HIPAA Security Rule
Aligned with the HIPAA Security Rule.
The HIPAA Security Rule sets administrative, physical, and technical safeguards for electronic protected health information. AxioRank gives you a live control for the technical safeguards, a Business Associate Agreement, and evidence an auditor can verify offline.
A signed BAA is required before ePHI is processed. HIPAA has no certification regime; this is evidence of safeguards, not a certification.
- Administrative safeguards (164.308)
- Physical safeguards (164.310)
- Technical safeguards (164.312)
- Organizational requirements (164.314)
- Documentation requirements (164.316)
The mapping
Every safeguard, tied to a control that is actually running.
Below, the Security Rule safeguards are paired with the AxioRank capability that addresses each, and we are honest about where we only help in part. This table is generated from the same catalog that computes your live posture and your evidence pack.
Administrative safeguards
Activity review, access management, and incident procedures for ePHI.
- 164.308(a)(1)(ii)(D) Information system activity review: Fully addressed
What the rule asks: Procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
How AxioRank addresses it: Every governed action is written to a retained, tamper-evident log, and the evidence pack reports allow/deny/hold decision counts over the review period, giving reviewers a durable activity record. The covered entity still performs and documents the periodic review itself.
- 164.308(a)(4) Information access management: Partially addressed
What the rule asks: Policies and procedures for authorizing access to electronic protected health information, and for granting and modifying that access.
How AxioRank addresses it: Four-level RBAC, scoped and expiring API keys, and deny-by-default row-level isolation govern access; the exported access review lists members, roles, and MFA/SSO.
- 164.308(a)(5) Security awareness and training: Out of scope
What the rule asks: A security awareness and training program for all members of the workforce, including periodic security reminders.
How AxioRank addresses it: A workforce control. AxioRank does not train your staff; your organization owns the security awareness program.
- 164.308(a)(6) Security incident procedures: Partially addressed
What the rule asks: Policies and procedures to address security incidents, including identifying and responding to suspected or known incidents and mitigating their effects.
How AxioRank addresses it: Incidents correlate automatically from governed-call signals, and response rules quarantine agents or revoke keys to mitigate an event as it happens.
Physical safeguards
Facility controls for the systems that store and process ePHI.
- 164.310(a)(1) Facility access controls: Out of scope
What the rule asks: Policies and procedures to limit physical access to electronic information systems and the facilities in which they are housed.
How AxioRank addresses it: A physical facility control, satisfied by the SOC 2 Type II-audited cloud providers AxioRank runs on; the covered entity relies on those providers' attestations rather than on AxioRank.
Technical safeguards
Access control, audit controls, integrity, authentication, and transmission security.
- 164.312(a)(1) Access control: Partially addressed
What the rule asks: Technical policies and procedures to allow access to ePHI only to persons or software programs that have been granted access rights, including unique user identification.
How AxioRank addresses it: Each human and each agent carries a unique identity; RBAC and scoped, short-lived credentials grant least-privilege access, and every access decision is logged.
- 164.312(b) Audit controls: Fully addressed
What the rule asks: Hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
How AxioRank addresses it: The gateway writes every governed call into an append-only, signed Merkle ledger before it returns a decision, so no call can be served without a record; an auditor can examine the ledger and verify it offline, without access to AxioRank.
- 164.312(c)(1) Integrity: Fully addressed
What the rule asks: Policies, procedures, and mechanisms to protect ePHI from improper alteration or destruction.
How AxioRank addresses it: Hash-chaining and hourly signed tree heads make any alteration, deletion, reordering, or insertion of a record detectable, protecting the integrity of the trail. Records appended since the most recent signed head are covered only once the next head is signed, so a verifier should check the head's timestamp against the period under review.
- 164.312(d) Person or entity authentication: Partially addressed
What the rule asks: Procedures to verify that a person or entity seeking access to ePHI is the one claimed.
How AxioRank addresses it: SAML SSO and enforced MFA authenticate people; agents authenticate with short-lived, scoped credentials instead of shared static secrets.
- 164.312(e)(1) Transmission security: Partially addressed
What the rule asks: Technical security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network.
How AxioRank addresses it: Data is encrypted in transit; information-flow control and egress allowlists stop ePHI from flowing to untrusted sinks or off-list destinations, and ePHI is redacted from the log entry that records the decision.
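The audit-controls and integrity rows above describe one mechanism: a hash-chained, append-only ledger checkpointed by signed tree heads that a reviewer verifies offline. The block below is an added illustration of that mechanism and is not AxioRank's code; it uses an HMAC over a constructed demo key where a production ledger would use an asymmetric signature (so the verifier holds only the public key), and the record fields are invented. It shows why each of alteration, deletion, reordering and insertion trips the verifier, and why records appended after the last signed head are only provisionally trusted.

```python
"""Toy tamper-evident audit ledger with an offline verifier (added example)."""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

GENESIS = "00" * 32
# Constructed demo key (assumption). A real ledger signs tree heads with an asymmetric
# key so the verifier needs only the public half; HMAC keeps this example stdlib-only.
DEMO_KEY = b"demo-tree-head-signing-key"


def canonical(entry: Dict) -> bytes:
    """Deterministic encoding so the same record always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def leaf_hash(entry: Dict, prev_hash: str) -> str:
    """Each leaf commits to its own content and to the previous leaf (hash chain)."""
    return hashlib.sha256(b"\x00" + bytes.fromhex(prev_hash) + canonical(entry)).hexdigest()


def merkle_root(leaf_hashes: List[str]) -> str:
    """Binary Merkle tree over leaf hashes; an odd last node is duplicated per level."""
    if not leaf_hashes:
        return hashlib.sha256(b"").hexdigest()
    level = [bytes.fromhex(h) for h in leaf_hashes]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(b"\x01" + a + b).digest()
                 for a, b in zip(level[0::2], level[1::2])]
    return level[0].hex()


def append(ledger: List[Dict], entry: Dict) -> Dict:
    """Append-only write: the stored record carries its chained hash."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    record = {"entry": entry, "hash": leaf_hash(entry, prev)}
    ledger.append(record)
    return record


def sign_tree_head(ledger: List[Dict], key: bytes = DEMO_KEY) -> Dict:
    """Periodic checkpoint (hourly in the page's description): size + root, signed."""
    size = len(ledger)
    root = merkle_root([r["hash"] for r in ledger])
    sig = hmac.new(key, f"{size}:{root}".encode(), hashlib.sha256).hexdigest()
    return {"size": size, "root": root, "sig": sig}


def verify(ledger: List[Dict], head: Dict, key: bytes = DEMO_KEY) -> Tuple[bool, str]:
    """Offline check needing only the ledger, the head and the verification key."""
    expected = hmac.new(key, f"{head['size']}:{head['root']}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(head["sig"], expected):
        return False, "tree head signature invalid"
    if len(ledger) < head["size"]:
        return False, "ledger shorter than signed head (records deleted)"
    prev = GENESIS
    for i, rec in enumerate(ledger):  # recompute the chain from genesis
        if rec["hash"] != leaf_hash(rec["entry"], prev):
            return False, f"hash chain broken at record {i}"
        prev = rec["hash"]
    if merkle_root([r["hash"] for r in ledger[:head["size"]]]) != head["root"]:
        return False, "Merkle root mismatch against signed head"
    if len(ledger) > head["size"]:
        return True, f"ok; {len(ledger) - head['size']} record(s) not yet covered by a signed head"
    return True, "ok"


def tamper_demo() -> Dict[str, Tuple[bool, str]]:
    """Build a four-record ledger, sign a head, then verify several tampered copies."""
    ledger: List[Dict] = []
    for i, decision in enumerate(["allow", "deny", "hold", "allow"]):  # constructed records
        append(ledger, {"seq": i, "agent": "agent-7", "action": "read:record", "decision": decision})
    head = sign_tree_head(ledger)
    results = {"intact": verify(ledger, head)}
    altered = copy.deepcopy(ledger)
    altered[1]["entry"]["decision"] = "allow"          # flip a deny without rehashing
    results["altered"] = verify(altered, head)
    rehashed = copy.deepcopy(altered)                   # attacker also rewrites the chain
    prev = GENESIS
    for rec in rehashed:
        rec["hash"] = leaf_hash(rec["entry"], prev)
        prev = rec["hash"]
    results["altered_and_rehashed"] = verify(rehashed, head)
    deleted = copy.deepcopy(ledger)
    del deleted[2]
    results["deleted"] = verify(deleted, head)
    reordered = copy.deepcopy(ledger)
    reordered[0], reordered[1] = reordered[1], reordered[0]
    results["reordered"] = verify(reordered, head)
    inserted = copy.deepcopy(ledger)
    inserted.insert(1, {"entry": {"seq": 99, "decision": "allow"}, "hash": "ff" * 32})
    results["inserted"] = verify(inserted, head)
    tail = copy.deepcopy(ledger)
    append(tail, {"seq": 4, "agent": "agent-7", "action": "read:record", "decision": "deny"})
    results["appended_after_head"] = verify(tail, head)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in tamper_demo().items():
        print(f"{name:22s} {'PASS' if ok else 'FAIL'}  {reason}")
```

The rehashed case is the one that matters for integrity: an attacker who can rewrite the chain can make it self-consistent, and only the externally held signed head exposes the change. That is also why the trailing-records message is a warning rather than a failure: until the next head is signed, nothing binds those records, which is the window a reviewer should keep in mind when the checkpoint interval is an hour.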
Organizational requirements
The Business Associate Agreement that must be in place for ePHI.
- 164.314(a) Business associate contracts: Out of scope
What the rule asks: A covered entity must obtain satisfactory assurances, through a written Business Associate Agreement, that a business associate will appropriately safeguard ePHI.
How AxioRank addresses it: A contractual control: a signed BAA with AxioRank is required before ePHI is processed. The BAA itself is executed between the parties, not produced by the platform.
Documentation requirements
Written policies and records, retained for six years.
- 164.316(b)(1) Documentation and retention: Partially addressed
What the rule asks: Maintain the policies, procedures, and required records in written form and retain them for six years from creation or last effective date.
How AxioRank addresses it: Governance configuration is exported as code, the signed integrity proof is designed to outlive purged data, and log retention is configurable to meet the six-year requirement. Written policies and procedures remain the covered entity's to author and retain.
Provable, not just stated
Compute your live posture and download the evidence.
Inside the console, the Compliance view projects your live AxioRank configuration onto the Security Rule safeguards and scores your coverage. Export a point-in-time evidence pack with the control mapping, your governance config, decision counts, and the signed, tamper-evident log, so a reviewer can verify it without trusting our word.
Sources
Straight from the regulator.
The Security Rule and its codification, in the publisher's own words.
Meet the HIPAA Security Rule with controls you can prove.
Execute a BAA, map your live AxioRank configuration onto the safeguards, then hand your reviewer an evidence pack they can verify offline.