reflects a consistent regulator view: an organization that cannot demonstrate an accurate and thorough HIPAA risk analysis has not started its compliance program.",[16,2630,2631,2632,1179,2634,42],{},"For the broader Security Rule context, see the ",[23,2633,26],{"href":25},[23,2635,1182],{"href":35},[11,2637,2639],{"id":2638},"what-accurate-and-thorough-actually-requires","What \"accurate and thorough\" actually requires",[16,2641,2642],{},"HHS guidance — most notably the 2010 Final Guidance on Risk Analysis Requirements — defines what \"accurate and thorough\" means in practice. Nine elements must be addressed.",[71,2644,2645,2651,2657,2663,2669,2675,2681,2687,2693],{},[74,2646,2647,2650],{},[59,2648,2649],{},"Scope of the analysis."," Cover every system, application, and process that creates, receives, maintains, or transmits ePHI, including portable media, remote access, and third-party systems.",[74,2652,2653,2656],{},[59,2654,2655],{},"Data collection."," Gather information about how ePHI is stored, received, maintained, and transmitted. This includes interviewing workforce members and reviewing documentation, not just running scans.",[74,2658,2659,2662],{},[59,2660,2661],{},"Identification and documentation of potential threats and vulnerabilities."," Threats are the sources of harm — natural, human, environmental. 
Vulnerabilities are the weaknesses threats can exploit.",[74,2664,2665,2668],{},[59,2666,2667],{},"Assessment of current security measures."," Document the controls already in place and how effectively they reduce risk.",[74,2670,2671,2674],{},[59,2672,2673],{},"Determination of the likelihood of threat occurrence."," Qualitatively or quantitatively, assess how likely each threat is to materialize given current controls.",[74,2676,2677,2680],{},[59,2678,2679],{},"Determination of the potential impact of threat occurrence."," Assess the consequence to confidentiality, integrity, and availability of ePHI if the threat materializes.",[74,2682,2683,2686],{},[59,2684,2685],{},"Determination of the level of risk."," Combine likelihood and impact to produce a risk rating.",[74,2688,2689,2692],{},[59,2690,2691],{},"Finalized documentation."," Written output that can be produced on demand.",[74,2694,2695,2698],{},[59,2696,2697],{},"Periodic review and updates."," A living document, refreshed at defined intervals and after material change.",[16,2700,2701],{},"These nine elements map cleanly onto NIST Special Publication 800-30 Revision 1, which is why most HIPAA programs adopt 800-30 as their methodology.",[11,2703,2705],{"id":2704},"scope-the-most-common-source-of-failure","Scope: the most common source of failure",[16,2707,2708],{},"The single most common HIPAA risk analysis failure is an incomplete scope. OCR repeatedly finds that organizations assessed the EHR, the email system, and the main file server — but not the developer laptops, the analytics warehouse, the backup tapes, the clinical tablets, the text message workflow a customer support team built on the side, or the twenty business associates whose systems jointly touch the same PHI.",[16,2710,2711],{},"A defensible scope begins with a PHI data flow map. 
Answer four questions for every system in the organization.",[137,2713,2714,2717,2720,2723],{},[74,2715,2716],{},"Does this system create, receive, maintain, or transmit ePHI?",[74,2718,2719],{},"If yes, what categories of PHI, and at what volume?",[74,2721,2722],{},"Who else touches the data — upstream, downstream, or in parallel?",[74,2724,2725],{},"What happens when the data leaves the system?",[16,2727,2728],{},"Every system that answers yes to the first question is in scope. Systems that currently answer no but are planned to answer yes in the next twelve months should also be captured so the analysis stays ahead of the build plan.",[11,2730,2732],{"id":2731},"threats-and-vulnerabilities","Threats and vulnerabilities",[16,2734,2735],{},"NIST SP 800-30 separates threats from vulnerabilities — a useful distinction that prevents the common error of treating a missing control as a threat.",[16,2737,2738],{},"Threat categories include:",[137,2740,2741,2747,2753,2759],{},[74,2742,2743,2746],{},[59,2744,2745],{},"Adversarial threats"," — external attackers, malicious insiders, organized crime, nation-state actors.",[74,2748,2749,2752],{},[59,2750,2751],{},"Accidental threats"," — workforce errors, misconfigured systems, mis-sent emails, lost devices.",[74,2754,2755,2758],{},[59,2756,2757],{},"Structural threats"," — hardware failures, software bugs, vendor outages, capacity exhaustion.",[74,2760,2761,2764],{},[59,2762,2763],{},"Environmental threats"," — fire, flood, power failure, pandemic.",[16,2766,2767],{},"For each in-scope system, inventory the threats that realistically apply and the vulnerabilities that could let those threats materialize. 
Industry threat intelligence, OCR enforcement patterns, and your own incident history are all valid inputs.",[11,2769,2771],{"id":2770},"likelihood-and-impact","Likelihood and impact",[16,2773,2774],{},"Likelihood and impact can be expressed qualitatively (low, moderate, high, very high) or quantitatively (probability ranges and dollar figures). Most HIPAA programs start qualitative and tighten over time as better data becomes available.",[16,2776,2777],{},"A defensible likelihood assessment considers the threat source's motivation, capability, and opportunity; the effectiveness of current controls; and the frequency with which similar events have occurred historically in the organization's sector.",[16,2779,2780],{},"A defensible impact assessment considers the confidentiality, integrity, and availability consequences; the volume and sensitivity of PHI affected; the regulatory and contractual consequences; and the downstream effects on patients or end users.",[16,2782,2783],{},"The risk level is a function of the two, often represented in a heat map. Risks above a defined threshold feed the risk management plan required by §164.308(a)(1)(ii)(B).",[11,2785,2787],{"id":2786},"documentation-that-survives-audit","Documentation that survives audit",[16,2789,2790],{},"The risk analysis artifact itself must be written, retrievable, and referenced throughout the rest of the program. 
A defensible artifact includes:",[137,2792,2793,2796,2799,2802,2805,2808,2811,2814],{},[74,2794,2795],{},"Scope statement and asset inventory.",[74,2797,2798],{},"Methodology used, with explicit reference to NIST SP 800-30 or the equivalent.",[74,2800,2801],{},"Threat catalog and vulnerability catalog.",[74,2803,2804],{},"Inventory of current controls.",[74,2806,2807],{},"Likelihood and impact ratings for each risk, with rationale.",[74,2809,2810],{},"Risk register sorted by priority, feeding the risk management plan.",[74,2812,2813],{},"Change log documenting updates.",[74,2815,2816],{},"Signatures or approvals from the HIPAA security official and executive leadership.",[16,2818,2819],{},"Retain for at least six years from creation or last effective date. Because this is a living document, the retention clock resets every time the artifact is updated.",[11,2821,2823],{"id":2822},"integrating-risk-analysis-into-the-operating-rhythm","Integrating risk analysis into the operating rhythm",[16,2825,2826],{},"A risk analysis that runs once and then gathers dust is the worst possible outcome — it creates a false sense of completion. Build the refresh into the operating rhythm.",[137,2828,2829,2835,2841],{},[74,2830,2831,2834],{},[59,2832,2833],{},"Quarterly."," Review the risk register, update ratings as controls mature or threats evolve, and close risks that have been adequately mitigated.",[74,2836,2837,2840],{},[59,2838,2839],{},"Annually."," Run a full refresh. 
Revisit scope, re-interview owners, re-run threat modeling, and produce an updated artifact.",[74,2842,2843,2846],{},[59,2844,2845],{},"Event-driven."," Trigger a targeted refresh after a material change — new system, new customer segment, significant incident, regulatory update, organizational restructuring.",[16,2848,2849,2850,2853,2854,2857],{},"Tie the refresh cadence to the ",[23,2851,2852],{"href":1448},"contingency planning"," test calendar and the ",[23,2855,2856],{"href":246},"compliance checklist"," review calendar so the full program moves together.",[11,2859,1335],{"id":1334},[16,2861,2862,2863,2865,2866,2868,2869,2871],{},"The risk analysis is the connective tissue of a HIPAA program. It sets priorities for the ",[23,2864,26],{"href":25}," controls you invest in. It shapes the risk management plan at §164.308(a)(1)(ii)(B). It informs the testing calendar for ",[23,2867,2852],{"href":1448},". It surfaces the scenarios that ",[23,2870,1350],{"href":1349}," should address. It feeds the threat scenarios your incident response runbooks rehearse. And it anchors the conversation with customers and regulators when they ask how you prioritize your compliance program.",[11,2873,1358],{"id":1357},[137,2875,2876,2882,2888,2894,2900,2906,2912,2918],{},[74,2877,2878,2881],{},[59,2879,2880],{},"Scope gaps."," The analysis covers the obvious systems and misses the edges — developer laptops, shadow IT, analytics warehouses, third-party SaaS with ad hoc BAAs.",[74,2883,2884,2887],{},[59,2885,2886],{},"Vulnerability scan as risk analysis."," A pen test report or a CVE scan gets stapled to a cover page and labeled a risk analysis. 
OCR has rejected this pattern consistently.",[74,2889,2890,2893],{},[59,2891,2892],{},"Generic threat catalog."," The threat list is a copy of a consultant template with no tailoring to the organization's actual technology and workforce.",[74,2895,2896,2899],{},[59,2897,2898],{},"No likelihood or impact reasoning."," Risks are rated \"high\" or \"medium\" with no written justification, so the ratings are not defensible a year later.",[74,2901,2902,2905],{},[59,2903,2904],{},"Artifact from two years ago."," The risk analysis on file predates significant changes in the environment, and the change log is empty.",[74,2907,2908,2911],{},[59,2909,2910],{},"No linkage to the risk management plan."," Risks are identified but not prioritized, and there is no mitigation plan tied to the register.",[74,2913,2914,2917],{},[59,2915,2916],{},"Single-person exercise."," The security officer wrote the risk analysis alone, without input from engineering, operations, clinical, or legal. Gaps are inevitable.",[74,2919,2920,2923],{},[59,2921,2922],{},"Business associates excluded."," Risks the organization inherits from its BAAs are missing, even though OCR has made clear those risks are in scope.",[11,2925,1406],{"id":1405},[16,2927,2928],{},"episki brings HIPAA risk analysis into the same workspace as the rest of your compliance program. 
The risk register is linked to assets, controls, and policies; scope is refreshed automatically as systems are added to inventory; threat and vulnerability catalogs are pre-built and tailored to healthtech; likelihood, impact, and rationale are captured in structured fields that survive personnel changes; and the annual refresh runs as a guided workflow with evidence rolling up for auditors and customers.",[16,2930,1412,2931,1416],{},[23,2932,1415],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":2934},[2935,2936,2937,2938,2939,2940,2941,2942,2943,2944],{"id":2618,"depth":258,"text":2619},{"id":2638,"depth":258,"text":2639},{"id":2704,"depth":258,"text":2705},{"id":2731,"depth":258,"text":2732},{"id":2770,"depth":258,"text":2771},{"id":2786,"depth":258,"text":2787},{"id":2822,"depth":258,"text":2823},{"id":1334,"depth":258,"text":1335},{"id":1357,"depth":258,"text":1358},{"id":1405,"depth":258,"text":1406},"HIPAA §164.308(a)(1)(ii)(A) requires an accurate and thorough risk analysis for every system that handles ePHI. Here is how to run one using NIST SP 800-30.",{"items":2947},[2948,2951,2954,2957],{"label":2949,"content":2950},"Is a HIPAA risk analysis required?","Yes. §164.308(a)(1)(ii)(A) is a required implementation specification within the Security Management Process standard. Covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.",{"label":2952,"content":2953},"How often should we refresh our HIPAA risk analysis?","HIPAA does not specify a cadence, but OCR guidance and mature practice converge on refreshing at least annually and after any material change — new systems, new customers with bespoke requirements, significant incidents, or regulatory updates. 
A stale risk analysis is one of the most common OCR findings.",{"label":2955,"content":2956},"What framework should we use for HIPAA risk analysis?","NIST Special Publication 800-30 is the methodology OCR cites most frequently. It provides a structured approach to asset identification, threat identification, vulnerability identification, likelihood and impact determination, and risk prioritization. HHS has published its own risk analysis guidance that aligns with NIST SP 800-30.",{"label":2958,"content":2959},"Does a vulnerability scan count as a HIPAA risk analysis?","No. A vulnerability scan is one input to a risk analysis, not a substitute for it. A HIPAA risk analysis must cover organizational, physical, administrative, and technical risks — not just technical vulnerabilities. OCR has explicitly rejected vulnerability-scan-only approaches as insufficient.",{},[293,1450,1451,1452],[300,1742,303,2372],{"title":2964,"description":2965},"HIPAA Risk Analysis - §164.308(a)(1)(ii)(A) NIST 800-30 Methodology","Run a defensible HIPAA risk analysis under §164.308(a)(1)(ii)(A) using NIST SP 800-30. 
Asset inventory, threat modeling, likelihood, impact, and documentation.","5.frameworks\u002Fhipaa\u002Frisk-analysis","if1-x0W6KLoHNWUYA_lcod_9bulcnf4cn1-aiE7pLiA",{"id":2969,"title":2970,"body":2971,"description":3249,"extension":278,"faq":3250,"frameworkSlug":293,"lastUpdated":294,"meta":3264,"navigation":296,"path":2276,"relatedTerms":3265,"relatedTopics":3266,"seo":3267,"stem":3270,"__hash__":3271},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fsanctions-policy.md","HIPAA Sanctions Policy",{"type":8,"value":2972,"toc":3232},[2973,2977,2980,2983,2990,2994,2997,3008,3011,3014,3018,3021,3059,3062,3066,3069,3073,3076,3080,3083,3087,3090,3094,3097,3101,3104,3108,3111,3125,3128,3130,3133,3165,3168,3170,3180,3183,3185,3223,3225,3228],[11,2974,2976],{"id":2975},"why-a-hipaa-sanctions-policy-matters","Why a HIPAA sanctions policy matters",[16,2978,2979],{},"HIPAA §164.308(a)(1)(ii)(C) is short but mandatory: covered entities and business associates must \"apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.\" It is one of the required implementation specifications within the Security Management Process standard — there is no addressable alternative. Either you have a sanctions policy that you actually enforce, or you are out of compliance.",[16,2981,2982],{},"The purpose of the policy is twofold. First, it deters policy violations by making consequences explicit. 
Second, it creates an auditable record that the organization takes its HIPAA obligations seriously — which matters not only during OCR investigations but also during customer security reviews, where a consistently enforced sanctions policy signals a mature program.",[16,2984,2985,2986,1179,2988,42],{},"For the broader context of administrative safeguards, see the ",[23,2987,26],{"href":25},[23,2989,1182],{"href":35},[11,2991,2993],{"id":2992},"what-the-rule-actually-requires","What the rule actually requires",[16,2995,2996],{},"§164.308(a)(1)(ii)(C) requires three things.",[71,2998,2999,3002,3005],{},[74,3000,3001],{},"A written sanctions policy that applies to workforce members who fail to comply with security policies and procedures.",[74,3003,3004],{},"Consistent application of that policy when violations occur.",[74,3006,3007],{},"Documentation of sanctions imposed, retained for at least six years.",[16,3009,3010],{},"The rule does not prescribe specific sanctions. OCR guidance and enforcement history make clear that sanctions must be proportionate to the violation, applied consistently regardless of seniority, and documented in a way that survives personnel changes.",[16,3012,3013],{},"The Privacy Rule at §164.530(e) imposes a parallel sanctions obligation for violations of the Privacy Rule. Most programs write a single policy that covers both Security and Privacy Rule violations, which simplifies administration and messaging.",[11,3015,3017],{"id":3016},"defining-what-counts-as-a-violation","Defining what counts as a violation",[16,3019,3020],{},"A sanctions policy is only enforceable if workforce members know what would trigger it. 
Your policy should enumerate representative categories of violations, not an exhaustive list.",[137,3022,3023,3029,3035,3041,3047,3053],{},[74,3024,3025,3028],{},[59,3026,3027],{},"Unauthorized access to PHI."," Looking up a patient, customer, or co-worker's record without a legitimate business reason.",[74,3030,3031,3034],{},[59,3032,3033],{},"Improper disclosure of PHI."," Sharing PHI with a person not authorized to receive it — including family members, friends, or unvetted vendors.",[74,3036,3037,3040],{},[59,3038,3039],{},"Policy shortcuts."," Sharing passwords, disabling multi-factor, using personal email to send PHI, or loading PHI onto unencrypted personal devices.",[74,3042,3043,3046],{},[59,3044,3045],{},"Failure to report."," Knowing about a suspected breach and failing to report it through the documented incident path.",[74,3048,3049,3052],{},[59,3050,3051],{},"Retaliation."," Punishing or discouraging a workforce member who reports a suspected HIPAA violation in good faith.",[74,3054,3055,3058],{},[59,3056,3057],{},"Willful misuse."," Selling, altering, or destroying PHI for personal gain, curiosity, or malice — the category that most often triggers criminal penalties.",[16,3060,3061],{},"Define each category in plain language and reference the underlying HIPAA requirement. That linkage matters: if you later sanction someone for \"unauthorized access,\" the violation cited in the record should be clearly tied to the written policy.",[11,3063,3065],{"id":3064},"progressive-discipline","Progressive discipline",[16,3067,3068],{},"Progressive discipline is the most common sanctions structure because it scales fairly across a wide range of violations. 
A typical ladder looks like this.",[51,3070,3072],{"id":3071},"step-1-verbal-counseling-plus-retraining","Step 1 — Verbal counseling plus retraining",[16,3074,3075],{},"For minor, first-time, accidental violations — for example, a new workforce member sending PHI over unencrypted email because they misunderstood the acceptable use policy — verbal counseling plus targeted retraining is usually appropriate. Document the conversation, the retraining completed, and the workforce member's acknowledgment.",[51,3077,3079],{"id":3078},"step-2-written-warning","Step 2 — Written warning",[16,3081,3082],{},"For repeated minor violations or a first violation that created real but containable risk, a written warning enters the workforce member's HIPAA file. The warning cites the policy, describes the behavior, and specifies what must change.",[51,3084,3086],{"id":3085},"step-3-suspension-and-access-review","Step 3 — Suspension and access review",[16,3088,3089],{},"For significant violations — for example, unauthorized access to the record of a person known to the workforce member — consider suspending system access pending investigation, conducting a full access review, and retraining before reinstatement. Suspension communicates that the organization distinguishes between carelessness and deliberate policy breach.",[51,3091,3093],{"id":3092},"step-4-termination","Step 4 — Termination",[16,3095,3096],{},"For egregious, willful, or repeated violations, termination is the appropriate sanction. Terminations tied to PHI misuse should include immediate revocation of all access, legal review, and consideration of law enforcement referral. 
Where the facts warrant it, report to OCR under the breach notification rule.",[51,3098,3100],{"id":3099},"step-5-referral-for-criminal-prosecution","Step 5 — Referral for criminal prosecution",[16,3102,3103],{},"Willful misuse of PHI for personal gain, transfer for commercial advantage, or malicious harm can trigger criminal penalties up to $250,000 and 10 years of imprisonment under 42 USC §1320d-6. Coordinate with counsel before any referral, but do not treat this as theoretical — OCR has publicly pursued these cases.",[11,3105,3107],{"id":3106},"consistency-is-the-hardest-part","Consistency is the hardest part",[16,3109,3110],{},"The policy works only if it applies the same way across the organization. OCR resolution agreements consistently cite inconsistent sanctions as evidence of a broken program. Two patterns create the most exposure.",[137,3112,3113,3119],{},[74,3114,3115,3118],{},[59,3116,3117],{},"Status asymmetry."," A junior employee is sanctioned for accessing a record they should not have seen, while a senior clinician or executive commits the same violation and is counseled informally. The gap undermines every sanction that follows.",[74,3120,3121,3124],{},[59,3122,3123],{},"Context asymmetry."," The same violation is treated as minor when it comes from the CEO's favorite team and serious when it comes from another. Both asymmetries are visible in the long tail of sanction records.",[16,3126,3127],{},"Build a review step into serious sanctions. 
A short panel — legal, HR, and the privacy or security official — can ensure consistency across cases and create a defensible record of deliberation.",[11,3129,2787],{"id":2786},[16,3131,3132],{},"Your sanctions records should answer five questions without ambiguity.",[137,3134,3135,3141,3147,3153,3159],{},[74,3136,3137,3140],{},[59,3138,3139],{},"Who was sanctioned?"," Keyed to unique workforce identifier.",[74,3142,3143,3146],{},[59,3144,3145],{},"What happened?"," A factual narrative of the violation, including systems involved, PHI at risk, and how it was discovered.",[74,3148,3149,3152],{},[59,3150,3151],{},"Which policy was violated?"," The specific section of the sanctions policy and any underlying security or privacy policies.",[74,3154,3155,3158],{},[59,3156,3157],{},"What sanction was applied?"," The specific action, its effective date, and any conditions (retraining, access review, probation).",[74,3160,3161,3164],{},[59,3162,3163],{},"Who approved it?"," Signatures from the approving manager, HR, and — for serious sanctions — the privacy or security official.",[16,3166,3167],{},"Retain these records for at least six years. Keep them in a location separate from general HR files so they can be produced without exposing unrelated personnel information.",[11,3169,1335],{"id":1334},[16,3171,3172,3173,3175,3176,3179],{},"A sanctions policy is part of a connected set of administrative safeguards. It pairs with ",[23,3174,1350],{"href":1349},", because you cannot fairly sanction a workforce member for a policy they were never taught. It pairs with the ",[23,3177,3178],{"href":2369},"minimum necessary rule",", because role-based access is only enforceable if violations carry consequences. It pairs with audit controls, because audit logs surface the unauthorized access patterns that sanctions are intended to address.",[16,3181,3182],{},"It also pairs with your breach response. 
Many sanctions cases begin as incident investigations, and the quality of the investigation — the evidence captured, the systems reviewed, the timeline reconstructed — determines whether the sanction will hold up in a subsequent dispute.",[11,3184,1358],{"id":1357},[137,3186,3187,3193,3199,3205,3211,3217],{},[74,3188,3189,3192],{},[59,3190,3191],{},"Policy in a drawer."," A sanctions policy exists, but no one at the organization can name a single case where it was applied. Either violations are being missed or they are being handled inconsistently.",[74,3194,3195,3198],{},[59,3196,3197],{},"No escalation path."," Managers apply informal sanctions on their own without involving HR, legal, or the privacy or security official, creating inconsistent outcomes and poor documentation.",[74,3200,3201,3204],{},[59,3202,3203],{},"Sanctions are treated as HR-only."," The privacy officer learns about a PHI misuse case months later, after OCR reporting windows have closed.",[74,3206,3207,3210],{},[59,3208,3209],{},"Retaliation risk."," A workforce member who reports a suspected violation is later sanctioned for an unrelated performance issue, creating the appearance of retaliation. Separate the processes visibly.",[74,3212,3213,3216],{},[59,3214,3215],{},"Contractor gaps."," The policy covers employees but not contractors with equivalent access, even though HIPAA's definition of workforce covers both.",[74,3218,3219,3222],{},[59,3220,3221],{},"Missing sanctions for senior staff."," No executive has ever been sanctioned, even after clear policy violations. During audits this is a leading indicator of selective enforcement.",[11,3224,1406],{"id":1405},[16,3226,3227],{},"episki ties sanctions records directly to the workforce member, the policy they violated, and the systems involved — so sanctions feed your broader HIPAA program instead of living in a siloed HR folder. 
Pre-built templates cover progressive discipline, documentation requirements, and escalation routing; workflow automation routes serious cases to the privacy or security official; and retention timers keep sanction records available for the full six-year window.",[16,3229,1412,3230,1416],{},[23,3231,1415],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":3233},[3234,3235,3236,3237,3244,3245,3246,3247,3248],{"id":2975,"depth":258,"text":2976},{"id":2992,"depth":258,"text":2993},{"id":3016,"depth":258,"text":3017},{"id":3064,"depth":258,"text":3065,"children":3238},[3239,3240,3241,3242,3243],{"id":3071,"depth":264,"text":3072},{"id":3078,"depth":264,"text":3079},{"id":3085,"depth":264,"text":3086},{"id":3092,"depth":264,"text":3093},{"id":3099,"depth":264,"text":3100},{"id":3106,"depth":258,"text":3107},{"id":2786,"depth":258,"text":2787},{"id":1334,"depth":258,"text":1335},{"id":1357,"depth":258,"text":1358},{"id":1405,"depth":258,"text":1406},"HIPAA §164.308(a)(1)(ii)(C) requires a sanctions policy for workforce members who violate HIPAA. Here is how to design one that is fair, consistent, and defensible.",{"items":3251},[3252,3255,3258,3261],{"label":3253,"content":3254},"Is a sanctions policy required by HIPAA?","Yes. 45 CFR §164.308(a)(1)(ii)(C) is a required — not addressable — implementation specification. Every covered entity and business associate must apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures.",{"label":3256,"content":3257},"What happens if a workforce member violates HIPAA?","The response depends on the severity, intent, and harm caused. Progressive discipline typically starts with retraining for minor accidental violations and escalates through written warnings, suspension, termination, and referral for criminal prosecution for willful misuse of PHI.",{"label":3259,"content":3260},"Do we have to fire employees for HIPAA violations?","No. 
HIPAA requires appropriate sanctions, not specific sanctions. Termination is appropriate for egregious, willful, or repeated violations. For honest mistakes, retraining plus documented counseling is often more appropriate and more likely to change behavior across the workforce.",{"label":3262,"content":3263},"How long must we retain sanction records?","HIPAA requires retention of policies and documentation for at least six years from creation or last effective date. Individual sanction records should be retained for the same period and kept in a location separate from general HR files so they can be produced on demand during an audit.",{},[293,1450,1451,1452],[2372,300,301,303],{"title":3268,"description":3269},"HIPAA Sanctions Policy - §164.308(a)(1)(ii)(C) Requirements & Examples","Build a HIPAA sanctions policy that satisfies §164.308(a)(1)(ii)(C). Progressive discipline, documentation, and common OCR findings for workforce violations.","5.frameworks\u002Fhipaa\u002Fsanctions-policy","3t3ZLT-67YrHlg2YxS8tWwiQIhmAqpbTHNm9HUWBH7s",{"id":3273,"title":26,"body":3274,"description":3578,"extension":278,"faq":546,"frameworkSlug":293,"lastUpdated":294,"meta":3579,"navigation":296,"path":25,"relatedTerms":3580,"relatedTopics":3581,"seo":3582,"stem":3585,"__hash__":3586},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fsecurity-rule.md",{"type":8,"value":3275,"toc":3562},[3276,3280,3286,3289,3298,3302,3306,3309,3312,3359,3363,3366,3369,3395,3399,3402,3404,3436,3440,3450,3454,3457,3461,3464,3484,3487,3491,3494,3497,3501,3508,3512,3515,3547,3555,3559],[11,3277,3279],{"id":3278},"what-is-the-hipaa-security-rule","What is the HIPAA Security Rule?",[16,3281,3282,3283,3285],{},"The HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) sets the national floor for protecting electronic protected health information (ePHI). 
While the ",[23,3284,31],{"href":30}," covers all forms of PHI, the Security Rule focuses exclusively on ePHI — any protected health information that is created, received, maintained, or transmitted in electronic form.",[16,3287,3288],{},"Every covered entity and business associate that handles ePHI must implement a set of safeguards designed to ensure the confidentiality, integrity, and availability of that data. The rule is intentionally flexible: it recognizes that a two-person dental practice faces different risks than a national hospital chain, so it allows organizations to choose how they meet each standard based on their size, complexity, and risk profile.",[16,3290,3291,3292,3294,3295,3297],{},"For a broader overview of ",[23,3293,36],{"href":35}," requirements, see the main framework page. You can also review the ",[23,3296,41],{"href":40}," for foundational definitions.",[11,3299,3301],{"id":3300},"the-three-safeguard-categories","The three safeguard categories",[51,3303,3305],{"id":3304},"administrative-safeguards","Administrative safeguards",[16,3307,3308],{},"Administrative safeguards are the policies, procedures, and organizational measures that manage the selection, development, and implementation of security controls. They typically consume the most time and resources because they touch every part of the organization.",[16,3310,3311],{},"Key standards within administrative safeguards include:",[137,3313,3314,3320,3326,3332,3342,3348,3353],{},[74,3315,3316,3319],{},[59,3317,3318],{},"Security management process"," — conduct a thorough risk analysis, implement risk management measures, apply sanctions for policy violations, and review information system activity regularly.",[74,3321,3322,3325],{},[59,3323,3324],{},"Assigned security responsibility"," — designate a single security official accountable for developing and implementing security policies. 
This person does not need to perform every task, but they must own the program.",[74,3327,3328,3331],{},[59,3329,3330],{},"Workforce security"," — establish procedures for authorizing access, supervising workforce members who interact with ePHI, and terminating access when employment ends.",[74,3333,3334,3337,3338,3341],{},[59,3335,3336],{},"Information access management"," — implement policies that grant access to ePHI only when a workforce member's role requires it. This aligns closely with the ",[23,3339,3340],{"href":30},"Privacy Rule's"," minimum necessary standard.",[74,3343,3344,3347],{},[59,3345,3346],{},"Security awareness and training"," — deliver periodic training on password management, malicious software protection, log-in monitoring, and security reminders.",[74,3349,3350,3352],{},[59,3351,1648],{}," — maintain a data backup plan, disaster recovery plan, and emergency mode operation plan. Test and revise these plans on a defined schedule.",[74,3354,3355,3358],{},[59,3356,3357],{},"Evaluation"," — perform periodic technical and non-technical evaluations in response to environmental or operational changes.",[51,3360,3362],{"id":3361},"physical-safeguards","Physical safeguards",[16,3364,3365],{},"Physical safeguards protect the electronic systems, equipment, and buildings that house ePHI from unauthorized physical access, tampering, and natural hazards.",[16,3367,3368],{},"Key standards include:",[137,3370,3371,3377,3383,3389],{},[74,3372,3373,3376],{},[59,3374,3375],{},"Facility access controls"," — implement policies governing who may physically enter areas where ePHI systems reside. This covers contingency operations, facility security plans, access control and validation procedures, and maintenance records.",[74,3378,3379,3382],{},[59,3380,3381],{},"Workstation use"," — define the functions performed at each workstation and the physical attributes of its surroundings that protect ePHI. 
A laptop used in a public coffee shop carries different risks than a desktop inside a locked server room.",[74,3384,3385,3388],{},[59,3386,3387],{},"Workstation security"," — implement physical safeguards for all workstations that access ePHI, restricting access to authorized users only.",[74,3390,3391,3394],{},[59,3392,3393],{},"Device and media controls"," — govern the receipt, removal, backup, storage, reuse, and disposal of hardware and electronic media containing ePHI. This includes maintaining records of device movements and creating retrievable exact copies of ePHI before equipment is moved.",[51,3396,3398],{"id":3397},"technical-safeguards","Technical safeguards",[16,3400,3401],{},"Technical safeguards are the technology and related policies that protect ePHI and control access to it. These are the controls most familiar to engineering and IT teams.",[16,3403,3368],{},[137,3405,3406,3412,3418,3424,3430],{},[74,3407,3408,3411],{},[59,3409,3410],{},"Access control"," — implement technical measures allowing only authorized persons to access ePHI. 
This includes unique user identification, emergency access procedures, automatic logoff, and encryption and decryption mechanisms.",[74,3413,3414,3417],{},[59,3415,3416],{},"Audit controls"," — deploy hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI.",[74,3419,3420,3423],{},[59,3421,3422],{},"Integrity"," — protect ePHI from improper alteration or destruction, including mechanisms to authenticate that data has not been changed without authorization.",[74,3425,3426,3429],{},[59,3427,3428],{},"Person or entity authentication"," — verify that any person or entity seeking access to ePHI is who they claim to be.",[74,3431,3432,3435],{},[59,3433,3434],{},"Transmission security"," — guard against unauthorized access to ePHI during electronic transmission, including integrity controls and encryption.",[11,3437,3439],{"id":3438},"required-vs-addressable-specifications","Required vs addressable specifications",[16,3441,3442,3443,27,3446,3449],{},"One of the most misunderstood aspects of the Security Rule is the distinction between ",[59,3444,3445],{},"required",[59,3447,3448],{},"addressable"," implementation specifications.",[51,3451,3453],{"id":3452},"required-specifications","Required specifications",[16,3455,3456],{},"A required specification must be implemented exactly as described. There is no flexibility. Examples include conducting a risk analysis, assigning a security official, and implementing audit controls. If a standard has a required specification, the organization must put it in place — period.",[51,3458,3460],{"id":3459},"addressable-specifications","Addressable specifications",[16,3462,3463],{},"An addressable specification does not mean optional. Instead, the organization must perform a documented assessment to determine whether the specification is a reasonable and appropriate safeguard in its environment. 
There are three possible outcomes:",[71,3465,3466,3472,3478],{},[74,3467,3468,3471],{},[59,3469,3470],{},"Implement the specification as written"," — if the assessment concludes the specification is reasonable and appropriate, implement it.",[74,3473,3474,3477],{},[59,3475,3476],{},"Implement an equivalent alternative"," — if the specification is not reasonable and appropriate but the underlying standard still needs to be met, implement an alternative measure that achieves the same protective purpose and document the rationale.",[74,3479,3480,3483],{},[59,3481,3482],{},"Do not implement"," — if the specification is not reasonable and appropriate and the standard can be met without it, document the rationale and the factors considered.",[16,3485,3486],{},"The critical requirement is documentation. Regardless of the path chosen, the organization must maintain written records of its analysis and decision. Auditors and the HHS Office for Civil Rights expect to see evidence of thoughtful evaluation, not blanket dismissals.",[11,3488,3490],{"id":3489},"risk-analysis-the-foundation-of-compliance","Risk analysis: the foundation of compliance",[16,3492,3493],{},"The Security Rule's risk analysis requirement underpins the entire program. A compliant risk analysis should identify all systems that handle ePHI, document anticipated threats and vulnerabilities, assess current security measures, determine likelihood and impact of threats, assign risk levels, and prioritize remediation. Every step must be documented.",[16,3495,3496],{},"Risk analysis is not a one-time activity. 
Organizations must review and update their analysis in response to environmental or operational changes, new threats, and security incidents.",[11,3498,3500],{"id":3499},"organizational-requirements","Organizational requirements",[16,3502,3503,3504,3507],{},"Covered entities must obtain satisfactory assurances from their business associates — typically through a ",[23,3505,3506],{"href":178},"Business Associate Agreement (BAA)"," — that the associate will appropriately safeguard ePHI. Business associates are directly liable for Security Rule compliance under the HITECH Act.",[11,3509,3511],{"id":3510},"common-security-rule-gaps","Common Security Rule gaps",[16,3513,3514],{},"Organizations preparing for audits frequently discover recurring gaps:",[137,3516,3517,3523,3529,3535,3541],{},[74,3518,3519,3522],{},[59,3520,3521],{},"Incomplete or outdated risk analysis"," — the single most cited deficiency in HHS enforcement actions.",[74,3524,3525,3528],{},[59,3526,3527],{},"Lack of encryption"," — organizations that skip encryption must document an equivalent alternative, and many cannot.",[74,3530,3531,3534],{},[59,3532,3533],{},"Missing audit logs"," — logging capability alone is insufficient if no one reviews the output.",[74,3536,3537,3540],{},[59,3538,3539],{},"Inadequate access management"," — role changes and departures create orphaned accounts with unnecessary ePHI access.",[74,3542,3543,3546],{},[59,3544,3545],{},"No contingency testing"," — an untested disaster recovery plan provides little real protection.",[16,3548,2562,3549,3551,3552,3554],{},[23,3550,2565],{"href":238}," building their Security Rule program, the ",[23,3553,247],{"href":246}," provides a structured walkthrough of every major requirement.",[11,3556,3558],{"id":3557},"enforcement-and-penalties","Enforcement and penalties",[16,3560,3561],{},"The HHS Office for Civil Rights (OCR) enforces the Security Rule through complaint investigations, compliance reviews, and audits. 
Penalties range from $100 to $50,000 per violation with annual maximums of $1.5 million per category. Criminal violations can result in fines up to $250,000 and imprisonment.",{"title":257,"searchDepth":258,"depth":258,"links":3563},[3564,3565,3570,3574,3575,3576,3577],{"id":3278,"depth":258,"text":3279},{"id":3300,"depth":258,"text":3301,"children":3566},[3567,3568,3569],{"id":3304,"depth":264,"text":3305},{"id":3361,"depth":264,"text":3362},{"id":3397,"depth":264,"text":3398},{"id":3438,"depth":258,"text":3439,"children":3571},[3572,3573],{"id":3452,"depth":264,"text":3453},{"id":3459,"depth":264,"text":3460},{"id":3489,"depth":258,"text":3490},{"id":3499,"depth":258,"text":3500},{"id":3510,"depth":258,"text":3511},{"id":3557,"depth":258,"text":3558},"The HIPAA Security Rule establishes national standards for protecting electronic protected health information (ePHI) through administrative, physical, and technical safeguards.",{},[293],[301,550,302,303],{"title":3583,"description":3584},"HIPAA Security Rule - Safeguards, Specifications & Compliance Guide","Learn how the HIPAA Security Rule protects ePHI with administrative, physical, and technical safeguards. 
Understand required vs addressable specifications.","5.frameworks\u002Fhipaa\u002Fsecurity-rule","1ApyZTSCEbGuhEpHJFdKF5uezLHHjsf-XEOonfqi-oU",{"id":3588,"title":3589,"body":3590,"description":3833,"extension":278,"faq":3834,"frameworkSlug":293,"lastUpdated":294,"meta":3848,"navigation":296,"path":1349,"relatedTerms":3849,"relatedTopics":3850,"seo":3852,"stem":3855,"__hash__":3856},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fworkforce-training.md","HIPAA Workforce Training Requirements",{"type":8,"value":3591,"toc":3818},[3592,3596,3599,3602,3609,3611,3614,3618,3621,3624,3628,3631,3634,3638,3641,3644,3648,3651,3655,3658,3678,3681,3685,3688,3707,3710,3714,3717,3749,3752,3754,3766,3769,3771,3808,3810,3813],[11,3593,3595],{"id":3594},"why-hipaa-workforce-training-matters","Why HIPAA workforce training matters",[16,3597,3598],{},"HIPAA §164.308(a)(5) — the Security Awareness and Training standard — requires every covered entity and business associate to implement a security awareness and training program for all members of its workforce, including management. It is one of four implementation specifications that sit inside a single administrative safeguard, but in practice it is the standard OCR cites most often when it finds that a workforce member \"should have known better.\"",[16,3600,3601],{},"Training is the control that turns written policy into enforceable behavior. A well-designed program reduces the probability of accidental disclosures, phishing-driven breaches, and misuse of protected health information. A poorly designed program — or, worse, an undocumented one — is one of the fastest ways to escalate a small incident into a resolution agreement and corrective action plan.",[16,3603,1176,3604,3606,3607,42],{},[23,3605,26],{"href":25}," overview and the ",[23,3608,1182],{"href":35},[11,3610,1486],{"id":1485},[16,3612,3613],{},"§164.308(a)(5)(ii) lists four addressable implementation specifications that a compliant program must address. 
\"Addressable\" does not mean optional — if an organization chooses not to implement one of these specifications, it must document why and implement an equivalent alternative.",[51,3615,3617],{"id":3616},"security-reminders-164308a5iia","Security reminders — §164.308(a)(5)(ii)(A)",[16,3619,3620],{},"Security reminders are periodic communications that keep HIPAA obligations visible between formal training sessions. These can take the form of email newsletters, Slack posts, intranet banners, phishing test feedback, or short videos. The goal is to keep attention high between annual refreshers, when attention inevitably drifts.",[16,3622,3623],{},"Operationalize security reminders with a calendar. Many programs deliver a monthly theme — password hygiene in January, phishing awareness in February, PHI handling in March, and so on — with supporting content aligned to current threats. Document the cadence, the topics covered, and the distribution list.",[51,3625,3627],{"id":3626},"protection-from-malicious-software-164308a5iib","Protection from malicious software — §164.308(a)(5)(ii)(B)",[16,3629,3630],{},"Training on malicious software covers how workforce members recognize and report suspicious files, attachments, and links. Modern training extends this beyond classic antivirus warnings to cover ransomware, business email compromise, credential theft, and the social engineering patterns that precede a PHI exfiltration event.",[16,3632,3633],{},"This specification pairs with your technical safeguards. Workforce members should understand that endpoint detection tools are not a replacement for vigilance — they are a backstop. 
The training should teach the specific reporting path: who to contact, how quickly, and what to preserve.",[51,3635,3637],{"id":3636},"log-in-monitoring-164308a5iic","Log-in monitoring — §164.308(a)(5)(ii)(C)",[16,3639,3640],{},"Log-in monitoring training teaches workforce members to recognize and report abnormal authentication events, including unexpected multi-factor prompts, unfamiliar devices on their account, unrecognized sign-in locations, and account lockouts that they did not cause. It also covers the workforce member's role in promptly reporting lost or stolen credentials.",[16,3642,3643],{},"Back this training with technical evidence: surface sign-in anomalies in a dashboard the security team reviews weekly, and include the workforce expectation in your acceptable use policy.",[51,3645,3647],{"id":3646},"password-management-164308a5iid","Password management — §164.308(a)(5)(ii)(D)",[16,3649,3650],{},"Password management training sets the expectation for how credentials are created, stored, rotated, and retired. The NIST SP 800-63B shift away from forced periodic rotation has been adopted by most HIPAA programs, but every program still needs a policy on length, complexity, reuse, password manager usage, and multi-factor enrollment. Training should reinforce that expectation with examples, not abstractions.",[11,3652,3654],{"id":3653},"what-belongs-in-the-training-curriculum","What belongs in the training curriculum",[16,3656,3657],{},"A defensible curriculum goes beyond the four specifications. 
At minimum, every workforce member should leave training able to answer six questions.",[137,3659,3660,3663,3666,3669,3672,3675],{},[74,3661,3662],{},"What counts as PHI, and which systems at this organization contain it?",[74,3664,3665],{},"What can I do with PHI in my role, and what is forbidden?",[74,3667,3668],{},"How do I report a suspected breach, and what is the timeline?",[74,3670,3671],{},"What are my obligations around devices, workstations, and removable media?",[74,3673,3674],{},"What happens if I violate HIPAA policy?",[74,3676,3677],{},"Where do I go when I am unsure?",[16,3679,3680],{},"Role-specific modules layer on top. Engineers need deeper training on access control, logging, and secure development. Customer support teams need training on verifying identity before disclosing PHI. Sales and success teams need training on what they can and cannot say during customer calls and demos. Executives need training on their incident response obligations and the tone they set for the broader organization.",[11,3682,3684],{"id":3683},"cadence-and-triggers","Cadence and triggers",[16,3686,3687],{},"HIPAA does not prescribe a training cadence, but OCR audit protocol expectations and industry practice converge on three triggers.",[71,3689,3690,3696,3701],{},[74,3691,3692,3695],{},[59,3693,3694],{},"Onboarding."," Every new workforce member must complete training before accessing PHI. Gate access on completion — do not rely on managers to verify.",[74,3697,3698,3700],{},[59,3699,2839],{}," Refresh training at least once per year. Many mature programs split this into shorter quarterly modules to combat attention fatigue.",[74,3702,3703,3706],{},[59,3704,3705],{},"Material change."," Re-train when a policy, system, or regulation changes meaningfully. The 2013 Omnibus Rule is the canonical example — every HIPAA program had to re-train after it took effect. 
Smaller material changes (a new EHR vendor, a new customer with bespoke data handling requirements) warrant targeted refreshers.",[16,3708,3709],{},"Layer on top just-in-time triggers: after a workforce member fails a phishing simulation, after a near-miss incident, after a policy violation that did not rise to the level of sanctions, or after a high-profile industry breach that exposes a new attack pattern.",[11,3711,3713],{"id":3712},"documentation-that-holds-up-under-ocr-review","Documentation that holds up under OCR review",[16,3715,3716],{},"Every OCR HIPAA audit protocol includes a specific item on training documentation. Your records should answer five questions without ambiguity.",[137,3718,3719,3725,3731,3737,3743],{},[74,3720,3721,3724],{},[59,3722,3723],{},"Who trained?"," Roster keyed to unique workforce member identifiers, not just names.",[74,3726,3727,3730],{},[59,3728,3729],{},"What did they train on?"," The specific module, version, and learning objectives.",[74,3732,3733,3736],{},[59,3734,3735],{},"When did they train?"," Completion date, not assignment date.",[74,3738,3739,3742],{},[59,3740,3741],{},"How do you know they understood?"," Knowledge check scores, attestation language, or role-play results.",[74,3744,3745,3748],{},[59,3746,3747],{},"How long will you keep it?"," At least six years from creation or last effective date of the material.",[16,3750,3751],{},"Learning management systems simplify this, but they are not required. A structured folder, a training register, and signed acknowledgments can satisfy OCR if they are consistent and retrievable. What fails is ad-hoc records: an email here, a slide deck there, no way to prove who completed what.",[11,3753,1335],{"id":1334},[16,3755,3756,3757,3759,3760,3762,3763,3765],{},"Workforce training is one of several interlocking administrative safeguards. 
It pairs tightly with the ",[23,3758,2277],{"href":2276}," — you cannot fairly sanction a workforce member for a policy they were never taught. It pairs with the ",[23,3761,3178],{"href":2369},", because role-based access only works when workforce members understand the limits of their access. It pairs with ",[23,3764,2852],{"href":1448},", because the people who execute an emergency mode operation plan have to have rehearsed it.",[16,3767,3768],{},"Training also feeds your risk analysis. Gaps surfaced in knowledge checks, incident post-mortems, or phishing simulation results are vulnerabilities in the meaning of §164.308(a)(1)(ii)(A) and should feed the next iteration of the program.",[11,3770,1358],{"id":1357},[137,3772,3773,3779,3785,3791,3796,3802],{},[74,3774,3775,3778],{},[59,3776,3777],{},"Training exists, but no one can prove it."," The training happened, but completion records are scattered across email, LMS exports, and personal notes. During an audit, the gap in the paper trail is treated as a gap in the control.",[74,3780,3781,3784],{},[59,3782,3783],{},"One-size-fits-all curriculum."," A single generic module for every role means engineers are bored and customer support is under-prepared. Risk accumulates at both ends.",[74,3786,3787,3790],{},[59,3788,3789],{},"Annual refresher only."," A single yearly session cannot compete with an entire year of phishing attempts and policy changes. Reminders and just-in-time triggers matter.",[74,3792,3793,3795],{},[59,3794,3215],{}," Long-tenured contractors with persistent PHI access never get refreshed. Treat contractors as workforce members from day one.",[74,3797,3798,3801],{},[59,3799,3800],{},"No knowledge check."," Watching a video is not training. 
Without an assessment, there is no evidence of comprehension — and OCR treats comprehension as the point.",[74,3803,3804,3807],{},[59,3805,3806],{},"Training runs forever after offboarding."," When a workforce member leaves, their LMS account stays active and skews completion metrics. Include training deactivation in your offboarding checklist.",[11,3809,1406],{"id":1405},[16,3811,3812],{},"episki ships a workforce training library mapped directly to §164.308(a)(5) and the rest of the Security Rule administrative safeguards. Onboarding, annual, and just-in-time modules come pre-built; role-specific modules layer on top; and completion, quiz scores, and attestation records flow into the evidence locker that auditors and customers review. Training records tie back to the workforce member, their role, and the systems they access — so gaps show up automatically instead of surfacing during a customer audit.",[16,3814,1412,3815,3817],{},[23,3816,1415],{"href":35}," or start a free trial from the top of this page.",{"title":257,"searchDepth":258,"depth":258,"links":3819},[3820,3821,3827,3828,3829,3830,3831,3832],{"id":3594,"depth":258,"text":3595},{"id":1485,"depth":258,"text":1486,"children":3822},[3823,3824,3825,3826],{"id":3616,"depth":264,"text":3617},{"id":3626,"depth":264,"text":3627},{"id":3636,"depth":264,"text":3637},{"id":3646,"depth":264,"text":3647},{"id":3653,"depth":258,"text":3654},{"id":3683,"depth":258,"text":3684},{"id":3712,"depth":258,"text":3713},{"id":1334,"depth":258,"text":1335},{"id":1357,"depth":258,"text":1358},{"id":1405,"depth":258,"text":1406},"HIPAA §164.308(a)(5) requires a security awareness and training program for every workforce member. 
Here is how to design, deliver, and document it.",{"items":3835},[3836,3839,3842,3845],{"label":3837,"content":3838},"How often is HIPAA workforce training required?","HIPAA does not prescribe a specific cadence, but OCR guidance and industry practice converge on training at hire, at least annually thereafter, and whenever there is a material change to policies, systems, or the threat landscape. Most mature programs also deliver short monthly or quarterly security reminders.",{"label":3840,"content":3841},"Who counts as a workforce member under HIPAA?","Workforce members include employees, volunteers, trainees, interns, and contractors whose work for the covered entity or business associate is under its direct control, whether or not they are paid. Every workforce member with access to PHI must receive training appropriate to their role.",{"label":3843,"content":3844},"Do business associates have to train their workforce?","Yes. The 2013 Omnibus Rule made business associates directly liable for compliance with the Security Rule, including §164.308(a)(5). Business associates must implement a security awareness and training program and document its delivery.",{"label":3846,"content":3847},"What should HIPAA training documentation include?","Retain rosters of who completed each module, the date of completion, the version of the material used, the learning objectives, and evidence of knowledge checks or attestations. Retain documentation for at least six years from creation or last effective date.",{},[293,1450,1451,1452],[3851,300,301,303],"sanctions-policy",{"title":3853,"description":3854},"HIPAA Workforce Training - §164.308(a)(5) Requirements & Documentation","Build a HIPAA workforce training program that satisfies §164.308(a)(5). 
Cadence, content, delivery methods, and documentation expectations from OCR.","5.frameworks\u002Fhipaa\u002Fworkforce-training","QHKGk1SWCPvDGG5zG1NDi-6CBEmIXt5ARmnCmJImKeI",{"id":3858,"title":3859,"body":3860,"description":4117,"extension":278,"faq":4118,"frameworkSlug":293,"lastUpdated":294,"meta":4132,"navigation":296,"path":1643,"relatedTerms":4133,"relatedTopics":4134,"seo":4135,"stem":4138,"__hash__":4139},"frameworkTopics\u002F5.frameworks\u002Fhipaa\u002Fworkstation-and-device-controls.md","HIPAA Workstation and Device Controls",{"type":8,"value":3861,"toc":4102},[3862,3866,3869,3872,3881,3885,3888,3891,3911,3914,3918,3921,3924,3927,3931,3934,3938,3941,3961,3964,3968,3971,3975,3978,3982,3985,3989,3992,4030,4033,4035,4047,4049,4093,4095,4098],[11,3863,3865],{"id":3864},"why-hipaa-workstation-and-device-controls-matter","Why HIPAA workstation and device controls matter",[16,3867,3868],{},"The HIPAA Security Rule dedicates three separate standards to the endpoints where workforce members interact with ePHI. §164.310(b) covers workstation use, §164.310(c) covers workstation security, and §164.310(d) covers device and media controls. Together they establish the expectations for every laptop, phone, kiosk, thumb drive, and backup tape that ever touches protected health information.",[16,3870,3871],{},"These standards have aged well because the regulators wrote them in technology-neutral language. Workstations in 1998 were beige towers bolted to desks. Workstations in 2026 are MacBooks in a coffee shop, iPads in a clinical bag, and shared kiosks at a reception desk. The requirements still apply — and the threats they address (lost devices, shared screens, improperly disposed media) have survived every hardware generation.",[16,3873,1478,3874,1179,3876,3878,3879,42],{},[23,3875,26],{"href":25},[23,3877,1182],{"href":35},". 
For the facility-level perimeter, see ",[23,3880,1345],{"href":1344},[11,3882,3884],{"id":3883},"workstation-use-164310b","Workstation use — §164.310(b)",[16,3886,3887],{},"The workstation use standard requires covered entities and business associates to \"implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.\"",[16,3889,3890],{},"In practice, the workstation use policy answers three questions.",[71,3892,3893,3899,3905],{},[74,3894,3895,3898],{},[59,3896,3897],{},"What functions are allowed on each workstation class?"," A developer laptop can write code and access test data. A clinical terminal can enter orders and view records. A personal phone enrolled in MDM can receive email notifications. Mixing functions expands risk — draw the lines intentionally.",[74,3900,3901,3904],{},[59,3902,3903],{},"How must those functions be performed?"," Specific expectations for screen positioning, privacy screens, locked rooms, approved Wi-Fi networks, and acceptable software. This is where the policy translates into daily workforce habits.",[74,3906,3907,3910],{},[59,3908,3909],{},"What surroundings are acceptable?"," Public spaces, shared living spaces, airports, and client sites each carry different risks. The policy should call out the surroundings where PHI work is prohibited outright.",[16,3912,3913],{},"Different workstation classes warrant different expectations. 
Publish a short matrix so workforce members can find their class without reading the full policy.",[11,3915,3917],{"id":3916},"workstation-security-164310c","Workstation security — §164.310(c)",[16,3919,3920],{},"The workstation security standard requires \"physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.\" This is a single specification, and it is required — not addressable.",[16,3922,3923],{},"Workstation security covers the physical controls that prevent an unauthorized person from interacting with an ePHI-capable workstation. In shared environments, that might mean cable locks, locked rooms, or privacy screens. For mobile devices, it means device-level authentication, automatic screen lock, and remote wipe capability. For fixed clinical terminals, it means positioning screens out of patient and visitor view.",[16,3925,3926],{},"A useful test: could a visitor, a janitorial contractor, or another workforce member without authorized access reach the workstation, unlock it, and view ePHI during a normal day? If the answer is yes, the control needs work.",[11,3928,3930],{"id":3929},"device-and-media-controls-164310d","Device and media controls — §164.310(d)",[16,3932,3933],{},"The device and media controls standard governs \"the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.\" Four implementation specifications sit underneath it — two required, two addressable.",[51,3935,3937],{"id":3936},"disposal-required-164310d2i","Disposal — required — §164.310(d)(2)(i)",[16,3939,3940],{},"Disposal requires policies and procedures to address the final disposition of ePHI and the hardware or media on which it is stored. NIST Special Publication 800-88 Rev. 1 is the industry standard. 
It distinguishes three levels of sanitization.",[137,3942,3943,3949,3955],{},[74,3944,3945,3948],{},[59,3946,3947],{},"Clear"," — logical techniques that overwrite data, suitable for media being reused in the same protection environment.",[74,3950,3951,3954],{},[59,3952,3953],{},"Purge"," — physical or logical techniques that render data recovery infeasible with state-of-the-art laboratory techniques, suitable for media leaving the organization's control.",[74,3956,3957,3960],{},[59,3958,3959],{},"Destroy"," — physical destruction (shredding, incineration, melting) so that media cannot be reused at all.",[16,3962,3963],{},"Select the level based on media type and confidentiality risk. Retain certificates of destruction from third-party disposal vendors. The most common OCR finding in this area is a missing certificate — not a failed sanitization technique.",[51,3965,3967],{"id":3966},"media-re-use-required-164310d2ii","Media re-use — required — §164.310(d)(2)(ii)",[16,3969,3970],{},"Media re-use requires removal of ePHI from electronic media before the media are made available for re-use. This is the sanitization step for devices that stay inside the organization — a laptop reassigned from one workforce member to another, a tablet moved between clinical roles, a backup drive repurposed for a test environment. Document the sanitization method, date, and responsible owner.",[51,3972,3974],{"id":3973},"accountability-addressable-164310d2iii","Accountability — addressable — §164.310(d)(2)(iii)",[16,3976,3977],{},"Accountability requires records of the movements of hardware and electronic media and the person responsible. Modern MDM and endpoint inventory tools handle most of this automatically for corporate devices. 
Gaps typically appear at the edges: portable backup drives, shipped development hardware, and devices loaned to contractors.",[51,3979,3981],{"id":3980},"data-backup-and-storage-addressable-164310d2iv","Data backup and storage — addressable — §164.310(d)(2)(iv)",[16,3983,3984],{},"Data backup and storage requires creating a retrievable, exact copy of ePHI before the equipment is moved, when needed. This overlaps with the contingency plan's backup specification — most programs satisfy both with the same backup infrastructure.",[11,3986,3988],{"id":3987},"building-a-modern-endpoint-program","Building a modern endpoint program",[16,3990,3991],{},"A defensible workstation and device program for a 2026 workforce includes six layers.",[71,3993,3994,4000,4006,4012,4018,4024],{},[74,3995,3996,3999],{},[59,3997,3998],{},"Inventory."," Every device that could handle ePHI is enrolled and tracked. Unmanaged devices are either blocked or registered under a clear exception process.",[74,4001,4002,4005],{},[59,4003,4004],{},"Configuration baseline."," Full-disk encryption, screen lock, MFA, automatic patching, approved software, and logging. Enforce through MDM.",[74,4007,4008,4011],{},[59,4009,4010],{},"Access controls."," Unique user identification, conditional access based on device posture, and role-based application access tied back to the Security Rule's access control standard.",[74,4013,4014,4017],{},[59,4015,4016],{},"Monitoring."," Endpoint detection, audit log collection, and alerting for anomalous behavior. 
Monitoring is also how you satisfy the audit controls standard in the Security Rule.",[74,4019,4020,4023],{},[59,4021,4022],{},"Lifecycle management."," Structured onboarding issues devices in a known-good state; structured offboarding recovers, sanitizes, and retires them with a documented trail.",[74,4025,4026,4029],{},[59,4027,4028],{},"Incident response integration."," Lost, stolen, or compromised devices trigger a defined runbook that ties back to your Breach Notification Rule procedures.",[16,4031,4032],{},"For healthcare environments with a wide range of device types — infusion pumps, imaging workstations, clinical tablets, workstation-on-wheels — add a medical device security program that addresses the specific risks of devices the IT organization may not fully control.",[11,4034,1335],{"id":1334},[16,4036,4037,4038,4040,4041,4043,4044,4046],{},"Workstation and device controls live at the intersection of physical and technical safeguards. They pair with ",[23,4039,1345],{"href":1344}," to define the outer perimeter. They pair with the Security Rule's access control, audit controls, and encryption standards on the technical side. They pair with ",[23,4042,1350],{"href":1349}," because workstation expectations only operate if the people at the keyboard know them. And they pair with the ",[23,4045,2277],{"href":2276},", because a workforce member who ignores workstation policy must face consistent consequences.",[11,4048,1358],{"id":1357},[137,4050,4051,4057,4063,4069,4075,4081,4087],{},[74,4052,4053,4056],{},[59,4054,4055],{},"Personal devices in the gray zone."," Workforce members use personal phones to read ePHI-laden email \"sometimes,\" but no MDM enrollment and no formal policy ever gets written. 
Every lost phone becomes a potential breach.",[74,4058,4059,4062],{},[59,4060,4061],{},"Disposal without certificates."," Devices leave the organization through informal channels — an IT manager's car trunk on the way to a recycler — without signed certificates of destruction.",[74,4064,4065,4068],{},[59,4066,4067],{},"Shared clinical terminals with generic logins."," Audit logs cannot attribute actions to individual workforce members, collapsing the Security Rule's unique user identification requirement.",[74,4070,4071,4074],{},[59,4072,4073],{},"Unencrypted backup media."," Production systems are encrypted, but offline backups on portable drives are not. A lost drive becomes a reportable breach.",[74,4076,4077,4080],{},[59,4078,4079],{},"Old hardware in closets."," Retired devices accumulate in storage, some still containing ePHI, none on the inventory, none scheduled for disposal.",[74,4082,4083,4086],{},[59,4084,4085],{},"Home office blind spot."," Workforce members print ePHI at home \"occasionally,\" and there is no guidance on storage or disposal. Printed PHI falls under the Privacy Rule regardless of whether anyone thinks about the print job.",[74,4088,4089,4092],{},[59,4090,4091],{},"No deprovisioning tie-in."," Device recovery at offboarding is a manual checklist that managers sometimes complete, so retired workforce members occasionally retain a company laptop with ePHI access for weeks.",[11,4094,1406],{"id":1405},[16,4096,4097],{},"episki connects device inventory, MDM posture, and disposal records into the HIPAA evidence locker that auditors and customers review. Workstation use policies, encryption attestations, certificates of destruction, and lost-device runbooks live alongside the §164.310(b), (c), and (d) controls they satisfy. Offboarding checklists tie into the HR event so device recovery and access revocation run on the same timeline. 
Workforce members see the policy that applies to their device class, and you see the gaps before an auditor does.",[16,4099,1412,4100,1416],{},[23,4101,1415],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":4103},[4104,4105,4106,4107,4113,4114,4115,4116],{"id":3864,"depth":258,"text":3865},{"id":3883,"depth":258,"text":3884},{"id":3916,"depth":258,"text":3917},{"id":3929,"depth":258,"text":3930,"children":4108},[4109,4110,4111,4112],{"id":3936,"depth":264,"text":3937},{"id":3966,"depth":264,"text":3967},{"id":3973,"depth":264,"text":3974},{"id":3980,"depth":264,"text":3981},{"id":3987,"depth":258,"text":3988},{"id":1334,"depth":258,"text":1335},{"id":1357,"depth":258,"text":1358},{"id":1405,"depth":258,"text":1406},"HIPAA §164.310(b), (c), and (d) govern workstation use, workstation security, and device and media controls. Here is how to implement them for a modern workforce.",{"items":4119},[4120,4123,4126,4129],{"label":4121,"content":4122},"What counts as a workstation under HIPAA?","A workstation is any electronic computing device — laptop, desktop, tablet, kiosk, or fixed clinical terminal — used to perform functions involving ePHI, along with the electronic media stored in its immediate environment. HHS guidance is deliberately broad so policies age well as form factors change.",{"label":4124,"content":4125},"Do personal devices have to meet HIPAA workstation controls?","If a personal device is used to access, store, or transmit ePHI, it is a workstation under HIPAA and must meet the same controls as a corporate-issued device. Most mature programs either prohibit personal devices or enroll them in mobile device management with enforced encryption, screen lock, and remote wipe.",{"label":4127,"content":4128},"How should we dispose of devices that contained ePHI?","Media disposal under §164.310(d)(2)(i) requires policies and procedures to address the final disposition of ePHI and the media on which it is stored. 
NIST SP 800-88 is the industry standard for sanitization — choose clear, purge, or destroy based on media type and confidentiality needs, and retain disposal records for at least six years.",{"label":4130,"content":4131},"Are encrypted laptops a HIPAA requirement?","Encryption is an addressable specification under the Security Rule, but in practice it is the only defensible control for portable devices. An unencrypted lost laptop containing ePHI is the canonical OCR breach scenario — and unencrypted devices fail every customer security review.",{},[293,1450,1451,1452],[300,1455,2372,303],{"title":4136,"description":4137},"HIPAA Workstation & Device Controls - §164.310(b)(c)(d) Guide","Implement HIPAA workstation use, workstation security, and device and media controls under §164.310(b)(c)(d). Endpoint policy, media disposal, and MDM.","5.frameworks\u002Fhipaa\u002Fworkstation-and-device-controls","nNal5DPDcHTJrEbqmtVnVFrjH-NV14DMC8pOZCf4tRw",{"id":4141,"title":4142,"advantages":4143,"body":4165,"checklist":4626,"cta":4635,"description":257,"extension":278,"faq":4638,"hero":4656,"lastUpdated":4672,"meta":4673,"name":4510,"navigation":296,"path":35,"resources":4674,"seo":4687,"slug":293,"stats":4690,"stem":4700,"__hash__":4701},"frameworks\u002F5.frameworks\u002Fhipaa.md","Hipaa",[4144,4151,4158],{"title":4145,"description":4146,"bullets":4147},"Safeguards mapped to your stack","Every HIPAA standard comes with plain-language owners, SLAs, and tests.",[4148,4149,4150],"Assign compliance, engineering, and ops leads to each safeguard","Playbooks explain what “good” looks like for each requirement","Timeline view keeps renewals and reviews on schedule",{"title":4152,"description":4153,"bullets":4154},"PHI-aware evidence locker","Secure uploads, access controls, and audit trails keep regulators satisfied.",[4155,4156,4157],"Granular permissions for internal and external reviewers","Automated retention and deletion policies","Download tracking and access audit 
trails",{"title":4159,"description":4160,"bullets":4161},"Vendor & incident workflows","Track BAAs, vendor attestations, and incidents from discovery to closure.",[4162,4163,4164],"BAA repository tied to vendor risk levels","Incident response runbooks with reminders","Post-incident reports aligned to HIPAA timelines",{"type":8,"value":4166,"toc":4599},[4167,4171,4174,4185,4188,4192,4195,4237,4241,4244,4249,4253,4256,4260,4268,4288,4291,4295,4302,4310,4314,4317,4321,4324,4327,4336,4340,4343,4346,4348,4360,4362,4371,4373,4376,4382,4386,4389,4392,4397,4400,4406,4409,4412,4418,4421,4444,4447,4450,4453,4458,4462,4465,4491,4494,4497,4501,4504,4523,4526,4530,4538,4542,4545,4574,4581,4585,4588,4596],[11,4168,4170],{"id":4169},"what-is-hipaa","What is HIPAA?",[16,4172,4173],{},"HIPAA, the Health Insurance Portability and Accountability Act of 1996, is the cornerstone US federal law governing the privacy and security of patient health information. Signed into law by President Bill Clinton, the act was originally designed to improve the portability of health insurance coverage when workers changed jobs, combat fraud and waste in healthcare, and simplify the administration of health insurance through standardized electronic transactions. Over the decades since, HIPAA has evolved into the defining US regulation for how healthcare organizations and their partners handle sensitive patient data.",[16,4175,4176,4177,4181,4182,4184],{},"At its core, the law establishes national standards that protect sensitive patient information — known as ",[23,4178,4180],{"href":4179},"\u002Fglossary\u002Fphi","protected health information",", or PHI — from unauthorized use and disclosure. Any organization that creates, receives, maintains, or transmits PHI must comply, whether that organization is a hospital, a health plan, a billing clearinghouse, or a SaaS vendor providing services to healthcare customers. 
The ",[23,4183,41],{"href":40}," provides a concise definition, while this page walks through the full regulatory landscape so you understand how each HIPAA rule fits together.",[16,4186,4187],{},"Enforcement falls to the US Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). State attorneys general also have authority to bring enforcement actions under powers granted by the HITECH Act. The law applies across all 50 states and preempts weaker state privacy laws, though state laws that provide greater protection remain in force.",[11,4189,4191],{"id":4190},"a-brief-history-of-hipaa","A brief history of HIPAA",[16,4193,4194],{},"HIPAA was enacted in 1996, but its privacy and security requirements were not finalized overnight. The act directed HHS to develop implementing regulations, and the major rules were rolled out over more than a decade.",[137,4196,4197,4203,4209,4215,4225,4231],{},[74,4198,4199,4202],{},[59,4200,4201],{},"1996"," — Congress passes HIPAA, directing HHS to issue regulations on privacy, security, and electronic transactions.",[74,4204,4205,4208],{},[59,4206,4207],{},"2000"," — The HIPAA Privacy Rule is published; it takes full effect in 2003.",[74,4210,4211,4214],{},[59,4212,4213],{},"2003"," — The HIPAA Security Rule is finalized, with compliance required by 2005 for most entities.",[74,4216,4217,4220,4221,4224],{},[59,4218,4219],{},"2009"," — The Health Information Technology for Economic and Clinical Health Act (",[23,4222,4223],{"href":2104},"HITECH",") is signed into law as part of the American Recovery and Reinvestment Act, extending HIPAA obligations to business associates and introducing breach notification requirements.",[74,4226,4227,4230],{},[59,4228,4229],{},"2013"," — The HIPAA Omnibus Rule implements HITECH and further strengthens HIPAA enforcement, fines, and patient rights.",[74,4232,4233,4236],{},[59,4234,4235],{},"2024 and beyond"," — HHS continues to update HIPAA guidance, most recently 
around cybersecurity expectations, reproductive health privacy, and the proposed modernization of the HIPAA Security Rule to reflect modern threats.",[51,4238,4240],{"id":4239},"hitech-and-the-omnibus-rule","HITECH and the Omnibus Rule",[16,4242,4243],{},"The HITECH Act of 2009 was a watershed moment. Before HITECH, HIPAA obligations technically applied only to covered entities, and business associates were bound solely by contract. HITECH changed that by making business associates directly liable. It also introduced the federal Breach Notification Rule, increased civil monetary penalties, and funded the nationwide adoption of electronic health records — which dramatically expanded the volume of electronic PHI requiring protection.",[16,4245,4246,4247,42],{},"The 2013 Omnibus Rule then translated HITECH into binding regulation. It extended the Privacy and Security Rules to business associates and their subcontractors, tightened the definition of a breach, strengthened individual rights to access electronic health records, and aligned the law with the Genetic Information Nondiscrimination Act (GINA). For a deeper breakdown of what changed, read ",[23,4248,4240],{"href":2104},[11,4250,4252],{"id":4251},"who-hipaa-applies-to","Who HIPAA applies to",[16,4254,4255],{},"HIPAA applies to two broad categories of organizations: covered entities and business associates. 
Understanding which category your organization falls into is the first and most important step in any HIPAA compliance program.",[51,4257,4259],{"id":4258},"covered-entities","Covered entities",[16,4261,4262,4263,4267],{},"A ",[23,4264,4266],{"href":4265},"\u002Fglossary\u002Fcovered-entity","covered entity"," is any of the following:",[137,4269,4270,4276,4282],{},[74,4271,4272,4275],{},[59,4273,4274],{},"Health plans"," — health insurance companies, HMOs, employer-sponsored group health plans, government programs like Medicare and Medicaid, and long-term care insurers.",[74,4277,4278,4281],{},[59,4279,4280],{},"Healthcare providers"," — hospitals, clinics, physician practices, dentists, pharmacies, psychologists, and any other provider that transmits health information electronically for billing or eligibility purposes.",[74,4283,4284,4287],{},[59,4285,4286],{},"Healthcare clearinghouses"," — entities that process nonstandard health information into standard formats (or vice versa), such as billing services and repricing companies.",[16,4289,4290],{},"If your organization directly delivers healthcare or finances it, you are almost certainly a covered entity.",[51,4292,4294],{"id":4293},"business-associates","Business associates",[16,4296,4262,4297,4301],{},[23,4298,4300],{"href":4299},"\u002Fglossary\u002Fbusiness-associate","business associate"," is any person or organization that performs a function or activity on behalf of a covered entity that involves the use or disclosure of PHI. Typical business associates include cloud hosting providers, billing vendors, EHR vendors, IT service providers, analytics firms, legal counsel, accounting firms, transcription services, and SaaS platforms that process PHI on behalf of covered entities.",[16,4303,4304,4305,4309],{},"Most modern SaaS companies serving healthcare customers are business associates. 
If your product ingests, stores, processes, or transmits PHI for a covered entity, HIPAA applies to you directly — regardless of whether you consider yourself a \"healthcare company.\" Subcontractors of business associates are themselves business associates and are bound by the same obligations. Signing a ",[23,4306,4308],{"href":4307},"\u002Fglossary\u002Fbaa","business associate agreement"," with every upstream and downstream partner that touches PHI is non-negotiable.",[51,4311,4313],{"id":4312},"who-is-not-covered-by-hipaa","Who is not covered by HIPAA?",[16,4315,4316],{},"Not every organization that handles health information is subject to the law. Consumer wellness apps, fitness trackers, direct-to-consumer genetic testing services, employers (in their role as employers), life insurers, and schools generally fall outside its reach unless they act on behalf of a covered entity. That said, many of these organizations still face FTC oversight, state privacy laws, and customer expectations that mirror HIPAA protections.",[11,4318,4320],{"id":4319},"the-hipaa-privacy-rule","The HIPAA Privacy Rule",[16,4322,4323],{},"The HIPAA Privacy Rule sets national standards for the protection of PHI in all forms — electronic, paper, and oral. It establishes when PHI may be used and disclosed, defines patient rights over their own health data, and imposes the minimum necessary standard on most disclosures. 
The Privacy Rule applies to covered entities directly and to business associates through their BAAs.",[16,4325,4326],{},"Key Privacy Rule concepts include the Notice of Privacy Practices, patient access rights (including the right to an electronic copy of an electronic health record within 30 days), the right to request amendments and accounting of disclosures, the minimum necessary standard, permitted uses for treatment, payment, and operations, and the authorization requirements for marketing and sale of PHI.",[16,4328,4329,4330,4332,4333,4335],{},"For a comprehensive walkthrough of the HIPAA Privacy Rule, permitted disclosures, and patient rights, read the dedicated ",[23,4331,31],{"href":30}," guide. For more on the narrowly tailored access principle that governs day-to-day PHI handling, see the ",[23,4334,3178],{"href":2369}," page.",[11,4337,4339],{"id":4338},"the-hipaa-security-rule","The HIPAA Security Rule",[16,4341,4342],{},"The HIPAA Security Rule establishes the national floor for protecting electronic PHI (ePHI). While the Privacy Rule covers every form of PHI, the Security Rule is scoped to electronic data — which, in 2026, is effectively every record of clinical or financial relevance inside a modern healthcare organization.",[16,4344,4345],{},"The Security Rule organizes its requirements into three categories of safeguards. Every covered entity and business associate must implement each category based on a documented HIPAA risk analysis.",[51,4347,3305],{"id":3304},[16,4349,4350,4351,4353,4354,4356,4357,4359],{},"Administrative safeguards are the policies, procedures, and organizational measures that govern your HIPAA program. They include security management processes, a designated security official, ",[23,4352,1350],{"href":1349},", a ",[23,4355,2277],{"href":2276}," for workforce violations, access management, ",[23,4358,2852],{"href":1448},", periodic evaluations, and BAAs with every downstream partner. 
These typically consume the most effort because they touch every corner of the business.",[51,4361,3362],{"id":3361},[16,4363,4364,4365,573,4367,4370],{},"Physical safeguards protect the facilities, workstations, devices, and media that house ePHI. This category covers ",[23,4366,1345],{"href":1344},[23,4368,4369],{"href":1643},"workstation and device controls",", and media disposal. For cloud-first SaaS companies, physical safeguards increasingly translate into inherited controls from hyperscale cloud providers, but every regulated organization still needs defensible answers for the laptops, offices, and portable media its workforce uses.",[51,4372,3398],{"id":3397},[16,4374,4375],{},"Technical safeguards are the technology controls that protect ePHI and govern access to it. They include unique user identification, automatic logoff, encryption and decryption of ePHI at rest and in transit, audit controls that log system activity, integrity controls that prevent improper alteration, and person or entity authentication.",[16,4377,4378,4379,4381],{},"For a deep dive into the complete Security Rule standards, required versus addressable implementation specifications, and how to pass an OCR audit of your ePHI safeguards, read the ",[23,4380,26],{"href":25}," guide.",[11,4383,4385],{"id":4384},"the-hipaa-breach-notification-rule","The HIPAA Breach Notification Rule",[16,4387,4388],{},"The Breach Notification Rule, added by HITECH and finalized in the Omnibus Rule, requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media when unsecured PHI is breached. 
A breach is presumed whenever PHI is used or disclosed in a way that is not permitted under the Privacy Rule, unless the organization can demonstrate through a four-factor risk assessment that there is a low probability the PHI has been compromised.",[16,4390,4391],{},"Notifications must be made without unreasonable delay and in no case later than 60 calendar days after discovery. Business associates must notify their covered entity clients, who in turn notify affected individuals. Breaches involving 500 or more individuals must be reported to HHS within 60 days and listed on the public OCR \"Wall of Shame,\" while smaller breaches may be reported in an annual log.",[16,4393,4394,4395,4381],{},"For full details on timelines, content requirements, and documentation expectations, see the ",[23,4396,6],{"href":297},[11,4398,4399],{"id":302},"Business associate agreements",[16,4401,4402,4403,4405],{},"No PHI should ever leave a covered entity — or a business associate — without a properly executed BAA in place. A ",[23,4404,4308],{"href":178}," is a legally binding contract that defines permitted uses and disclosures of PHI, requires implementation of appropriate safeguards, obligates breach notification, mandates BAA flow-down to subcontractors, and establishes termination rights when a business associate violates the agreement.",[16,4407,4408],{},"In practice, BAA management is one of the most common HIPAA failure modes for growing SaaS companies. Deals close, engineering ships, and PHI starts flowing before legal has countersigned the BAA — creating exposure for both sides. A disciplined BAA intake process, a BAA repository with renewal reminders, and clear ownership of vendor risk are table stakes for any serious compliance program.",[11,4410,247],{"id":4411},"hipaa-compliance-checklist",[16,4413,4414,4415,4417],{},"Translating the regulatory language into day-to-day operations is where most programs struggle. 
The ",[23,4416,247],{"href":246}," walks through every major obligation — from assigning a security official through finalizing your Notice of Privacy Practices — as a sequenced program of work.",[16,4419,4420],{},"At a high level, a complete HIPAA program includes:",[137,4422,4423,4426,4429,4432,4435,4438,4441],{},[74,4424,4425],{},"A current risk analysis and documented risk management plan.",[74,4427,4428],{},"Written policies and procedures covering Privacy, Security, and Breach Notification obligations.",[74,4430,4431],{},"A signed BAA with every vendor, subcontractor, and customer that exchanges PHI.",[74,4433,4434],{},"Workforce training at hire and at least annually thereafter, with documented completion.",[74,4436,4437],{},"Access control, audit logging, encryption, and contingency planning for every system that touches ePHI.",[74,4439,4440],{},"An incident response runbook aligned to the Breach Notification Rule.",[74,4442,4443],{},"Documentation retained for at least six years from creation or last effective date, whichever is later.",[11,4445,1187],{"id":4446},"hipaa-risk-analysis",[16,4448,4449],{},"Every HIPAA Security Rule program begins with a risk analysis. Under 45 CFR §164.308(a)(1)(ii)(A), covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. HHS has repeatedly stated that a missing or superficial risk analysis is among the most common findings in OCR enforcement actions.",[16,4451,4452],{},"A defensible risk analysis inventories every system that creates, receives, maintains, or transmits ePHI, identifies threats and vulnerabilities affecting each system, measures the likelihood and impact of each risk, and feeds directly into the Security Management Process that prioritizes mitigation. 
Most mature programs align their methodology to NIST Special Publication 800-30, which OCR cites favorably.",[16,4454,4455,4456,4381],{},"For a full breakdown of methodology, documentation requirements, and common pitfalls, read the ",[23,4457,1187],{"href":1186},[11,4459,4461],{"id":4460},"penalties-and-enforcement","Penalties and enforcement",[16,4463,4464],{},"Enforcement is administered by OCR, with parallel criminal enforcement authority held by the Department of Justice and civil enforcement authority held by state attorneys general. HIPAA penalties are tiered by culpability.",[137,4466,4467,4473,4479,4485],{},[74,4468,4469,4472],{},[59,4470,4471],{},"Tier 1 — Unknowing violation"," — $100 to $50,000 per violation; annual cap $25,000 for identical violations.",[74,4474,4475,4478],{},[59,4476,4477],{},"Tier 2 — Reasonable cause"," — $1,000 to $50,000 per violation; annual cap $100,000.",[74,4480,4481,4484],{},[59,4482,4483],{},"Tier 3 — Willful neglect, corrected"," — $10,000 to $50,000 per violation; annual cap $250,000.",[74,4486,4487,4490],{},[59,4488,4489],{},"Tier 4 — Willful neglect, uncorrected"," — $50,000 per violation; annual cap $1.5 million per violation category.",[16,4492,4493],{},"Penalty amounts are adjusted annually for inflation. Criminal penalties can reach $250,000 and 10 years of imprisonment for offenses involving intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.",[16,4495,4496],{},"OCR enforcement tends to cluster around predictable themes: missing or inadequate risk analyses, lost unencrypted devices, failure to terminate workforce access, insufficient BAAs, delayed breach notifications, and refusal to provide patient access to records. 
Organizations that can demonstrate a mature, well-documented program — with evidence of ongoing risk analysis, training, and monitoring — consistently receive more favorable resolutions.",[11,4498,4500],{"id":4499},"hipaa-vs-hitech-vs-hitrust","HIPAA vs HITECH vs HITRUST",[16,4502,4503],{},"These three acronyms sit close together in healthcare conversations and are often conflated. They are related but distinct.",[137,4505,4506,4512,4517],{},[74,4507,4508,4511],{},[59,4509,4510],{},"HIPAA"," is the underlying federal law and its implementing regulations (Privacy, Security, Breach Notification, and Enforcement Rules). HIPAA defines the legal obligations.",[74,4513,4514,4516],{},[59,4515,4223],{}," is a 2009 federal law that strengthened HIPAA — extending it to business associates, introducing breach notification, increasing penalties, and funding EHR adoption. HITECH is part of HIPAA's regulatory stack, not a separate framework.",[74,4518,4519,4522],{},[59,4520,4521],{},"HITRUST"," is a private-sector certification maintained by the HITRUST Alliance. The HITRUST CSF is a control framework that maps HIPAA, NIST, ISO 27001, PCI DSS, and other standards into a single certifiable set of controls. HITRUST is a common way to demonstrate HIPAA compliance to sophisticated healthcare customers, but HITRUST certification is not itself required by HIPAA.",[16,4524,4525],{},"A healthcare SaaS company might pursue HITRUST CSF certification as a commercial asset while its underlying legal obligation remains HIPAA compliance under HITECH-amended rules.",[51,4527,4529],{"id":4528},"hipaa-and-soc-2","HIPAA and SOC 2",[16,4531,4532,4533,4537],{},"Many SaaS companies pursue ",[23,4534,4536],{"href":4535},"\u002Fframeworks\u002Fsoc2","SOC 2"," alongside HIPAA. The two frameworks complement each other: SOC 2 evaluates security, availability, confidentiality, processing integrity, and privacy trust services criteria, while HIPAA is a statutory requirement for handling PHI. 
A well-designed control environment can satisfy both with substantial overlap.",[11,4539,4541],{"id":4540},"getting-hipaa-compliant","Getting HIPAA compliant",[16,4543,4544],{},"The most successful HIPAA programs treat compliance as a continuous operating rhythm rather than a once-a-year scramble. A typical rollout for a SaaS company serving healthcare customers looks like this.",[71,4546,4547,4550,4553,4556,4559,4562,4565,4568,4571],{},[74,4548,4549],{},"Confirm your status as a covered entity, business associate, or both, and inventory the PHI you handle today.",[74,4551,4552],{},"Appoint a security official and a privacy official (the same person may hold both roles at small companies).",[74,4554,4555],{},"Conduct a risk analysis scoped to every system that creates, receives, maintains, or transmits ePHI.",[74,4557,4558],{},"Implement the administrative, physical, and technical safeguards required by the Security Rule, informed by your risk analysis.",[74,4560,4561],{},"Draft and publish policies and procedures covering Privacy, Security, and Breach Notification obligations.",[74,4563,4564],{},"Execute BAAs with every vendor that touches PHI, and require a signed BAA before onboarding any new customer that qualifies as a covered entity.",[74,4566,4567],{},"Deliver workforce training at hire and annually thereafter, and document completion.",[74,4569,4570],{},"Stand up an incident response runbook aligned to the Breach Notification Rule.",[74,4572,4573],{},"Operate the program: review access quarterly, test contingency plans at least annually, refresh your risk analysis whenever material change occurs, and retain documentation for at least six years.",[16,4575,4576,4577,4580],{},"For companies operating in the broader ",[23,4578,4579],{"href":238},"healthcare industry",", HIPAA is rarely the only regulation in scope. 
State privacy laws, the 21st Century Cures Act, FDA software-as-a-medical-device requirements, and payor-specific security reviews often run in parallel — which is why most compliance programs are built into a broader GRC operating model.",[11,4582,4584],{"id":4583},"how-episki-helps-with-hipaa-compliance","How episki helps with HIPAA compliance",[16,4586,4587],{},"episki is the HIPAA compliance platform for healthtech teams that need to ship fast without losing control of PHI. We map Privacy, Security, and Breach Notification obligations directly to your systems, automate evidence collection for every safeguard, manage BAAs across your vendor ecosystem, and keep risk analyses current as your stack evolves.",[16,4589,4590,4591,4595],{},"Our platform was designed by practitioners who have led HIPAA programs at healthcare organizations and audited them as consultants. The result is a workspace that makes it obvious what is done, what is due, and what is drifting — so you can spend less time reconstructing evidence the week before a customer audit and more time building product. Read the ",[23,4592,4594],{"href":4593},"\u002Fnow\u002Fhipaa-compliance-healthtech","HIPAA for healthtech"," playbook for a closer look at how modern SaaS companies operate HIPAA at startup speed.",[16,4597,4598],{},"Ready to tighten your HIPAA program? 
Start a free trial or book a demo from the top of this page.",{"title":257,"searchDepth":258,"depth":258,"links":4600},[4601,4602,4605,4610,4611,4616,4617,4618,4619,4620,4621,4624,4625],{"id":4169,"depth":258,"text":4170},{"id":4190,"depth":258,"text":4191,"children":4603},[4604],{"id":4239,"depth":264,"text":4240},{"id":4251,"depth":258,"text":4252,"children":4606},[4607,4608,4609],{"id":4258,"depth":264,"text":4259},{"id":4293,"depth":264,"text":4294},{"id":4312,"depth":264,"text":4313},{"id":4319,"depth":258,"text":4320},{"id":4338,"depth":258,"text":4339,"children":4612},[4613,4614,4615],{"id":3304,"depth":264,"text":3305},{"id":3361,"depth":264,"text":3362},{"id":3397,"depth":264,"text":3398},{"id":4384,"depth":258,"text":4385},{"id":302,"depth":258,"text":4399},{"id":4411,"depth":258,"text":247},{"id":4446,"depth":258,"text":1187},{"id":4460,"depth":258,"text":4461},{"id":4499,"depth":258,"text":4500,"children":4622},[4623],{"id":4528,"depth":264,"text":4529},{"id":4540,"depth":258,"text":4541},{"id":4583,"depth":258,"text":4584},{"title":4627,"description":4628,"items":4629},"HIPAA launch kit","Guided steps keep privacy, security, and ops in sync from day one.",[4630,4631,4632,4633,4634],"Safeguard library with ownership matrix","Evidence tracking for access logs and configs","BAA tracker with renewal reminders","Incident and breach response templates","Stakeholder portal with PHI redaction controls",{"title":4636,"description":4637},"Launch HIPAA monitoring in minutes","Kick off the free trial and invite stakeholders before your next diligence call.",{"title":4639,"items":4640},"HIPAA compliance frequently asked questions",[4641,4644,4647,4650,4653],{"label":4642,"content":4643},"Who needs to comply with HIPAA?","HIPAA applies to covered entities (health plans, healthcare providers, clearinghouses) and business associates — any vendor or subcontractor that creates, receives, maintains, or transmits protected health information (PHI). 
SaaS companies serving healthcare customers almost always qualify as business associates.",{"label":4645,"content":4646},"What is a Business Associate Agreement (BAA)?","A BAA is a legally required contract between a covered entity and a business associate that establishes permitted uses and disclosures of PHI, requires appropriate safeguards, and outlines breach notification responsibilities. No PHI should be shared with a vendor before a BAA is signed.",{"label":4648,"content":4649},"What are the penalties for HIPAA violations?","HIPAA penalties range from $100 to $50,000 per violation depending on the level of negligence, with annual maximums up to $1.5 million per violation category. Criminal penalties can include fines up to $250,000 and imprisonment. The HHS Office for Civil Rights enforces compliance.",{"label":4651,"content":4652},"Does HIPAA apply to SaaS companies?","Yes. Any SaaS company that handles, stores, or transmits PHI on behalf of a healthcare organization is considered a business associate under HIPAA and must comply with the Security Rule, Privacy Rule, and Breach Notification Rule.",{"label":4654,"content":4655},"What are the three HIPAA safeguard categories?","HIPAA requires administrative safeguards (policies, training, risk assessments), physical safeguards (facility access, workstation security), and technical safeguards (access controls, encryption, audit logging) to protect electronic PHI.",{"headline":4657,"title":4658,"description":4659,"links":4660},"HIPAA-ready cloud teams","Stay HIPAA compliant while shipping product weekly","episki maps administrative, physical, and technical safeguards to your systems and keeps PHI protections verifiable.",[4661,4665],{"label":4662,"icon":4663,"to":4664},"Start HIPAA trial","i-lucide-rocket","https:\u002F\u002Fepiski.app\u002Fauth\u002Fregister",{"label":4666,"icon":4667,"color":4668,"variant":4669,"to":4670,"target":4671},"Book a 
demo","i-lucide-message-circle","neutral","subtle","\u002Fdemo","_blank","2026-04-27",{},{"headline":4675,"title":4675,"description":4676,"items":4677},"HIPAA enablement","Keep leadership, customers, and partners aligned.",[4678,4681,4684],{"title":4679,"description":4680},"Board-ready posture report","Shows maturity score, risk trends, and upcoming audits.",{"title":4682,"description":4683},"Customer FAQ pack","Answers the most common HIPAA diligence questions.",{"title":4685,"description":4686},"Ops automation guide","Explains how to plug security tasks into existing tools.",{"title":4688,"description":4689},"HIPAA Compliance Management Software","Map HIPAA safeguards, track PHI evidence, and manage BAAs in one secure workspace. Get audit-ready in 30 days with episki's free trial.",[4691,4694,4697],{"value":4692,"description":4693},"30-day rollout","Average time to production monitoring across safeguards.",{"value":4695,"description":4696},"PHI-safe sharing","Role-based portals keep sensitive documents organized and protected.",{"value":4698,"description":4699},"24\u002F7 alerts","Continuous monitoring for access, logging, and vendor risks.","5.frameworks\u002Fhipaa","9IldK-wXldOkZs8WFGmDWXYF8To1wETqwKkhsGGUW04",[4703,5266],{"id":4704,"title":4705,"body":4706,"description":257,"extension":278,"lastUpdated":294,"meta":5248,"navigation":296,"path":5249,"relatedFrameworks":5250,"relatedTerms":5256,"seo":5260,"slug":5263,"stem":5264,"term":4711,"__hash__":5265},"glossary\u002F8.glossary\u002Faccess-control.md","Access Control",{"type":8,"value":4707,"toc":5234},[4708,4712,4715,4719,4722,4748,4752,4758,4764,4770,4776,4780,4783,4789,4806,4812,4826,4832,4843,4847,4850,4901,4905,4908,4922,4926,4929,4952,4956,4959,5008,5012,5015,5129,5132,5135,5164,5168,5174,5177,5214,5217,5220,5223,5227],[11,4709,4711],{"id":4710},"what-is-access-control","What is Access Control?",[16,4713,4714],{},"Access control is the set of policies, procedures, and technical mechanisms that regulate 
who can access systems, data, and resources within an organization. It ensures that only authorized individuals can view, modify, or interact with sensitive information and critical systems. Access control is one of the most fundamental and universally required security controls across every major compliance framework.",[51,4716,4718],{"id":4717},"what-are-the-core-principles-of-access-control","What are the core principles of access control?",[16,4720,4721],{},"Access control is built on several foundational principles:",[137,4723,4724,4730,4736,4742],{},[74,4725,4726,4729],{},[59,4727,4728],{},"Least privilege"," — users are granted only the minimum access necessary to perform their job functions",[74,4731,4732,4735],{},[59,4733,4734],{},"Separation of duties"," — critical tasks are divided among multiple individuals to prevent any single person from having unchecked authority",[74,4737,4738,4741],{},[59,4739,4740],{},"Need to know"," — access to information is restricted to those who require it for a specific purpose",[74,4743,4744,4747],{},[59,4745,4746],{},"Default deny"," — access is denied by default unless explicitly granted",[51,4749,4751],{"id":4750},"what-are-the-types-of-access-control","What are the types of access control?",[16,4753,4754,4757],{},[59,4755,4756],{},"Role-Based Access Control (RBAC)"," — access is determined by the user's role within the organization. Roles are defined with specific permissions, and users are assigned to roles. This is the most common model in enterprise environments.",[16,4759,4760,4763],{},[59,4761,4762],{},"Attribute-Based Access Control (ABAC)"," — access decisions are based on attributes of the user, the resource, and the environment (e.g., department, location, time of day, device type).",[16,4765,4766,4769],{},[59,4767,4768],{},"Discretionary Access Control (DAC)"," — resource owners decide who can access their resources. 
Common in file systems where owners set permissions.",[16,4771,4772,4775],{},[59,4773,4774],{},"Mandatory Access Control (MAC)"," — access is controlled by the system based on security labels and clearance levels. Common in government and military environments.",[51,4777,4779],{"id":4778},"what-are-access-control-components","What are access control components?",[16,4781,4782],{},"A complete access control program addresses:",[16,4784,4785,4788],{},[59,4786,4787],{},"Authentication"," — verifying the identity of users:",[137,4790,4791,4794,4797,4800,4803],{},[74,4792,4793],{},"Passwords and passphrases",[74,4795,4796],{},"Multi-factor authentication (MFA)",[74,4798,4799],{},"Single sign-on (SSO)",[74,4801,4802],{},"Biometric authentication",[74,4804,4805],{},"Certificate-based authentication",[16,4807,4808,4811],{},[59,4809,4810],{},"Authorization"," — determining what authenticated users can do:",[137,4813,4814,4817,4820,4823],{},[74,4815,4816],{},"Permission assignments",[74,4818,4819],{},"Role definitions",[74,4821,4822],{},"Access control lists",[74,4824,4825],{},"Policy enforcement points",[16,4827,4828,4831],{},[59,4829,4830],{},"Access lifecycle management"," — managing access throughout the user lifecycle:",[137,4833,4834,4837,4840],{},[74,4835,4836],{},"Provisioning (granting access when hired or role changes)",[74,4838,4839],{},"Review (periodic access certification)",[74,4841,4842],{},"Deprovisioning (revoking access upon termination or role change)",[51,4844,4846],{"id":4845},"how-do-compliance-frameworks-address-access-control","How do compliance frameworks address access control?",[16,4848,4849],{},"Every major framework requires access control:",[137,4851,4852,4859,4873,4883,4892],{},[74,4853,4854,4858],{},[59,4855,4856],{},[23,4857,4536],{"href":4535}," — CC6.1 through CC6.8 cover logical and physical access controls",[74,4860,4861,4867,4868,4872],{},[59,4862,4863],{},[23,4864,4866],{"href":4865},"\u002Fframeworks\u002Fiso27001","ISO 27001"," — 
",[23,4869,4871],{"href":4870},"\u002Fglossary\u002Fannex-a","Annex A"," controls A.5.15 through A.5.18 and A.8.2 through A.8.5 address access management",[74,4874,4875,4879,4880,4882],{},[59,4876,4877],{},[23,4878,4510],{"href":35}," — the ",[23,4881,228],{"href":25}," requires access controls for ePHI (45 CFR 164.312(a))",[74,4884,4885,4891],{},[59,4886,4887],{},[23,4888,4890],{"href":4889},"\u002Fframeworks\u002Fpci","PCI DSS"," — Requirements 7 and 8 address access restriction and user identification",[74,4893,4894,4900],{},[59,4895,4896],{},[23,4897,4899],{"href":4898},"\u002Fframeworks\u002Fnistcsf","NIST CSF"," — PR.AC covers identity management, authentication, and access control",[51,4902,4904],{"id":4903},"what-are-access-reviews","What are access reviews?",[16,4906,4907],{},"Regular access reviews (also called access certifications) are a critical control:",[137,4909,4910,4913,4916,4919],{},[74,4911,4912],{},"Review user access rights periodically (quarterly is common for sensitive systems)",[74,4914,4915],{},"Verify that access aligns with current job responsibilities",[74,4917,4918],{},"Identify and remove excessive or unnecessary access",[74,4920,4921],{},"Document review results and remediation actions",[51,4923,4925],{"id":4924},"what-are-common-access-control-weaknesses","What are common access control weaknesses?",[16,4927,4928],{},"Even well-designed access control programs can degrade over time without ongoing attention. 
Watch for these common issues:",[137,4930,4931,4934,4937,4940,4943,4946,4949],{},[74,4932,4933],{},"Excessive permissions that accumulate over time (privilege creep)",[74,4935,4936],{},"Shared or generic accounts that prevent individual accountability",[74,4938,4939],{},"Delayed deprovisioning when employees leave or change roles",[74,4941,4942],{},"Lack of MFA on critical systems and remote access paths",[74,4944,4945],{},"Inconsistent access review processes with no documented remediation",[74,4947,4948],{},"Service accounts with standing privileged access and no rotation schedule",[74,4950,4951],{},"Lack of visibility into SaaS application access outside the corporate IdP",[51,4953,4955],{"id":4954},"how-do-you-implement-access-control-in-practice","How do you implement access control in practice?",[16,4957,4958],{},"Effective access control programs start with planning and build toward automation. The following steps provide a practical roadmap for organizations at any maturity level:",[71,4960,4961,4967,4973,4979,4985,4991,5002],{},[74,4962,4963,4966],{},[59,4964,4965],{},"Map your environment"," — inventory all systems, applications, and data repositories that require access controls. You cannot protect what you have not identified. Include SaaS applications, cloud infrastructure, on-premises servers, databases, file shares, and third-party integrations.",[74,4968,4969,4972],{},[59,4970,4971],{},"Define roles based on job functions"," — create roles that reflect organizational responsibilities, not individual users. Align roles to the principle of least privilege so each role includes only the permissions required for that function. Review role definitions annually and whenever organizational structure changes.",[74,4974,4975,4978],{},[59,4976,4977],{},"Centralize authentication with SSO"," — implement single sign-on using SAML 2.0 or OpenID Connect (OIDC) to unify identity across cloud and on-premises systems. 
Centralized authentication reduces password sprawl and gives security teams a single point of enforcement. Ensure all business-critical applications are integrated with your SSO provider before considering the rollout complete.",[74,4980,4981,4984],{},[59,4982,4983],{},"Layer MFA on all critical systems"," — require multi-factor authentication for remote access, privileged accounts, email, cloud consoles, and any system that touches sensitive data. Phishing-resistant methods such as FIDO2 hardware keys are preferred over SMS-based codes. At a minimum, enforce MFA on identity providers, admin consoles, and VPN access.",[74,4986,4987,4990],{},[59,4988,4989],{},"Automate provisioning and deprovisioning"," — connect your HR system to your identity provider (IdP) and use SCIM or directory sync to automate account creation, role assignment, and account removal. When an employee is terminated in the HR system, access should be revoked within minutes, not days. Automation eliminates the human error that leads to orphaned accounts and privilege creep.",[74,4992,4993,4996,4997,5001],{},[59,4994,4995],{},"Build an access request and approval workflow"," — establish a formal process where users request access with documented business justification, managers approve, and the request is logged for audit. This creates an ",[23,4998,5000],{"href":4999},"\u002Fglossary\u002Faudit-trail","audit trail"," that satisfies compliance requirements.",[74,5003,5004,5007],{},[59,5005,5006],{},"Monitor and log access events"," — collect authentication and authorization logs centrally. Monitor for anomalies such as failed login attempts, access from unusual locations, and privilege escalation. Logs are essential for incident response and audit evidence.",[51,5009,5011],{"id":5010},"what-are-the-access-control-requirements","What are the access control requirements?",[16,5013,5014],{},"Different frameworks address the same access control concepts with different control references. 
The table below maps common requirements to their framework-specific identifiers:",[1893,5016,5017,5034],{},[1896,5018,5019],{},[1899,5020,5021,5024,5026,5028,5030,5032],{},[1902,5022,5023],{},"Requirement",[1902,5025,4536],{},[1902,5027,4866],{},[1902,5029,4510],{},[1902,5031,4890],{},[1902,5033,4899],{},[1912,5035,5036,5056,5075,5095,5112],{},[1899,5037,5038,5041,5044,5047,5050,5053],{},[1917,5039,5040],{},"Unique user IDs",[1917,5042,5043],{},"CC6.1",[1917,5045,5046],{},"A.5.16",[1917,5048,5049],{},"§164.312(a)(2)(i)",[1917,5051,5052],{},"Req 8.2.1",[1917,5054,5055],{},"PR.AC-1",[1899,5057,5058,5061,5063,5066,5069,5072],{},[1917,5059,5060],{},"MFA",[1917,5062,5043],{},[1917,5064,5065],{},"A.8.5",[1917,5067,5068],{},"§164.312(d)",[1917,5070,5071],{},"Req 8.4",[1917,5073,5074],{},"PR.AC-7",[1899,5076,5077,5080,5083,5086,5089,5092],{},[1917,5078,5079],{},"Access reviews",[1917,5081,5082],{},"CC6.2",[1917,5084,5085],{},"A.5.18",[1917,5087,5088],{},"§164.312(a)(1)",[1917,5090,5091],{},"Req 7.2",[1917,5093,5094],{},"PR.AC-4",[1899,5096,5097,5099,5102,5105,5107,5110],{},[1917,5098,4728],{},[1917,5100,5101],{},"CC6.3",[1917,5103,5104],{},"A.5.15",[1917,5106,5088],{},[1917,5108,5109],{},"Req 7.1",[1917,5111,5094],{},[1899,5113,5114,5117,5119,5121,5124,5127],{},[1917,5115,5116],{},"Deprovisioning",[1917,5118,5082],{},[1917,5120,5085],{},[1917,5122,5123],{},"§164.308(a)(3)(ii)(C)",[1917,5125,5126],{},"Req 8.2.5",[1917,5128,5055],{},[16,5130,5131],{},"Organizations subject to multiple frameworks can use this mapping to build a unified access control program that satisfies overlapping requirements without duplicating effort.",[16,5133,5134],{},"A few notes on framework-specific nuances:",[137,5136,5137,5142,5150,5157],{},[74,5138,5139,5141],{},[59,5140,4510],{}," does not name MFA in the current Security Rule text. Person or entity authentication (§164.312(d)) is a required standard with no addressable implementation specification, so the authentication method is chosen through the risk analysis, and HHS's 2025 proposed Security Rule update would make MFA an explicit requirement. 
In practice, most organizations implement MFA because the risk of not doing so is difficult to justify.",[74,5143,5144,5149],{},[59,5145,5146,5148],{},[23,5147,4890],{"href":4889}," v4.0"," expanded MFA requirements (Req 8.4) to include all access into the cardholder data environment, not just remote access. Organizations processing card data should verify their MFA coverage meets the updated scope.",[74,5151,5152,5156],{},[59,5153,5154],{},[23,5155,4536],{"href":4535}," does not prescribe specific technologies but evaluates whether the controls in place are suitably designed and operating effectively. Auditors will look for evidence that access control policies are enforced consistently.",[74,5158,5159,5163],{},[59,5160,5161],{},[23,5162,4899],{"href":4898}," provides a flexible, risk-based approach. The PR.AC subcategory identifiers come from CSF 1.1; CSF 2.0 regroups them under the PR.AA category (Identity Management, Authentication, and Access Control). Either set maps to more detailed controls in NIST SP 800-53, which organizations can reference for implementation guidance.",[51,5165,5167],{"id":5166},"how-does-zero-trust-relate-to-access-control","How does zero trust relate to access control?",[16,5169,5170,5171,42],{},"Traditional access control models assume that users inside the network perimeter can be trusted. Zero trust architecture rejects that assumption entirely: ",[59,5172,5173],{},"never trust, always verify",[16,5175,5176],{},"In a zero trust model, every access request is authenticated, authorized, and encrypted regardless of where it originates. Key principles include:",[137,5178,5179,5185,5191,5202,5208],{},[74,5180,5181,5184],{},[59,5182,5183],{},"Continuous verification"," — access decisions are re-evaluated throughout a session, not just at login. 
Changes in user behavior, location, or risk score can trigger step-up authentication or session termination.",[74,5186,5187,5190],{},[59,5188,5189],{},"Micro-segmentation"," — network resources are divided into small, isolated zones so that compromising one segment does not grant lateral access to others.",[74,5192,5193,5196,5197,5201],{},[59,5194,5195],{},"Device posture checks"," — the security state of the connecting device (patch level, endpoint protection status, disk ",[23,5198,5200],{"href":5199},"\u002Fglossary\u002Fencryption","encryption",") is evaluated before access is granted.",[74,5203,5204,5207],{},[59,5205,5206],{},"Identity-centric perimeter"," — the network perimeter is replaced by identity as the primary security boundary. Every user, device, and workload must prove its identity before accessing any resource.",[74,5209,5210,5213],{},[59,5211,5212],{},"Least privilege enforcement at the session level"," — access grants are scoped to the specific resource and action needed, and they expire when the session ends or conditions change.",[16,5215,5216],{},"NIST SP 800-207 defines the zero trust architecture and provides guidance on implementation. Many compliance frameworks are increasingly aligning their access control requirements with zero trust principles, making it a forward-looking strategy for organizations building or modernizing their access control programs.",[16,5218,5219],{},"Zero trust is not a single product but an architectural approach that spans identity, network, endpoints, and data.",[16,5221,5222],{},"Adopting zero trust does not require replacing your existing access control infrastructure overnight. Most organizations begin by enforcing MFA universally, segmenting their most sensitive assets, and adding device posture checks to their conditional access policies. 
Over time, these incremental improvements compound into a mature zero trust posture.",[51,5224,5226],{"id":5225},"how-does-episki-help-with-access-control","How does episki help with access control?",[16,5228,5229,5230,42],{},"episki tracks access control policies, monitors review schedules, and documents access provisioning and deprovisioning activities. The platform sends reminders for periodic access reviews and maintains evidence for auditors. Learn more on our ",[23,5231,5233],{"href":5232},"\u002Fframeworks","compliance platform",{"title":257,"searchDepth":258,"depth":258,"links":5235},[5236],{"id":4710,"depth":258,"text":4711,"children":5237},[5238,5239,5240,5241,5242,5243,5244,5245,5246,5247],{"id":4717,"depth":264,"text":4718},{"id":4750,"depth":264,"text":4751},{"id":4778,"depth":264,"text":4779},{"id":4845,"depth":264,"text":4846},{"id":4903,"depth":264,"text":4904},{"id":4924,"depth":264,"text":4925},{"id":4954,"depth":264,"text":4955},{"id":5010,"depth":264,"text":5011},{"id":5166,"depth":264,"text":5167},{"id":5225,"depth":264,"text":5226},{},"\u002Fglossary\u002Faccess-control",[5251,5252,5253,293,5254,5255],"cmmc","soc2","iso27001","pci","nistcsf",[5257,5258,5200,5259],"minimum-necessary-rule","audit-trail","user-entity-controls",{"title":5261,"description":5262},"Access Control in Compliance: RBAC, MFA & Least Privilege","Access control restricts system and data access to authorized users. 
Learn RBAC, MFA, least privilege, and requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","access-control","8.glossary\u002Faccess-control","06FHtOe5hEs65vhNnMjZcNgPP9NXCQTnLD9llz_jEjM",{"id":5267,"title":5268,"body":5269,"description":257,"extension":278,"lastUpdated":294,"meta":5487,"navigation":296,"path":4999,"relatedFrameworks":5488,"relatedTerms":5489,"seo":5493,"slug":5258,"stem":5496,"term":5274,"__hash__":5497},"glossary\u002F8.glossary\u002Faudit-trail.md","Audit Trail",{"type":8,"value":5270,"toc":5477},[5271,5275,5278,5282,5285,5323,5326,5346,5350,5353,5375,5379,5382,5426,5430,5433,5447,5451,5468,5472],[11,5272,5274],{"id":5273},"what-is-an-audit-trail","What is an Audit Trail?",[16,5276,5277],{},"An audit trail is a chronological record of activities, events, and changes within a system or process that provides documentary evidence of the sequence of actions performed. Audit trails answer the fundamental questions: who did what, when did they do it, where did it happen, and what was the result. 
They are essential for security monitoring, incident investigation, compliance demonstration, and accountability.",[51,5279,5281],{"id":5280},"what-do-audit-trails-capture","What do audit trails capture?",[16,5283,5284],{},"Effective audit trails typically record:",[137,5286,5287,5293,5299,5305,5311,5317],{},[74,5288,5289,5292],{},[59,5290,5291],{},"User actions"," — logins, logouts, data access, data modifications, privilege changes",[74,5294,5295,5298],{},[59,5296,5297],{},"System events"," — configuration changes, service starts and stops, errors, failures",[74,5300,5301,5304],{},[59,5302,5303],{},"Administrative actions"," — user account creation and deletion, permission changes, policy updates",[74,5306,5307,5310],{},[59,5308,5309],{},"Data changes"," — creation, modification, and deletion of records, including before and after values where applicable",[74,5312,5313,5316],{},[59,5314,5315],{},"Access attempts"," — both successful and failed authentication and authorization attempts",[74,5318,5319,5322],{},[59,5320,5321],{},"Security events"," — firewall rule changes, intrusion detection alerts, malware detections",[16,5324,5325],{},"Each audit trail entry should include:",[137,5327,5328,5331,5334,5337,5340,5343],{},[74,5329,5330],{},"Timestamp (synchronized across systems)",[74,5332,5333],{},"User or system identity",[74,5335,5336],{},"Action performed",[74,5338,5339],{},"Target resource or data",[74,5341,5342],{},"Outcome (success or failure)",[74,5344,5345],{},"Source (IP address, device, or location)",[51,5347,5349],{"id":5348},"what-are-the-audit-trail-requirements","What are the audit trail requirements?",[16,5351,5352],{},"Multiple compliance frameworks require audit trails:",[137,5354,5355,5360,5365,5370],{},[74,5356,5357,5359],{},[59,5358,4536],{}," — CC7.2 requires monitoring of system components for anomalies, and CC6.1 requires logical access controls with logging",[74,5361,5362,5364],{},[59,5363,4866],{}," — control A.8.15 addresses logging, and 
A.8.17 addresses clock synchronization for accurate audit trails",[74,5366,5367,5369],{},[59,5368,4510],{}," — the Security Rule requires audit controls that record and examine activity in systems containing ePHI (45 CFR 164.312(b))",[74,5371,5372,5374],{},[59,5373,4890],{}," — Requirement 10 mandates logging and monitoring all access to network resources and cardholder data",[51,5376,5378],{"id":5377},"how-do-you-implement-audit-trails","How do you implement audit trails?",[16,5380,5381],{},"To implement effective audit trails:",[71,5383,5384,5390,5396,5402,5408,5414,5420],{},[74,5385,5386,5389],{},[59,5387,5388],{},"Enable logging"," — activate audit logging on all in-scope systems including applications, databases, operating systems, and network devices",[74,5391,5392,5395],{},[59,5393,5394],{},"Centralize logs"," — aggregate logs into a central platform (SIEM) for correlation and analysis",[74,5397,5398,5401],{},[59,5399,5400],{},"Protect integrity"," — ensure logs cannot be modified or deleted by users, including administrators",[74,5403,5404,5407],{},[59,5405,5406],{},"Synchronize time"," — use NTP to ensure timestamps are consistent across all systems",[74,5409,5410,5413],{},[59,5411,5412],{},"Define retention"," — establish retention periods aligned with compliance and business requirements",[74,5415,5416,5419],{},[59,5417,5418],{},"Monitor actively"," — review audit trails for suspicious activity, not just for compliance evidence",[74,5421,5422,5425],{},[59,5423,5424],{},"Automate alerts"," — configure alerts for critical events such as failed login attempts, privilege escalation, and unauthorized access",[51,5427,5429],{"id":5428},"how-long-should-audit-trails-be-retained","How long should audit trails be retained?",[16,5431,5432],{},"Retention requirements vary by framework and jurisdiction:",[137,5434,5435,5438,5441,5444],{},[74,5436,5437],{},"PCI DSS requires at least 12 months of audit trail history, with the most recent 3 months immediately 
available",[74,5439,5440],{},"HIPAA requires documentation retention for 6 years",[74,5442,5443],{},"ISO 27001 does not specify a fixed period but requires organizations to define and follow their own retention policy",[74,5445,5446],{},"SOC 2 audit periods typically require evidence covering the observation period",[51,5448,5450],{"id":5449},"what-are-common-pitfalls-with-audit-trails","What are common pitfalls with audit trails?",[137,5452,5453,5456,5459,5462,5465],{},[74,5454,5455],{},"Insufficient logging — missing critical events or systems",[74,5457,5458],{},"Log overload — logging too much without meaningful analysis",[74,5460,5461],{},"No log protection — allowing administrators to modify or delete logs",[74,5463,5464],{},"Inconsistent timestamps — making it impossible to correlate events across systems",[74,5466,5467],{},"No review process — collecting logs but never analyzing them",[51,5469,5471],{"id":5470},"how-does-episki-help-with-audit-trails","How does episki help with audit trails?",[16,5473,5474,5475,42],{},"episki integrates with your logging infrastructure to track compliance-relevant events, maintain audit trail records, and demonstrate continuous monitoring to auditors. The platform maps audit trail capabilities to framework requirements and flags gaps in coverage. Learn more on our ",[23,5476,5233],{"href":5232},{"title":257,"searchDepth":258,"depth":258,"links":5478},[5479],{"id":5273,"depth":258,"text":5274,"children":5480},[5481,5482,5483,5484,5485,5486],{"id":5280,"depth":264,"text":5281},{"id":5348,"depth":264,"text":5349},{"id":5377,"depth":264,"text":5378},{"id":5428,"depth":264,"text":5429},{"id":5449,"depth":264,"text":5450},{"id":5470,"depth":264,"text":5471},{},[5252,5253,293,5254],[5490,5263,5491,5492],"evidence-collection","continuous-monitoring","incident-response",{"title":5494,"description":5495},"What is an Audit Trail? 
Definition & Compliance Guide","An audit trail is a chronological record of system activities that provides evidence of who did what, when, and where for security and compliance purposes.","8.glossary\u002Faudit-trail","wGJCFb9Xcb1bQvrLNHVniHH6roxZCmzstztRki0-h68",[5499,5668],{"id":5,"title":6,"body":5500,"description":277,"extension":278,"faq":5658,"frameworkSlug":293,"lastUpdated":294,"meta":5664,"navigation":296,"path":297,"relatedTerms":5665,"relatedTopics":5666,"seo":5667,"stem":307,"__hash__":308},{"type":8,"value":5501,"toc":5640},[5502,5504,5506,5516,5518,5520,5522,5526,5528,5530,5548,5550,5552,5554,5556,5558,5560,5564,5566,5568,5570,5580,5582,5584,5588,5590,5596,5598,5600,5604,5606,5610,5612,5622,5626,5628,5632,5636,5638],[11,5503,14],{"id":13},[16,5505,18],{},[16,5507,21,5508,27,5510,32,5512,37,5514,42],{},[23,5509,26],{"href":25},[23,5511,31],{"href":30},[23,5513,36],{"href":35},[23,5515,41],{"href":40},[11,5517,46],{"id":45},[16,5519,49],{},[51,5521,54],{"id":53},[16,5523,57,5524,62],{},[59,5525,61],{},[51,5527,66],{"id":65},[16,5529,69],{},[71,5531,5532,5536,5540,5544],{},[74,5533,5534,79],{},[59,5535,78],{},[74,5537,5538,85],{},[59,5539,84],{},[74,5541,5542,91],{},[59,5543,90],{},[74,5545,5546,97],{},[59,5547,96],{},[16,5549,100],{},[51,5551,104],{"id":103},[16,5553,107],{},[11,5555,111],{"id":110},[16,5557,114],{},[51,5559,118],{"id":117},[16,5561,121,5562,125],{},[59,5563,124],{},[16,5565,128],{},[51,5567,132],{"id":131},[16,5569,135],{},[137,5571,5572,5576],{},[74,5573,5574,144],{},[59,5575,143],{},[74,5577,5578,150],{},[59,5579,149],{},[16,5581,153],{},[51,5583,157],{"id":156},[16,5585,160,5586,164],{},[59,5587,163],{},[51,5589,168],{"id":167},[16,5591,171,5592,175,5594,180],{},[59,5593,174],{},[23,5595,179],{"href":178},[16,5597,183],{},[11,5599,187],{"id":186},[16,5601,190,5602,194],{},[59,5603,193],{},[11,5605,198],{"id":197},[16,5607,201,5608,205],{},[59,5609,204],{},[16,5611,208],{},[137,5613,5614,5618],{},[74,5615,5616,216],{},[59,5617,215],{
},[74,5619,5620,222],{},[59,5621,221],{},[16,5623,225,5624,229],{},[23,5625,228],{"href":25},[11,5627,233],{"id":232},[16,5629,5630,240],{},[23,5631,239],{"href":238},[16,5633,243,5634,248],{},[23,5635,247],{"href":246},[11,5637,252],{"id":251},[16,5639,255],{},{"title":257,"searchDepth":258,"depth":258,"links":5641},[5642,5643,5648,5654,5655,5656,5657],{"id":13,"depth":258,"text":14},{"id":45,"depth":258,"text":46,"children":5644},[5645,5646,5647],{"id":53,"depth":264,"text":54},{"id":65,"depth":264,"text":66},{"id":103,"depth":264,"text":104},{"id":110,"depth":258,"text":111,"children":5649},[5650,5651,5652,5653],{"id":117,"depth":264,"text":118},{"id":131,"depth":264,"text":132},{"id":156,"depth":264,"text":157},{"id":167,"depth":264,"text":168},{"id":186,"depth":258,"text":187},{"id":197,"depth":258,"text":198},{"id":232,"depth":258,"text":233},{"id":251,"depth":258,"text":252},{"items":5659},[5660,5661,5662,5663],{"label":282,"content":283},{"label":285,"content":286},{"label":288,"content":289},{"label":291,"content":292},{},[293],[300,301,302,303],{"title":305,"description":306},{"id":310,"title":311,"body":5669,"description":545,"extension":278,"faq":546,"frameworkSlug":293,"lastUpdated":294,"meta":5824,"navigation":296,"path":178,"relatedTerms":5825,"relatedTopics":5826,"seo":5827,"stem":554,"__hash__":555},{"type":8,"value":5670,"toc":5807},[5671,5673,5675,5677,5683,5685,5691,5693,5695,5697,5699,5703,5705,5707,5709,5711,5713,5753,5755,5759,5761,5763,5765,5767,5769,5771,5773,5777,5779,5781,5803],[11,5672,317],{"id":316},[16,5674,320],{},[16,5676,323],{},[16,5678,326,5679,329,5681,42],{},[23,5680,36],{"href":35},[23,5682,41],{"href":40},[11,5684,335],{"id":334},[16,5686,338,5687,341,5689,42],{},[23,5688,228],{"href":25},[23,5690,344],{"href":30},[16,5692,347],{},[51,5694,351],{"id":350},[16,5696,354],{},[11,5698,358],{"id":357},[16,5700,361,5701,365],{},[59,5702,364],{},[51,5704,369],{"id":368},[16,5706,372],{},[11,5708,376],{"id":375},[16,5710,379],{},[16,5
712,382],{},[137,5714,5715,5721,5727,5733,5737,5741,5745,5749],{},[74,5716,5717,390,5719,393],{},[59,5718,389],{},[23,5720,344],{"href":30},[74,5722,5723,399,5725,402],{},[59,5724,398],{},[23,5726,228],{"href":25},[74,5728,5729,408,5731,412],{},[59,5730,407],{},[23,5732,411],{"href":297},[74,5734,5735,418],{},[59,5736,417],{},[74,5738,5739,424],{},[59,5740,423],{},[74,5742,5743,430],{},[59,5744,429],{},[74,5746,5747,436],{},[59,5748,435],{},[74,5750,5751,442],{},[59,5752,441],{},[11,5754,446],{"id":445},[16,5756,449,5757,453],{},[59,5758,452],{},[51,5760,457],{"id":456},[16,5762,460],{},[51,5764,464],{"id":463},[16,5766,467],{},[51,5768,471],{"id":470},[16,5770,474],{},[11,5772,478],{"id":477},[16,5774,5775,483],{},[23,5776,239],{"href":238},[11,5778,487],{"id":486},[16,5780,490],{},[137,5782,5783,5787,5791,5795,5799],{},[74,5784,5785,498],{},[59,5786,497],{},[74,5788,5789,504],{},[59,5790,503],{},[74,5792,5793,510],{},[59,5794,509],{},[74,5796,5797,516],{},[59,5798,515],{},[74,5800,5801,522],{},[59,5802,521],{},[16,5804,243,5805,527],{},[23,5806,247],{"href":246},{"title":257,"searchDepth":258,"depth":258,"links":5808},[5809,5810,5813,5816,5817,5822,5823],{"id":316,"depth":258,"text":317},{"id":334,"depth":258,"text":335,"children":5811},[5812],{"id":350,"depth":264,"text":351},{"id":357,"depth":258,"text":358,"children":5814},[5815],{"id":368,"depth":264,"text":369},{"id":375,"depth":258,"text":376},{"id":445,"depth":258,"text":446,"children":5818},[5819,5820,5821],{"id":456,"depth":264,"text":457},{"id":463,"depth":264,"text":464},{"id":470,"depth":264,"text":471},{"id":477,"depth":258,"text":478},{"id":486,"depth":258,"text":487},{},[293],[300,301,550,303],{"title":552,"description":553},{"id":4141,"title":4142,"advantages":5829,"body":5836,"checklist":6143,"cta":6145,"description":257,"extension":278,"faq":6146,"hero":6153,"lastUpdated":4672,"meta":6157,"name":4510,"navigation":296,"path":35,"resources":6158,"seo":6163,"slug":293,"stats":6164,"stem":4700,"__has
h__":4701},[5830,5832,5834],{"title":4145,"description":4146,"bullets":5831},[4148,4149,4150],{"title":4152,"description":4153,"bullets":5833},[4155,4156,4157],{"title":4159,"description":4160,"bullets":5835},[4162,4163,4164],{"type":8,"value":5837,"toc":6116},[5838,5840,5842,5848,5850,5852,5854,5882,5884,5886,5890,5892,5894,5896,5900,5914,5916,5918,5922,5926,5928,5930,5932,5934,5936,5942,5944,5946,5948,5950,5958,5960,5966,5968,5970,5974,5976,5978,5980,5984,5986,5990,5992,5994,5998,6000,6016,6018,6020,6022,6026,6028,6030,6048,6050,6052,6054,6056,6070,6072,6074,6078,6080,6082,6102,6106,6108,6110,6114],[11,5839,4170],{"id":4169},[16,5841,4173],{},[16,5843,4176,5844,4181,5846,4184],{},[23,5845,4180],{"href":4179},[23,5847,41],{"href":40},[16,5849,4187],{},[11,5851,4191],{"id":4190},[16,5853,4194],{},[137,5855,5856,5860,5864,5868,5874,5878],{},[74,5857,5858,4202],{},[59,5859,4201],{},[74,5861,5862,4208],{},[59,5863,4207],{},[74,5865,5866,4214],{},[59,5867,4213],{},[74,5869,5870,4220,5872,4224],{},[59,5871,4219],{},[23,5873,4223],{"href":2104},[74,5875,5876,4230],{},[59,5877,4229],{},[74,5879,5880,4236],{},[59,5881,4235],{},[51,5883,4240],{"id":4239},[16,5885,4243],{},[16,5887,4246,5888,42],{},[23,5889,4240],{"href":2104},[11,5891,4252],{"id":4251},[16,5893,4255],{},[51,5895,4259],{"id":4258},[16,5897,4262,5898,4267],{},[23,5899,4266],{"href":4265},[137,5901,5902,5906,5910],{},[74,5903,5904,4275],{},[59,5905,4274],{},[74,5907,5908,4281],{},[59,5909,4280],{},[74,5911,5912,4287],{},[59,5913,4286],{},[16,5915,4290],{},[51,5917,4294],{"id":4293},[16,5919,4262,5920,4301],{},[23,5921,4300],{"href":4299},[16,5923,4304,5924,4309],{},[23,5925,4308],{"href":4307},[51,5927,4313],{"id":4312},[16,5929,4316],{},[11,5931,4320],{"id":4319},[16,5933,4323],{},[16,5935,4326],{},[16,5937,4329,5938,4332,5940,4335],{},[23,5939,31],{"href":30},[23,5941,3178],{"href":2369},[11,5943,4339],{"id":4338},[16,5945,4342],{},[16,5947,4345],{},[51,5949,3305],{"id":3304},[16,5951,4350,5952,4353,5954,4356
,5956,4359],{},[23,5953,1350],{"href":1349},[23,5955,2277],{"href":2276},[23,5957,2852],{"href":1448},[51,5959,3362],{"id":3361},[16,5961,4364,5962,573,5964,4370],{},[23,5963,1345],{"href":1344},[23,5965,4369],{"href":1643},[51,5967,3398],{"id":3397},[16,5969,4375],{},[16,5971,4378,5972,4381],{},[23,5973,26],{"href":25},[11,5975,4385],{"id":4384},[16,5977,4388],{},[16,5979,4391],{},[16,5981,4394,5982,4381],{},[23,5983,6],{"href":297},[11,5985,4399],{"id":302},[16,5987,4402,5988,4405],{},[23,5989,4308],{"href":178},[16,5991,4408],{},[11,5993,247],{"id":4411},[16,5995,4414,5996,4417],{},[23,5997,247],{"href":246},[16,5999,4420],{},[137,6001,6002,6004,6006,6008,6010,6012,6014],{},[74,6003,4425],{},[74,6005,4428],{},[74,6007,4431],{},[74,6009,4434],{},[74,6011,4437],{},[74,6013,4440],{},[74,6015,4443],{},[11,6017,1187],{"id":4446},[16,6019,4449],{},[16,6021,4452],{},[16,6023,4455,6024,4381],{},[23,6025,1187],{"href":1186},[11,6027,4461],{"id":4460},[16,6029,4464],{},[137,6031,6032,6036,6040,6044],{},[74,6033,6034,4472],{},[59,6035,4471],{},[74,6037,6038,4478],{},[59,6039,4477],{},[74,6041,6042,4484],{},[59,6043,4483],{},[74,6045,6046,4490],{},[59,6047,4489],{},[16,6049,4493],{},[16,6051,4496],{},[11,6053,4500],{"id":4499},[16,6055,4503],{},[137,6057,6058,6062,6066],{},[74,6059,6060,4511],{},[59,6061,4510],{},[74,6063,6064,4516],{},[59,6065,4223],{},[74,6067,6068,4522],{},[59,6069,4521],{},[16,6071,4525],{},[51,6073,4529],{"id":4528},[16,6075,4532,6076,4537],{},[23,6077,4536],{"href":4535},[11,6079,4541],{"id":4540},[16,6081,4544],{},[71,6083,6084,6086,6088,6090,6092,6094,6096,6098,6100],{},[74,6085,4549],{},[74,6087,4552],{},[74,6089,4555],{},[74,6091,4558],{},[74,6093,4561],{},[74,6095,4564],{},[74,6097,4567],{},[74,6099,4570],{},[74,6101,4573],{},[16,6103,4576,6104,4580],{},[23,6105,4579],{"href":238},[11,6107,4584],{"id":4583},[16,6109,4587],{},[16,6111,4590,6112,4595],{},[23,6113,4594],{"href":4593},[16,6115,4598],{},{"title":257,"searchDepth":258,"depth":258,"links
":6117},[6118,6119,6122,6127,6128,6133,6134,6135,6136,6137,6138,6141,6142],{"id":4169,"depth":258,"text":4170},{"id":4190,"depth":258,"text":4191,"children":6120},[6121],{"id":4239,"depth":264,"text":4240},{"id":4251,"depth":258,"text":4252,"children":6123},[6124,6125,6126],{"id":4258,"depth":264,"text":4259},{"id":4293,"depth":264,"text":4294},{"id":4312,"depth":264,"text":4313},{"id":4319,"depth":258,"text":4320},{"id":4338,"depth":258,"text":4339,"children":6129},[6130,6131,6132],{"id":3304,"depth":264,"text":3305},{"id":3361,"depth":264,"text":3362},{"id":3397,"depth":264,"text":3398},{"id":4384,"depth":258,"text":4385},{"id":302,"depth":258,"text":4399},{"id":4411,"depth":258,"text":247},{"id":4446,"depth":258,"text":1187},{"id":4460,"depth":258,"text":4461},{"id":4499,"depth":258,"text":4500,"children":6139},[6140],{"id":4528,"depth":264,"text":4529},{"id":4540,"depth":258,"text":4541},{"id":4583,"depth":258,"text":4584},{"title":4627,"description":4628,"items":6144},[4630,4631,4632,4633,4634],{"title":4636,"description":4637},{"title":4639,"items":6147},[6148,6149,6150,6151,6152],{"label":4642,"content":4643},{"label":4645,"content":4646},{"label":4648,"content":4649},{"label":4651,"content":4652},{"label":4654,"content":4655},{"headline":4657,"title":4658,"description":4659,"links":6154},[6155,6156],{"label":4662,"icon":4663,"to":4664},{"label":4666,"icon":4667,"color":4668,"variant":4669,"to":4670,"target":4671},{},{"headline":4675,"title":4675,"description":4676,"items":6159},[6160,6161,6162],{"title":4679,"description":4680},{"title":4682,"description":4683},{"title":4685,"description":4686},{"title":4688,"description":4689},[6165,6166,6167],{"value":4692,"description":4693},{"value":4695,"description":4696},{"value":4698,"description":4699},{"id":6169,"title":6170,"body":6171,"comparison":6262,"competitorA":6307,"competitorB":6308,"cta":6309,"description":257,"extension":278,"faq":546,"hero":6312,"lastUpdated":4672,"meta":6320,"navigation":296,"path":632
1,"seo":6322,"slug":6325,"slugA":6326,"slugB":6327,"stem":6328,"verdict":6329,"__hash__":6333},"compareVs\u002F7.compare\u002Fvs\u002Fdrata-vs-secureframe.md","Drata Vs Secureframe",{"type":8,"value":6172,"toc":6252},[6173,6177,6180,6184,6187,6193,6196,6200,6203,6206,6209,6213,6216,6219,6223,6226,6229,6233,6236,6239,6243,6246,6249],[11,6174,6176],{"id":6175},"drata-vs-secureframe-the-closest-comparison-in-compliance","Drata vs Secureframe: the closest comparison in compliance",[16,6178,6179],{},"If Vanta is the 800-pound gorilla, Drata and Secureframe are the two challengers most often compared against each other. They target similar buyers, cover similar frameworks, and offer similar automation. The differences are real but subtle — and they matter most in how your team experiences the platform day to day.",[51,6181,6183],{"id":6182},"feature-parity-with-different-emphasis","Feature parity with different emphasis",[16,6185,6186],{},"On paper, Drata and Secureframe look nearly identical. Both automate evidence collection, monitor your compliance posture continuously, support 15+ frameworks, and provide auditor-facing portals. The overlap is so significant that choosing between them often comes down to three factors: onboarding style, dashboard experience, and pricing.",[16,6188,6189,6192],{},[59,6190,6191],{},"Onboarding style"," is the clearest differentiator. Drata leans toward self-serve. The platform guides you through integration setup, control mapping, and evidence configuration with in-app workflows. For teams with compliance experience, this speed is an advantage — you can be operational in 1–2 weeks without waiting for a human to walk you through every step.",[16,6194,6195],{},"Secureframe takes the opposite approach. Every customer gets access to dedicated compliance managers who help interpret requirements, map controls to your environment, and prepare for audit. 
This white-glove model adds a week or two to implementation but dramatically reduces the learning curve for first-time audit teams.",[51,6197,6199],{"id":6198},"the-dashboard-question","The dashboard question",[16,6201,6202],{},"Drata's compliance dashboard is one of its signature features. The real-time posture view shows passing and failing controls across every framework, with compliance percentages and trend data. For compliance leads who report to a CISO or board, this visual layer simplifies status updates and makes it easy to demonstrate progress.",[16,6204,6205],{},"Secureframe also provides dashboards, but they feel more functional than visual. The platform surfaces actionable items — controls that need attention, evidence that's expiring, gaps to remediate — in a task-oriented format. It's effective, but it doesn't deliver the same at-a-glance executive view that Drata provides.",[16,6207,6208],{},"For teams that need board-ready compliance reporting, Drata has the edge. For teams that care more about daily workflow and task management, Secureframe's approach may feel more productive.",[51,6210,6212],{"id":6211},"integration-depth","Integration depth",[16,6214,6215],{},"Secureframe holds a slight advantage in integration count, with 150+ connections compared to Drata's 100+. The extra integrations primarily cover developer tools, identity providers, and security platforms. For teams running complex stacks with multiple CI\u002FCD pipelines, vulnerability scanners, and endpoint management tools, Secureframe's broader integration library means less manual evidence collection.",[16,6217,6218],{},"Drata's integrations, while fewer in number, tend to offer deeper configuration options for the platforms they do support. 
If your stack is standard — AWS or GCP, Okta or Google Workspace, GitHub, and a common HR tool — both platforms will serve you equally well.",[51,6220,6222],{"id":6221},"pricing-opacity","Pricing opacity",[16,6224,6225],{},"Neither Drata nor Secureframe publishes pricing. Both require a sales conversation to get a quote, and both scale based on team size, framework count, and contract terms. Based on market data, Drata typically starts around $10,000–$15,000\u002Fyr while Secureframe starts slightly lower at $8,000–$12,000\u002Fyr. At scale, both reach $30,000–$50,000\u002Fyr for larger organizations.",[16,6227,6228],{},"This pricing opacity creates a frustrating buying experience. You can't model costs internally before engaging sales. You can't easily compare options. And renewal conversations often involve price increases that are hard to predict at the time of initial purchase.",[51,6230,6232],{"id":6231},"where-both-platforms-struggle","Where both platforms struggle",[16,6234,6235],{},"The irony of comparing Drata and Secureframe is that their most significant limitations are shared. Both use pricing models that punish team growth. Both rely on templated control libraries that resist customization. Both treat policy documentation as a secondary concern — something generated through forms rather than crafted through a proper writing experience.",[16,6237,6238],{},"And both lock you into their workflow assumptions. If your compliance program doesn't map cleanly to their templates — if you run hybrid frameworks, need custom controls, or want to structure programs differently than the default — you'll spend time working around the platform instead of working within it.",[51,6240,6242],{"id":6241},"the-case-for-a-different-approach","The case for a different approach",[16,6244,6245],{},"When two products are this similar, the deciding factor often isn't which one is better — it's whether either one is the right category of tool for your needs. 
If you want maximum automation and are comfortable with enterprise pricing, Drata and Secureframe both deliver.",[16,6247,6248],{},"But if you want flat pricing at $500\u002Fmo, a Notion-like editor for compliance documentation, and the freedom to build programs that reflect how your team actually operates — episki offers something neither Drata nor Secureframe provides. No per-seat scaling. No opaque quotes. No templated policies that read like every other company's.",[16,6250,6251],{},"Just a workspace your compliance team will use daily, at a price that doesn't make your CFO wince.",{"title":257,"searchDepth":258,"depth":258,"links":6253},[6254],{"id":6175,"depth":258,"text":6176,"children":6255},[6256,6257,6258,6259,6260,6261],{"id":6182,"depth":264,"text":6183},{"id":6198,"depth":264,"text":6199},{"id":6211,"depth":264,"text":6212},{"id":6221,"depth":264,"text":6222},{"id":6231,"depth":264,"text":6232},{"id":6241,"depth":264,"text":6242},[6263,6268,6272,6277,6282,6287,6292,6297,6302],{"feature":6264,"competitorA":6265,"competitorB":6266,"episki":6267},"Pricing model","Custom pricing, typically starting around $10,000–$15,000\u002Fyr","Custom pricing, typically starting around $8,000–$12,000\u002Fyr","Flat $500\u002Fmo or $5,000\u002Fyr with unlimited seats",{"feature":6269,"competitorA":6270,"competitorB":6270,"episki":6271},"Framework coverage","SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and 15+ frameworks","SOC 2, ISO 27001, HIPAA, PCI DSS, NIST CSF, and custom frameworks",{"feature":6273,"competitorA":6274,"competitorB":6275,"episki":6276},"Automation depth","Automated evidence collection with real-time compliance dashboards","Automated monitoring with continuous evidence collection and alerts","AI-assisted drafting and structured workflows with manual evidence uploads",{"feature":6278,"competitorA":6279,"competitorB":6280,"episki":6281},"Integration count","100+ integrations covering major cloud and SaaS platforms","150+ integrations covering cloud, identity, 
HR, and developer tools","Growing integration library with focus on structured evidence reuse",{"feature":6283,"competitorA":6284,"competitorB":6285,"episki":6286},"Auditor collaboration","Auditor-facing portal with read-only access and evidence downloads","Auditor-ready evidence rooms with structured access controls","Built-in auditor portal with scoped access and Q&A threads",{"feature":6288,"competitorA":6289,"competitorB":6290,"episki":6291},"AI features","AI-assisted control mapping and compliance recommendations","AI-driven compliance recommendations and automated risk scoring","AI drafts policies, narratives, remediation steps, and questionnaire answers",{"feature":6293,"competitorA":6294,"competitorB":6295,"episki":6296},"Implementation time","1–3 weeks with self-serve setup and optional guided onboarding","2–3 weeks with guided onboarding and compliance expertise","Same-day setup with self-serve onboarding and optional demo",{"feature":6298,"competitorA":6299,"competitorB":6300,"episki":6301},"Support model","In-app chat, email support, and dedicated CSM for larger accounts","Dedicated compliance managers, email, and in-app support","Direct founder access, in-app chat, and shared Slack channels",{"feature":6303,"competitorA":6304,"competitorB":6305,"episki":6306},"Free trial","Demo-based sales process, limited free trial availability","Demo-based sales process, no public free trial","14-day free trial with full access, no credit card required","Drata","Secureframe",{"title":6310,"description":6311},"Skip the comparison. Try episki free.","14-day trial with full access. No credit card required.",{"headline":6313,"title":6314,"description":6315,"links":6316},"Drata vs Secureframe","Similar features, different approaches to compliance automation","Compare Drata and Secureframe across pricing, onboarding, and compliance workflows. 
Two closely matched platforms with subtle but important differences for your team.",[6317,6319],{"label":6318,"icon":4663,"to":4664},"Try episki free",{"label":4666,"icon":4667,"color":4668,"variant":4669,"to":4670,"target":4671},{},"\u002Fcompare\u002Fvs\u002Fdrata-vs-secureframe",{"title":6323,"description":6324},"Drata vs Secureframe (2026): Pricing, Features & Honest Comparison","Drata vs Secureframe compared on pricing, onboarding, framework coverage, and compliance automation. See which platform fits your team — or why neither might be the best choice.","drata-vs-secureframe","drata","secureframe","7.compare\u002Fvs\u002Fdrata-vs-secureframe",{"chooseA":6330,"chooseB":6331,"chooseEpiski":6332},"Choose Drata if you value self-serve speed and visual compliance dashboards. Drata gets you operational faster and provides the clearest real-time view of your compliance posture — ideal for teams with in-house compliance knowledge.","Choose Secureframe if you want more hands-on guidance from dedicated compliance managers. Secureframe's human-led onboarding is better for teams running their first audit without experienced GRC staff.","Choose episki if you want transparent pricing, a writing-first editor, and the flexibility to structure programs your way. episki is for teams that want to own their compliance narrative without paying enterprise prices.","-9bT-xU4uDSMSn9zCOtrDaYtPz87mkvNHS5pQ2bXDTw",{"id":6335,"title":6307,"advantages":6336,"body":6358,"comparison":6409,"competitor":6307,"cta":6436,"description":257,"extension":278,"hero":6439,"lastUpdated":4672,"meta":6448,"navigation":296,"path":6449,"seo":6450,"slug":6326,"stem":6453,"__hash__":6454},"compare\u002F7.compare\u002Fdrata.md",[6337,6344,6351],{"title":6338,"description":6339,"bullets":6340},"One flat price for everything","episki includes unlimited frameworks, teammates, and portals for a single monthly or annual fee. 
No tiers, no negotiations.",[6341,6342,6343],"Add frameworks without upgrading to a higher tier","Invite auditors, customers, and stakeholders at no extra cost","Predictable billing that does not scale with headcount",{"title":6345,"description":6346,"bullets":6347},"Connected programs and assessments","episki treats compliance as connected work. Programs, assessments, controls, tasks, and issues link together so nothing falls through the cracks.",[6348,6349,6350],"Run recurring programs and one-time assessments side by side","Tasks inherit context from parent controls and programs","Evidence attaches once and stays available across every framework",{"title":6352,"description":6353,"bullets":6354},"Fast, keyboard-driven workspace","episki is built for people who spend hours in the tool. Keyboard shortcuts, global search, and a rich editor make daily compliance work feel fast.",[6355,6356,6357],"Navigate between programs, controls, and evidence without lifting your hands","Inline editing for policies, narratives, and response drafts","Dark mode and responsive layout for any screen",{"type":8,"value":6359,"toc":6404},[6360,6364,6367,6370,6390,6394,6397,6401],[11,6361,6363],{"id":6362},"why-teams-evaluate-drata-alternatives","Why teams evaluate Drata alternatives",[16,6365,6366],{},"Drata has built a comprehensive compliance automation platform with strong automated evidence collection and a wide library of supported frameworks. 
It works well for organizations that want continuous monitoring with minimal manual intervention.",[16,6368,6369],{},"Some teams look for alternatives when they need:",[137,6371,6372,6378,6384],{},[74,6373,6374,6377],{},[59,6375,6376],{},"Simpler pricing"," — Drata's tiered pricing based on framework count and company size can make budgeting unpredictable, especially for organizations running multiple frameworks or growing quickly.",[74,6379,6380,6383],{},[59,6381,6382],{},"Unified program management"," — teams managing overlapping compliance programs want controls, evidence, and tasks connected across frameworks in a single workspace rather than managed as separate compliance tracks.",[74,6385,6386,6389],{},[59,6387,6388],{},"A daily-use workspace"," — compliance teams that spend significant time writing, reviewing, and collaborating want an editor and navigation experience that feels productive rather than transactional.",[11,6391,6393],{"id":6392},"when-drata-might-be-the-better-fit","When Drata might be the better fit",[16,6395,6396],{},"Drata is a strong choice for teams that prioritize automated continuous monitoring and need a platform with deep integration coverage across cloud, identity, HR, and development tools. If your primary concern is automating evidence collection and you operate in a well-defined framework like SOC 2 or ISO 27001, Drata's automation depth is compelling.",[11,6398,6400],{"id":6399},"when-episki-shines","When episki shines",[16,6402,6403],{},"episki is designed for teams that view compliance as ongoing, cross-functional work rather than a monitoring dashboard. 
If you run multiple programs, collaborate with auditors directly in the tool, and want a workspace that feels as fast as your engineering tools, episki delivers a different kind of compliance experience.",{"title":257,"searchDepth":258,"depth":258,"links":6405},[6406,6407,6408],{"id":6362,"depth":258,"text":6363},{"id":6392,"depth":258,"text":6393},{"id":6399,"depth":258,"text":6400},[6410,6412,6413,6417,6421,6424,6428,6432],{"feature":6264,"episki":6267,"competitor":6411},"Tiered pricing based on framework count and company size",{"feature":6269,"episki":6271,"competitor":6270},{"feature":6414,"episki":6415,"competitor":6416},"Control management","Linked control graph with cross-framework reuse and ownership","Control library with automated testing and monitoring",{"feature":6418,"episki":6419,"competitor":6420},"Evidence collection","Manual uploads with structured ownership and reuse across frameworks","Automated evidence collection with 100+ integrations",{"feature":6422,"episki":6291,"competitor":6423},"AI assistance","AI-powered compliance automation",{"feature":6425,"episki":6426,"competitor":6427},"Risk management","Risk registers with remediation tracking tied to controls","Built-in risk management with scoring and treatment plans",{"feature":6429,"episki":6430,"competitor":6431},"Editor experience","Notion-like rich text editor with inline editing","Structured forms and workflow-based interface",{"feature":6433,"episki":6434,"competitor":6435},"Collaboration","Built-in auditor portal, customer portals, and team workspaces","Auditor-facing dashboards and team collaboration features",{"title":6437,"description":6438},"Try episki side by side with Drata","Start a free trial with all features enabled. Import your controls and see the difference.",{"headline":6440,"title":6441,"description":6442,"links":6443},"episki vs Drata","How episki compares to Drata for compliance teams","A head-to-head on pricing, workflow design, and framework flexibility. 
See why teams that want a faster, more collaborative compliance workspace switch from Drata to episki.",[6444,6446],{"label":6445,"icon":4663,"to":4664},"Start free trial",{"label":6447,"icon":4667,"color":4668,"variant":4669,"to":4670,"target":4671},"See a live demo",{},"\u002Fcompare\u002Fdrata",{"title":6451,"description":6452},"episki vs Drata (2026): Pricing, Flexibility & Why Teams Switch","Compare episki and Drata on pricing, workflow design, and framework flexibility. See why compliance teams switch from Drata to episki.","7.compare\u002Fdrata","cEQX4ERRc-uB7nEUxB1Uik-1ODue4boobvNZiV8Xrvk",[6456,6843,7000,7188,7368,7562,7741,7941,8155,8274,8394,8507,8665,8905,9449,9577,10102,10312,10433,10580,10784,11020],{"id":4704,"title":4705,"body":6457,"description":257,"extension":278,"lastUpdated":294,"meta":6839,"navigation":296,"path":5249,"relatedFrameworks":6840,"relatedTerms":6841,"seo":6842,"slug":5263,"stem":5264,"term":4711,"__hash__":5265},{"type":8,"value":6458,"toc":6825},[6459,6461,6463,6465,6467,6485,6487,6491,6495,6499,6503,6505,6507,6511,6523,6527,6537,6541,6549,6551,6553,6589,6591,6593,6603,6605,6607,6623,6625,6627,6659,6661,6663,6753,6755,6757,6781,6783,6787,6789,6813,6815,6817,6819,6821],[11,6460,4711],{"id":4710},[16,6462,4714],{},[51,6464,4718],{"id":4717},[16,6466,4721],{},[137,6468,6469,6473,6477,6481],{},[74,6470,6471,4729],{},[59,6472,4728],{},[74,6474,6475,4735],{},[59,6476,4734],{},[74,6478,6479,4741],{},[59,6480,4740],{},[74,6482,6483,4747],{},[59,6484,4746],{},[51,6486,4751],{"id":4750},[16,6488,6489,4757],{},[59,6490,4756],{},[16,6492,6493,4763],{},[59,6494,4762],{},[16,6496,6497,4769],{},[59,6498,4768],{},[16,6500,6501,4775],{},[59,6502,4774],{},[51,6504,4779],{"id":4778},[16,6506,4782],{},[16,6508,6509,4788],{},[59,6510,4787],{},[137,6512,6513,6515,6517,6519,6521],{},[74,6514,4793],{},[74,6516,4796],{},[74,6518,4799],{},[74,6520,4802],{},[74,6522,4805],{},[16,6524,6525,4811],{},[59,6526,4810],{},[137,6528,6529,6531,6533,6535],{},[74,6530
,4816],{},[74,6532,4819],{},[74,6534,4822],{},[74,6536,4825],{},[16,6538,6539,4831],{},[59,6540,4830],{},[137,6542,6543,6545,6547],{},[74,6544,4836],{},[74,6546,4839],{},[74,6548,4842],{},[51,6550,4846],{"id":4845},[16,6552,4849],{},[137,6554,6555,6561,6569,6577,6583],{},[74,6556,6557,4858],{},[59,6558,6559],{},[23,6560,4536],{"href":4535},[74,6562,6563,4867,6567,4872],{},[59,6564,6565],{},[23,6566,4866],{"href":4865},[23,6568,4871],{"href":4870},[74,6570,6571,4879,6575,4882],{},[59,6572,6573],{},[23,6574,4510],{"href":35},[23,6576,228],{"href":25},[74,6578,6579,4891],{},[59,6580,6581],{},[23,6582,4890],{"href":4889},[74,6584,6585,4900],{},[59,6586,6587],{},[23,6588,4899],{"href":4898},[51,6590,4904],{"id":4903},[16,6592,4907],{},[137,6594,6595,6597,6599,6601],{},[74,6596,4912],{},[74,6598,4915],{},[74,6600,4918],{},[74,6602,4921],{},[51,6604,4925],{"id":4924},[16,6606,4928],{},[137,6608,6609,6611,6613,6615,6617,6619,6621],{},[74,6610,4933],{},[74,6612,4936],{},[74,6614,4939],{},[74,6616,4942],{},[74,6618,4945],{},[74,6620,4948],{},[74,6622,4951],{},[51,6624,4955],{"id":4954},[16,6626,4958],{},[71,6628,6629,6633,6637,6641,6645,6649,6655],{},[74,6630,6631,4966],{},[59,6632,4965],{},[74,6634,6635,4972],{},[59,6636,4971],{},[74,6638,6639,4978],{},[59,6640,4977],{},[74,6642,6643,4984],{},[59,6644,4983],{},[74,6646,6647,4990],{},[59,6648,4989],{},[74,6650,6651,4996,6653,5001],{},[59,6652,4995],{},[23,6654,5000],{"href":4999},[74,6656,6657,5007],{},[59,6658,5006],{},[51,6660,5011],{"id":5010},[16,6662,5014],{},[1893,6664,6665,6681],{},[1896,6666,6667],{},[1899,6668,6669,6671,6673,6675,6677,6679],{},[1902,6670,5023],{},[1902,6672,4536],{},[1902,6674,4866],{},[1902,6676,4510],{},[1902,6678,4890],{},[1902,6680,4899],{},[1912,6682,6683,6697,6711,6725,6739],{},[1899,6684,6685,6687,6689,6691,6693,6695],{},[1917,6686,5040],{},[1917,6688,5043],{},[1917,6690,5046],{},[1917,6692,5049],{},[1917,6694,5052],{},[1917,6696,5055],{},[1899,6698,6699,6701,6703,6705,6707,6709],{},[1917,6700
,5060],{},[1917,6702,5043],{},[1917,6704,5065],{},[1917,6706,5068],{},[1917,6708,5071],{},[1917,6710,5074],{},[1899,6712,6713,6715,6717,6719,6721,6723],{},[1917,6714,5079],{},[1917,6716,5082],{},[1917,6718,5085],{},[1917,6720,5088],{},[1917,6722,5091],{},[1917,6724,5094],{},[1899,6726,6727,6729,6731,6733,6735,6737],{},[1917,6728,4728],{},[1917,6730,5101],{},[1917,6732,5104],{},[1917,6734,5088],{},[1917,6736,5109],{},[1917,6738,5094],{},[1899,6740,6741,6743,6745,6747,6749,6751],{},[1917,6742,5116],{},[1917,6744,5082],{},[1917,6746,5085],{},[1917,6748,5123],{},[1917,6750,5126],{},[1917,6752,5055],{},[16,6754,5131],{},[16,6756,5134],{},[137,6758,6759,6763,6769,6775],{},[74,6760,6761,5141],{},[59,6762,4510],{},[74,6764,6765,5149],{},[59,6766,6767,5148],{},[23,6768,4890],{"href":4889},[74,6770,6771,5156],{},[59,6772,6773],{},[23,6774,4536],{"href":4535},[74,6776,6777,5163],{},[59,6778,6779],{},[23,6780,4899],{"href":4898},[51,6782,5167],{"id":5166},[16,6784,5170,6785,42],{},[59,6786,5173],{},[16,6788,5176],{},[137,6790,6791,6795,6799,6805,6809],{},[74,6792,6793,5184],{},[59,6794,5183],{},[74,6796,6797,5190],{},[59,6798,5189],{},[74,6800,6801,5196,6803,5201],{},[59,6802,5195],{},[23,6804,5200],{"href":5199},[74,6806,6807,5207],{},[59,6808,5206],{},[74,6810,6811,5213],{},[59,6812,5212],{},[16,6814,5216],{},[16,6816,5219],{},[16,6818,5222],{},[51,6820,5226],{"id":5225},[16,6822,5229,6823,42],{},[23,6824,5233],{"href":5232},{"title":257,"searchDepth":258,"depth":258,"links":6826},[6827],{"id":4710,"depth":258,"text":4711,"children":6828},[6829,6830,6831,6832,6833,6834,6835,6836,6837,6838],{"id":4717,"depth":264,"text":4718},{"id":4750,"depth":264,"text":4751},{"id":4778,"depth":264,"text":4779},{"id":4845,"depth":264,"text":4846},{"id":4903,"depth":264,"text":4904},{"id":4924,"depth":264,"text":4925},{"id":4954,"depth":264,"text":4955},{"id":5010,"depth":264,"text":5011},{"id":5166,"depth":264,"text":5167},{"id":5225,"depth":264,"text":5226},{},[5251,5252,5253,293,5254,5255]
,[5257,5258,5200,5259],{"title":5261,"description":5262},{"id":5267,"title":5268,"body":6844,"description":257,"extension":278,"lastUpdated":294,"meta":6996,"navigation":296,"path":4999,"relatedFrameworks":6997,"relatedTerms":6998,"seo":6999,"slug":5258,"stem":5496,"term":5274,"__hash__":5497},{"type":8,"value":6845,"toc":6986},[6846,6848,6850,6852,6854,6880,6882,6896,6898,6900,6918,6920,6922,6952,6954,6956,6966,6968,6980,6982],[11,6847,5274],{"id":5273},[16,6849,5277],{},[51,6851,5281],{"id":5280},[16,6853,5284],{},[137,6855,6856,6860,6864,6868,6872,6876],{},[74,6857,6858,5292],{},[59,6859,5291],{},[74,6861,6862,5298],{},[59,6863,5297],{},[74,6865,6866,5304],{},[59,6867,5303],{},[74,6869,6870,5310],{},[59,6871,5309],{},[74,6873,6874,5316],{},[59,6875,5315],{},[74,6877,6878,5322],{},[59,6879,5321],{},[16,6881,5325],{},[137,6883,6884,6886,6888,6890,6892,6894],{},[74,6885,5330],{},[74,6887,5333],{},[74,6889,5336],{},[74,6891,5339],{},[74,6893,5342],{},[74,6895,5345],{},[51,6897,5349],{"id":5348},[16,6899,5352],{},[137,6901,6902,6906,6910,6914],{},[74,6903,6904,5359],{},[59,6905,4536],{},[74,6907,6908,5364],{},[59,6909,4866],{},[74,6911,6912,5369],{},[59,6913,4510],{},[74,6915,6916,5374],{},[59,6917,4890],{},[51,6919,5378],{"id":5377},[16,6921,5381],{},[71,6923,6924,6928,6932,6936,6940,6944,6948],{},[74,6925,6926,5389],{},[59,6927,5388],{},[74,6929,6930,5395],{},[59,6931,5394],{},[74,6933,6934,5401],{},[59,6935,5400],{},[74,6937,6938,5407],{},[59,6939,5406],{},[74,6941,6942,5413],{},[59,6943,5412],{},[74,6945,6946,5419],{},[59,6947,5418],{},[74,6949,6950,5425],{},[59,6951,5424],{},[51,6953,5429],{"id":5428},[16,6955,5432],{},[137,6957,6958,6960,6962,6964],{},[74,6959,5437],{},[74,6961,5440],{},[74,6963,5443],{},[74,6965,5446],{},[51,6967,5450],{"id":5449},[137,6969,6970,6972,6974,6976,6978],{},[74,6971,5455],{},[74,6973,5458],{},[74,6975,5461],{},[74,6977,5464],{},[74,6979,5467],{},[51,6981,5471],{"id":5470},[16,6983,5474,6984,42],{},[23,6985,5233],{"href":5232},{"titl
e":257,"searchDepth":258,"depth":258,"links":6987},[6988],{"id":5273,"depth":258,"text":5274,"children":6989},[6990,6991,6992,6993,6994,6995],{"id":5280,"depth":264,"text":5281},{"id":5348,"depth":264,"text":5349},{"id":5377,"depth":264,"text":5378},{"id":5428,"depth":264,"text":5429},{"id":5449,"depth":264,"text":5450},{"id":5470,"depth":264,"text":5471},{},[5252,5253,293,5254],[5490,5263,5491,5492],{"title":5494,"description":5495},{"id":7001,"title":7002,"body":7003,"description":257,"extension":278,"lastUpdated":294,"meta":7180,"navigation":296,"path":4307,"relatedFrameworks":7181,"relatedTerms":7182,"seo":7183,"slug":2106,"stem":7186,"term":4645,"__hash__":7187},"glossary\u002F8.glossary\u002Fbaa.md","Baa",{"type":8,"value":7004,"toc":7170},[7005,7008,7011,7015,7018,7035,7038,7042,7045,7087,7091,7094,7114,7118,7121,7153,7157,7160,7164],[11,7006,4645],{"id":7007},"what-is-a-business-associate-agreement-baa",[16,7009,7010],{},"A Business Associate Agreement (BAA) is a legally binding contract required by HIPAA between a covered entity and a business associate, or between two business associates. The BAA establishes the permitted uses and disclosures of Protected Health Information (PHI) and requires the business associate to implement appropriate safeguards to protect that information.",[51,7012,7014],{"id":7013},"why-are-baas-required","Why are BAAs required?",[16,7016,7017],{},"Under HIPAA, covered entities cannot simply hand over PHI to vendors and service providers without contractual protections. 
The BAA creates a legal obligation for the business associate to:",[137,7019,7020,7023,7026,7029,7032],{},[74,7021,7022],{},"Protect PHI with appropriate administrative, physical, and technical safeguards",[74,7024,7025],{},"Report security incidents and breaches to the covered entity",[74,7027,7028],{},"Limit the use and disclosure of PHI to the purposes specified in the agreement",[74,7030,7031],{},"Return or destroy PHI when the contract ends",[74,7033,7034],{},"Make PHI available for individual access requests when required",[16,7036,7037],{},"Without a BAA in place, sharing PHI with a business associate is itself a HIPAA violation, regardless of whether a breach actually occurs.",[51,7039,7041],{"id":7040},"what-are-the-required-elements-of-a-baa","What are the required elements of a BAA?",[16,7043,7044],{},"HIPAA regulations (45 CFR 164.504(e)) specify that a BAA must include:",[137,7046,7047,7052,7058,7064,7070,7076,7081],{},[74,7048,7049,7051],{},[59,7050,389],{}," — a description of what the business associate may and may not do with PHI",[74,7053,7054,7057],{},[59,7055,7056],{},"Safeguard requirements"," — an obligation to use appropriate safeguards to prevent unauthorized use or disclosure",[74,7059,7060,7063],{},[59,7061,7062],{},"Reporting obligations"," — requirements to report breaches, security incidents, and unauthorized disclosures",[74,7065,7066,7069],{},[59,7067,7068],{},"Subcontractor obligations"," — if the business associate engages subcontractors who will access PHI, the BAA must require those subcontractors to agree to the same restrictions",[74,7071,7072,7075],{},[59,7073,7074],{},"Individual rights"," — provisions supporting the covered entity's obligations regarding individual access to PHI",[74,7077,7078,7080],{},[59,7079,429],{}," — agreement to make practices, books, and records available to HHS for compliance determination",[74,7082,7083,7086],{},[59,7084,7085],{},"Termination provisions"," — conditions under which the agreement 
terminates and obligations for return or destruction of PHI",[51,7088,7090],{"id":7089},"when-is-a-baa-needed","When is a BAA needed?",[16,7092,7093],{},"A BAA is required whenever a covered entity engages a business associate that will create, receive, maintain, or transmit PHI on its behalf. Common scenarios include:",[137,7095,7096,7099,7102,7105,7108,7111],{},[74,7097,7098],{},"Cloud hosting providers storing ePHI",[74,7100,7101],{},"IT service providers with access to systems containing PHI",[74,7103,7104],{},"Billing and claims processing companies",[74,7106,7107],{},"Legal, accounting, or consulting firms reviewing PHI",[74,7109,7110],{},"SaaS applications processing health data",[74,7112,7113],{},"Shredding and data destruction companies",[51,7115,7117],{"id":7116},"what-are-common-mistakes-with-baas","What are common mistakes with BAAs?",[16,7119,7120],{},"Organizations frequently make errors with BAAs:",[137,7122,7123,7129,7135,7141,7147],{},[74,7124,7125,7128],{},[59,7126,7127],{},"Missing BAAs"," — using vendors that handle PHI without a signed BAA in place",[74,7130,7131,7134],{},[59,7132,7133],{},"Template overreliance"," — using generic templates without tailoring to the specific vendor relationship",[74,7136,7137,7140],{},[59,7138,7139],{},"No tracking"," — failing to maintain an inventory of all BAAs and their renewal dates",[74,7142,7143,7146],{},[59,7144,7145],{},"Stale agreements"," — not updating BAAs when the scope of services or PHI usage changes",[74,7148,7149,7152],{},[59,7150,7151],{},"Ignoring subcontractors"," — not requiring downstream BAAs when business associates engage their own subcontractors",[51,7154,7156],{"id":7155},"what-is-the-difference-between-a-baa-and-an-nda","What is the difference between a BAA and an NDA?",[16,7158,7159],{},"A BAA is not the same as a non-disclosure agreement (NDA). While an NDA protects confidential business information in general, a BAA addresses the specific HIPAA requirements for handling PHI. 
An NDA alone does not satisfy the HIPAA requirement for a BAA.",[51,7161,7163],{"id":7162},"how-does-episki-help-with-baas","How does episki help with BAAs?",[16,7165,7166,7167,42],{},"episki tracks all your business associate relationships and BAA status in one place. The platform sends renewal reminders, maintains a complete inventory of agreements, and flags vendors that handle PHI but lack a signed BAA. Learn more on our ",[23,7168,7169],{"href":35},"HIPAA compliance page",{"title":257,"searchDepth":258,"depth":258,"links":7171},[7172],{"id":7007,"depth":258,"text":4645,"children":7173},[7174,7175,7176,7177,7178,7179],{"id":7013,"depth":264,"text":7014},{"id":7040,"depth":264,"text":7041},{"id":7089,"depth":264,"text":7090},{"id":7116,"depth":264,"text":7117},{"id":7155,"depth":264,"text":7156},{"id":7162,"depth":264,"text":7163},{},[293],[293,1450,1452,1451,550],{"title":7184,"description":7185},"What is a Business Associate Agreement (BAA)? Definition & Compliance Guide","A Business Associate Agreement (BAA) is a HIPAA-required contract between covered entities and vendors who handle PHI. Learn what a BAA must include.","8.glossary\u002Fbaa","ayjPGXWGSuWKW0Y9ePgMv29PgZPw9CIRBQlvd9lLBrU",{"id":7189,"title":7190,"body":7191,"description":257,"extension":278,"lastUpdated":294,"meta":7358,"navigation":296,"path":7359,"relatedFrameworks":7360,"relatedTerms":7361,"seo":7363,"slug":550,"stem":7366,"term":7196,"__hash__":7367},"glossary\u002F8.glossary\u002Fbreach-notification.md","Breach Notification",{"type":8,"value":7192,"toc":7348},[7193,7197,7200,7202,7205,7231,7235,7240,7251,7256,7264,7269,7275,7279,7282,7293,7297,7300,7332,7336,7339,7343],[11,7194,7196],{"id":7195},"what-is-breach-notification","What is Breach Notification?",[16,7198,7199],{},"Breach notification is the process of informing affected individuals, regulatory authorities, and in some cases the media when a breach of Protected Health Information (PHI) occurs. 
Under HIPAA, the Breach Notification Rule (established by the HITECH Act and finalized in the 2013 Omnibus Rule) sets specific requirements for when and how notifications must be made.",[51,7201,46],{"id":45},[16,7203,7204],{},"Under HIPAA, a breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. There is a presumption that any impermissible use or disclosure is a breach unless the organization can demonstrate a low probability that PHI was compromised based on a four-factor risk assessment:",[71,7206,7207,7213,7219,7225],{},[74,7208,7209,7212],{},[59,7210,7211],{},"Nature and extent of PHI"," — what types of identifiers and information were involved",[74,7214,7215,7218],{},[59,7216,7217],{},"Unauthorized person"," — who impermissibly used or received the PHI",[74,7220,7221,7224],{},[59,7222,7223],{},"Whether PHI was actually acquired or viewed"," — as opposed to merely being accessible",[74,7226,7227,7230],{},[59,7228,7229],{},"Extent of risk mitigation"," — what steps were taken to reduce the risk of harm",[51,7232,7234],{"id":7233},"what-are-the-notification-requirements","What are the notification requirements?",[16,7236,7237,7239],{},[59,7238,118],{}," — covered entities must notify each affected individual whose PHI was breached. 
Notification must be:",[137,7241,7242,7245,7248],{},[74,7243,7244],{},"In writing, sent by first-class mail (or email if the individual has agreed to electronic communication)",[74,7246,7247],{},"Provided without unreasonable delay and no later than 60 days after discovery of the breach",[74,7249,7250],{},"Inclusive of a description of the breach, types of information involved, steps individuals should take, what the organization is doing in response, and contact information",[16,7252,7253,7255],{},[59,7254,132],{}," — covered entities must notify the Department of Health and Human Services:",[137,7257,7258,7261],{},[74,7259,7260],{},"For breaches affecting 500 or more individuals: notification must occur within 60 days, and these breaches are posted on the HHS \"Wall of Shame\"",[74,7262,7263],{},"For breaches affecting fewer than 500 individuals: notification may be submitted annually",[16,7265,7266,7268],{},[59,7267,157],{}," — for breaches affecting 500 or more individuals in a single state or jurisdiction, the covered entity must notify prominent media outlets in that area within 60 days.",[16,7270,7271,7274],{},[59,7272,7273],{},"Business associate notification"," — business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery. 
The covered entity is then responsible for individual, HHS, and media notifications.",[51,7276,7278],{"id":7277},"what-are-the-exceptions-to-breach-notification","What are the exceptions to breach notification?",[16,7280,7281],{},"Three narrow exceptions exist where an impermissible disclosure does not require notification:",[137,7283,7284,7287,7290],{},[74,7285,7286],{},"Unintentional access by a workforce member acting in good faith within the scope of their authority",[74,7288,7289],{},"Inadvertent disclosure between authorized persons within the same organization",[74,7291,7292],{},"The recipient would not reasonably be able to retain the information",[51,7294,7296],{"id":7295},"how-do-you-prepare-for-breach-notification","How do you prepare for breach notification?",[16,7298,7299],{},"Organizations should prepare before a breach occurs by:",[137,7301,7302,7308,7314,7320,7326],{},[74,7303,7304,7307],{},[59,7305,7306],{},"Developing a breach response plan"," — defining roles, responsibilities, and procedures for breach investigation and notification",[74,7309,7310,7313],{},[59,7311,7312],{},"Establishing an incident response team"," — identifying who will lead the response, including legal counsel, communications, IT, and compliance",[74,7315,7316,7319],{},[59,7317,7318],{},"Creating notification templates"," — pre-drafting notification letters that can be customized quickly",[74,7321,7322,7325],{},[59,7323,7324],{},"Training workforce members"," — ensuring employees know how to recognize and report potential breaches",[74,7327,7328,7331],{},[59,7329,7330],{},"Maintaining contact information"," — keeping current contact information for affected individuals",[51,7333,7335],{"id":7334},"what-are-the-penalties-for-failing-to-notify","What are the penalties for failing to notify?",[16,7337,7338],{},"Failure to provide timely breach notification can result in additional HIPAA penalties on top of penalties for the underlying breach. 
The tiered penalty structure applies, with willful neglect to notify carrying the highest fines.",[51,7340,7342],{"id":7341},"how-does-episki-help-with-breach-notification","How does episki help with breach notification?",[16,7344,7345,7346,42],{},"episki provides breach notification workflows that guide your team through the investigation, risk assessment, and notification process. The platform tracks timelines to ensure notifications are made within HIPAA-required deadlines and maintains documentation of all breach-related activities. Learn more on our ",[23,7347,7169],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":7349},[7350],{"id":7195,"depth":258,"text":7196,"children":7351},[7352,7353,7354,7355,7356,7357],{"id":45,"depth":264,"text":46},{"id":7233,"depth":264,"text":7234},{"id":7277,"depth":264,"text":7278},{"id":7295,"depth":264,"text":7296},{"id":7334,"depth":264,"text":7335},{"id":7341,"depth":264,"text":7342},{},"\u002Fglossary\u002Fbreach-notification",[293],[293,1450,7362,1451,1452,5492],"hitech",{"title":7364,"description":7365},"What is Breach Notification? Definition & Compliance Guide","Breach notification under HIPAA requires organizations to notify individuals, HHS, and sometimes media when unsecured PHI is compromised. 
Learn the requirements.","8.glossary\u002Fbreach-notification","qeNCf-qPOFSLtufu4BSsGwe8IoM3trMyih-AmXa0E2k",{"id":7369,"title":7370,"body":7371,"description":257,"extension":278,"lastUpdated":294,"meta":7554,"navigation":296,"path":4299,"relatedFrameworks":7555,"relatedTerms":7556,"seo":7557,"slug":1452,"stem":7560,"term":7376,"__hash__":7561},"glossary\u002F8.glossary\u002Fbusiness-associate.md","Business Associate",{"type":8,"value":7372,"toc":7544},[7373,7377,7380,7384,7387,7431,7435,7438,7469,7473,7476,7487,7490,7494,7497,7511,7514,7518,7521,7532,7535,7539],[11,7374,7376],{"id":7375},"what-is-a-business-associate","What is a Business Associate?",[16,7378,7379],{},"A business associate (BA) under HIPAA is any person or organization that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity, or provides services to a covered entity that involve access to PHI. Business associates are directly subject to certain HIPAA requirements and must sign a Business Associate Agreement (BAA) with each covered entity they serve.",[51,7381,7383],{"id":7382},"what-are-common-examples-of-business-associates","What are common examples of business associates?",[16,7385,7386],{},"Many types of organizations qualify as business associates:",[137,7388,7389,7395,7401,7407,7413,7419,7425],{},[74,7390,7391,7394],{},[59,7392,7393],{},"Cloud service providers"," — hosting companies that store ePHI (such as AWS, Azure, or Google Cloud when used for health data)",[74,7396,7397,7400],{},[59,7398,7399],{},"IT service providers"," — managed service providers, consultants, or contractors with access to systems containing PHI",[74,7402,7403,7406],{},[59,7404,7405],{},"SaaS vendors"," — software platforms that process, store, or transmit PHI (EHR systems, telehealth platforms, billing software)",[74,7408,7409,7412],{},[59,7410,7411],{},"Billing and coding companies"," — organizations that process claims or handle billing data containing 
PHI",[74,7414,7415,7418],{},[59,7416,7417],{},"Legal and accounting firms"," — when their work involves reviewing or handling PHI",[74,7420,7421,7424],{},[59,7422,7423],{},"Data analytics firms"," — companies that analyze health data on behalf of covered entities",[74,7426,7427,7430],{},[59,7428,7429],{},"Shredding and destruction companies"," — vendors that dispose of physical or electronic media containing PHI",[51,7432,7434],{"id":7433},"what-are-business-associate-obligations","What are business associate obligations?",[16,7436,7437],{},"The HITECH Act extended direct liability to business associates for certain HIPAA requirements. Business associates must:",[137,7439,7440,7445,7451,7457,7463],{},[74,7441,7442,7444],{},[59,7443,769],{}," — maintain administrative, physical, and technical safeguards appropriate to the sensitivity of the PHI they handle",[74,7446,7447,7450],{},[59,7448,7449],{},"Report breaches"," — notify the covered entity of any breach of unsecured PHI without unreasonable delay, and no later than 60 days after discovery",[74,7452,7453,7456],{},[59,7454,7455],{},"Comply with the Security Rule"," — business associates are directly subject to HIPAA Security Rule requirements",[74,7458,7459,7462],{},[59,7460,7461],{},"Limit PHI use"," — use and disclose PHI only as permitted by the BAA or as required by law",[74,7464,7465,7468],{},[59,7466,7467],{},"Manage subcontractors"," — ensure that any subcontractors with access to PHI also sign BAAs and comply with HIPAA requirements",[51,7470,7472],{"id":7471},"what-is-a-subcontractor-business-associate","What is a subcontractor business associate?",[16,7474,7475],{},"A business associate that engages its own subcontractors who will handle PHI must enter into BAAs with those subcontractors. 
This creates a chain of accountability:",[137,7477,7478,7481,7484],{},[74,7479,7480],{},"The covered entity signs a BAA with the business associate",[74,7482,7483],{},"The business associate signs a BAA with its subcontractor",[74,7485,7486],{},"The subcontractor has the same obligations as the business associate regarding PHI protection",[16,7488,7489],{},"This chain ensures that PHI is protected at every level, regardless of how many vendors are involved.",[51,7491,7493],{"id":7492},"what-are-the-penalties-for-noncompliance","What are the penalties for noncompliance?",[16,7495,7496],{},"Business associates face the same penalties as covered entities for HIPAA violations:",[137,7498,7499,7502,7505,7508],{},[74,7500,7501],{},"Civil penalties ranging from $100 to $50,000 per violation",[74,7503,7504],{},"Annual caps of $1.5 million per violation category",[74,7506,7507],{},"Criminal penalties for knowing violations, including fines up to $250,000 and imprisonment",[74,7509,7510],{},"OCR enforcement actions, corrective action plans, and resolution agreements",[16,7512,7513],{},"Several high-profile enforcement actions have targeted business associates directly, demonstrating that HHS holds business associates accountable independent of the covered entities they serve.",[51,7515,7517],{"id":7516},"how-do-you-determine-if-you-are-a-business-associate","How do you determine if you are a business associate?",[16,7519,7520],{},"Ask these questions:",[71,7522,7523,7526,7529],{},[74,7524,7525],{},"Does your organization handle PHI on behalf of a covered entity or another business associate?",[74,7527,7528],{},"Do your services involve creating, receiving, maintaining, or transmitting PHI?",[74,7530,7531],{},"Do you have access to systems or data that contain PHI?",[16,7533,7534],{},"If any answer is yes, your organization is likely a business associate and must comply with HIPAA requirements and maintain appropriate 
BAAs.",[51,7536,7538],{"id":7537},"how-does-episki-help-with-business-associates","How does episki help with business associates?",[16,7540,7541,7542,42],{},"episki helps business associates build and maintain their HIPAA compliance programs by providing pre-built control frameworks, evidence collection workflows, and BAA management. The platform demonstrates compliance to covered entity customers and streamlines security questionnaire responses. Learn more on our ",[23,7543,7169],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":7545},[7546],{"id":7375,"depth":258,"text":7376,"children":7547},[7548,7549,7550,7551,7552,7553],{"id":7382,"depth":264,"text":7383},{"id":7433,"depth":264,"text":7434},{"id":7471,"depth":264,"text":7472},{"id":7492,"depth":264,"text":7493},{"id":7516,"depth":264,"text":7517},{"id":7537,"depth":264,"text":7538},{},[293],[293,1450,2106,1451,7362,550],{"title":7558,"description":7559},"What is a Business Associate? Definition & Compliance Guide","A HIPAA business associate is any vendor or partner that creates, receives, or transmits PHI on behalf of a covered entity. Learn your obligations.","8.glossary\u002Fbusiness-associate","qRN1k9TCSPPGonMPFkOgg08MBVnoxS-aJhCoHp0FnUA",{"id":7563,"title":7564,"body":7565,"description":257,"extension":278,"lastUpdated":294,"meta":7733,"navigation":296,"path":4265,"relatedFrameworks":7734,"relatedTerms":7735,"seo":7736,"slug":1451,"stem":7739,"term":7570,"__hash__":7740},"glossary\u002F8.glossary\u002Fcovered-entity.md","Covered Entity",{"type":8,"value":7566,"toc":7724},[7567,7571,7574,7578,7583,7606,7609,7614,7634,7639,7643,7646,7675,7679,7682,7694,7697,7701,7704,7712,7715,7719],[11,7568,7570],{"id":7569},"what-is-a-covered-entity","What is a Covered Entity?",[16,7572,7573],{},"A covered entity is an organization that is directly subject to HIPAA regulations. 
HIPAA defines three categories of covered entities: healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses. Understanding whether your organization qualifies as a covered entity is the first step in determining your HIPAA compliance obligations.",[51,7575,7577],{"id":7576},"what-are-the-three-types-of-covered-entities","What are the three types of covered entities?",[16,7579,7580,7582],{},[59,7581,4280],{}," — any provider of medical or health services who transmits health information in electronic form in connection with a HIPAA-covered transaction. This includes:",[137,7584,7585,7588,7591,7594,7597,7600,7603],{},[74,7586,7587],{},"Hospitals and health systems",[74,7589,7590],{},"Physicians and medical practices",[74,7592,7593],{},"Dentists, chiropractors, and other licensed practitioners",[74,7595,7596],{},"Pharmacies",[74,7598,7599],{},"Clinics and urgent care centers",[74,7601,7602],{},"Nursing facilities",[74,7604,7605],{},"Home health agencies",[16,7607,7608],{},"The key qualifier is electronic transmission. A healthcare provider that conducts all transactions on paper and never transmits health information electronically may not be a covered entity. However, in practice, nearly all providers today transmit information electronically.",[16,7610,7611,7613],{},[59,7612,4274],{}," — organizations that provide or pay for the cost of healthcare. 
This includes:",[137,7615,7616,7619,7622,7625,7628,7631],{},[74,7617,7618],{},"Health insurance companies",[74,7620,7621],{},"HMOs (Health Maintenance Organizations)",[74,7623,7624],{},"Employer-sponsored group health plans",[74,7626,7627],{},"Government programs such as Medicare, Medicaid, and TRICARE",[74,7629,7630],{},"Long-term care insurance providers",[74,7632,7633],{},"Employee assistance programs that provide health benefits",[16,7635,7636,7638],{},[59,7637,4286],{}," — entities that process health information received from another entity into a standard format (or vice versa). Clearinghouses typically sit between providers and health plans, translating data into standardized transaction formats.",[51,7640,7642],{"id":7641},"what-are-covered-entity-responsibilities","What are covered entity responsibilities?",[16,7644,7645],{},"As a covered entity, an organization must comply with all HIPAA rules:",[137,7647,7648,7653,7658,7663,7669],{},[74,7649,7650,7652],{},[59,7651,344],{}," — governs the use and disclosure of PHI, grants individuals rights over their health information, and requires privacy notices",[74,7654,7655,7657],{},[59,7656,228],{}," — requires administrative, physical, and technical safeguards to protect ePHI",[74,7659,7660,7662],{},[59,7661,411],{}," — mandates notification of affected individuals, HHS, and potentially media following a breach of unsecured PHI",[74,7664,7665,7668],{},[59,7666,7667],{},"Enforcement Rule"," — establishes penalties for noncompliance",[74,7670,7671,7674],{},[59,7672,7673],{},"Omnibus Rule"," — extends certain requirements to business associates and strengthens breach notification provisions",[51,7676,7678],{"id":7677},"what-is-the-difference-between-a-covered-entity-and-a-business-associate","What is the difference between a covered entity and a business associate?",[16,7680,7681],{},"The distinction between covered entities and business associates is 
critical:",[137,7683,7684,7689],{},[74,7685,4262,7686,7688],{},[59,7687,4266],{}," is directly regulated under HIPAA and bears primary responsibility for PHI protection",[74,7690,4262,7691,7693],{},[59,7692,4300],{}," is a vendor or partner that handles PHI on behalf of a covered entity and is regulated through BAAs and certain direct HIPAA obligations",[16,7695,7696],{},"A technology company that builds software for a hospital is typically a business associate, not a covered entity. The hospital is the covered entity. However, both have compliance obligations — the covered entity through direct regulation and the business associate through its BAA and HITECH Act provisions.",[51,7698,7700],{"id":7699},"how-do-you-determine-if-you-are-a-covered-entity","How do you determine if you are a covered entity?",[16,7702,7703],{},"To determine whether your organization is a covered entity:",[71,7705,7706,7709],{},[74,7707,7708],{},"Does your organization provide healthcare services, operate a health plan, or function as a clearinghouse?",[74,7710,7711],{},"Does your organization transmit health information electronically in connection with covered transactions (such as claims, eligibility inquiries, or referral authorizations)?",[16,7713,7714],{},"If both answers are yes, your organization is likely a covered entity. If you are unsure, the HHS website provides a covered entity decision tool.",[51,7716,7718],{"id":7717},"how-does-episki-help-with-covered-entities","How does episki help with covered entities?",[16,7720,7721,7722,42],{},"episki helps covered entities manage their HIPAA compliance obligations by tracking required safeguards, documenting policies and procedures, managing business associate agreements, and maintaining breach notification workflows. 
Learn more on our ",[23,7723,7169],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":7725},[7726],{"id":7569,"depth":258,"text":7570,"children":7727},[7728,7729,7730,7731,7732],{"id":7576,"depth":264,"text":7577},{"id":7641,"depth":264,"text":7642},{"id":7677,"depth":264,"text":7678},{"id":7699,"depth":264,"text":7700},{"id":7717,"depth":264,"text":7718},{},[293],[293,1450,2106,1452,550],{"title":7737,"description":7738},"What is a Covered Entity? Definition & Compliance Guide","A covered entity under HIPAA is a health plan, healthcare provider, or healthcare clearinghouse that transmits health information electronically.","8.glossary\u002Fcovered-entity","65vmoU7rf4rWSBUE_tgrgq6iiAwhbZUZb-vnD69V3v8",{"id":7742,"title":215,"body":7743,"description":257,"extension":278,"lastUpdated":294,"meta":7930,"navigation":296,"path":5199,"relatedFrameworks":7931,"relatedTerms":7932,"seo":7936,"slug":5200,"stem":7939,"term":7748,"__hash__":7940},"glossary\u002F8.glossary\u002Fencryption.md",{"type":8,"value":7744,"toc":7919},[7745,7749,7752,7756,7762,7768,7774,7778,7781,7784,7798,7802,7805,7807,7824,7828,7831,7863,7867,7889,7893,7910,7914],[11,7746,7748],{"id":7747},"what-is-encryption","What is Encryption?",[16,7750,7751],{},"Encryption is the process of converting readable data (plaintext) into an unreadable format (ciphertext) using a cryptographic algorithm and a key. Only authorized parties with the correct decryption key can convert the ciphertext back to plaintext. Encryption is one of the most important technical controls for protecting the confidentiality of sensitive data and is required by virtually every compliance framework.",[51,7753,7755],{"id":7754},"what-are-the-types-of-encryption","What are the types of encryption?",[16,7757,7758,7761],{},[59,7759,7760],{},"Symmetric encryption"," — uses the same key for both encryption and decryption. It is fast and efficient for large volumes of data. 
Common algorithms include AES-256 (the current standard) and AES-128.",[16,7763,7764,7767],{},[59,7765,7766],{},"Asymmetric encryption"," — uses a pair of keys: a public key for encryption and a private key for decryption. It is used for key exchange, digital signatures, and scenarios where parties cannot share a secret key in advance. Common algorithms include RSA and elliptic curve cryptography (ECC).",[16,7769,7770,7773],{},[59,7771,7772],{},"Hashing"," — technically not encryption (it is one-way and cannot be reversed), but often discussed alongside encryption. Hashing produces a fixed-length output from any input, used for password storage and data integrity verification. Common algorithms include SHA-256 and bcrypt.",[51,7775,7777],{"id":7776},"what-is-encryption-at-rest","What is encryption at rest?",[16,7779,7780],{},"Encryption at rest protects data stored in databases, file systems, backups, and storage media. If a storage device is stolen or improperly decommissioned, encryption prevents unauthorized access to the data.",[16,7782,7783],{},"Common implementations include:",[137,7785,7786,7789,7792,7795],{},[74,7787,7788],{},"Full disk encryption (BitLocker, FileVault, LUKS)",[74,7790,7791],{},"Database encryption (Transparent Data Encryption)",[74,7793,7794],{},"File-level encryption",[74,7796,7797],{},"Cloud storage encryption (most cloud providers offer encryption at rest by default)",[51,7799,7801],{"id":7800},"what-is-encryption-in-transit","What is encryption in transit?",[16,7803,7804],{},"Encryption in transit protects data as it moves between systems over networks. 
It prevents eavesdropping, man-in-the-middle attacks, and data interception.",[16,7806,7783],{},[137,7808,7809,7812,7815,7818,7821],{},[74,7810,7811],{},"TLS 1.2 or 1.3 for web traffic (HTTPS)",[74,7813,7814],{},"TLS for email (SMTP with STARTTLS)",[74,7816,7817],{},"VPN tunnels for site-to-site or remote access connections",[74,7819,7820],{},"SSH for administrative access",[74,7822,7823],{},"IPsec for network-level encryption",[51,7825,7827],{"id":7826},"how-does-key-management-support-encryption","How does key management support encryption?",[16,7829,7830],{},"Encryption is only as strong as its key management. Poor key management undermines the protection encryption provides. Key management best practices include:",[137,7832,7833,7839,7845,7851,7857],{},[74,7834,7835,7838],{},[59,7836,7837],{},"Key generation"," — use cryptographically secure random number generators",[74,7840,7841,7844],{},[59,7842,7843],{},"Key storage"," — store keys separately from the data they protect, using hardware security modules (HSMs) or key management services",[74,7846,7847,7850],{},[59,7848,7849],{},"Key rotation"," — rotate keys periodically to limit exposure if a key is compromised",[74,7852,7853,7856],{},[59,7854,7855],{},"Key access control"," — restrict key access to authorized personnel and systems",[74,7858,7859,7862],{},[59,7860,7861],{},"Key destruction"," — securely destroy keys when no longer needed",[51,7864,7866],{"id":7865},"what-are-the-encryption-requirements","What are the encryption requirements?",[137,7868,7869,7874,7879,7884],{},[74,7870,7871,7873],{},[59,7872,4536],{}," — CC6.1 and CC6.7 address protection of data through encryption and other mechanisms",[74,7875,7876,7878],{},[59,7877,4866],{}," — control A.8.24 addresses use of cryptography",[74,7880,7881,7883],{},[59,7882,4510],{}," — encryption is an addressable implementation specification for ePHI both at rest (45 CFR 164.312(a)(2)(iv)) and in transit (45 CFR 164.312(e)(2)(ii), under the transmission security standard at 164.312(e)(1)); addressable means the entity must implement it or document why it is not reasonable and appropriate and what equivalent measure is used instead",[74,7885,7886,7888],{},[59,7887,4890],{}," — Requirement 3 requires encryption of stored PAN, and Requirement 4 requires encryption of PAN in transit over open networks",[51,7890,7892],{"id":7891},"what-are-common-mistakes-with-encryption","What are common mistakes with encryption?",[137,7894,7895,7898,7901,7904,7907],{},[74,7896,7897],{},"Using outdated algorithms (DES, 3DES, RC4, SSL, TLS 1.0\u002F1.1)",[74,7899,7900],{},"Storing encryption keys alongside encrypted data",[74,7902,7903],{},"Failing to encrypt backups",[74,7905,7906],{},"Not encrypting data in transit within internal networks",[74,7908,7909],{},"Hardcoding keys in application source code",[51,7911,7913],{"id":7912},"how-does-episki-help-with-encryption","How does episki help with encryption?",[16,7915,7916,7917,42],{},"episki tracks your encryption implementations across systems, monitors certificate expirations, and documents encryption policies and key management practices for audit evidence. Learn more on our ",[23,7918,5233],{"href":5232},{"title":257,"searchDepth":258,"depth":258,"links":7920},[7921],{"id":7747,"depth":258,"text":7748,"children":7922},[7923,7924,7925,7926,7927,7928,7929],{"id":7754,"depth":264,"text":7755},{"id":7776,"depth":264,"text":7777},{"id":7800,"depth":264,"text":7801},{"id":7826,"depth":264,"text":7827},{"id":7865,"depth":264,"text":7866},{"id":7891,"depth":264,"text":7892},{"id":7912,"depth":264,"text":7913},{},[5251,5252,5253,293,5254],[7933,1450,7934,5263,7935],"pan","tokenization","data-classification",{"title":7937,"description":7938},"What is Encryption? Definition & Compliance Guide","Encryption transforms data into unreadable ciphertext to protect confidentiality. 
Learn about encryption at rest, in transit, and compliance requirements.","8.glossary\u002Fencryption","8HTAhzLPBjGJKnlguz6mBT1ob6J8h2KVZGzAJtWJEHM",{"id":7942,"title":7943,"body":7944,"description":257,"extension":278,"lastUpdated":294,"meta":8144,"navigation":296,"path":8145,"relatedFrameworks":8146,"relatedTerms":8147,"seo":8150,"slug":5490,"stem":8153,"term":7949,"__hash__":8154},"glossary\u002F8.glossary\u002Fevidence-collection.md","Evidence Collection",{"type":8,"value":7945,"toc":8134},[7946,7950,7953,7957,7960,7974,7978,7981,8031,8035,8038,8044,8050,8056,8060,8104,8108,8125,8129],[11,7947,7949],{"id":7948},"what-is-evidence-collection","What is Evidence Collection?",[16,7951,7952],{},"Evidence collection is the systematic process of gathering, organizing, and maintaining documentation that demonstrates security controls are implemented and operating effectively. It is a critical activity for any compliance program — without evidence, an organization cannot prove to auditors, customers, or regulators that its controls actually work.",[51,7954,7956],{"id":7955},"why-does-evidence-collection-matter","Why does evidence collection matter?",[16,7958,7959],{},"Controls that exist only in policy documents are insufficient. Auditors and assessors require proof that controls are executed consistently. 
Evidence collection bridges the gap between \"we have a policy\" and \"we follow the policy.\" Without organized evidence:",[137,7961,7962,7965,7968,7971],{},[74,7963,7964],{},"Audits take longer and cost more due to scrambling for documentation",[74,7966,7967],{},"Control gaps go undetected until audit time",[74,7969,7970],{},"Audit opinions may be qualified due to insufficient evidence",[74,7972,7973],{},"Customer trust erodes when security claims cannot be substantiated",[51,7975,7977],{"id":7976},"what-are-the-types-of-evidence-in-compliance-audits","What are the types of evidence in compliance audits?",[16,7979,7980],{},"Evidence takes many forms depending on the control being demonstrated:",[137,7982,7983,7989,7995,8001,8007,8013,8019,8025],{},[74,7984,7985,7988],{},[59,7986,7987],{},"Screenshots"," — system configurations, access control settings, dashboard views",[74,7990,7991,7994],{},[59,7992,7993],{},"Logs"," — audit logs, access logs, change management logs, security event logs",[74,7996,7997,8000],{},[59,7998,7999],{},"Documents"," — policies, procedures, meeting minutes, training records",[74,8002,8003,8006],{},[59,8004,8005],{},"Tickets"," — change management tickets, incident response tickets, access request tickets",[74,8008,8009,8012],{},[59,8010,8011],{},"Reports"," — vulnerability scan reports, penetration test reports, risk assessment reports",[74,8014,8015,8018],{},[59,8016,8017],{},"Certifications"," — employee training certificates, vendor SOC 2 reports, compliance attestations",[74,8020,8021,8024],{},[59,8022,8023],{},"Configurations"," — infrastructure-as-code files, system configuration exports",[74,8026,8027,8030],{},[59,8028,8029],{},"Interviews"," — auditor interviews with control owners (for live audits)",[51,8032,8034],{"id":8033},"what-are-common-evidence-collection-approaches","What are common evidence collection approaches?",[16,8036,8037],{},"Organizations typically use one of three 
approaches:",[16,8039,8040,8043],{},[59,8041,8042],{},"Manual collection"," — control owners manually gather screenshots, exports, and documents on a scheduled basis. This is the most common starting point but is labor-intensive and error-prone.",[16,8045,8046,8049],{},[59,8047,8048],{},"Semi-automated collection"," — integrations with key systems (cloud providers, identity providers, ticketing systems) automatically pull evidence, supplemented by manual collection for controls without integration support.",[16,8051,8052,8055],{},[59,8053,8054],{},"Continuous automated collection"," — deep integrations with infrastructure and applications automatically collect and organize evidence on an ongoing basis, with minimal manual intervention.",[51,8057,8059],{"id":8058},"what-are-best-practices-for-evidence-collection","What are best practices for evidence collection?",[137,8061,8062,8068,8074,8080,8086,8092,8098],{},[74,8063,8064,8067],{},[59,8065,8066],{},"Define evidence requirements upfront"," — for each control, specify what evidence is needed, how often it should be collected, and who is responsible",[74,8069,8070,8073],{},[59,8071,8072],{},"Collect continuously, not just before audits"," — evidence collected throughout the period is more credible than evidence gathered in a rush before the audit",[74,8075,8076,8079],{},[59,8077,8078],{},"Timestamp everything"," — evidence must demonstrate when the control was operating, not just that it exists",[74,8081,8082,8085],{},[59,8083,8084],{},"Organize by control"," — structure evidence so it maps directly to controls and framework requirements",[74,8087,8088,8091],{},[59,8089,8090],{},"Maintain chain of custody"," — ensure evidence cannot be tampered with after collection",[74,8093,8094,8097],{},[59,8095,8096],{},"Review evidence quality"," — periodically verify that collected evidence actually demonstrates the control is working",[74,8099,8100,8103],{},[59,8101,8102],{},"Retain evidence appropriately"," — keep evidence 
for the required retention period (typically matching the audit cycle plus any regulatory requirements)",[51,8105,8107],{"id":8106},"what-are-common-challenges-with-evidence-collection","What are common challenges with evidence collection?",[137,8109,8110,8113,8116,8119,8122],{},[74,8111,8112],{},"Evidence collection is distributed across many teams and systems",[74,8114,8115],{},"Control owners forget to collect on schedule",[74,8117,8118],{},"Evidence quality varies — screenshots may be unclear or incomplete",[74,8120,8121],{},"Evidence becomes stale if not collected at the right frequency",[74,8123,8124],{},"Storing and organizing large volumes of evidence is difficult without proper tooling",[51,8126,8128],{"id":8127},"how-does-episki-help-with-evidence-collection","How does episki help with evidence collection?",[16,8130,8131,8132,42],{},"episki automates evidence collection through integrations with cloud providers, identity systems, and development tools. The platform assigns collection tasks to control owners, sends reminders, validates evidence quality, and organizes everything by control and framework. When audit time arrives, evidence is already collected and organized. Learn more on our ",[23,8133,5233],{"href":5232},{"title":257,"searchDepth":258,"depth":258,"links":8135},[8136],{"id":7948,"depth":258,"text":7949,"children":8137},[8138,8139,8140,8141,8142,8143],{"id":7955,"depth":264,"text":7956},{"id":7976,"depth":264,"text":7977},{"id":8033,"depth":264,"text":8034},{"id":8058,"depth":264,"text":8059},{"id":8106,"depth":264,"text":8107},{"id":8127,"depth":264,"text":8128},{},"\u002Fglossary\u002Fevidence-collection",[5252,5253,293,5254],[5258,8148,5491,8149],"soc2-type-2","control-objectives",{"title":8151,"description":8152},"What is Evidence Collection? 
Definition & Compliance Guide","Evidence collection is the process of gathering documentation that proves security controls are implemented and operating effectively for compliance audits.","8.glossary\u002Fevidence-collection","-4Die8_TxT3p7plrS5QfBm3mjx6_FZQa79Sl58zqSnw",{"id":8156,"title":8157,"body":8158,"description":257,"extension":278,"lastUpdated":294,"meta":8262,"navigation":296,"path":8263,"relatedFrameworks":8264,"relatedTerms":8265,"seo":8268,"slug":8271,"stem":8272,"term":8163,"__hash__":8273},"glossary\u002F8.glossary\u002Fframework.md","Framework",{"type":8,"value":8159,"toc":8254},[8160,8164,8167,8171,8198,8202,8205,8224,8228,8231,8245,8249],[11,8161,8163],{"id":8162},"what-is-a-framework","What is a Framework?",[16,8165,8166],{},"A framework is a structured set of guidelines, controls, and best practices that organizations follow to manage security, risk, and compliance. Frameworks provide a common language and systematic approach for identifying risks, implementing safeguards, and demonstrating due diligence to auditors, customers, and regulators.",[51,8168,8170],{"id":8169},"what-are-common-compliance-frameworks","What are common compliance frameworks?",[137,8172,8173,8178,8183,8188,8193],{},[74,8174,8175,8177],{},[59,8176,4866],{}," — an international standard for information security management systems (ISMS) with a risk-based approach to protecting information assets.",[74,8179,8180,8182],{},[59,8181,4536],{}," — a reporting framework developed by the AICPA based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.",[74,8184,8185,8187],{},[59,8186,4510],{}," — a US law that sets requirements for protecting health information, including the Security Rule and Privacy Rule.",[74,8189,8190,8192],{},[59,8191,4890],{}," — a set of security standards for organizations that handle payment card data.",[74,8194,8195,8197],{},[59,8196,4899],{}," — a voluntary framework published by the National 
Institute of Standards and Technology that provides a common taxonomy for managing cybersecurity risk.",[51,8199,8201],{"id":8200},"what-is-the-difference-between-a-framework-a-standard-and-a-regulation","What is the difference between a framework, a standard, and a regulation?",[16,8203,8204],{},"These terms are often used interchangeably but have important distinctions:",[137,8206,8207,8212,8218],{},[74,8208,8209,8211],{},[59,8210,8157],{}," — a flexible structure of guidelines that can be adapted to an organization's context (e.g., NIST CSF).",[74,8213,8214,8217],{},[59,8215,8216],{},"Standard"," — a more prescriptive set of requirements that can be certified against (e.g., ISO 27001).",[74,8219,8220,8223],{},[59,8221,8222],{},"Regulation"," — a legally binding requirement enforced by a governing body (e.g., HIPAA, GDPR).",[51,8225,8227],{"id":8226},"how-do-you-choose-a-framework","How do you choose a framework?",[16,8229,8230],{},"When selecting a framework, consider:",[137,8232,8233,8236,8239,8242],{},[74,8234,8235],{},"Customer and market requirements — enterprise buyers often require SOC 2 or ISO 27001",[74,8237,8238],{},"Industry regulations — healthcare organizations must comply with HIPAA; payment processors with PCI DSS",[74,8240,8241],{},"Geographic scope — GDPR for organizations handling EU data",[74,8243,8244],{},"Organizational maturity — NIST CSF is often a good starting point for organizations new to formal security programs",[51,8246,8248],{"id":8247},"how-does-episki-help-with-compliance-frameworks","How does episki help with compliance frameworks?",[16,8250,8251,8252,42],{},"episki supports multiple frameworks in a single workspace, allowing organizations to map controls across standards and reuse evidence. 
Learn more on our ",[23,8253,5233],{"href":5232},{"title":257,"searchDepth":258,"depth":258,"links":8255},[8256],{"id":8162,"depth":258,"text":8163,"children":8257},[8258,8259,8260,8261],{"id":8169,"depth":264,"text":8170},{"id":8200,"depth":264,"text":8201},{"id":8226,"depth":264,"text":8227},{"id":8247,"depth":264,"text":8248},{},"\u002Fglossary\u002Fframework",[5252,5253,293,5254,5255],[8266,8149,8267],"control-framework","grc",{"title":8269,"description":8270},"What is a Framework? Definition & Compliance Guide","A framework is a structured set of guidelines and controls organizations follow to manage security and compliance. Common examples include ISO 27001, SOC 2, and NIST CSF.","framework","8.glossary\u002Fframework","CdMCpQrbry3zSa1fdtsyViYMvkP88wOS8pALWkyZ5Mo",{"id":8275,"title":8276,"body":8277,"description":257,"extension":278,"lastUpdated":294,"meta":8384,"navigation":296,"path":8385,"relatedFrameworks":8386,"relatedTerms":8387,"seo":8389,"slug":8267,"stem":8392,"term":8282,"__hash__":8393},"glossary\u002F8.glossary\u002Fgrc.md","Grc",{"type":8,"value":8278,"toc":8375},[8279,8283,8290,8294,8297,8311,8315,8318,8332,8336,8347,8351,8354,8368,8372],[11,8280,8282],{"id":8281},"what-is-grc","What is GRC?",[16,8284,8285,8286,8289],{},"GRC stands for ",[59,8287,8288],{},"governance, risk, and compliance"," — a coordinated approach to aligning IT and security practices with business objectives, managing risk, and meeting regulatory requirements.",[51,8291,8293],{"id":8292},"what-is-governance-in-grc","What is governance in GRC?",[16,8295,8296],{},"Governance defines the policies, roles, and decision-making structures that guide how an organization operates. 
In a security context, governance includes:",[137,8298,8299,8302,8305,8308],{},[74,8300,8301],{},"Establishing security policies and standards",[74,8303,8304],{},"Assigning ownership for controls and programs",[74,8306,8307],{},"Setting risk appetite and tolerance levels",[74,8309,8310],{},"Board-level oversight of security posture",[51,8312,8314],{"id":8313},"what-is-risk-management-in-grc","What is risk management in GRC?",[16,8316,8317],{},"Risk management is the process of identifying, assessing, and treating threats that could affect the organization. Common activities include:",[137,8319,8320,8323,8326,8329],{},[74,8321,8322],{},"Maintaining a risk register with likelihood and impact scores",[74,8324,8325],{},"Prioritizing remediation based on business impact",[74,8327,8328],{},"Tracking treatment plans with owners and deadlines",[74,8330,8331],{},"Reviewing risk posture on a recurring schedule",[51,8333,8335],{"id":8334},"what-is-compliance-in-grc","What is compliance in GRC?",[16,8337,8338,8339,573,8341,573,8343,578,8345,42],{},"Compliance means meeting the requirements of external standards, regulations, and contractual obligations. Common compliance frameworks include ",[23,8340,4536],{"href":4535},[23,8342,4866],{"href":4865},[23,8344,4510],{"href":35},[23,8346,4890],{"href":4889},[51,8348,8350],{"id":8349},"why-does-grc-matter","Why does GRC matter?",[16,8352,8353],{},"Without a coordinated approach, organizations end up with fragmented policies, duplicated controls, and gaps between what auditors expect and what teams actually do. 
A GRC program brings these disciplines together so that:",[137,8355,8356,8359,8362,8365],{},[74,8357,8358],{},"Controls are mapped once and reused across frameworks",[74,8360,8361],{},"Risk decisions inform which controls get priority",[74,8363,8364],{},"Evidence is collected continuously rather than scrambled before audits",[74,8366,8367],{},"Leadership has visibility into security posture and compliance status",[51,8369,8371],{"id":8370},"what-is-grc-software","What is GRC software?",[16,8373,8374],{},"GRC platforms like episki centralize controls, evidence, risk registers, and auditor collaboration in one workspace. Instead of managing compliance in spreadsheets, teams can assign owners, track evidence, and run programs across multiple frameworks simultaneously.",{"title":257,"searchDepth":258,"depth":258,"links":8376},[8377],{"id":8281,"depth":258,"text":8282,"children":8378},[8379,8380,8381,8382,8383],{"id":8292,"depth":264,"text":8293},{"id":8313,"depth":264,"text":8314},{"id":8334,"depth":264,"text":8335},{"id":8349,"depth":264,"text":8350},{"id":8370,"depth":264,"text":8371},{},"\u002Fglossary\u002Fgrc",[5252,5253,293,5254,5255],[8388,8266,5258,5490],"risk-register",{"title":8390,"description":8391},"What is GRC? Governance, Risk, and Compliance Explained","GRC stands for governance, risk, and compliance. 
Learn how GRC programs help organizations manage risk, meet regulatory requirements, and align security with business goals.","8.glossary\u002Fgrc","6r8Pzm3RtrpbRSlELLbyQ2mEbI0Rv-73CiQlZaZiv9g",{"id":8395,"title":4142,"body":8396,"description":257,"extension":278,"lastUpdated":294,"meta":8499,"navigation":296,"path":40,"relatedFrameworks":8500,"relatedTerms":8501,"seo":8502,"slug":293,"stem":8505,"term":4170,"__hash__":8506},"glossary\u002F8.glossary\u002Fhipaa.md",{"type":8,"value":8397,"toc":8489},[8398,8400,8403,8407,8429,8433,8436,8447,8449,8452,8466,8470,8473,8477,8480,8484],[11,8399,4170],{"id":4169},[16,8401,8402],{},"HIPAA (Health Insurance Portability and Accountability Act) is a US federal law enacted in 1996 that establishes standards for protecting sensitive patient health information. It applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates.",[51,8404,8406],{"id":8405},"what-are-the-key-hipaa-rules","What are the key HIPAA rules?",[137,8408,8409,8414,8419,8424],{},[74,8410,8411,8413],{},[59,8412,344],{}," — governs the use and disclosure of protected health information (PHI)",[74,8415,8416,8418],{},[59,8417,228],{}," — requires administrative, physical, and technical safeguards for electronic PHI (ePHI)",[74,8420,8421,8423],{},[59,8422,411],{}," — mandates notification of affected individuals and HHS after a data breach",[74,8425,8426,8428],{},[59,8427,7667],{}," — establishes investigation and penalty procedures",[51,8430,8432],{"id":8431},"what-is-protected-health-information-phi","What is Protected Health Information (PHI)?",[16,8434,8435],{},"PHI includes any individually identifiable health information, such as:",[137,8437,8438,8441,8444],{},[74,8439,8440],{},"Medical records and diagnoses",[74,8442,8443],{},"Treatment and payment information",[74,8445,8446],{},"Names, addresses, dates of birth, and Social Security numbers when linked to health 
data",[51,8448,4645],{"id":7007},[16,8450,8451],{},"Any vendor that handles PHI on behalf of a covered entity must sign a BAA. This contract:",[137,8453,8454,8457,8460,8463],{},[74,8455,8456],{},"Defines how the vendor can use and disclose PHI",[74,8458,8459],{},"Requires the vendor to implement appropriate safeguards",[74,8461,8462],{},"Establishes breach notification obligations",[74,8464,8465],{},"Makes the vendor directly liable for HIPAA violations",[51,8467,8469],{"id":8468},"what-are-hipaa-penalties","What are HIPAA penalties?",[16,8471,8472],{},"Penalties range from $141 to $2,134,831 per violation depending on the level of negligence, with an annual cap of $2,134,831 per identical violation category. Criminal penalties can include fines up to $250,000 and imprisonment.",[51,8474,8476],{"id":8475},"how-does-hipaa-apply-to-saas-companies","How does HIPAA apply to SaaS companies?",[16,8478,8479],{},"SaaS companies that store, process, or transmit PHI are considered business associates and must comply with HIPAA. Common requirements include encryption at rest and in transit, access controls, audit logging, and incident response procedures.",[51,8481,8483],{"id":8482},"how-does-episki-help-with-hipaa","How does episki help with HIPAA?",[16,8485,8486,8487,42],{},"episki maps safeguards to your systems, tracks BAA renewals, and provides auditor portals for sharing evidence. Learn more on our ",[23,8488,7169],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":8490},[8491],{"id":4169,"depth":258,"text":4170,"children":8492},[8493,8494,8495,8496,8497,8498],{"id":8405,"depth":264,"text":8406},{"id":8431,"depth":264,"text":8432},{"id":7007,"depth":264,"text":4645},{"id":8468,"depth":264,"text":8469},{"id":8475,"depth":264,"text":8476},{"id":8482,"depth":264,"text":8483},{},[293],[1450,2106,1451,550],{"title":8503,"description":8504},"What is HIPAA? Healthcare Compliance Requirements Explained","HIPAA is the US federal law protecting health information. 
Learn about the Privacy Rule, Security Rule, BAAs, PHI safeguards, and penalties for non-compliance.","8.glossary\u002Fhipaa","JPFQoMGf21YW7HHj69Pg6GuGjOetXJglTxRpWdM7D-U",{"id":8508,"title":8509,"body":8510,"description":257,"extension":278,"lastUpdated":294,"meta":8656,"navigation":296,"path":8657,"relatedFrameworks":8658,"relatedTerms":8659,"seo":8660,"slug":7362,"stem":8663,"term":2092,"__hash__":8664},"glossary\u002F8.glossary\u002Fhitech.md","Hitech",{"type":8,"value":8511,"toc":8647},[8512,8515,8518,8522,8525,8530,8536,8542,8559,8564,8570,8573,8576,8593,8597,8600,8614,8617,8621,8624,8638,8642],[11,8513,2092],{"id":8514},"what-is-the-hitech-act",[16,8516,8517],{},"The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 as part of the American Recovery and Reinvestment Act. It significantly strengthened HIPAA by extending compliance requirements to business associates, establishing mandatory breach notification rules, increasing penalties for violations, and promoting the adoption of electronic health records (EHRs).",[51,8519,8521],{"id":8520},"what-are-the-key-provisions-of-hitech","What are the key provisions of HITECH?",[16,8523,8524],{},"The HITECH Act introduced several major changes to the HIPAA regulatory landscape:",[16,8526,8527,8529],{},[59,8528,1787],{}," — before HITECH, business associates were only bound by their contractual obligations under BAAs. HITECH made business associates directly subject to HIPAA Security Rule requirements and certain Privacy Rule provisions, with the same penalties that apply to covered entities.",[16,8531,8532,8535],{},[59,8533,8534],{},"Mandatory breach notification"," — HITECH established the Breach Notification Rule, requiring covered entities and business associates to notify affected individuals, HHS, and in some cases the media when a breach of unsecured PHI occurs. 
This was a major shift from the pre-HITECH environment where breach notification was not consistently required.",[16,8537,8538,8541],{},[59,8539,8540],{},"Increased penalties"," — HITECH introduced a tiered penalty structure with significantly higher fines:",[137,8543,8544,8547,8550,8553,8556],{},[74,8545,8546],{},"Tier 1: Lack of knowledge — $100 to $50,000 per violation",[74,8548,8549],{},"Tier 2: Reasonable cause — $1,000 to $50,000 per violation",[74,8551,8552],{},"Tier 3: Willful neglect (corrected) — $10,000 to $50,000 per violation",[74,8554,8555],{},"Tier 4: Willful neglect (not corrected) — $50,000 per violation",[74,8557,8558],{},"Annual maximum of $1.5 million per violation category",[16,8560,8561,8563],{},[59,8562,1961],{}," — HITECH granted state attorneys general the authority to bring civil actions against entities that violate HIPAA, adding another layer of enforcement beyond the federal OCR.",[16,8565,8566,8569],{},[59,8567,8568],{},"EHR adoption incentives"," — HITECH provided financial incentives for healthcare providers to adopt certified electronic health record systems through the Medicare and Medicaid EHR Incentive Programs (later renamed the Promoting Interoperability Programs).",[51,8571,2095],{"id":8572},"what-is-the-hipaa-omnibus-rule",[16,8574,8575],{},"In 2013, HHS issued the HIPAA Omnibus Rule to implement many of HITECH's provisions. 
The Omnibus Rule:",[137,8577,8578,8581,8584,8587,8590],{},[74,8579,8580],{},"Finalized the breach notification requirements",[74,8582,8583],{},"Modified the Privacy Rule to strengthen individual rights",[74,8585,8586],{},"Updated the enforcement provisions with the tiered penalty structure",[74,8588,8589],{},"Extended Security Rule requirements directly to business associates",[74,8591,8592],{},"Required updates to BAAs to reflect the new requirements",[51,8594,8596],{"id":8595},"how-did-hitech-impact-business-associates","How did HITECH impact business associates?",[16,8598,8599],{},"The HITECH Act fundamentally changed the compliance landscape for business associates. Before HITECH, a business associate's HIPAA obligations were primarily contractual. After HITECH, business associates face direct regulatory liability, including:",[137,8601,8602,8605,8608,8611],{},[74,8603,8604],{},"OCR audits and enforcement actions",[74,8606,8607],{},"Civil and criminal penalties",[74,8609,8610],{},"Breach notification obligations",[74,8612,8613],{},"Full compliance with the HIPAA Security Rule",[16,8615,8616],{},"This shift motivated many technology companies and service providers to invest in formal HIPAA compliance programs for the first time.",[51,8618,8620],{"id":8619},"how-did-hitech-change-breach-response","How did HITECH change breach response?",[16,8622,8623],{},"The mandatory breach notification requirements changed how organizations respond to security incidents involving PHI:",[137,8625,8626,8629,8632,8635],{},[74,8627,8628],{},"Individual notification must occur within 60 days of breach discovery",[74,8630,8631],{},"HHS notification is required for all breaches (immediately for breaches affecting 500+ individuals, annually for smaller breaches)",[74,8633,8634],{},"Media notification is required for breaches affecting 500+ individuals in a single state or jurisdiction",[74,8636,8637],{},"Business associates must notify the covered entity of breaches, which then 
triggers the covered entity's notification obligations",[51,8639,8641],{"id":8640},"how-does-episki-help-with-hitech","How does episki help with HITECH?",[16,8643,8644,8645,42],{},"episki incorporates HITECH requirements into its HIPAA compliance framework, including breach notification workflows, business associate tracking, and the enhanced security controls required under the act. The platform helps both covered entities and business associates maintain compliance with the full scope of HIPAA and HITECH obligations. Learn more on our ",[23,8646,7169],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":8648},[8649],{"id":8514,"depth":258,"text":2092,"children":8650},[8651,8652,8653,8654,8655],{"id":8520,"depth":264,"text":8521},{"id":8572,"depth":264,"text":2095},{"id":8595,"depth":264,"text":8596},{"id":8619,"depth":264,"text":8620},{"id":8640,"depth":264,"text":8641},{},"\u002Fglossary\u002Fhitech",[293],[293,1450,1452,1451,550,2106],{"title":8661,"description":8662},"What is the HITECH Act? Definition & Compliance Guide","The HITECH Act strengthened HIPAA by extending requirements to business associates, increasing penalties, and mandating breach notification. 
Learn the key provisions.","8.glossary\u002Fhitech","ow2eaKtLUQ3UD-N-SepMmXJUhTy2Djfw83cfPmt0cmE",{"id":8666,"title":8667,"body":8668,"description":257,"extension":278,"lastUpdated":294,"meta":8893,"navigation":296,"path":8894,"relatedFrameworks":8895,"relatedTerms":8896,"seo":8900,"slug":5492,"stem":8903,"term":8673,"__hash__":8904},"glossary\u002F8.glossary\u002Fincident-response.md","Incident Response",{"type":8,"value":8669,"toc":8883},[8670,8674,8677,8681,8684,8689,8709,8714,8731,8736,8753,8758,8775,8779,8782,8820,8824,8846,8850,8853,8857,8874,8878],[11,8671,8673],{"id":8672},"what-is-incident-response","What is Incident Response?",[16,8675,8676],{},"Incident response (IR) is the organized approach to detecting, managing, and recovering from security incidents such as data breaches, malware infections, unauthorized access, and denial-of-service attacks. An effective incident response program minimizes damage, reduces recovery time, and preserves evidence for investigation and compliance purposes.",[51,8678,8680],{"id":8679},"what-is-the-incident-response-lifecycle","What is the incident response lifecycle?",[16,8682,8683],{},"Most incident response programs follow the NIST SP 800-61 framework, which defines four phases:",[16,8685,8686],{},[59,8687,8688],{},"1. Preparation",[137,8690,8691,8694,8697,8700,8703,8706],{},[74,8692,8693],{},"Develop and document the incident response plan",[74,8695,8696],{},"Establish the incident response team and define roles",[74,8698,8699],{},"Deploy detection and monitoring tools",[74,8701,8702],{},"Conduct training and tabletop exercises",[74,8704,8705],{},"Establish communication channels and escalation procedures",[74,8707,8708],{},"Prepare forensic tools and evidence collection procedures",[16,8710,8711],{},[59,8712,8713],{},"2. 
Detection and analysis",[137,8715,8716,8719,8722,8725,8728],{},[74,8717,8718],{},"Monitor systems for indicators of compromise (IOCs)",[74,8720,8721],{},"Triage alerts to distinguish real incidents from false positives",[74,8723,8724],{},"Determine the scope, severity, and impact of the incident",[74,8726,8727],{},"Classify the incident (data breach, malware, unauthorized access, etc.)",[74,8729,8730],{},"Document findings and initial assessment",[16,8732,8733],{},[59,8734,8735],{},"3. Containment, eradication, and recovery",[137,8737,8738,8741,8744,8747,8750],{},[74,8739,8740],{},"Contain the incident to prevent further damage (short-term and long-term containment)",[74,8742,8743],{},"Eradicate the root cause (remove malware, close vulnerabilities, revoke compromised credentials)",[74,8745,8746],{},"Recover affected systems to normal operations",[74,8748,8749],{},"Verify that systems are clean and functioning properly",[74,8751,8752],{},"Monitor for signs of recurring activity",[16,8754,8755],{},[59,8756,8757],{},"4. 
Post-incident activity",[137,8759,8760,8763,8766,8769,8772],{},[74,8761,8762],{},"Conduct a lessons-learned review",[74,8764,8765],{},"Document the incident timeline, actions taken, and outcomes",[74,8767,8768],{},"Identify improvements to prevent similar incidents",[74,8770,8771],{},"Update the incident response plan based on lessons learned",[74,8773,8774],{},"Fulfill any regulatory notification requirements",[51,8776,8778],{"id":8777},"who-should-be-on-the-incident-response-team","Who should be on the incident response team?",[16,8780,8781],{},"An incident response team typically includes:",[137,8783,8784,8790,8796,8802,8808,8814],{},[74,8785,8786,8789],{},[59,8787,8788],{},"Incident commander"," — leads the response effort and makes key decisions",[74,8791,8792,8795],{},[59,8793,8794],{},"Security analysts"," — perform technical investigation and containment",[74,8797,8798,8801],{},[59,8799,8800],{},"IT operations"," — support system recovery and infrastructure changes",[74,8803,8804,8807],{},[59,8805,8806],{},"Legal counsel"," — advise on regulatory obligations and liability",[74,8809,8810,8813],{},[59,8811,8812],{},"Communications"," — manage internal and external communications",[74,8815,8816,8819],{},[59,8817,8818],{},"Executive sponsor"," — provides management authority and resources",[51,8821,8823],{"id":8822},"how-do-compliance-frameworks-address-incident-response","How do compliance frameworks address incident response?",[137,8825,8826,8831,8836,8841],{},[74,8827,8828,8830],{},[59,8829,4536],{}," — CC7.3 and CC7.4 require procedures for responding to identified security events and recovering from incidents",[74,8832,8833,8835],{},[59,8834,4866],{}," — controls A.5.24 through A.5.28 address incident management planning, assessment, response, and learning",[74,8837,8838,8840],{},[59,8839,4510],{}," — the Security Rule requires security incident procedures (45 CFR 164.308(a)(6)), and the Breach Notification Rule mandates notification following PHI 
breaches",[74,8842,8843,8845],{},[59,8844,4899],{}," — the Respond function (RS) addresses response planning, communications, analysis, mitigation, and improvements",[51,8847,8849],{"id":8848},"what-is-an-incident-response-tabletop-exercise","What is an incident response tabletop exercise?",[16,8851,8852],{},"Regular tabletop exercises test the incident response plan in a low-pressure setting. The team walks through a hypothetical scenario, discussing decisions and actions at each stage. Tabletop exercises help identify gaps in the plan, clarify roles, and build team readiness without the stress of a real incident.",[51,8854,8856],{"id":8855},"what-are-common-pitfalls-with-incident-response","What are common pitfalls with incident response?",[137,8858,8859,8862,8865,8868,8871],{},[74,8860,8861],{},"No documented incident response plan",[74,8863,8864],{},"Team members unsure of their roles during an incident",[74,8866,8867],{},"Failure to preserve evidence for investigation",[74,8869,8870],{},"Delayed or incomplete regulatory notification",[74,8872,8873],{},"Not conducting post-incident reviews",[51,8875,8877],{"id":8876},"how-does-episki-help-with-incident-response","How does episki help with incident response?",[16,8879,8880,8881,42],{},"episki provides incident response plan templates, tracks tabletop exercises, and maintains documentation for compliance evidence. The platform includes breach notification workflows with timeline tracking to ensure regulatory deadlines are met. 
Learn more on our ",[23,8882,5233],{"href":5232},{"title":257,"searchDepth":258,"depth":258,"links":8884},[8885],{"id":8672,"depth":258,"text":8673,"children":8886},[8887,8888,8889,8890,8891,8892],{"id":8679,"depth":264,"text":8680},{"id":8777,"depth":264,"text":8778},{"id":8822,"depth":264,"text":8823},{"id":8848,"depth":264,"text":8849},{"id":8855,"depth":264,"text":8856},{"id":8876,"depth":264,"text":8877},{},"\u002Fglossary\u002Fincident-response",[5251,5252,5253,293,5255],[550,5258,8897,8898,8899],"remediation","business-continuity","disaster-recovery",{"title":8901,"description":8902},"What is Incident Response? Definition & Compliance Guide","Incident response is the organized process of detecting, containing, and recovering from security incidents. Learn the phases, team roles, and compliance needs.","8.glossary\u002Fincident-response","3d1Zo1hC_y8Yl5qVJHyBrOH6lbXC5sqShRom8maKwxc",{"id":8906,"title":8907,"body":8908,"description":257,"extension":278,"lastUpdated":294,"meta":9439,"navigation":296,"path":9440,"relatedFrameworks":9441,"relatedTerms":9442,"seo":9443,"slug":9446,"stem":9447,"term":8913,"__hash__":9448},"glossary\u002F8.glossary\u002Fkey-management.md","Key Management",{"type":8,"value":8909,"toc":9427},[8910,8914,8917,8921,8958,8962,8965,8968,8994,8997,9001,9004,9009,9012,9038,9047,9050,9054,9057,9083,9086,9105,9108,9112,9115,9129,9132,9143,9149,9160,9164,9167,9262,9267,9294,9298,9301,9351,9355,9397,9401,9418,9422],[11,8911,8913],{"id":8912},"what-is-key-management","What is Key Management?",[16,8915,8916],{},"Key management is the process of creating, storing, distributing, rotating, and retiring cryptographic keys used to protect encrypted data. 
Effective key management ensures that encryption actually delivers the confidentiality and integrity it promises — poorly managed keys can render even strong encryption useless.",[51,8918,8920],{"id":8919},"what-are-the-stages-of-the-key-lifecycle","What are the stages of the key lifecycle?",[137,8922,8923,8929,8935,8941,8947,8953],{},[74,8924,8925,8928],{},[59,8926,8927],{},"Generation"," — creating keys using cryptographically secure methods with appropriate key lengths",[74,8930,8931,8934],{},[59,8932,8933],{},"Distribution"," — securely delivering keys to authorized systems or users",[74,8936,8937,8940],{},[59,8938,8939],{},"Storage"," — protecting keys at rest using hardware security modules (HSMs), key vaults, or other secure storage",[74,8942,8943,8946],{},[59,8944,8945],{},"Rotation"," — periodically replacing keys to limit the impact of a potential compromise",[74,8948,8949,8952],{},[59,8950,8951],{},"Revocation"," — disabling keys that are no longer trusted or have been compromised",[74,8954,8955,8957],{},[59,8956,221],{}," — securely deleting keys that are no longer needed, ensuring they cannot be recovered",[51,8959,8961],{"id":8960},"why-does-key-management-matter-for-security","Why does key management matter for security?",[16,8963,8964],{},"Encryption is only as strong as the key management behind it. A 256-bit AES key offers no protection if it's stored in the same database as the data it encrypts — an attacker who compromises the database gets both the ciphertext and the key to decrypt it. 
This is not a theoretical concern; it's one of the most common encryption failures found in penetration tests and compliance assessments.",[16,8966,8967],{},"Key management failures create several categories of risk:",[137,8969,8970,8976,8982,8988],{},[74,8971,8972,8975],{},[59,8973,8974],{},"Exposure of historical data"," — Without regular key rotation, a single key compromise exposes every record encrypted with that key, potentially spanning years of sensitive data. Rotating keys limits the blast radius of any individual compromise.",[74,8977,8978,8981],{},[59,8979,8980],{},"Insider threats"," — If one administrator holds all key material with no split knowledge or dual control, that person can access every encrypted record in the organization. Proper key management distributes trust across multiple individuals.",[74,8983,8984,8987],{},[59,8985,8986],{},"Compliance failures"," — Auditors don't just check that encryption is enabled. They verify that keys are managed according to documented procedures, rotated on schedule, and protected with controls proportional to the sensitivity of the data they protect.",[74,8989,8990,8993],{},[59,8991,8992],{},"Incident response gaps"," — Organizations that lack documented key management procedures often cannot determine which data was exposed during a breach, which keys need emergency rotation, or how to restore encrypted backups after a key custodian leaves the company.",[16,8995,8996],{},"The bottom line: encryption without proper key management is security theater. It checks a box on a checklist without actually reducing risk. 
Organizations that invest in strong encryption algorithms but neglect key management are protecting data with a lock and then leaving the key under the doormat.",[51,8998,9000],{"id":8999},"what-are-common-key-management-architectures","What are common key management architectures?",[16,9002,9003],{},"There are three primary approaches to key management, each suited to different risk profiles, compliance requirements, and operational maturity levels. The right choice depends on what data you're protecting, which frameworks you're subject to, and how much operational complexity you can absorb.",[9005,9006,9008],"h4",{"id":9007},"cloud-kms","Cloud KMS",[16,9010,9011],{},"Cloud key management services — including AWS KMS, Azure Key Vault, and GCP Cloud KMS — are the most common starting point for organizations running workloads in the cloud. These services provide:",[137,9013,9014,9020,9026,9032],{},[74,9015,9016,9019],{},[59,9017,9018],{},"Envelope encryption"," — Data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a key encryption key (KEK) managed by the cloud provider. This limits the number of calls to the KMS while keeping the master key material protected.",[74,9021,9022,9025],{},[59,9023,9024],{},"Customer-managed keys (CMK)"," — You control key rotation schedules, access policies, and deletion. The cloud provider manages the underlying infrastructure but cannot use the key without your authorization.",[74,9027,9028,9031],{},[59,9029,9030],{},"Provider-managed keys"," — The cloud provider handles all key management automatically. Simpler to operate, but offers less control and may not satisfy compliance requirements that mandate customer-controlled keys.",[74,9033,9034,9037],{},[59,9035,9036],{},"Bring Your Own Key (BYOK)"," — You generate keys in your own environment (often an on-premises HSM) and import them into the cloud KMS. 
This satisfies requirements for key generation in a controlled environment while still leveraging cloud-native encryption integration.",[16,9039,9040,9041,9043,9044,9046],{},"Cloud KMS is appropriate for most SaaS applications, internal systems, and workloads where the cloud provider is already part of the trust boundary. For organizations subject to ",[23,9042,4890],{"href":4889}," or ",[23,9045,4536],{"href":4535},", cloud KMS with customer-managed keys typically satisfies key management requirements when combined with proper access policies and rotation schedules.",[16,9048,9049],{},"Most cloud KMS services also provide detailed audit logs of every key operation, which simplifies compliance evidence collection during assessments.",[9005,9051,9053],{"id":9052},"hardware-security-modules-hsms","Hardware Security Modules (HSMs)",[16,9055,9056],{},"HSMs are dedicated hardware devices designed to generate, store, and manage cryptographic keys in a tamper-resistant environment. They are validated against FIPS 140-2 or FIPS 140-3 standards at various levels:",[137,9058,9059,9065,9071,9077],{},[74,9060,9061,9064],{},[59,9062,9063],{},"Level 1"," — Basic security requirements, no physical tamper resistance",[74,9066,9067,9070],{},[59,9068,9069],{},"Level 2"," — Tamper-evident coatings or seals, role-based authentication",[74,9072,9073,9076],{},[59,9074,9075],{},"Level 3"," — Tamper-resistant with active response mechanisms (e.g., zeroization of keys upon detection of physical intrusion)",[74,9078,9079,9082],{},[59,9080,9081],{},"Level 4"," — Full physical security envelope with environmental failure protection",[16,9084,9085],{},"HSMs are required or strongly recommended in several contexts:",[137,9087,9088,9093,9099],{},[74,9089,9090,9092],{},[59,9091,4890],{}," — Strongly recommended for protecting cardholder data encryption keys, and effectively required for PIN-based transaction processing",[74,9094,9095,9098],{},[59,9096,9097],{},"Government and defense"," — CMMC, 
FedRAMP, and similar frameworks often require FIPS 140-2 Level 3 or higher for cryptographic key storage",[74,9100,9101,9104],{},[59,9102,9103],{},"Certificate authorities"," — Root and intermediate CA private keys must be stored in HSMs per industry standards",[16,9106,9107],{},"Cloud-based HSM options (AWS CloudHSM, Azure Dedicated HSM, GCP Cloud HSM) provide FIPS 140-2 Level 3 validated hardware in cloud data centers, bridging the gap between on-premises HSM security and cloud operational convenience.",[9005,9109,9111],{"id":9110},"software-based-key-stores","Software-based key stores",[16,9113,9114],{},"Software-based solutions like HashiCorp Vault, CyberArk Conjur, or application-level key management provide flexibility without dedicated hardware. These tools offer:",[137,9116,9117,9120,9123,9126],{},[74,9118,9119],{},"Centralized secret and key management across multiple applications and environments",[74,9121,9122],{},"Dynamic secrets that are generated on demand and automatically revoked after use",[74,9124,9125],{},"Audit logging of all key access and operations",[74,9127,9128],{},"Integration with identity providers for policy-based access control",[16,9130,9131],{},"Software key stores are appropriate when:",[137,9133,9134,9137,9140],{},[74,9135,9136],{},"Compliance requirements do not mandate HSMs",[74,9138,9139],{},"You need to manage secrets and keys across hybrid or multi-cloud environments",[74,9141,9142],{},"Your threat model does not include sophisticated physical or hardware-level attacks",[16,9144,9145,9146,9148],{},"They are ",[59,9147,2452],{}," appropriate when:",[137,9150,9151,9154,9157],{},[74,9152,9153],{},"Regulations explicitly require hardware-based key protection (e.g., PCI PIN security, certain government classifications)",[74,9155,9156],{},"Your risk assessment identifies nation-state or advanced persistent threats targeting cryptographic material",[74,9158,9159],{},"You need to provide cryptographic proof that keys have never been 
exposed to software",[51,9161,9163],{"id":9162},"what-are-the-key-management-requirements","What are the key management requirements?",[16,9165,9166],{},"Different compliance frameworks impose different key management requirements. Understanding these differences is critical when an organization is subject to multiple frameworks simultaneously — which is increasingly common. The following table provides a practical comparison across five major frameworks:",[1893,9168,9169,9186],{},[1896,9170,9171],{},[1899,9172,9173,9175,9177,9179,9181,9183],{},[1902,9174,5023],{},[1902,9176,4890],{},[1902,9178,4866],{},[1902,9180,4510],{},[1902,9182,4536],{},[1902,9184,9185],{},"CMMC",[1912,9187,9188,9206,9225,9244],{},[1899,9189,9190,9193,9196,9199,9201,9203],{},[1917,9191,9192],{},"Documented key management procedures",[1917,9194,9195],{},"Req 3.6",[1917,9197,9198],{},"A.8.24",[1917,9200,5068],{},[1917,9202,5043],{},[1917,9204,9205],{},"SC.L2-3.13.10",[1899,9207,9208,9211,9214,9217,9220,9222],{},[1917,9209,9210],{},"Key rotation schedule",[1917,9212,9213],{},"Annual minimum",[1917,9215,9216],{},"Risk-based",[1917,9218,9219],{},"Not specified",[1917,9221,9216],{},[1917,9223,9224],{},"Per NIST 800-171",[1899,9226,9227,9230,9233,9236,9238,9241],{},[1917,9228,9229],{},"Split knowledge \u002F dual control",[1917,9231,9232],{},"Required for manual keys",[1917,9234,9235],{},"Recommended",[1917,9237,9219],{},[1917,9239,9240],{},"Expected",[1917,9242,9243],{},"Required",[1899,9245,9246,9249,9252,9254,9257,9259],{},[1917,9247,9248],{},"HSM or equivalent",[1917,9250,9251],{},"Strongly recommended",[1917,9253,9216],{},[1917,9255,9256],{},"Not required",[1917,9258,9216],{},[1917,9260,9261],{},"Varies by level",[16,9263,9264],{},[59,9265,9266],{},"Reading this table:",[137,9268,9269,9274,9279,9284,9289],{},[74,9270,9271,9273],{},[59,9272,4890],{}," is the most prescriptive. Requirement 3.6 specifies exactly what key management procedures must include, from key generation through destruction. 
Annual key rotation is a minimum baseline, and split knowledge\u002Fdual control is mandatory whenever keys are managed manually.",[74,9275,9276,9278],{},[59,9277,4866],{}," takes a risk-based approach. Annex A control A.8.24 requires a policy on the use of cryptographic controls including key management, but the specific controls depend on your risk assessment and Statement of Applicability.",[74,9280,9281,9283],{},[59,9282,4510],{}," is the least prescriptive on key management specifically. Encryption of ePHI is an \"addressable\" implementation specification, meaning organizations must implement it or document why an equivalent alternative is appropriate. Key management requirements follow from the encryption decision.",[74,9285,9286,9288],{},[59,9287,4536],{}," addresses key management through the Common Criteria, particularly CC6.1 (logical access) and CC6.7 (data transmission). The specific expectations depend on the trust services criteria in scope and the auditor's interpretation.",[74,9290,9291,9293],{},[59,9292,9185],{}," references NIST SP 800-171 for key management requirements. At Level 2, control SC.L2-3.13.10 requires establishing and managing cryptographic keys when cryptography is employed. Higher levels add additional requirements.",[51,9295,9297],{"id":9296},"what-are-common-key-management-mistakes","What are common key management mistakes?",[16,9299,9300],{},"Even organizations with mature security programs make key management errors. These mistakes are found repeatedly in audit findings, penetration test reports, and breach post-mortems. The most frequent include:",[137,9302,9303,9309,9315,9321,9327,9333,9339,9345],{},[74,9304,9305,9308],{},[59,9306,9307],{},"Storing keys alongside encrypted data"," — Placing encryption keys in the same database, file system, or backup as the data they protect. If an attacker gains access to the data store, they get the keys too. 
Keys must be stored in a separate system with independent access controls.",[74,9310,9311,9314],{},[59,9312,9313],{},"Hardcoding keys in source code"," — Embedding encryption keys, API keys, or other secrets directly in application code. These keys end up in version control history, CI\u002FCD logs, and developer laptops. Use a secrets manager or environment variable injection instead.",[74,9316,9317,9320],{},[59,9318,9319],{},"No key rotation policy"," — Using the same encryption keys indefinitely. Without rotation, a single compromise exposes all data ever encrypted with that key. Define rotation schedules based on data sensitivity and framework requirements.",[74,9322,9323,9326],{},[59,9324,9325],{},"Single person with all key access"," — Concentrating key custody in one individual with no split knowledge or dual control. This creates both a security risk (insider threat) and an operational risk (key unavailability if that person is unreachable).",[74,9328,9329,9332],{},[59,9330,9331],{},"No documented recovery procedures"," — Failing to plan for key loss, corruption, or custodian departure. Organizations discover this gap during an incident, when they cannot decrypt backups or rotate compromised keys because the procedure was never written down or tested.",[74,9334,9335,9338],{},[59,9336,9337],{},"Using weak or predictable key generation"," — Generating keys with insufficient entropy, predictable seeds, or non-cryptographic random number generators. Always use cryptographically secure random number generators (CSPRNGs) and key lengths appropriate for the algorithm and data sensitivity.",[74,9340,9341,9344],{},[59,9342,9343],{},"Ignoring key state tracking"," — Not maintaining an inventory of which keys are active, retired, or compromised. 
Without a key inventory, organizations cannot answer basic questions during an audit or incident: how many keys exist, who has access, and when they were last rotated.",[74,9346,9347,9350],{},[59,9348,9349],{},"Failing to test key recovery"," — Having a documented recovery procedure that has never been exercised. Recovery procedures degrade over time as infrastructure changes, personnel rotate, and backup systems are modified. Regular testing is the only way to ensure recovery will work when it matters.",[51,9352,9354],{"id":9353},"how-do-compliance-frameworks-address-key-management","How do compliance frameworks address key management?",[137,9356,9357,9368,9377,9387],{},[74,9358,9359,9363,9364],{},[59,9360,9361],{},[23,9362,4890],{"href":4889}," — Requirement 3.5 and 3.6 detail specific key management procedures for protecting ",[23,9365,9367],{"href":9366},"\u002Fglossary\u002Fpan","cardholder data (PAN)",[74,9369,9370,4867,9374,9376],{},[59,9371,9372],{},[23,9373,4866],{"href":4865},[23,9375,4871],{"href":4870}," control A.8.24 covers the use of cryptography including key management policies",[74,9378,9379,9383,9384,9386],{},[59,9380,9381],{},[23,9382,4510],{"href":35}," — the Security Rule requires ",[23,9385,5200],{"href":5199}," of ePHI, which implies proper key management",[74,9388,9389,9393,9394],{},[59,9390,9391],{},[23,9392,4536],{"href":4535}," — CC6.1 and CC6.7 address encryption and key management as part of logical ",[23,9395,9396],{"href":5249},"access controls",[51,9398,9400],{"id":9399},"what-are-best-practices-for-key-management","What are best practices for key management?",[137,9402,9403,9406,9409,9412,9415],{},[74,9404,9405],{},"Use hardware security modules (HSMs) or cloud key management services (AWS KMS, Azure Key Vault, GCP Cloud KMS) rather than storing keys in application code or configuration files",[74,9407,9408],{},"Enforce separation of duties so that key custodians cannot access the data those keys 
protect",[74,9410,9411],{},"Document key rotation schedules and automate rotation where possible",[74,9413,9414],{},"Maintain an inventory of all cryptographic keys, their owners, and their expiration dates",[74,9416,9417],{},"Test key recovery procedures regularly",[51,9419,9421],{"id":9420},"how-does-episki-help-with-key-management","How does episki help with key management?",[16,9423,9424,9425,42],{},"episki tracks key management policies, links them to encryption controls, and monitors rotation schedules to ensure cryptographic practices stay compliant. Learn more on our ",[23,9426,5233],{"href":5232},{"title":257,"searchDepth":258,"depth":258,"links":9428},[9429],{"id":8912,"depth":258,"text":8913,"children":9430},[9431,9432,9433,9434,9435,9436,9437,9438],{"id":8919,"depth":264,"text":8920},{"id":8960,"depth":264,"text":8961},{"id":8999,"depth":264,"text":9000},{"id":9162,"depth":264,"text":9163},{"id":9296,"depth":264,"text":9297},{"id":9353,"depth":264,"text":9354},{"id":9399,"depth":264,"text":9400},{"id":9420,"depth":264,"text":9421},{},"\u002Fglossary\u002Fkey-management",[5251,5252,5253,5254,293],[5200,7935,5263],{"title":9444,"description":9445},"Key Management: What It Is & Why Compliance Requires It","Key management covers creating, storing, rotating, and retiring cryptographic keys. 
Learn requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","key-management","8.glossary\u002Fkey-management","1dvRJIXp6Ctc7SOVhg5O-XyVT22CTyhIb0o8RWTqqng",{"id":9450,"title":9451,"body":9452,"description":257,"extension":278,"lastUpdated":294,"meta":9566,"navigation":296,"path":9567,"relatedFrameworks":9568,"relatedTerms":9569,"seo":9571,"slug":9574,"stem":9575,"term":9457,"__hash__":9576},"glossary\u002F8.glossary\u002Fleast-privilege.md","Least Privilege",{"type":8,"value":9453,"toc":9558},[9454,9458,9461,9465,9468,9482,9486,9518,9522,9549,9553],[11,9455,9457],{"id":9456},"what-is-least-privilege","What is Least Privilege?",[16,9459,9460],{},"Least privilege is a security principle that limits user, application, and system access to only the resources and permissions necessary to perform a specific function — nothing more. By minimizing the access footprint, organizations reduce the potential damage from compromised accounts, insider threats, and accidental misuse.",[51,9462,9464],{"id":9463},"why-does-least-privilege-matter","Why does least privilege matter?",[16,9466,9467],{},"Excessive permissions are one of the most common security weaknesses. 
When users have more access than they need:",[137,9469,9470,9473,9476,9479],{},[74,9471,9472],{},"A compromised account gives attackers a wider attack surface",[74,9474,9475],{},"Accidental changes to sensitive systems become more likely",[74,9477,9478],{},"Insider threats are harder to detect and contain",[74,9480,9481],{},"Audit findings for excessive access are common compliance gaps",[51,9483,9485],{"id":9484},"how-do-you-implement-least-privilege","How do you implement least privilege?",[137,9487,9488,9494,9500,9506,9512],{},[74,9489,9490,9493],{},[59,9491,9492],{},"Start with zero access"," — new accounts should have no permissions by default, with access granted based on documented role requirements",[74,9495,9496,9499],{},[59,9497,9498],{},"Use role-based access control (RBAC)"," — define roles with specific permission sets rather than assigning permissions individually",[74,9501,9502,9505],{},[59,9503,9504],{},"Conduct regular access reviews"," — quarterly reviews of user permissions help identify and remove access that is no longer needed",[74,9507,9508,9511],{},[59,9509,9510],{},"Remove access promptly"," — revoke permissions immediately when employees change roles or leave the organization",[74,9513,9514,9517],{},[59,9515,9516],{},"Apply to systems and applications too"," — service accounts, APIs, and automated processes should also follow least privilege",[51,9519,9521],{"id":9520},"how-do-compliance-frameworks-address-least-privilege","How do compliance frameworks address least privilege?",[137,9523,9524,9529,9534,9539,9544],{},[74,9525,9526,9528],{},[59,9527,4536],{}," — CC6.1 through CC6.3 require logical access controls based on least privilege",[74,9530,9531,9533],{},[59,9532,4866],{}," — A.5.15 (access control) and A.8.2 (privileged access rights) explicitly reference least privilege",[74,9535,9536,9538],{},[59,9537,4510],{}," — the minimum necessary standard (45 CFR 164.502(b)) is the healthcare equivalent of least 
privilege",[74,9540,9541,9543],{},[59,9542,4890],{}," — Requirement 7 restricts access to cardholder data on a need-to-know basis",[74,9545,9546,9548],{},[59,9547,4899],{}," — PR.AC-4 addresses access permissions based on least privilege",[51,9550,9552],{"id":9551},"how-does-episki-help-with-least-privilege","How does episki help with least privilege?",[16,9554,9555,9556,42],{},"episki tracks access control policies, schedules periodic access reviews, and documents evidence of least privilege enforcement for auditors. Learn more on our ",[23,9557,5233],{"href":5232},{"title":257,"searchDepth":258,"depth":258,"links":9559},[9560],{"id":9456,"depth":258,"text":9457,"children":9561},[9562,9563,9564,9565],{"id":9463,"depth":264,"text":9464},{"id":9484,"depth":264,"text":9485},{"id":9520,"depth":264,"text":9521},{"id":9551,"depth":264,"text":9552},{},"\u002Fglossary\u002Fleast-privilege",[5251,5252,5253,293,5254,5255],[5263,9570,5259],"job-separation",{"title":9572,"description":9573},"What is Least Privilege? 
Definition & Compliance Guide","Least privilege is a security principle that limits user access to only what they need to perform their job — nothing more.","least-privilege","8.glossary\u002Fleast-privilege","BuEghGm4HKbs1Es9DQ4mpHlellA4mL_s5KedD9Qs9_s",{"id":9578,"title":9579,"body":9580,"description":257,"extension":278,"lastUpdated":294,"meta":10092,"navigation":296,"path":10093,"relatedFrameworks":10094,"relatedTerms":10095,"seo":10096,"slug":10099,"stem":10100,"term":9585,"__hash__":10101},"glossary\u002F8.glossary\u002Flog-management.md","Log Management",{"type":8,"value":9581,"toc":10080},[9582,9586,9589,9593,9596,9632,9636,9639,9643,9646,9684,9688,9691,9723,9727,9730,9756,9760,9763,9789,9793,9796,9861,9864,9868,9871,9875,9889,9893,9907,9911,9925,9929,9943,9947,9969,9973,9976,10020,10024,10050,10054,10071,10075],[11,9583,9585],{"id":9584},"what-is-log-management","What is Log Management?",[16,9587,9588],{},"Log management is the process of collecting, storing, analyzing, and retaining system activity records to detect security incidents, troubleshoot issues, and support compliance audits. 
Logs provide a chronological record of events across servers, applications, network devices, and security tools.",[51,9590,9592],{"id":9591},"what-gets-logged-in-a-log-management-program","What gets logged in a log management program?",[16,9594,9595],{},"Effective log management covers:",[137,9597,9598,9604,9610,9615,9621,9627],{},[74,9599,9600,9603],{},[59,9601,9602],{},"Authentication events"," — successful and failed login attempts, password changes, MFA challenges",[74,9605,9606,9609],{},[59,9607,9608],{},"Authorization events"," — access grants, denials, privilege escalations",[74,9611,9612,9614],{},[59,9613,5297],{}," — configuration changes, service starts and stops, errors",[74,9616,9617,9620],{},[59,9618,9619],{},"Network events"," — firewall decisions, DNS queries, connection attempts",[74,9622,9623,9626],{},[59,9624,9625],{},"Application events"," — user actions, API calls, data access patterns",[74,9628,9629,9631],{},[59,9630,5321],{}," — malware detections, vulnerability scan results, intrusion alerts",[51,9633,9635],{"id":9634},"what-is-log-management-architecture","What is log management architecture?",[16,9637,9638],{},"A mature log management program combines multiple components into a pipeline that moves raw event data from source to searchable, retained storage.",[9005,9640,9642],{"id":9641},"log-sources","Log sources",[16,9644,9645],{},"Logs originate from every layer of the technology stack:",[137,9647,9648,9654,9660,9666,9672,9678],{},[74,9649,9650,9653],{},[59,9651,9652],{},"Servers and operating systems"," — Linux auth logs, Windows Event Log, macOS Unified Log",[74,9655,9656,9659],{},[59,9657,9658],{},"Cloud platforms"," — AWS CloudTrail, Azure Activity Log, GCP Admin Activity audit logs",[74,9661,9662,9665],{},[59,9663,9664],{},"SaaS applications"," — Microsoft 365 Unified Audit Log, Google Workspace audit logs, Salesforce event monitoring",[74,9667,9668,9671],{},[59,9669,9670],{},"Endpoints"," — EDR telemetry, local application logs, 
mobile device management events",[74,9673,9674,9677],{},[59,9675,9676],{},"Network devices"," — firewalls, routers, switches, load balancers, VPN concentrators",[74,9679,9680,9683],{},[59,9681,9682],{},"Security tools"," — IDS\u002FIPS alerts, vulnerability scanners, DLP engines, email gateways",[9005,9685,9687],{"id":9686},"collection-methods","Collection methods",[16,9689,9690],{},"Getting logs from source to a central platform requires reliable collection mechanisms:",[137,9692,9693,9699,9705,9711,9717],{},[74,9694,9695,9698],{},[59,9696,9697],{},"Agents"," — lightweight forwarders installed on hosts (Fluentd, Filebeat, NXLog, Splunk Universal Forwarder) that ship logs in near real time",[74,9700,9701,9704],{},[59,9702,9703],{},"Syslog"," — the legacy standard (RFC 5424) still widely used by network devices; syslog-ng and rsyslog add filtering and reliable delivery",[74,9706,9707,9710],{},[59,9708,9709],{},"API polling"," — scheduled calls to SaaS and cloud provider APIs to pull audit logs (e.g., Microsoft Graph API, AWS CloudTrail Lake queries)",[74,9712,9713,9716],{},[59,9714,9715],{},"Cloud-native streams"," — managed pipelines like AWS Kinesis Data Firehose, Azure Event Hubs, or GCP Pub\u002FSub that deliver logs without managing agents",[74,9718,9719,9722],{},[59,9720,9721],{},"Webhooks"," — event-driven push from SaaS applications that support real-time notification (Slack audit API, GitHub audit log streaming)",[9005,9724,9726],{"id":9725},"centralization","Centralization",[16,9728,9729],{},"Logs are only useful when they are searchable in one place:",[137,9731,9732,9738,9744,9750],{},[74,9733,9734,9737],{},[59,9735,9736],{},"Commercial SIEM"," — Splunk Enterprise Security, Microsoft Sentinel, IBM QRadar provide correlation, detection rules, and case management",[74,9739,9740,9743],{},[59,9741,9742],{},"Cloud-native logging"," — AWS CloudWatch Logs, Azure Monitor, Google Cloud Logging offer tight integration with their respective 
platforms",[74,9745,9746,9749],{},[59,9747,9748],{},"Open-source stacks"," — the Elastic Stack (Elasticsearch, Logstash, Kibana), Grafana Loki, and OpenSearch provide cost-effective alternatives with community-driven detection content",[74,9751,9752,9755],{},[59,9753,9754],{},"Security data lakes"," — Snowflake, Amazon Security Lake, and similar platforms store massive volumes at low cost using the Open Cybersecurity Schema Framework (OCSF) for normalization",[9005,9757,9759],{"id":9758},"storage-tiers","Storage tiers",[16,9761,9762],{},"Log storage strategies balance search speed against cost and compliance retention:",[137,9764,9765,9771,9777,9783],{},[74,9766,9767,9770],{},[59,9768,9769],{},"Hot storage"," — fully indexed, real-time searchable data for active investigations and alerting (typically 30–90 days)",[74,9772,9773,9776],{},[59,9774,9775],{},"Warm storage"," — recent history available for on-demand search with slightly slower query times (typically 90 days to 12 months)",[74,9778,9779,9782],{},[59,9780,9781],{},"Cold storage"," — compressed, archived logs in object storage (S3, Azure Blob, GCS) retained for compliance and forensic purposes (1–7 years depending on framework requirements)",[74,9784,9785,9788],{},[59,9786,9787],{},"Immutable storage"," — write-once, read-many storage that prevents tampering, critical for audit trail integrity and legal hold requirements",[51,9790,9792],{"id":9791},"what-are-the-log-retention-requirements","What are the log retention requirements?",[16,9794,9795],{},"Different compliance frameworks set varying expectations for how long logs must be kept. 
The table below summarizes key requirements:",[1893,9797,9798,9810],{},[1896,9799,9800],{},[1899,9801,9802,9804,9807],{},[1902,9803,8157],{},[1902,9805,9806],{},"Minimum retention",[1902,9808,9809],{},"Key requirements",[1912,9811,9812,9822,9832,9841,9851],{},[1899,9813,9814,9816,9819],{},[1917,9815,4890],{},[1917,9817,9818],{},"12 months (3 months immediately available)",[1917,9820,9821],{},"Req 10.7 — retain audit trail history",[1899,9823,9824,9826,9829],{},[1917,9825,4536],{},[1917,9827,9828],{},"Based on risk assessment",[1917,9830,9831],{},"CC7.2 — monitor system components",[1899,9833,9834,9836,9838],{},[1917,9835,4866],{},[1917,9837,9828],{},[1917,9839,9840],{},"A.8.15 — log retention policy required",[1899,9842,9843,9845,9848],{},[1917,9844,4510],{},[1917,9846,9847],{},"6 years for policies; log retention not specified but implied",[1917,9849,9850],{},"Audit controls for ePHI access",[1899,9852,9853,9855,9858],{},[1917,9854,4899],{},[1917,9856,9857],{},"Based on organizational needs",[1917,9859,9860],{},"DE.CM — continuous monitoring",[16,9862,9863],{},"Organizations subject to multiple frameworks should align retention to the most stringent requirement. For most companies handling payment card data alongside health information, a 12-month hot\u002Fwarm retention period with 6-year cold archival provides adequate coverage.",[51,9865,9867],{"id":9866},"what-should-you-alert-on-in-log-management","What should you alert on in log management?",[16,9869,9870],{},"Collecting logs without monitoring them defeats the purpose. 
Effective alerting focuses on high-fidelity signals across several categories:",[9005,9872,9874],{"id":9873},"authentication-anomalies","Authentication anomalies",[137,9876,9877,9880,9883,9886],{},[74,9878,9879],{},"Brute-force attempts — multiple failed logins against the same account within a short window",[74,9881,9882],{},"Impossible travel — successful logins from geographically distant locations within an implausible time frame",[74,9884,9885],{},"New device or location — first-time access from an unrecognized device, IP range, or country",[74,9887,9888],{},"Credential stuffing patterns — failed logins across many accounts from a small set of source IPs",[9005,9890,9892],{"id":9891},"privilege-escalation","Privilege escalation",[137,9894,9895,9898,9901,9904],{},[74,9896,9897],{},"Sudo or run-as usage outside of expected maintenance windows",[74,9899,9900],{},"Admin role assignments or membership changes in identity providers (Azure AD, Okta, Google Workspace)",[74,9902,9903],{},"Permission changes on sensitive resources — S3 bucket policies, database grants, file share ACLs",[74,9905,9906],{},"Service account creation or key generation",[9005,9908,9910],{"id":9909},"data-exfiltration-signals","Data exfiltration signals",[137,9912,9913,9916,9919,9922],{},[74,9914,9915],{},"Unusual download volumes — user downloading significantly more data than their baseline",[74,9917,9918],{},"Access outside business hours — especially to sensitive repositories, databases, or file shares",[74,9920,9921],{},"Mass file access — sequential reads across large numbers of records in short succession",[74,9923,9924],{},"Outbound data transfers to uncommon destinations — cloud storage services, personal email, file-sharing sites",[9005,9926,9928],{"id":9927},"configuration-changes","Configuration changes",[137,9930,9931,9934,9937,9940],{},[74,9932,9933],{},"Firewall rule modifications — new allow rules, disabled security groups, removed deny entries",[74,9935,9936],{},"Security 
group changes in cloud environments — opening ports, widening IP ranges",[74,9938,9939],{},"IAM policy changes — new inline policies, permission boundary modifications, role trust policy updates",[74,9941,9942],{},"DNS changes — new records, zone transfers, nameserver modifications",[9005,9944,9946],{"id":9945},"compliance-specific-events","Compliance-specific events",[137,9948,9949,9957,9963,9966],{},[74,9950,9951,9952,9956],{},"Access to ",[23,9953,9955],{"href":9954},"\u002Fglossary\u002Fpci-dss","cardholder data"," environments — any read, write, or copy operation",[74,9958,9959,9960,9962],{},"PHI access in ",[23,9961,4510],{"href":40},"-regulated systems — views, exports, or modifications of protected health information",[74,9964,9965],{},"Encryption key operations — key creation, rotation, deletion, or export",[74,9967,9968],{},"Audit log access or modification attempts — anyone trying to read, delete, or alter the logs themselves",[51,9970,9972],{"id":9971},"what-are-common-log-management-mistakes","What are common log management mistakes?",[16,9974,9975],{},"Even organizations that invest in logging often fall into patterns that undermine the value of their program:",[71,9977,9978,9984,9990,9996,10002,10008,10014],{},[74,9979,9980,9983],{},[59,9981,9982],{},"Logging too much"," — capturing every debug-level event creates massive storage costs and drowns analysts in noise. Focus on security-relevant events and tune verbosity by source.",[74,9985,9986,9989],{},[59,9987,9988],{},"Logging too little"," — the opposite problem is equally dangerous. Missing authentication events, not capturing cloud control plane activity, or skipping DNS logs leaves blind spots that attackers exploit.",[74,9991,9992,9995],{},[59,9993,9994],{},"Not protecting log integrity"," — if an attacker can delete or modify logs, they can cover their tracks. 
Logs should be forwarded to a separate system with immutable storage, and access to log management platforms should be tightly controlled.",[74,9997,9998,10001],{},[59,9999,10000],{},"No correlation across sources"," — reviewing logs from individual systems in isolation misses the bigger picture. A failed VPN login followed by a successful cloud console login from the same IP tells a story that neither log tells alone.",[74,10003,10004,10007],{},[59,10005,10006],{},"Alert fatigue from untuned rules"," — deploying default SIEM detection rules without tuning them to the environment generates hundreds of false positives per day. Analysts stop investigating, and real incidents get buried.",[74,10009,10010,10013],{},[59,10011,10012],{},"Not testing log pipeline reliability"," — log collection silently fails more often than most teams realize. Agents crash, API tokens expire, syslog forwarding breaks after a network change. Regularly validate that expected log sources are still delivering data.",[74,10015,10016,10019],{},[59,10017,10018],{},"Ignoring time synchronization"," — logs from systems with drifting clocks are nearly impossible to correlate during incident response. 
Enforce NTP across all log sources and normalize timestamps to UTC.",[51,10021,10023],{"id":10022},"how-do-compliance-frameworks-address-log-management","How do compliance frameworks address log management?",[137,10025,10026,10031,10036,10041,10045],{},[74,10027,10028,10030],{},[59,10029,4536],{}," — CC7.1 through CC7.4 require monitoring, detection, and response capabilities that depend on logging",[74,10032,10033,10035],{},[59,10034,4866],{}," — A.8.15 (logging) and A.8.16 (monitoring activities) address log collection and analysis",[74,10037,10038,10040],{},[59,10039,4510],{}," — the Security Rule requires audit controls to record and examine activity in systems containing ePHI",[74,10042,10043,5374],{},[59,10044,4890],{},[74,10046,10047,10049],{},[59,10048,4899],{}," — DE.CM (continuous monitoring) and DE.AE (anomaly detection) rely on log data",[51,10051,10053],{"id":10052},"what-are-best-practices-for-log-management","What are best practices for log management?",[137,10055,10056,10059,10062,10065,10068],{},[74,10057,10058],{},"Centralize logs in a SIEM or log aggregation platform for correlation and analysis",[74,10060,10061],{},"Set retention periods that meet both compliance requirements and operational needs (typically 90 days to one year)",[74,10063,10064],{},"Protect log integrity with immutable storage or tamper-evident mechanisms",[74,10066,10067],{},"Establish alerting rules for high-risk events like failed authentication spikes or unauthorized access attempts",[74,10069,10070],{},"Regularly review and tune logging to ensure coverage without excessive noise",[51,10072,10074],{"id":10073},"how-does-episki-help-with-log-management","How does episki help with log management?",[16,10076,10077,10078,42],{},"episki documents log management policies, tracks retention schedules, and links logging controls to evidence for audit readiness. 
Learn more on our ",[23,10079,5233],{"href":5232},{"title":257,"searchDepth":258,"depth":258,"links":10081},[10082],{"id":9584,"depth":258,"text":9585,"children":10083},[10084,10085,10086,10087,10088,10089,10090,10091],{"id":9591,"depth":264,"text":9592},{"id":9634,"depth":264,"text":9635},{"id":9791,"depth":264,"text":9792},{"id":9866,"depth":264,"text":9867},{"id":9971,"depth":264,"text":9972},{"id":10022,"depth":264,"text":10023},{"id":10052,"depth":264,"text":10053},{"id":10073,"depth":264,"text":10074},{},"\u002Fglossary\u002Flog-management",[5251,5252,5253,293,5254,5255],[5258,5491,5492],{"title":10097,"description":10098},"What is Log Management? Definition & Compliance Guide","Log management is the process of collecting, storing, and analyzing system activity records to detect security incidents and support compliance audits.","log-management","8.glossary\u002Flog-management","B9IH1ixHXCqDKqAdQBwGDpwLFnfLwuxW5KyltQCbFmk",{"id":10103,"title":10104,"body":10105,"description":257,"extension":278,"lastUpdated":294,"meta":10303,"navigation":296,"path":10304,"relatedFrameworks":10305,"relatedTerms":10306,"seo":10307,"slug":5257,"stem":10310,"term":10110,"__hash__":10311},"glossary\u002F8.glossary\u002Fminimum-necessary-rule.md","Minimum Necessary Rule",{"type":8,"value":10106,"toc":10293},[10107,10111,10114,10118,10121,10141,10145,10148,10180,10183,10187,10190,10196,10202,10216,10222,10236,10242,10248,10252,10263,10267,10270,10284,10288],[11,10108,10110],{"id":10109},"what-is-the-minimum-necessary-rule","What is the Minimum Necessary Rule?",[16,10112,10113],{},"The Minimum Necessary Rule is a core principle of the HIPAA Privacy Rule that requires covered entities and business associates to limit the use, disclosure, and request of Protected Health Information (PHI) to the minimum amount necessary to accomplish the intended purpose. 
It embodies the principle of least privilege applied specifically to health information.",[51,10115,10117],{"id":10116},"how-does-the-minimum-necessary-rule-work","How does the minimum necessary rule work?",[16,10119,10120],{},"The Minimum Necessary Rule applies to most uses and disclosures of PHI. When an organization uses, discloses, or requests PHI, it must make reasonable efforts to limit the information to what is needed for the specific task. This applies to:",[137,10122,10123,10129,10135],{},[74,10124,10125,10128],{},[59,10126,10127],{},"Internal use"," — employees should only have access to the PHI they need to perform their job functions",[74,10130,10131,10134],{},[59,10132,10133],{},"Disclosures to others"," — when sharing PHI with other organizations, limit the information to what is relevant",[74,10136,10137,10140],{},[59,10138,10139],{},"Requests for PHI"," — when requesting PHI from another entity, ask only for what is necessary",[51,10142,10144],{"id":10143},"what-are-the-exceptions-to-the-minimum-necessary-rule","What are the exceptions to the minimum necessary rule?",[16,10146,10147],{},"The Minimum Necessary Rule does not apply in certain situations:",[137,10149,10150,10156,10162,10168,10174],{},[74,10151,10152,10155],{},[59,10153,10154],{},"Treatment purposes"," — healthcare providers sharing PHI for treatment are exempt, as limiting information could compromise patient care",[74,10157,10158,10161],{},[59,10159,10160],{},"Individual access"," — when an individual requests access to their own PHI",[74,10163,10164,10167],{},[59,10165,10166],{},"Individual authorization"," — when the individual has signed a valid authorization for the disclosure",[74,10169,10170,10173],{},[59,10171,10172],{},"HHS compliance investigations"," — disclosures required by HHS for enforcement purposes",[74,10175,10176,10179],{},[59,10177,10178],{},"Required by law"," — disclosures that are required by other laws",[16,10181,10182],{},"These exceptions recognize that there 
are situations where limiting PHI access would be impractical or harmful.",[51,10184,10186],{"id":10185},"what-are-the-implementation-requirements-for-the-minimum-necessary-rule","What are the implementation requirements for the minimum necessary rule?",[16,10188,10189],{},"To comply with the Minimum Necessary Rule, organizations must:",[16,10191,10192,10195],{},[59,10193,10194],{},"Identify roles and access needs"," — determine which workforce members need access to PHI and what specific categories of PHI they require. A billing specialist needs different information than a nurse or a compliance officer.",[16,10197,10198,10201],{},[59,10199,10200],{},"Implement role-based access controls"," — configure systems to restrict PHI access based on job function. This includes:",[137,10203,10204,10207,10210,10213],{},[74,10205,10206],{},"Role-based access in electronic health record systems",[74,10208,10209],{},"Physical access restrictions to areas where PHI is stored",[74,10211,10212],{},"Need-to-know policies for paper records",[74,10214,10215],{},"Segmented access levels within applications",[16,10217,10218,10221],{},[59,10219,10220],{},"Develop policies and procedures"," — create written policies that define:",[137,10223,10224,10227,10230,10233],{},[74,10225,10226],{},"Who may access PHI and under what circumstances",[74,10228,10229],{},"Criteria for determining what constitutes the minimum necessary",[74,10231,10232],{},"Procedures for routine and non-routine disclosures",[74,10234,10235],{},"Review and approval processes for non-routine requests",[16,10237,10238,10241],{},[59,10239,10240],{},"Establish standard protocols for routine disclosures"," — for disclosures that occur regularly (such as sharing information with insurers for payment), define standard protocols that specify exactly what information is shared.",[16,10243,10244,10247],{},[59,10245,10246],{},"Review non-routine requests individually"," — for unusual or one-time requests, develop criteria for 
case-by-case evaluation.",[51,10249,10251],{"id":10250},"what-are-practical-examples-of-the-minimum-necessary-rule","What are practical examples of the minimum necessary rule?",[137,10253,10254,10257,10260],{},[74,10255,10256],{},"A hospital IT administrator troubleshooting a system issue should not browse patient medical records unrelated to the technical problem",[74,10258,10259],{},"A billing department requesting records for a claim should receive only the information needed for that specific claim, not the patient's entire medical history",[74,10261,10262],{},"A research team should receive de-identified data when possible, or the minimum identified data necessary for the study",[51,10264,10266],{"id":10265},"what-are-common-compliance-challenges","What are common compliance challenges?",[16,10268,10269],{},"Organizations often struggle with the Minimum Necessary Rule because:",[137,10271,10272,10275,10278,10281],{},[74,10273,10274],{},"Legacy systems may not support granular access controls",[74,10276,10277],{},"Staff may resist access restrictions that slow their workflow",[74,10279,10280],{},"Defining \"minimum necessary\" requires judgment and varies by situation",[74,10282,10283],{},"Monitoring compliance requires audit trails and regular access reviews",[51,10285,10287],{"id":10286},"how-does-episki-help-with-the-minimum-necessary-rule","How does episki help with the minimum necessary rule?",[16,10289,10290,10291,42],{},"episki supports Minimum Necessary Rule compliance by helping organizations define role-based access policies, track access control implementations, and document the rationale for PHI access decisions. The platform facilitates regular access reviews and maintains audit trails. 
Learn more on our ",[23,10292,7169],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":10294},[10295],{"id":10109,"depth":258,"text":10110,"children":10296},[10297,10298,10299,10300,10301,10302],{"id":10116,"depth":264,"text":10117},{"id":10143,"depth":264,"text":10144},{"id":10185,"depth":264,"text":10186},{"id":10250,"depth":264,"text":10251},{"id":10265,"depth":264,"text":10266},{"id":10286,"depth":264,"text":10287},{},"\u002Fglossary\u002Fminimum-necessary-rule",[293],[293,1450,1451,1452,5263],{"title":10308,"description":10309},"What is the Minimum Necessary Rule? Definition & Compliance Guide","The Minimum Necessary Rule requires that access to PHI be limited to the minimum amount needed for a specific purpose. Learn how to implement it under HIPAA.","8.glossary\u002Fminimum-necessary-rule","qBz6RacRE9Latn4wwwCyYHbFbXGxs0xkb0pg5ag5v4I",{"id":10313,"title":10314,"body":10315,"description":257,"extension":278,"lastUpdated":294,"meta":10423,"navigation":296,"path":10424,"relatedFrameworks":10425,"relatedTerms":10426,"seo":10427,"slug":10430,"stem":10431,"term":10320,"__hash__":10432},"glossary\u002F8.glossary\u002Fmulti-factor-authentication.md","Multi Factor Authentication",{"type":8,"value":10316,"toc":10415},[10317,10321,10324,10328,10331,10351,10355,10358,10385,10389,10406,10410],[11,10318,10320],{"id":10319},"what-is-multi-factor-authentication","What is Multi-Factor Authentication?",[16,10322,10323],{},"Multi-Factor Authentication (MFA) is a security mechanism that requires users to verify their identity using two or more independent factors before gaining access to a system or application. 
By combining multiple factors, MFA significantly reduces the risk of unauthorized access even if one factor (such as a password) is compromised.",[51,10325,10327],{"id":10326},"what-are-the-authentication-factors-used-in-mfa","What are the authentication factors used in MFA?",[16,10329,10330],{},"MFA combines factors from different categories:",[137,10332,10333,10339,10345],{},[74,10334,10335,10338],{},[59,10336,10337],{},"Something you know"," — passwords, PINs, security questions",[74,10340,10341,10344],{},[59,10342,10343],{},"Something you have"," — mobile phones (SMS or authenticator apps), hardware tokens, smart cards",[74,10346,10347,10350],{},[59,10348,10349],{},"Something you are"," — biometrics such as fingerprints, facial recognition, or iris scans",[51,10352,10354],{"id":10353},"how-do-compliance-frameworks-address-mfa","How do compliance frameworks address MFA?",[16,10356,10357],{},"MFA is required or strongly recommended across all major frameworks:",[137,10359,10360,10365,10370,10375,10380],{},[74,10361,10362,10364],{},[59,10363,4536],{}," — CC6.1 requires multi-factor authentication for access to sensitive systems",[74,10366,10367,10369],{},[59,10368,4866],{}," — A.8.5 addresses secure authentication including multi-factor methods",[74,10371,10372,10374],{},[59,10373,4510],{}," — while not explicitly mandating MFA, the Security Rule requires access controls that effectively necessitate it for ePHI systems",[74,10376,10377,10379],{},[59,10378,4890],{}," — Requirement 8.3 mandates MFA for all remote access to the cardholder data environment",[74,10381,10382,10384],{},[59,10383,4899],{}," — PR.AC-7 recommends multi-factor authentication as part of identity management",[51,10386,10388],{"id":10387},"what-are-implementation-best-practices","What are implementation best practices?",[137,10390,10391,10394,10397,10400,10403],{},[74,10392,10393],{},"Require MFA for all user accounts, not just administrators",[74,10395,10396],{},"Prefer authenticator apps or 
hardware tokens over SMS-based codes (which are vulnerable to SIM swapping)",[74,10398,10399],{},"Implement MFA on VPN, cloud console, email, and any system containing sensitive data",[74,10401,10402],{},"Provide backup recovery methods (recovery codes, backup devices) to prevent lockouts",[74,10404,10405],{},"Monitor and alert on MFA bypass attempts or disabled MFA",[51,10407,10409],{"id":10408},"how-does-episki-help-with-mfa","How does episki help with MFA?",[16,10411,10412,10413,42],{},"episki tracks MFA policies, monitors enforcement across systems, and documents MFA evidence for compliance audits. Learn more on our ",[23,10414,5233],{"href":5232},{"title":257,"searchDepth":258,"depth":258,"links":10416},[10417],{"id":10319,"depth":258,"text":10320,"children":10418},[10419,10420,10421,10422],{"id":10326,"depth":264,"text":10327},{"id":10353,"depth":264,"text":10354},{"id":10387,"depth":264,"text":10388},{"id":10408,"depth":264,"text":10409},{},"\u002Fglossary\u002Fmulti-factor-authentication",[5251,5252,5253,293,5254,5255],[5263,9574,5200],{"title":10428,"description":10429},"What is Multi-Factor Authentication (MFA)? 
Definition & Compliance Guide","Multi-Factor Authentication (MFA) is a login method that requires users to verify their identity using two or more factors, such as a password plus a code sent to their phone.","multi-factor-authentication","8.glossary\u002Fmulti-factor-authentication","UJQZ8l9dqE7trtvjUWb1iVTulmNQa1j2-kVTUOaUB34",{"id":10434,"title":10435,"body":10436,"description":257,"extension":278,"lastUpdated":294,"meta":10570,"navigation":296,"path":10571,"relatedFrameworks":10572,"relatedTerms":10573,"seo":10574,"slug":10577,"stem":10578,"term":10441,"__hash__":10579},"glossary\u002F8.glossary\u002Foffboarding.md","Offboarding",{"type":8,"value":10437,"toc":10561},[10438,10442,10445,10449,10452,10466,10470,10508,10512,10534,10538,10552,10556],[11,10439,10441],{"id":10440},"what-is-offboarding","What is Offboarding?",[16,10443,10444],{},"Offboarding is the formal process of revoking an employee's or contractor's access to systems, applications, and data when they leave an organization or change roles. 
A well-executed offboarding process is critical for preventing unauthorized access after separation and is a key control auditors review during compliance assessments.",[51,10446,10448],{"id":10447},"why-does-offboarding-matter","Why does offboarding matter?",[16,10450,10451],{},"Delayed or incomplete offboarding creates significant security risks:",[137,10453,10454,10457,10460,10463],{},[74,10455,10456],{},"Former employees retaining access to sensitive systems and data",[74,10458,10459],{},"Orphaned accounts that attackers can discover and exploit",[74,10461,10462],{},"Shared credentials that remain active after a team member departs",[74,10464,10465],{},"Compliance findings for inadequate access termination procedures",[51,10467,10469],{"id":10468},"what-are-the-key-offboarding-activities","What are the key offboarding activities?",[137,10471,10472,10478,10484,10490,10496,10502],{},[74,10473,10474,10477],{},[59,10475,10476],{},"Disable user accounts"," — immediately deactivate accounts in identity providers (SSO, Active Directory) to cascade access revocation",[74,10479,10480,10483],{},[59,10481,10482],{},"Revoke application access"," — remove access to SaaS applications, cloud consoles, code repositories, and internal tools",[74,10485,10486,10489],{},[59,10487,10488],{},"Recover assets"," — collect laptops, mobile devices, badges, hardware tokens, and other company property",[74,10491,10492,10495],{},[59,10493,10494],{},"Transfer ownership"," — reassign shared resources, documents, and project ownership",[74,10497,10498,10501],{},[59,10499,10500],{},"Remove from communication channels"," — remove from email distribution lists, Slack channels, and shared drives",[74,10503,10504,10507],{},[59,10505,10506],{},"Review privileged access"," — ensure any administrative or elevated access is fully revoked",[51,10509,10511],{"id":10510},"how-do-compliance-frameworks-address-offboarding","How do compliance frameworks address 
offboarding?",[137,10513,10514,10519,10524,10529],{},[74,10515,10516,10518],{},[59,10517,4536],{}," — CC6.2 requires timely revocation of access when personnel leave",[74,10520,10521,10523],{},[59,10522,4866],{}," — A.6.5 covers responsibilities after termination or change of employment",[74,10525,10526,10528],{},[59,10527,4510],{}," — the Security Rule requires procedures for terminating access to ePHI when employment ends",[74,10530,10531,10533],{},[59,10532,4890],{}," — Requirement 8.1.3 mandates immediate revocation of access for terminated users",[51,10535,10537],{"id":10536},"what-are-best-practices-for-offboarding","What are best practices for offboarding?",[137,10539,10540,10543,10546,10549],{},[74,10541,10542],{},"Automate offboarding checklists triggered by HR termination events",[74,10544,10545],{},"Set a target of same-day access revocation for all departures",[74,10547,10548],{},"Conduct post-offboarding audits to verify no residual access remains",[74,10550,10551],{},"Document the offboarding process and retain evidence for audit review",[51,10553,10555],{"id":10554},"how-does-episki-help-with-offboarding","How does episki help with offboarding?",[16,10557,10558,10559,42],{},"episki tracks offboarding policies, links them to access control evidence, and provides checklists to ensure complete access revocation. Learn more on our ",[23,10560,5233],{"href":5232},{"title":257,"searchDepth":258,"depth":258,"links":10562},[10563],{"id":10440,"depth":258,"text":10441,"children":10564},[10565,10566,10567,10568,10569],{"id":10447,"depth":264,"text":10448},{"id":10468,"depth":264,"text":10469},{"id":10510,"depth":264,"text":10511},{"id":10536,"depth":264,"text":10537},{"id":10554,"depth":264,"text":10555},{},"\u002Fglossary\u002Foffboarding",[5252,5253,293,5254],[5263,9574,9570],{"title":10575,"description":10576},"What is Offboarding? 
Definition & Compliance Guide","Offboarding is the formal process of revoking an employee's or contractor's access to systems and data when they leave an organization.","offboarding","8.glossary\u002Foffboarding","Rz5QFRP5_SeeZAbasnNVFWLvYnrzwxu8rDWO1Kpf4lI",{"id":10581,"title":10582,"body":10583,"description":257,"extension":278,"lastUpdated":294,"meta":10776,"navigation":296,"path":4179,"relatedFrameworks":10777,"relatedTerms":10778,"seo":10779,"slug":1450,"stem":10782,"term":8432,"__hash__":10783},"glossary\u002F8.glossary\u002Fphi.md","Phi",{"type":8,"value":10584,"toc":10765},[10585,10587,10590,10594,10597,10611,10615,10618,10674,10677,10681,10684,10687,10691,10694,10708,10711,10715,10718,10735,10738,10742,10745,10756,10760],[11,10586,8432],{"id":8431},[16,10588,10589],{},"Protected Health Information (PHI) is any individually identifiable health information that is created, received, maintained, or transmitted by a HIPAA covered entity or its business associates. PHI is the central concept in HIPAA regulations — the entire framework exists to protect this category of information.",[51,10591,10593],{"id":10592},"what-qualifies-as-phi","What qualifies as PHI?",[16,10595,10596],{},"For information to be classified as PHI, it must meet two criteria:",[71,10598,10599,10605],{},[74,10600,10601,10604],{},[59,10602,10603],{},"It relates to health"," — the information concerns an individual's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare",[74,10606,10607,10610],{},[59,10608,10609],{},"It is individually identifiable"," — the information can be linked to a specific individual through one or more of 18 identifiers defined by HIPAA",[51,10612,10614],{"id":10613},"what-are-the-18-hipaa-identifiers","What are the 18 HIPAA identifiers?",[16,10616,10617],{},"HIPAA defines 18 types of identifiers that, when combined with health information, create 
PHI:",[137,10619,10620,10623,10626,10629,10632,10635,10638,10641,10644,10647,10650,10653,10656,10659,10662,10665,10668,10671],{},[74,10621,10622],{},"Names",[74,10624,10625],{},"Geographic data smaller than a state (except the first three digits of a ZIP code when that area contains more than 20,000 people)",[74,10627,10628],{},"Dates (except year) directly related to an individual, and all ages over 89",[74,10630,10631],{},"Phone numbers",[74,10633,10634],{},"Fax numbers",[74,10636,10637],{},"Email addresses",[74,10639,10640],{},"Social Security numbers",[74,10642,10643],{},"Medical record numbers",[74,10645,10646],{},"Health plan beneficiary numbers",[74,10648,10649],{},"Account numbers",[74,10651,10652],{},"Certificate\u002Flicense numbers",[74,10654,10655],{},"Vehicle identifiers and serial numbers",[74,10657,10658],{},"Device identifiers and serial numbers",[74,10660,10661],{},"Web URLs",[74,10663,10664],{},"IP addresses",[74,10666,10667],{},"Biometric identifiers",[74,10669,10670],{},"Full-face photographs and comparable images",[74,10672,10673],{},"Any other unique identifying number, characteristic, or code",[16,10675,10676],{},"If health information is stripped of all 18 identifiers following the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)), and the covered entity has no actual knowledge that the remaining information could be used to identify the individual, it is de-identified data and is no longer subject to HIPAA protections. The alternative is the Expert Determination method, in which a qualified expert documents that the risk of re-identification is very small.",[51,10678,10680],{"id":10679},"what-is-electronic-phi-ephi","What is electronic PHI (ePHI)?",[16,10682,10683],{},"Electronic Protected Health Information (ePHI) is PHI that is created, stored, transmitted, or received in electronic form.
The HIPAA Security Rule specifically addresses safeguards for ePHI, requiring administrative, physical, and technical controls to protect its confidentiality, integrity, and availability.",[16,10685,10686],{},"ePHI includes data in electronic health records, emails containing patient information, digital images, and any other electronic format.",[51,10688,10690],{"id":10689},"what-is-the-difference-between-phi-and-pii","What is the difference between PHI and PII?",[16,10692,10693],{},"PHI and personally identifiable information (PII) overlap but are not identical:",[137,10695,10696,10702],{},[74,10697,10698,10701],{},[59,10699,10700],{},"PII"," is any information that can identify an individual, regulated by various federal and state laws",[74,10703,10704,10707],{},[59,10705,10706],{},"PHI"," is specifically health-related PII regulated under HIPAA",[16,10709,10710],{},"A person's name alone is PII but not PHI. A person's name combined with a diagnosis or treatment record is PHI.",[51,10712,10714],{"id":10713},"how-do-you-protect-phi","How do you protect PHI?",[16,10716,10717],{},"HIPAA requires covered entities and business associates to implement safeguards to protect PHI:",[137,10719,10720,10725,10730],{},[74,10721,10722,10724],{},[59,10723,3305],{}," — risk assessments, workforce training, access management policies, incident response procedures",[74,10726,10727,10729],{},[59,10728,3362],{}," — facility access controls, workstation security, device and media controls",[74,10731,10732,10734],{},[59,10733,3398],{}," — access controls, audit controls, integrity controls, transmission security (encryption)",[16,10736,10737],{},"The Minimum Necessary Rule further requires that access to PHI be limited to the minimum amount needed for a specific purpose.",[51,10739,10741],{"id":10740},"what-are-the-penalties-for-phi-violations","What are the penalties for PHI violations?",[16,10743,10744],{},"HIPAA violations involving PHI can result in significant 
penalties:",[137,10746,10747,10750,10753],{},[74,10748,10749],{},"Civil penalties in four tiers based on culpability, with statutory base amounts from $100 to $50,000 per violation and an annual cap of $1.5 million per violation category (HHS adjusts these figures for inflation each year)",[74,10751,10752],{},"Criminal penalties, including fines and up to ten years' imprisonment, for knowingly obtaining or disclosing PHI in violation of HIPAA",[74,10754,10755],{},"Mandatory breach notification to affected individuals, HHS, and media outlets when more than 500 residents of a state or jurisdiction are affected",[51,10757,10759],{"id":10758},"how-does-episki-help-with-phi","How does episki help with PHI?",[16,10761,10762,10763,42],{},"episki helps organizations identify where PHI exists in their systems, implement required safeguards, and maintain documentation demonstrating HIPAA compliance. The platform tracks access controls, risk assessments, and business associate agreements to ensure comprehensive PHI protection. Learn more on our ",[23,10764,7169],{"href":35},{"title":257,"searchDepth":258,"depth":258,"links":10766},[10767],{"id":8431,"depth":258,"text":8432,"children":10768},[10769,10770,10771,10772,10773,10774,10775],{"id":10592,"depth":264,"text":10593},{"id":10613,"depth":264,"text":10614},{"id":10679,"depth":264,"text":10680},{"id":10689,"depth":264,"text":10690},{"id":10713,"depth":264,"text":10714},{"id":10740,"depth":264,"text":10741},{"id":10758,"depth":264,"text":10759},{},[293],[293,2106,1451,1452,550,5257,5200],{"title":10780,"description":10781},"What is Protected Health Information (PHI)? Definition & Compliance Guide","Protected Health Information (PHI) is any individually identifiable health data covered by HIPAA.
Learn what qualifies as PHI and how to protect it.","8.glossary\u002Fphi","S359PhBIZednkFETpVh7HeInrjEkO1Dd9FRUTXZCB2Y",{"id":10785,"title":10786,"body":10787,"description":257,"extension":278,"lastUpdated":294,"meta":11010,"navigation":296,"path":11011,"relatedFrameworks":11012,"relatedTerms":11013,"seo":11014,"slug":11017,"stem":11018,"term":10792,"__hash__":11019},"glossary\u002F8.glossary\u002Fsecurity-awareness-training.md","Security Awareness Training",{"type":8,"value":10788,"toc":10999},[10789,10793,10796,10800,10803,10820,10824,10827,10877,10881,10903,10907,10910,10942,10946,10949,10966,10970,10973,10990,10994],[11,10790,10792],{"id":10791},"what-is-security-awareness-training","What is Security Awareness Training?",[16,10794,10795],{},"Security awareness training is an educational program designed to teach employees about cybersecurity threats, security best practices, and their responsibilities for protecting organizational data and systems. Human error remains one of the leading causes of security incidents, making awareness training a critical control for reducing risk. Every major compliance framework requires or strongly recommends security awareness training.",[51,10797,10799],{"id":10798},"why-does-security-awareness-training-matter","Why does security awareness training matter?",[16,10801,10802],{},"Technology controls alone cannot prevent all security incidents. Employees interact with sensitive data, click links, open attachments, and make decisions that affect security every day. 
Effective training:",[137,10804,10805,10808,10811,10814,10817],{},[74,10806,10807],{},"Reduces the likelihood of successful phishing and social engineering attacks",[74,10809,10810],{},"Helps employees recognize and report suspicious activity",[74,10812,10813],{},"Builds a security-conscious culture throughout the organization",[74,10815,10816],{},"Meets compliance requirements across multiple frameworks",[74,10818,10819],{},"Reduces the frequency and impact of human-caused security incidents",[51,10821,10823],{"id":10822},"what-are-the-core-security-awareness-training-topics","What are the core security awareness training topics?",[16,10825,10826],{},"A comprehensive security awareness program typically covers:",[137,10828,10829,10835,10841,10847,10853,10859,10865,10871],{},[74,10830,10831,10834],{},[59,10832,10833],{},"Phishing and social engineering"," — how to identify and respond to phishing emails, phone-based pretexting, and other manipulation techniques",[74,10836,10837,10840],{},[59,10838,10839],{},"Password security"," — creating strong passwords, using password managers, and understanding multi-factor authentication",[74,10842,10843,10846],{},[59,10844,10845],{},"Data handling"," — proper classification, storage, transmission, and disposal of sensitive data",[74,10848,10849,10852],{},[59,10850,10851],{},"Physical security"," — securing workstations, preventing tailgating, and protecting physical access badges",[74,10854,10855,10858],{},[59,10856,10857],{},"Remote work security"," — securing home networks, using VPNs, and protecting devices outside the office",[74,10860,10861,10864],{},[59,10862,10863],{},"Incident reporting"," — how and when to report suspected security incidents",[74,10866,10867,10870],{},[59,10868,10869],{},"Acceptable use"," — organizational policies on technology use, internet access, and personal devices",[74,10872,10873,10876],{},[59,10874,10875],{},"Regulatory requirements"," — specific requirements based on the organization's 
compliance obligations (HIPAA for healthcare, PCI DSS for payment card handling)",[51,10878,10880],{"id":10879},"what-training-requirements-apply-by-framework","What training requirements apply by framework?",[137,10882,10883,10888,10893,10898],{},[74,10884,10885,10887],{},[59,10886,4536],{}," — CC1.4 requires that the organization demonstrates a commitment to attract, develop, and retain competent individuals, including security training",[74,10889,10890,10892],{},[59,10891,4866],{}," — control A.6.3 requires information security awareness, education, and training",[74,10894,10895,10897],{},[59,10896,4510],{}," — the Security Rule requires security awareness and training for all workforce members (45 CFR 164.308(a)(5))",[74,10899,10900,10902],{},[59,10901,4890],{}," — Requirement 12.6 requires security awareness training for all personnel upon hire and at least annually",[51,10904,10906],{"id":10905},"how-often-should-training-be-delivered-and-how","How often should training be delivered, and how?",[16,10908,10909],{},"Best practices for training delivery include:",[137,10911,10912,10918,10924,10930,10936],{},[74,10913,10914,10917],{},[59,10915,10916],{},"Upon hire"," — all new employees should complete security awareness training during onboarding",[74,10919,10920,10923],{},[59,10921,10922],{},"Annual refresher"," — all employees should complete refresher training at least annually",[74,10925,10926,10929],{},[59,10927,10928],{},"Role-specific training"," — employees in high-risk roles (developers, administrators, finance) should receive additional targeted training",[74,10931,10932,10935],{},[59,10933,10934],{},"Continuous reinforcement"," — supplement formal training with simulated phishing campaigns, security tips, and brief micro-learning modules throughout the year",[74,10937,10938,10941],{},[59,10939,10940],{},"Triggered training"," — require additional training when an employee fails a phishing simulation or is involved in a security 
incident",[51,10943,10945],{"id":10944},"how-do-you-measure-training-effectiveness","How do you measure training effectiveness?",[16,10947,10948],{},"Training effectiveness should be measured through:",[137,10950,10951,10954,10957,10960,10963],{},[74,10952,10953],{},"Phishing simulation click rates (tracked over time to show improvement)",[74,10955,10956],{},"Training completion rates",[74,10958,10959],{},"Security incident trends related to human factors",[74,10961,10962],{},"Employee knowledge assessments (quizzes or surveys)",[74,10964,10965],{},"Time to report suspicious activity",[51,10967,10969],{"id":10968},"what-training-evidence-do-auditors-look-for","What training evidence do auditors look for?",[16,10971,10972],{},"Auditors expect to see:",[137,10974,10975,10978,10981,10984,10987],{},[74,10976,10977],{},"Training policy documenting requirements and frequency",[74,10979,10980],{},"Records of training completion for all employees",[74,10982,10983],{},"Training content covering relevant topics",[74,10985,10986],{},"Phishing simulation results and trends",[74,10988,10989],{},"Evidence of new hire training",[51,10991,10993],{"id":10992},"how-does-episki-help-with-security-awareness-training","How does episki help with security awareness training?",[16,10995,10996,10997,42],{},"episki tracks security awareness training completion, sends reminders to employees and managers, and maintains training records as compliance evidence. The platform integrates with popular training providers and maps training requirements to framework controls. 
Learn more on our ",[23,10998,5233],{"href":5232},{"title":257,"searchDepth":258,"depth":258,"links":11000},[11001],{"id":10791,"depth":258,"text":10792,"children":11002},[11003,11004,11005,11006,11007,11008,11009],{"id":10798,"depth":264,"text":10799},{"id":10822,"depth":264,"text":10823},{"id":10879,"depth":264,"text":10880},{"id":10905,"depth":264,"text":10906},{"id":10944,"depth":264,"text":10945},{"id":10968,"depth":264,"text":10969},{"id":10992,"depth":264,"text":10993},{},"\u002Fglossary\u002Fsecurity-awareness-training",[5251,5252,5253,293,5254],[5263,5492,5490,1450],{"title":11015,"description":11016},"What is Security Awareness Training? Definition & Compliance Guide","Security awareness training educates employees about cybersecurity threats and best practices. Learn what to include and how it satisfies compliance requirements.","security-awareness-training","8.glossary\u002Fsecurity-awareness-training","xgD6bzRoOy6RZm_k9NAZRMfP5cKo0j-xLN3LeofSjwI",{"id":11021,"title":11022,"body":11023,"description":257,"extension":278,"lastUpdated":294,"meta":11134,"navigation":296,"path":11135,"relatedFrameworks":11136,"relatedTerms":11137,"seo":11138,"slug":11141,"stem":11142,"term":11028,"__hash__":11143},"glossary\u002F8.glossary\u002Fworkforce-security.md","Workforce Security",{"type":8,"value":11024,"toc":11126},[11025,11029,11032,11036,11068,11072,11089,11093,11117,11121],[11,11026,11028],{"id":11027},"what-is-workforce-security","What is Workforce Security?",[16,11030,11031],{},"Workforce security refers to the policies, procedures, and controls that ensure employees, contractors, and other workforce members handle sensitive information responsibly and securely. 
It encompasses the full employment lifecycle — from hiring and onboarding through ongoing access management to termination and offboarding.",[51,11033,11035],{"id":11034},"what-are-the-key-components-of-workforce-security","What are the key components of workforce security?",[137,11037,11038,11044,11050,11056,11062],{},[74,11039,11040,11043],{},[59,11041,11042],{},"Background checks"," — verifying the identity, qualifications, and history of new hires before granting access to sensitive systems",[74,11045,11046,11049],{},[59,11047,11048],{},"Security awareness training"," — educating the workforce on security policies, threats, and their responsibilities",[74,11051,11052,11055],{},[59,11053,11054],{},"Access management"," — assigning appropriate access based on role and revoking it when no longer needed",[74,11057,11058,11061],{},[59,11059,11060],{},"Acceptable use policies"," — defining what constitutes proper use of organizational systems and data",[74,11063,11064,11067],{},[59,11065,11066],{},"Termination procedures"," — ensuring timely and complete access revocation when workforce members depart",[51,11069,11071],{"id":11070},"how-do-compliance-frameworks-address-workforce-security","How do compliance frameworks address workforce security?",[137,11073,11074,11079,11084],{},[74,11075,11076,11078],{},[59,11077,4510],{}," — the Security Rule (45 CFR 164.308(a)(3)) explicitly requires workforce security controls including authorization and supervision, clearance procedures, and termination procedures",[74,11080,11081,11083],{},[59,11082,4536],{}," — CC1.4 and CC6.2 address human resource security including hiring, training, and termination",[74,11085,11086,11088],{},[59,11087,4866],{}," — A.6.1 through A.6.5 cover screening, terms of employment, awareness training, disciplinary processes, and post-employment responsibilities",[51,11090,11092],{"id":11091},"what-are-best-practices-for-workforce-security","What are best practices for workforce 
security?",[137,11094,11095,11098,11101,11108,11114],{},[74,11096,11097],{},"Conduct background checks proportional to the sensitivity of the role",[74,11099,11100],{},"Require security awareness training at hire and annually thereafter",[74,11102,11103,11104,11107],{},"Implement role-based access that follows the ",[23,11105,11106],{"href":9567},"least privilege"," principle",[74,11109,11110,11111,11113],{},"Document and enforce termination and ",[23,11112,10577],{"href":10571}," checklists",[74,11115,11116],{},"Review workforce security policies annually and after significant organizational changes",[51,11118,11120],{"id":11119},"how-does-episki-help-with-workforce-security","How does episki help with workforce security?",[16,11122,11123,11124,42],{},"episki tracks workforce security controls, manages training completion records, and documents evidence of hiring and termination procedures for compliance audits. Learn more on our ",[23,11125,5233],{"href":5232},{"title":257,"searchDepth":258,"depth":258,"links":11127},[11128],{"id":11027,"depth":258,"text":11028,"children":11129},[11130,11131,11132,11133],{"id":11034,"depth":264,"text":11035},{"id":11070,"depth":264,"text":11071},{"id":11091,"depth":264,"text":11092},{"id":11119,"depth":264,"text":11120},{},"\u002Fglossary\u002Fworkforce-security",[293,5252,5253],[5263,11017,10577],{"title":11139,"description":11140},"What is Workforce Security? 
Definition & Compliance Guide","Workforce security refers to the policies and controls that ensure employees and contractors handle sensitive information responsibly and securely.","workforce-security","8.glossary\u002Fworkforce-security","na2bHZsChgoatdZZY7JsQpjSx5s4F6y3rTrEiRhd0js",{"id":11145,"title":11146,"api":546,"authors":11147,"body":11153,"category":11289,"date":11290,"description":11291,"extension":278,"features":546,"fixes":546,"highlight":546,"image":11292,"improvements":546,"meta":11294,"navigation":296,"path":11295,"seo":11296,"stem":11297,"__hash__":11298},"posts\u002F3.now\u002Ftips.md","Tips for Building a Strong Security Culture",[11148],{"name":11149,"to":11150,"avatar":11151},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":11152},"\u002Fimages\u002Fjustinleapline.png",{"type":8,"value":11154,"toc":11281},[11155,11158,11161,11164,11167,11171,11174,11177,11180,11184,11187,11199,11202,11206,11209,11212,11215,11219,11222,11225,11228,11232,11235,11238,11241,11245,11248,11251,11254,11259,11269,11276],[16,11156,11157],{},"You can have the best firewall on the market, a mature vulnerability management program, and a SOC running 24\u002F7 — and still be one phishing email away from a serious incident.",[16,11159,11160],{},"Not because your tools failed. Because your people weren't part of the security equation.",[16,11162,11163],{},"Security culture is the difference between an organization where employees see security as someone else's job and one where they actively contribute to it. Building that culture is one of the hardest things a security leader can do — and one of the most valuable.",[16,11165,11166],{},"Here's what actually works.",[11,11168,11170],{"id":11169},"start-with-leadership-not-policy","Start With Leadership, Not Policy",[16,11172,11173],{},"Security culture doesn't start with a training video or an acceptable use policy. 
It starts at the top.",[16,11175,11176],{},"When executives treat security as a business priority — when they ask about risk posture in board meetings, when they model good security behavior, when they make it clear that security matters — that signal travels through the organization. When they treat it as an IT problem that lives in a different department, that signal travels too.",[16,11178,11179],{},"CISOs who want to build strong security cultures spend time educating and engaging their executive peers, not just their own teams. They make security visible at the leadership level — not as a compliance obligation, but as a business value. That top-down commitment creates the permission structure that everything else depends on.",[11,11181,11183],{"id":11182},"make-security-relevant-to-each-teams-work","Make Security Relevant to Each Team's Work",[16,11185,11186],{},"One of the most common mistakes in security awareness programs is treating every employee the same. A developer, a finance analyst, and a customer service rep face completely different security risks in their day-to-day work — and generic training that doesn't acknowledge those differences gets tuned out quickly.",[16,11188,11189,11190,11194,11195,11198],{},"Effective security culture programs meet people where they are. They connect security concepts to the specific tasks, tools, and risks each team encounters. They explain not just ",[11191,11192,11193],"em",{},"what"," the policy says, but ",[11191,11196,11197],{},"why"," it matters in the context of that person's actual job. When a finance employee understands why wire transfer verification procedures exist — because of the real attacks that target exactly their role — the procedure stops feeling like bureaucracy and starts feeling like protection.",[16,11200,11201],{},"Relevance drives retention. 
Generic awareness drives compliance theater.",[11,11203,11205],{"id":11204},"reward-the-right-behaviors","Reward the Right Behaviors",[16,11207,11208],{},"Most security programs are designed to catch and punish failures — the employee who clicked the phishing link, the team that bypassed the approval process, the contractor who shared credentials. Consequence is a necessary part of any security program, but it's a poor foundation for culture.",[16,11210,11211],{},"Organizations with strong security cultures also celebrate the behaviors they want to see more of. They recognize employees who report suspicious emails, who raise security concerns in project planning, who push back on shortcuts that introduce risk. They create safe channels for people to admit mistakes without fear of blame, because transparency about near-misses is infinitely more valuable than silence about them.",[16,11213,11214],{},"Psychological safety is a security control. When people are afraid to report problems, problems don't get reported — they get discovered later, when they're much more expensive.",[11,11216,11218],{"id":11217},"integrate-security-into-existing-workflows","Integrate Security Into Existing Workflows",[16,11220,11221],{},"Security culture erodes when security is experienced as friction — a separate process, an additional approval, a tool that slows things down. It strengthens when security is built into how work already gets done.",[16,11223,11224],{},"This means embedding security checkpoints into product development cycles, not bolting them on at the end. It means making secure defaults the easy defaults, so the path of least resistance is also the more secure path. It means involving security early in new business initiatives, not bringing them in after decisions are already made.",[16,11226,11227],{},"The goal isn't to make security invisible — it's to make it natural. 
When a developer automatically considers threat modeling as part of design, or when a procurement team reflexively asks about vendor security as part of due diligence, culture is working.",[11,11229,11231],{"id":11230},"measure-what-matters-and-be-honest-about-it","Measure What Matters — and Be Honest About It",[16,11233,11234],{},"Security culture is notoriously hard to measure, which leads many organizations to measure the wrong things — training completion rates, phishing simulation click rates, policy acknowledgment counts. These metrics are easy to collect and tell you almost nothing about actual cultural change.",[16,11236,11237],{},"More meaningful signals include: How quickly do employees report suspicious activity? Are security concerns being raised earlier in project lifecycles? Is the volume of policy exception requests going up or down — and why? Are teams coming to security proactively, or only when required?",[16,11239,11240],{},"These measures require more effort to collect, but they reflect something real. And being honest about what the data shows — including the parts that reveal cultural gaps — is what allows leaders to make targeted interventions rather than repeat the same awareness programs and hope for different results.",[11,11242,11244],{"id":11243},"build-for-the-long-game","Build for the Long Game",[16,11246,11247],{},"Security culture isn't built in a quarter. It's built over years of consistent messaging, visible leadership commitment, relevant education, and reinforcement of the right behaviors. It erodes just as slowly — through apathy, through leadership turnover, through programs that go stale, through a security team that becomes adversarial rather than collaborative.",[16,11249,11250],{},"The organizations with the strongest security cultures treat it as an ongoing investment, not a one-time initiative. They revisit and refresh their programs regularly. They measure progress honestly. 
And they understand that every interaction between the security team and the rest of the business is an opportunity to either build or undermine the culture they're trying to create.",[16,11252,11253],{},"Technology protects systems. Culture protects organizations.",[16,11255,11256],{},[59,11257,11258],{},"Ready to build a security culture that actually sticks?",[16,11260,11261,11262,11268],{},"At ",[23,11263,11267],{"href":11264,"rel":11265},"https:\u002F\u002Fepiski.com",[11266],"nofollow","Episki",", we help security leaders go beyond policies and awareness programs to build the organizational habits and leadership alignment that make security a shared value. If you're ready to make culture a core part of your security strategy, we'd love to talk.",[16,11270,11271],{},[23,11272,11275],{"href":11273,"rel":11274},"https:\u002F\u002Fepiski.com\u002Fcontact",[11266],"Let's talk →",[16,11277,11278],{},[11191,11279,11280],{},"Tools protect systems. Culture protects organizations.",{"title":257,"searchDepth":258,"depth":258,"links":11282},[11283,11284,11285,11286,11287,11288],{"id":11169,"depth":258,"text":11170},{"id":11182,"depth":258,"text":11183},{"id":11204,"depth":258,"text":11205},{"id":11217,"depth":258,"text":11218},{"id":11230,"depth":258,"text":11231},{"id":11243,"depth":258,"text":11244},"craft","2026-05-11","Security tools and policies only go so far. The organizations that are truly resilient are the ones where security is part of how everyone thinks — not just what the security team does.",{"src":11293},"\u002Fimages\u002Fblog\u002FTips.jpg",{},"\u002Fnow\u002Ftips",{"title":11146,"description":11291},"3.now\u002Ftips","LtzuWX4I6GxP-GCS8QRdhlQQW0iHXTak5_7evvpUeK8",1778494704870]
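The post-offboarding audit that the offboarding glossary entry above calls for ("conduct post-offboarding audits to verify no residual access remains", with a same-day revocation target), as an added example that is not episki's code and not part of the original page. It reconciles a constructed HR termination list against constructed account exports from the identity provider, from applications that are not federated through SSO, and from a shared-secret inventory, and reports three kinds of residual access: accounts still enabled for a departed person, accounts disabled later than the 24-hour target, and shared credentials that were never rotated after someone who knew them left. The record layouts (`hr_terminations`, `idp_users`, `app_accounts`, `shared_secrets`), the field names, and the 24-hour window are assumptions standing in for whatever an organization's real exports look like.

```python
# Added example: post-offboarding access reconciliation. Not episki's code and not
# part of the original page; all records below are constructed, and the export
# layouts (hr_terminations, idp_users, app_accounts, shared_secrets) are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

REVOCATION_SLA = timedelta(hours=24)  # the same-day target from the best practices above


@dataclass(frozen=True)
class Finding:
    severity: str  # "high": a departed person can still authenticate; "medium": hygiene gap
    subject: str   # the account, secret or identity the finding is about
    detail: str


def _ts(value):
    """Parse an ISO-8601 timestamp with an explicit offset into an aware UTC datetime."""
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def reconcile(hr_terminations, idp_users, app_accounts, shared_secrets, now):
    """Return residual-access findings, highest severity first."""
    findings = []
    terminated = {t["email"].lower(): _ts(t["terminated_at"]) for t in hr_terminations}
    idp_by_email = {u["email"].lower(): u for u in idp_users}

    # 1. Identity provider: every departed person must be disabled, and disabled in time.
    for email, left_at in terminated.items():
        user = idp_by_email.get(email)
        if user is None:
            continue  # no IdP identity; any application accounts are still checked below
        if user["enabled"]:
            hours = (now - left_at).total_seconds() / 3600
            findings.append(Finding("high", email,
                f"IdP account still enabled {hours:.0f}h after termination"))
        elif user["disabled_at"] and _ts(user["disabled_at"]) - left_at > REVOCATION_SLA:
            findings.append(Finding("medium", email,
                "IdP account was disabled later than the same-day revocation target"))

    # 2. Applications: disabling the IdP account does nothing for accounts that are not
    #    federated, and a provisioned federated account should keep no local login path.
    for acct in app_accounts:
        owner = acct["owner_email"].lower()
        label = f'{acct["app"]}:{acct["username"]}'
        if not acct["active"]:
            continue
        if owner in terminated:
            if acct["sso_federated"]:
                findings.append(Finding("medium", label,
                    "provisioned account still active for a departed user; confirm no local password or API key remains"))
            else:
                findings.append(Finding("high", label,
                    "non-federated account still active for a departed user"))
        elif owner not in idp_by_email:
            findings.append(Finding("medium", label,
                "orphaned account: owner matches no identity in HR or the IdP"))

    # 3. Shared credentials a departed person knew must have been rotated after they left.
    for secret in shared_secrets:
        rotated_at = _ts(secret["last_rotated_at"])
        stale_for = [p for p in secret["known_to"]
                     if p.lower() in terminated and rotated_at < terminated[p.lower()]]
        if stale_for:
            findings.append(Finding("high", secret["name"],
                f"not rotated since the departure of {', '.join(stale_for)}"))

    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f.severity], f.subject))


# Constructed sample exports: two departures, one of them still enabled in the IdP.
NOW = _ts("2024-03-05T09:00:00+00:00")
HR_TERMINATIONS = [
    {"email": "alice@example.com", "terminated_at": "2024-03-01T17:00:00+00:00"},
    {"email": "bob@example.com", "terminated_at": "2024-02-20T17:00:00+00:00"},
]
IDP_USERS = [
    {"email": "alice@example.com", "enabled": True, "disabled_at": None},
    {"email": "bob@example.com", "enabled": False, "disabled_at": "2024-02-23T10:00:00+00:00"},
    {"email": "carol@example.com", "enabled": True, "disabled_at": None},
]
APP_ACCOUNTS = [
    {"app": "github", "username": "alice-dev", "owner_email": "alice@example.com", "active": True, "sso_federated": True},
    {"app": "legacy-crm", "username": "bob", "owner_email": "bob@example.com", "active": True, "sso_federated": False},
    {"app": "legacy-crm", "username": "dave", "owner_email": "dave@example.com", "active": True, "sso_federated": False},
    {"app": "aws-console", "username": "carol", "owner_email": "carol@example.com", "active": True, "sso_federated": True},
]
SHARED_SECRETS = [
    {"name": "prod-db-readonly-password", "known_to": ["alice@example.com", "carol@example.com"], "last_rotated_at": "2024-01-15T00:00:00+00:00"},
    {"name": "ci-deploy-token", "known_to": ["bob@example.com"], "last_rotated_at": "2024-02-21T09:00:00+00:00"},
]


def audit():
    return reconcile(HR_TERMINATIONS, IDP_USERS, APP_ACCOUNTS, SHARED_SECRETS, NOW)


if __name__ == "__main__":
    for f in audit():
        print(f"[{f.severity.upper():6}] {f.subject}: {f.detail}")
```

On the sample data the audit reports three high findings (alice still enabled in the IdP 88 hours after leaving, bob's non-federated legacy-crm account still active, and a database password alice knew that was last rotated before she left) and three medium ones (bob disabled two days late, alice's provisioned GitHub account still present, and a legacy-crm account whose owner matches nobody in HR or the IdP). The ci-deploy token raises nothing because it was rotated the morning after bob's departure. In practice the three inputs come from the HRIS, the IdP's user export, and each application's admin API; the comparison logic is the same, and running it on a schedule turns the "post-offboarding audit" best practice into evidence an auditor can review.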