AuditCore
45 CFR § 164.302–318

HIPAA Security Rule: technical safeguard evidence

If you handle Protected Health Information (PHI) in any US healthcare workflow, the HIPAA Security Rule applies — covered entities AND business associates. AuditCore automates the technical safeguards (§ 164.312) and produces evidence for the risk analysis required by § 164.308.

TL;DR

HIPAA Security Rule has three families of safeguards: Administrative (§ 164.308 — risk analysis, training, sanctions), Physical (§ 164.310 — facility access, workstation), and Technical (§ 164.312 — access controls, audit logs, integrity, transmission). AuditCore directly addresses Technical and produces evidence for the Administrative risk-analysis requirement.

OCR (Office for Civil Rights) audits + post-breach investigations focus on whether you can demonstrate ongoing risk analysis and that you've remediated identified deficiencies. A scheduled scan with documented findings + remediation tracking IS that evidence.

Requirement → AuditCore scanner coverage

Each requirement of the standard is mapped to the AuditCore scanners that contribute evidence. full = automated end-to-end; partial = covers part of the requirement, with manual review for the rest; manual = AuditCore doesn't automate it (process / paperwork / org-only).

ID | Requirement | Coverage | Scanners

§ 164.308(a)(1)(ii)(A) | Risk analysis (required) | partial | AiContextScanner, ZapScanner, NucleiScanner
  Accurate, thorough assessment of risks to ePHI confidentiality, integrity, availability. AuditCore provides recurring technical risk data.
  Note: We provide the technical-risk inputs. Organizational risk analysis (workforce, vendors) is process work.

§ 164.308(a)(1)(ii)(B) | Risk management (required) | full | ZapScanner, NucleiScanner, SemgrepScanner, TrivyScanner
  Implement security measures sufficient to reduce risks to a reasonable level. AuditCore findings → remediation tracking = the audit trail OCR asks for.

§ 164.308(a)(5)(ii)(B) | Protection from malicious software (addressable) | partial | TrivyScanner, NucleiScanner
  Detection of known malware signatures + outdated dependencies that are common malware entry points.

§ 164.308(a)(8) | Evaluation (required) | full | ZapScanner, NucleiScanner
  Periodic technical and non-technical evaluation. Scheduled scans = the technical half of this evaluation, on a documented cadence.

§ 164.312(a)(1) | Access control — Unique user identification (required) | full | AuthReplay, JwtAnalyzer, SessionTester, SensitiveFilesScanner, BusinessLogicScanner
  Detect shared / default credentials, exposed admin paths, anonymous-access endpoints to PHI-handling APIs.

§ 164.312(a)(2)(iv) | Encryption and decryption (addressable) | partial | SSLyzeScanner, GitleaksScanner, HeaderAnalyzer
  TLS configuration for data in transit; hardcoded keys / exposed crypto material detection.
  Note: At-rest encryption verification needs infrastructure access we don't have.

§ 164.312(b) | Audit controls (required) | partial | HeaderAnalyzer, BusinessLogicScanner
  Detection of endpoints with no rate limiting, missing security headers, exposed admin actions without logging — proxies for audit gaps.

§ 164.312(c)(1) | Integrity (required) | partial | XxeScanner, CmdiScanner, PathTraversalScanner
  Detection of file upload without integrity checks, missing CSRF tokens, weak content-type validation.

§ 164.312(d) | Person or entity authentication (required) | full | AuthReplay, JwtAnalyzer, SessionTester, OAuthTester
  BOLA/BFLA testing, JWT analysis, session security, OAuth flow review — direct authentication-integrity coverage.

§ 164.312(e)(1) | Transmission security (required) | full | SSLyzeScanner, HeaderAnalyzer
  TLS configuration (Heartbleed, deprecated protocols, weak ciphers), HSTS enforcement, cleartext URLs.

§ 164.312(e)(2)(i) | Integrity controls — transmission (addressable) | partial | CrlfScanner, SmugglingScanner, SSLyzeScanner
  Detection of MITM-vulnerable configurations, response-splitting risks.

Sample findings AuditCore surfaces for this standard

Real finding types our scanners produce. Each maps to one or more of the requirements above.

[critical] Patient record API returns full chart without per-patient auth check (§ 164.312(a)(1), § 164.312(d))

Classic BOLA on PHI = breach. Triggers § 164.404 notification. OCR fines have hit $4-16M for analogous incidents.

[critical] TLS 1.0/1.1 still accepted on portal endpoint (§ 164.312(e)(1))

Direct transmission security failure. NIST SP 800-52 Rev 2 (HHS-cited) deprecates these. Any OCR audit flags it.

[high] JWT token uses alg:none — auth bypass possible (§ 164.312(d))

Authentication failure on a PHI-handling app. A single positive finding undermines the whole risk-analysis posture.

[high] Outdated EHR-adjacent dependency with public CVE (§ 164.308(a)(5)(ii)(B), § 164.312(c)(1))

Malicious software protection + integrity failure. The actual entry point for most healthcare ransomware incidents.

[medium] Missing audit headers + no rate limit on PHI search (§ 164.312(b))

Audit-control gap. Hard to prove who accessed which records without logging — OCR will ask.

Recommended tier

Business ($499)

Healthcare workflows handling PHI need credentialed scans (Business tier) to test portals from a logged-in clinician/patient perspective, custom scan profiles to avoid hitting production patient data unintentionally, and white-label PDFs for handing to your Privacy/Security Officer.

What AuditCore doesn't cover

Honest scope — these items are part of the standard but require process, paperwork, or org-level controls outside what a web scanner can verify. Use a manual auditor / compliance consultant for these.

  • Workforce security training (§ 164.308(a)(5))
  • Workstation use / workstation security (§ 164.310(b), (c)) — physical
  • Facility access controls (§ 164.310(a)) — physical
  • Business Associate Agreements (§ 164.308(b), § 164.504(e)) — contractual
  • Risk analysis methodology + documentation (§ 164.308(a)(1)(ii)(A)) — process
  • Sanction policy + termination procedures (§ 164.308(a)(1)(ii)(C))
  • Disaster recovery plan + emergency mode operations (§ 164.308(a)(7))
  • Breach notification workflow itself (§ 164.404, § 164.406, § 164.408)
  • PHI at-rest encryption verification (requires DB access)

FAQ

Does AuditCore make us HIPAA compliant?

No tool makes you HIPAA compliant. HIPAA compliance is the totality of administrative + physical + technical safeguards plus a documented compliance program (risk analysis, training, BAAs, breach response). AuditCore handles the technical-safeguards layer well + produces evidence for the risk-analysis requirement. For administrative + physical safeguards, you need a compliance officer, training program, and physical access controls.

Are we a Covered Entity or Business Associate?

Covered Entities (CEs) directly provide healthcare: providers, health plans, clearinghouses. Business Associates (BAs) handle PHI on behalf of a CE — most SaaS serving healthcare are BAs. Both face the same Security Rule requirements (45 CFR § 164.302-318). If you're unsure, you're probably a BA — and you need a BAA with each CE you serve.

Do you sign a Business Associate Agreement (BAA)?

AuditCore scans the SURFACE of your application — we don't store ePHI in the conventional sense. Scan findings reference URLs and request shapes; if your URL paths or response samples happen to contain PHI, those snippets are stored as evidence. For most SaaS pentest scenarios that's de minimis and our standard ToS handles it. If you specifically need a BAA (e.g. you're scanning a clinical portal where PHI appears in query params), contact us — we can issue one on Business tier.

What does an OCR HIPAA audit actually ask for?

Three things: (1) your risk analysis — when was it done, who did it, what did it find; (2) your risk management plan — what did you do about the findings; (3) evidence the technical safeguards work — vulnerability scans, pen tests, log reviews. AuditCore directly produces (3) and supports (1) + (2) via the PDF report + scheduled scan history. Pair with a HIPAA-savvy security officer for the policy/training docs.

How does HIPAA Security Rule relate to HITRUST?

HIPAA Security Rule is the LAW. HITRUST CSF is a CERTIFICATION FRAMEWORK that maps HIPAA + ISO 27001 + NIST + PCI into one assessable framework. Many large healthcare buyers (insurers, hospital systems) require HITRUST from their vendors. AuditCore findings map to HITRUST technical controls in the same way they map to HIPAA — same scanners produce the evidence.

Can AuditCore detect a HIPAA breach in progress?

Not directly — we're a vulnerability scanner, not a SIEM/IDS. What we DO detect: the conditions that enable breaches (exposed PHI endpoints without auth, leaked credentials in JS, exploitable injection points). Webhooks notify your security team when a scan finds new high/critical issues; pair with a SIEM (Splunk, Datadog, Wazuh) for runtime breach detection.

Start the audit in 60 seconds

Free 1-page audit, no credit card. Upgrade to Business ($499) when you need the full standard coverage.