HIPAA Safeguards Mapping
Evidence register for HIPAA Security Rule safeguards (45 CFR §164.308, §164.310, §164.312, plus the organizational and documentation requirements in §164.314 and §164.316). Appended to in every session that implements a relevant safeguard; rows are never rewritten retroactively.
Scope today: staging-side technical safeguards. Prod rollout of the same controls is tracked separately and will land its own evidence rows once Issue #56's production exit criterion is satisfied.
Physical safeguards (§164.310) are inherited rather than implemented directly: we don't run on self-managed hardware, so the AWS and Atlas BAAs cover the facility-level controls. The §164.310 table below records what is inherited and what still applies to workforce workstations.
§164.308 — Administrative safeguards
| Standard | Implementation | Evidence | Last updated |
|---|---|---|---|
| §164.308(a)(1)(ii)(A) — risk analysis | Annual risk register at risk-assessment.md; first version 2026-05-11 with 16 identified risks, each scored Likelihood × Impact and carrying a mitigation, an owner and a follow-up date. Next mandatory review 2027-05-11. | Risk Assessment. | 2026-05-11 |
| §164.308(a)(1)(ii)(B) — risk management | Mitigations per risk row tracked to closure; quarterly access review confirms in-flight mitigations are progressing; new risks identified mid-cycle trigger out-of-cycle review per risk-assessment.md. | Risk Assessment review section; Access reviews. | 2026-05-11 |
| §164.308(a)(1)(ii)(D) — information system activity review | Audit log review cadence: nightly automated drift check (staging-cluster-drift); quarterly access review of agent_audit_log patterns + Atlas database audit + CloudTrail anomalies. | Access Control Policy; Atlas user provisioning runbook Step H; CloudTrail org-trail. | 2026-05-11 |
| §164.308(a)(3) — workforce security (authorization + supervision) | Onboard runbook enforces identity-domain provisioning + MFA enrollment before access; quarterly access review verifies continued appropriateness; offboard runbook enforces same-day revocation; future workforce members get a Workforce Confidentiality Agreement before any PHI access. | Onboard runbook; Offboard runbook; Access Control Policy. | 2026-05-11 |
| §164.308(a)(4) — information access management (least privilege) | Five custom Mongo roles, each scoped to the minimum collection set for its purpose. Six users, each assigned exactly one role. AWS SSO permission sets (admin, power_user, billing_ro, security_audit) scope AWS access. | ADR 0003, Atlas role JSON; Access Control Policy. | 2026-04-17 |
| §164.308(a)(5) — security awareness + training | Onboard runbook includes BAA Workforce Awareness brief (HIPAA = PHI handling rules; no PHI in chat/Claude/Slack/iMessage; secret-handling per CLAUDE.md Security rules). Quarterly access review verifies acknowledgment. Annual refresh required for all workforce members with PHI access. | Onboard runbook — Day 1-7; CLAUDE.md Security rules. | 2026-05-11 |
| §164.308(a)(6) — security incident procedures | Formal Incident Response Plan with roles (IC + Compliance Liaison + Comms Lead), severity classification (SEV-0/1/2/3), 5-step lifecycle, regulatory notification timelines (60-day HIPAA Breach Notification clock from discovery), and operational playbook in security-incident-response runbook. 5 worked-example incidents from 2026 documented. | Incident Response Plan; Security Incident Response runbook. | 2026-05-11 |
| §164.308(a)(7) — contingency plan (data backup, disaster recovery, emergency mode) | Atlas continuous snapshots (7-day point-in-time + daily snapshots for 30 days on M10 tier); S3 versioning + lifecycle on stateful buckets; CloudTrail org-trail to log-archive with 7-year retention; Terraform-managed infrastructure (IaC) enables rebuild from source. Break-glass procedure documented for emergency mode. Full DR playbook to be appended as Phase 5 data load increases. | Atlas backup config; Break-glass runbook; Encryption Policy backup encryption section. | 2026-05-11 |
| §164.308(a)(8) — evaluation (periodic technical + non-technical assessment) | Annual external pen test targeted Q4 2026 (RFQ July 2026); SOC 2 Type II audit at end of Year-1 evidence window (Q3 2027); quarterly access review serves as ongoing self-evaluation between formal audits. | Penetration test reports README; Compliance Automation Vendor Evaluation; Access reviews. | 2026-05-11 |
| §164.308(b) — business associate contracts (BAAs) | Vendor register catalogs all subprocessors with BAA / DPA status; 5 of 11 BAAs signed today (AWS Orgs BAA 2026-04-18, Google Workspace 2026-05-01); Mongo Atlas BAA effective at the M10 HIPAA tier, signed-PDF collection in flight per #57; new vendor adoption gated on BAA-signed-before-data-flows. | Vendor / Subprocessor Register; evidence files in docs/infrastructure/evidence/; #57. | 2026-05-11 |
§164.310 — Physical safeguards
Cloud-only infrastructure; physical safeguards inherited from cloud providers under their respective BAAs.
| Standard | Implementation | Evidence | Last updated |
|---|---|---|---|
| §164.310(a)(1) — facility access controls | AWS data centers (FedRAMP Moderate); Atlas clusters run in the cloud provider's regions on the M10 HIPAA-eligible tier. Inherited under the AWS Organizations BAA and the Atlas BAA. | AWS BAA evidence; Atlas BAA pending PDF per #57. | 2026-05-11 |
| §164.310(b) — workstation use | Founder + ops laptops are the only workstations. CLAUDE.md Security rules govern workstation use (no PHI in chat / Claude / iMessage; secret-handling rules; HubSpot test-data conventions). Endpoint encryption (FileVault) required per Encryption Policy. | CLAUDE.md Security rules; Encryption Policy. | 2026-05-11 |
| §164.310(c) — workstation security | FileVault 2 enabled on all macOS workstations (verified at quarterly access review); MFA required to unlock; no workstation has standing access to production beyond what SSO grants in-session. | Encryption Policy endpoint section; quarterly access review verification. | 2026-05-11 |
| §164.310(d) — device + media controls (disposal + reuse) | Cloud provider handles AWS + Atlas hardware disposal (NIST SP 800-88 in scope of FedRAMP Moderate ATO under AWS BAA). Workforce device disposal handled per Offboard runbook (wipe + return). No removable media in production use. | Encryption Policy decommissioning section; Offboard runbook. | 2026-05-11 |
§164.312 — Technical safeguards
| Standard | Implementation | Evidence | Last updated |
|---|---|---|---|
| §164.312(a)(1) — access control, unique user identification | Each service has a dedicated MongoDB user account (app_writer_survey, app_writer_plans, app_writer_agents, app_admin_agents, audit_reader, app_read_staging). No shared credentials across services. AWS SSO scopes human access; GitHub Actions OIDC scopes CI access. | ADR 0003, Atlas user list; Access Control Policy. | 2026-04-17 |
| §164.312(a)(2)(i) — emergency access procedure | Documented break-glass procedure for emergency-mode AWS access via account root credentials with hardware MFA; every break-glass session writes an audit log row and triggers a post-event review at the next quarterly access review. | Break-Glass Root Login runbook. | 2026-05-11 |
| §164.312(a)(2)(iv) — encryption + decryption (technical safeguard) | All data at rest encrypted: Atlas AES-256 (HIPAA tier on prod cluster); S3 SSE-KMS with project CMKs; Secrets Manager SSE-KMS. Field-level CSFLE-with-AWS-KMS planned before PHI collections created (Phase 5). | Encryption Policy; Risk R-007 — Florence AI encryption posture. | 2026-05-11 |
| §164.312(b) — audit controls | agent_audit_log collection enforced append-only at the database permission layer: role_writer_agents and role_admin_agents have FIND+INSERT only (no UPDATE, no REMOVE), so application roles can add rows but cannot alter or delete existing ones. Read-only access via role_audit_reader. CloudTrail org-trail records every AWS API event with 7-year retention in log-archive S3. Atlas database audit logs at the DB layer. | ADR 0002, role JSON, verification probes passed; CloudTrail org-trail; Atlas audit. | 2026-04-17 |
| §164.312(c) — integrity (mechanism to authenticate data has not been altered) | Append-only audit log makes log tampering observable. S3 versioning on stateful buckets makes object tampering reversible. Git history on the docs + code repo provides tamper-evident provenance. Atlas write-concern + replica-set replication protects against lost or partially applied writes. | ADR 0002; S3 versioning configuration. | 2026-05-11 |
| §164.312(d) — person or entity authentication | AWS SSO with MFA (TOTP today; hardware MFA planned per #67); Atlas org-level MFA enforcement; Google Workspace MFA; GitHub MFA; HubSpot MFA. Phase 5 agent portal will add NIST 800-63B AAL2 (magic link + TOTP per agent platform compliance). | Access Control Policy; #67. | 2026-05-11 |
| §164.312(e)(1) — transmission security | TLS 1.2+ floor enforced on every hop: public → CloudFront, CloudFront → ALB, ALB → ECS, ECS → Atlas (Atlas-enforced floor); SES + Secrets Manager + CloudTrail are reached via AWS-internal endpoints over TLS. Cross-cluster Atlas reference reads use AWS PrivateLink (TLS at the application layer, AWS-backbone-only at the network layer, so the path is doubly protected). | Encryption Policy transmission section; ADR 0004 cross-cluster PrivateLink. | 2026-05-11 |
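The §164.312(b) row above rests on a permission-layer claim (FIND+INSERT only on agent_audit_log) that can silently drift, for example if a role later gains a database-wide `readWrite` grant. The following is an added example of a drift check over that claim; it is not the project's staging-cluster-drift job or its Atlas role JSON. It reads role documents in the shape returned by MongoDB's `rolesInfo` / `db.getRole(name, {showPrivileges: true})` (constructed inline here), and the database name `app_db` and the `role_drifted_example` role are constructed placeholders.

```python
"""Drift check: is agent_audit_log still append-only at the permission layer?

Constructed example, not the project's own tooling. Input documents mirror the
`rolesInfo` shape; "app_db" and the sample roles below are placeholders.
"""
from __future__ import annotations

# The documented posture: application roles may read and append, nothing else.
ALLOWED_ACTIONS = frozenset({"find", "insert"})


def _covers(resource: dict, db: str, coll: str) -> bool:
    """True if a privilege resource applies to db.coll, including wildcards.

    MongoDB expresses "every database" / "every collection" as the empty
    string, and anyResource grants reach every collection in the deployment.
    """
    if resource.get("anyResource"):
        return True
    if resource.get("cluster"):
        return False  # cluster-scoped actions never target a collection
    r_db, r_coll = resource.get("db"), resource.get("collection")
    if r_db not in ("", db):
        return False
    return r_coll in ("", coll)


def effective_privileges(role: dict) -> list[dict]:
    """Prefer the server-expanded list, which already folds in inherited roles."""
    return role.get("inheritedPrivileges") or role.get("privileges", [])


def audit_log_violations(roles: list[dict], db: str, coll: str) -> dict[str, list[str]]:
    """Map role name -> sorted actions beyond find/insert on db.coll.

    An empty result means every supplied role is still append-only on the
    audit log. The check is strict on purpose: any extra action is drift from
    the recorded role JSON, not just update/remove.
    """
    violations: dict[str, list[str]] = {}
    for role in roles:
        extra: set[str] = set()
        for priv in effective_privileges(role):
            if _covers(priv["resource"], db, coll):
                extra |= set(priv["actions"]) - ALLOWED_ACTIONS
        if extra:
            violations[role["role"]] = sorted(extra)
    return violations


# Constructed sample roles. The first two match the posture documented in the
# §164.312(b) row; the third is a hypothetical drifted role whose db-wide
# grant silently covers the audit log.
SAMPLE_ROLES = [
    {
        "role": "role_writer_agents", "db": "admin",
        "privileges": [
            {"resource": {"db": "app_db", "collection": "agent_audit_log"},
             "actions": ["find", "insert"]},
            {"resource": {"db": "app_db", "collection": "agents"},
             "actions": ["find", "insert", "update", "remove"]},
        ],
    },
    {
        "role": "role_audit_reader", "db": "admin",
        "privileges": [
            {"resource": {"db": "app_db", "collection": "agent_audit_log"},
             "actions": ["find"]},
        ],
    },
    {
        "role": "role_drifted_example", "db": "admin",  # hypothetical
        "privileges": [
            {"resource": {"db": "app_db", "collection": ""},
             "actions": ["find", "insert", "update", "remove"]},
        ],
    },
]


def run_check(roles: list[dict] = SAMPLE_ROLES) -> dict[str, list[str]]:
    """Entry point a nightly job would call against live rolesInfo output."""
    return audit_log_violations(roles, "app_db", "agent_audit_log")


if __name__ == "__main__":
    for name, actions in run_check().items():
        print(f"DRIFT: {name} can {', '.join(actions)} on agent_audit_log")
```

Feeding this the live `rolesInfo` output (with `showPrivileges: true`, so inherited built-in roles are expanded) turns the "verification probes passed" evidence into a repeatable nightly assertion rather than a one-time check. Note that it only covers roles; a project-level Atlas admin or a user created outside the role JSON is not visible here, which is why the row also leans on Atlas database audit and CloudTrail.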
§164.314 — Organizational requirements
| Standard | Implementation | Evidence | Last updated |
|---|---|---|---|
| §164.314(a) — business associate contracts | Comprehensive vendor / subprocessor register catalogs every subprocessor with BAA / DPA / FedRAMP status; 5 of 11 vendor BAAs signed (AWS Orgs BAA 2026-04-18; Google Workspace 2026-05-01); Mongo Atlas BAA effective at M10 HIPAA tier (signed-PDF collection in flight per #57); new vendor adoption gated on BAA before any production data flows; quarterly review for status drift. | Vendor / Subprocessor Register; evidence in docs/infrastructure/evidence/; #57. | 2026-05-11 |
§164.316 — Documentation requirements
| Standard | Implementation | Evidence | Last updated |
|---|---|---|---|
| §164.316(a) — policy + procedure documentation | Comprehensive operating-control documentation in docs/security-compliance/ (this directory). Each policy is dated, owned, and reviewed annually. Each control mapping (this file + SOC 2 + EDE) is append-only with timestamped evidence rows. | This directory tree; git history. | 2026-05-11 |
| §164.316(b)(1)(ii) — retention of documentation (6-year minimum) | Compliance documentation lives in version control (git); never deleted. Superseded versions retained as git history. Quarterly access-review documents stamped + archived in-tree. | Git history of this directory; Data Retention Policy. | 2026-05-11 |
| §164.316(b)(2) — availability of documentation to those responsible | Docs are in the team's primary docs site (VitePress build); accessible to all workforce members at any time. New members tour the docs at onboarding per the Onboard runbook. | Docs site URL (docs/.vitepress/config.ts configures the site); onboarding runbook. | 2026-05-11 |
How to add a row
Each session that lands a HIPAA-relevant change MUST append a row here, including a link to the ADR / runbook / session log. Rows are additive and timestamped. If a safeguard is superseded, add a new row rather than editing the old one.