Privacy Rule
Use & disclosure of PHI
HIPAA · 45 CFR Part 160 + 164
PHI safeguards operationalized for covered entities & business associates.
Privacy, Security, and Breach Rules in one workspace. Administrative, physical, and technical safeguards mapped to controls. BAA lifecycle managed end to end.
Three rules · one platform
Privacy. Security. Breach.
The three pillars of HIPAA — implemented through controls, not policy PDFs.
Security Rule
ePHI safeguards (A · P · T)
Breach Rule
Notification timelines & content
Security Rule · safeguards
Three categories. Required and addressable specifications.
Administrative
- Security management process
- Workforce training
- Access management
- Incident procedures
- Contingency plan
- BA contracts
Physical
- Facility access controls
- Workstation use policy
- Workstation security
- Device & media controls
Technical
- Access control · unique IDs
- Audit controls & logging
- Integrity controls
- Transmission security · encryption
Business Associates
Every PHI-touching vendor under a tracked BAA
Procurement workflow gates PHI access. Annual reattestation re-runs the security questionnaire — automatically.
- 1Identify
All vendors handling PHI flagged via procurement workflow
- 2Assess
Tier 1 vendors complete the BA security questionnaire
- 3Sign
BAA executed prior to PHI access — gated by procurement
- 4Monitor
Annual re-attestation, posture monitoring, breach drill
OCR civil monetary penalties
Four tiers. Documented intent matters.
Penalties scale with culpability. Demonstrating good-faith compliance reduces exposure.
OCR-ready, not OCR-vulnerable
Run safeguards, BAAs, and breach decisions in one platform built for healthcare data.