Important

  • Covers: Technical Safeguards (164.312) and parts of Administrative Safeguards (164.308)
  • Does not cover: Physical Safeguards (164.310), BAAs, or organizational policies
  • Use AuditKit as part of a broader HIPAA compliance program, not as a sole assessment

Coverage Summary

AuditKit maps cloud infrastructure checks to HIPAA Security Rule requirements across three providers:

Cloud Provider | HIPAA Mappings | Key Services Checked
---------------|----------------|----------------------------------------------------------------------
AWS            | 106            | IAM, S3, EC2, RDS, CloudTrail, KMS, VPC, Lambda, SageMaker, Redshift
Azure          | 63             | Entra ID, Storage, SQL, Key Vault, NSGs, Defender, Activity Logs
GCP            | 46             | IAM, Cloud Storage, Cloud SQL, KMS, Logging, Compute, VPC
Total          | 215            |

CFR Sections Covered

Technical Safeguards (45 CFR 164.312)

Section           | Requirement                | What AuditKit Checks
------------------|----------------------------|-------------------------------------------------------------------------
164.312(a)(1)     | Access Control             | IAM policies, security groups, public access restrictions
164.312(a)(2)(i)  | Unique User Identification | MFA enforcement, root account security, individual accounts
164.312(a)(2)(iv) | Encryption                 | Encryption at rest (S3, EBS, RDS, KMS) and in transit (TLS)
164.312(b)        | Audit Controls             | CloudTrail, VPC flow logs, activity logging, metric filters
164.312(c)(1)     | Integrity Controls         | Versioning, backup policies, log validation, point-in-time recovery (PITR)
164.312(d)        | Authentication             | Password policies, credential rotation, MFA
164.312(e)(1)     | Transmission Security      | TLS enforcement, network security, VPC configuration

Administrative Safeguards (45 CFR 164.308)

Section              | Requirement           | What AuditKit Checks
---------------------|-----------------------|-------------------------------------------------------------
164.308(a)(1)(ii)(D) | Security Assessment   | Security services enabled (GuardDuty, Defender, SCC)
164.308(a)(3)(i)     | Workforce Access      | IAM user management, unused credentials, access keys
164.308(a)(4)(ii)    | Credential Management | Key rotation, unused credential detection
164.308(a)(5)(ii)(B) | Security Updates      | Auto-patching, managed instance compliance
164.308(a)(5)(ii)(D) | Password Management   | Password policies, minimum length, reuse prevention, expiry
164.308(a)(6)(ii)    | Security Incidents    | GuardDuty/Defender/SCC alerting configuration
164.308(a)(7)(ii)(A) | Contingency Plan      | Backup configurations, multi-AZ, disaster recovery

What AuditKit Does NOT Cover

HIPAA compliance requires more than technical infrastructure checks. You still need:

  • Physical Safeguards (164.310) — facility access, workstation security, device controls
  • Business Associate Agreements — contracts with vendors handling PHI
  • Risk Assessment Documentation — formal written risk analysis
  • Workforce Training — security awareness training records
  • Incident Response Plan — breach notification procedures
  • Policies & Procedures — written, dated, signed organizational policies

Running a HIPAA Scan

# AWS HIPAA scan
auditkit scan -provider aws -framework hipaa

# Azure HIPAA scan
auditkit scan -provider azure -framework hipaa

# GCP HIPAA scan
auditkit scan -provider gcp -framework hipaa

# PDF report for compliance team
auditkit scan -provider aws -framework hipaa -format pdf -output hipaa-report.pdf

Recommended Approach

  1. Run AuditKit — identify Technical Safeguard gaps across your cloud infrastructure
  2. Fix critical issues — use the remediation commands AuditKit provides
  3. Address Administrative Safeguards — policies, training, risk assessment (manual)
  4. Address Physical Safeguards — facility controls, device management (manual)
  5. Engage a HIPAA consultant — for formal risk assessment and gap analysis