Controls & Evidence
HIPAA Security Rule readiness evaluates your controls across multiple domains. For each domain, reviewers look for evidence that controls are designed properly and operating effectively. Below are the core control domains with minimum requirements and example evidence artifacts.
What reviewers look for: Reviewers don't just check that policies exist. They verify that controls are operating as described, that evidence is produced on schedule, and that gaps are tracked and remediated. The evidence examples below show what "operating effectiveness" looks like in practice. In the requirement lists, (R) marks a required implementation specification and (A) an addressable one. Addressable does not mean optional: the entity must implement the specification, implement a documented equivalent alternative, or document why it is not reasonable and appropriate in its environment.
Security Management Process
Comprehensive risk analysis of ePHI, risk mitigation measures, sanction policies, and regular audit log review.
Requirements
- (R) Conduct accurate and thorough risk analysis of ePHI
- (R) Implement security measures to reduce risks to a reasonable and appropriate level
- (R) Sanction policy for workforce members who violate security policies
- (R) Regular review of information system activity including audit logs and access reports
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| Risk analysis report covering all ePHI systems and data flows | Security Officer | Annually |
| Risk register with risk ratings, mitigation plans, and residual risk acceptance | Security Officer | Quarterly |
| Sanction policy document with acknowledgment signatures | HR / Compliance | Annually reviewed |
| Audit log review records with findings and follow-up actions | IT Security | Monthly |
Workforce Security and Security Awareness Training
Authorization and supervision procedures, workforce clearance, termination controls, and security awareness training.
Requirements
- (A) Authorization and supervision procedures for workforce members accessing ePHI
- (A) Workforce clearance procedures to determine appropriate ePHI access
- (A) Termination procedures to revoke access upon separation or role change
- (R) Security awareness and training program for all workforce members
- (A) Security reminders and updates
- (A) Protection from malicious software training
- (A) Log-in monitoring awareness
- (A) Password management training
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| Training completion records with dates and attestations for all workforce members | HR / Training Coordinator | Annually |
| Workforce clearance documentation and background check records | HR | Event-driven (onboarding) |
| Termination checklist with access revocation timestamps | HR + IT | Event-driven (offboarding) |
| Security awareness training materials and curriculum | Security Officer | Annually reviewed |
Access Control
Unique user identification, emergency access procedures, automatic logoff, and encryption of ePHI at rest.
Requirements
- (R) Unique user identification — assign a unique name or number to each user
- (R) Emergency access procedure for obtaining ePHI during an emergency
- (A) Automatic logoff after a predetermined period of inactivity
- (A) Encryption and decryption of ePHI at rest
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| User ID policy prohibiting shared or generic accounts | IT Security | Annually reviewed |
| Emergency access procedures with break-glass account documentation | IT Security | Annually tested |
| Session timeout configuration evidence across ePHI systems | IT Operations | Quarterly verified |
| Encryption status report for ePHI storage systems | IT Security | Quarterly |
Audit Controls
Hardware, software, and procedural mechanisms to record and examine activity in ePHI systems.
Requirements
- (R) Implement hardware, software, and procedural mechanisms to record and examine activity in information systems containing ePHI
- (R) Procedures for monitoring log-in attempts and reporting discrepancies
- (R) Retention of audit logs for a period consistent with documentation retention requirements
- (R) Regular review of audit logs and activity reports
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| Audit log configuration documentation for all ePHI systems | IT Security | Annually reviewed |
| Log review records with reviewer sign-off and findings | IT Security | Monthly |
| SIEM dashboard or centralized log aggregation configuration | IT Security | Quarterly verified |
| Log retention policy aligned with HIPAA six-year documentation requirement | Compliance Officer | Annually reviewed |
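The monthly log review record above is only evidence of operating effectiveness if the reviewer actually applies defined checks to the logs. The following script is an added example (not code from the page or from any product it describes) of what such a check looks like in practice: it parses a small constructed audit extract and produces the findings a reviewer would sign off on. The log format, the field names, the thresholds, the business-hours window and the list of generic account names are all assumptions of this example and would come from the entity's own procedures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample extract in a simple key=value format. Real sources (syslog, EHR audit
# tables, JSON from a SIEM) differ; only parse_log() needs to change for those.
SAMPLE_LOG = """\
2024-06-03T08:02:11 user=jdoe src=10.0.4.21 event=login_ok
2024-06-03T08:05:40 user=jdoe src=10.0.4.21 event=record_view record=MRN-000123
2024-06-03T22:14:02 user=asmith src=10.0.9.7 event=record_view record=MRN-000456
2024-06-03T23:01:10 user=rlee src=203.0.113.5 event=login_fail
2024-06-03T23:01:14 user=rlee src=203.0.113.5 event=login_fail
2024-06-03T23:01:19 user=rlee src=203.0.113.5 event=login_fail
2024-06-03T23:01:25 user=rlee src=203.0.113.5 event=login_fail
2024-06-03T23:01:31 user=rlee src=203.0.113.5 event=login_fail
2024-06-03T23:01:44 user=rlee src=203.0.113.5 event=login_ok
2024-06-04T09:15:00 user=frontdesk src=10.0.4.30 event=login_ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)"
    r"(?: record=(?P<record>\S+))?$"
)


def parse_log(text):
    """Parse the extract into event dicts; an unparseable line is an error, not something to drop."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable audit line: {line!r}")
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def review_log(text, fail_threshold=5, window_minutes=10, business_hours=(7, 19),
               generic_accounts=("frontdesk", "admin", "nursestation")):
    """Return the findings for the review record. Thresholds, hours and the generic-account
    list are assumptions of this example, not figures from the page."""
    window = timedelta(minutes=window_minutes)
    recent_fails = defaultdict(list)   # (user, src) -> failure timestamps inside the window
    burst_reported = set()             # report each burst once, not on every further failure
    findings = []

    def note(kind, ev, detail):
        findings.append({"finding": kind, "user": ev["user"], "detail": detail,
                         "at": ev["ts"].isoformat()})

    for ev in sorted(parse_log(text), key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["event"] == "login_fail":
            # keep only failures still inside the sliding window, then add this one
            recent_fails[key] = [t for t in recent_fails[key] if ev["ts"] - t <= window] + [ev["ts"]]
            if len(recent_fails[key]) >= fail_threshold and key not in burst_reported:
                note("failed_login_burst", ev, f"{len(recent_fails[key])} failures from {ev['src']}")
                burst_reported.add(key)
        elif ev["event"] == "login_ok":
            if len(recent_fails[key]) >= fail_threshold:
                # a success right after a burst is worth a human look (lockout not enforced? guessed password?)
                note("success_after_failures", ev,
                     f"login succeeded after {len(recent_fails[key])} failures from {ev['src']}")
            recent_fails[key] = []
            burst_reported.discard(key)
            if ev["user"] in generic_accounts:
                note("generic_account_login", ev, "shared/generic account used; individual accountability lost")
        elif ev["event"] == "record_view":
            start, end = business_hours
            if not (start <= ev["ts"].hour < end):
                note("after_hours_ephi_access", ev,
                     f"record {ev['record']} viewed at {ev['ts'].strftime('%H:%M')}")
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f['at']}  {f['finding']:<24} {f['user']:<10} {f['detail']}")
```

Each finding carries the user, the timestamp and a one-line reason, which is what the "findings and follow-up actions" column of the review record needs; the reviewer's sign-off then documents the disposition of each one. The generic-account check ties the audit review back to the unique user identification policy: a login by a shared account is a policy violation even when nothing else about it looks unusual.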
Integrity and Person or Entity Authentication
Mechanisms to authenticate ePHI, verify it has not been altered, and authenticate persons or entities.
Requirements
- (A) Mechanism to authenticate ePHI and verify its integrity
- (A) Mechanism to corroborate that ePHI has not been altered or destroyed in an unauthorized manner
- (R) Person or entity authentication — verify the identity of persons or entities seeking access to ePHI
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| Integrity verification reports (checksums, hash validations) for ePHI databases | IT Operations | Monthly |
| Authentication system configuration and multi-factor authentication enrollment records | IT Security | Quarterly reviewed |
| Hash verification records for ePHI backups and archives | IT Operations | Per backup cycle |
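The "hash verification records" artifact is produced by hashing the backup set when it is written and re-hashing it at each verification. The script below is an added example (not code from the page or from any backup product) of that cycle: it builds a SHA-256 manifest for a directory, signs the manifest with an HMAC so that a manifest edited to match tampered files is itself detected, and on verification reports files that were modified, lost, or added. The directory layout, file contents and HMAC key are constructed for the demonstration; a real key must be stored separately from the backups it protects.

```python
import hashlib
import hmac
import json
import os
import tempfile

CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so large backup files never need to fit in memory


def sha256_file(path):
    """SHA-256 of a file's contents, streamed."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root, '/' separators) to its SHA-256."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = sha256_file(full)
    return entries


def sign_manifest(entries, key):
    """Serialize deterministically and attach an HMAC-SHA256 tag. Without the tag, whoever can
    alter a backup file can also rewrite its recorded hash and the check would pass."""
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_manifest(root, body, tag, key):
    """Check the manifest's tag, then re-hash root and diff it against the recorded hashes."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return {"manifest_tampered": True, "modified": [], "missing": [], "added": []}
    recorded = json.loads(body)
    current = build_manifest(root)
    return {
        "manifest_tampered": False,
        "modified": sorted(p for p in recorded if p in current and current[p] != recorded[p]),
        "missing": sorted(p for p in recorded if p not in current),
        "added": sorted(p for p in current if p not in recorded),
    }


def run_sample():
    """Constructed backup set: a clean verification, then damage, then a forged manifest."""
    key = b"constructed-demo-key; a real key lives in a secrets store, not beside the backups"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "db"))
        with open(os.path.join(root, "db", "patients.bak"), "wb") as fh:
            fh.write(b"row1\nrow2\n")
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"nightly backup\n")
        body, tag = sign_manifest(build_manifest(root), key)
        clean = verify_manifest(root, body, tag, key)

        with open(os.path.join(root, "db", "patients.bak"), "ab") as fh:  # silent modification
            fh.write(b"row3\n")
        os.remove(os.path.join(root, "notes.txt"))                        # lost file
        with open(os.path.join(root, "extra.bin"), "wb") as fh:           # unexpected file
            fh.write(b"\x00")
        damaged = verify_manifest(root, body, tag, key)

        forged = verify_manifest(root, body + b" ", tag, key)             # manifest edited after signing
    return clean, damaged, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "damaged", "forged"), run_sample()):
        print(label, json.dumps(result))
```

The verification result, together with the manifest tag and the date, is the record that goes in the "per backup cycle" evidence file; a non-empty modified or missing list, or a tampered manifest, is a finding that feeds the incident procedures rather than something to overwrite with a fresh manifest.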
Transmission Security
Integrity controls and encryption for ePHI transmitted over electronic communications networks.
Requirements
- (A) Integrity controls to ensure ePHI is not improperly modified during transmission
- (A) Encryption of ePHI transmitted over electronic communications networks
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| TLS configuration records showing minimum version and cipher suite settings | IT Security | Quarterly reviewed |
| VPN configuration documentation for remote ePHI access | IT Operations | Annually reviewed |
| Encrypted email policy and gateway configuration | IT Security | Annually reviewed |
| Network architecture diagram showing encryption points for ePHI data flows | IT Security | Annually updated |
Physical Safeguards
Facility access controls, workstation use and security, and device and media handling procedures.
Requirements
- (A) Contingency operations — procedures for facility access during emergency operations
- (A) Facility security plan documenting physical safeguards
- (R) Access control and validation procedures for facilities containing ePHI
- (A) Maintenance records for physical security modifications
- (R) Workstation use policies specifying proper functions and physical environment
- (R) Workstation security — physical safeguards restricting access to authorized users
- (R) Device and media disposal procedures for ePHI-containing hardware
- (A) Media re-use procedures ensuring ePHI removal before re-use
- (R) Accountability — maintain records of hardware and media movements
- (A) Data backup and storage before moving equipment containing ePHI
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| Facility access logs and badge reader reports | Facilities / Physical Security | Monthly reviewed |
| Workstation use and security policy documents | IT Security | Annually reviewed |
| Media disposal and sanitization certificates | IT Operations | Event-driven |
| Hardware and media movement tracking log | IT Asset Management | Event-driven |
Contingency Plan
Data backup, disaster recovery, emergency mode operations, and testing and revision of contingency procedures.
Requirements
- (R) Data backup plan — establish and implement procedures to create and maintain exact copies of ePHI
- (R) Disaster recovery plan — establish procedures to restore ePHI data lost during an emergency
- (R) Emergency mode operation plan — procedures to enable continuation of critical business processes during an emergency
- (A) Testing and revision procedures for contingency plans
- (A) Applications and data criticality analysis
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| Backup verification records with restoration test results | IT Operations | Monthly |
| Disaster recovery plan document with defined RTOs and RPOs | IT Security / Business Continuity | Annually reviewed |
| Emergency mode operation procedures and activation criteria | Security Officer | Annually reviewed |
| Contingency plan test results and lessons learned | IT Security | Annually |
Business Associate Contracts
Written agreements ensuring business associates safeguard ePHI, report incidents, and flow down requirements to subcontractors.
Requirements
- (R) Written business associate agreement (BAA) with satisfactory assurances that the BA will appropriately safeguard ePHI
- (R) BAA must specify permitted and required uses and disclosures of ePHI
- (R) BA obligation to report security incidents to the covered entity
- (R) BA must ensure subcontractors agree to the same restrictions and conditions
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| BAA register listing all business associates with agreement status and renewal dates | Compliance Officer | Quarterly reviewed |
| Executed BAA agreements with current signatures | Legal / Compliance | Event-driven (new relationships) |
| BA risk assessment and due diligence documentation | Security Officer | Annually |
| BA subcontractor agreement tracking log | Compliance Officer | Annually reviewed |
Security Incident Procedures and Breach Notification
Identification, response, mitigation, and documentation of security incidents, including breach notification requirements.
Requirements
- (R) Identify and respond to suspected or known security incidents
- (R) Mitigate harmful effects of security incidents to the extent practicable
- (R) Document security incidents and their outcomes
- (R) Breach notification to HHS within 60 days for breaches affecting 500 or more individuals
- (R) Notification to affected individuals without unreasonable delay
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| Incident response plan with roles, escalation paths, and contact information | Security Officer | Annually reviewed |
| Security incident log with classification, timeline, and resolution details | IT Security | Per incident |
| Breach notification records including HHS submissions and individual notices | Compliance Officer / Privacy Officer | Per incident |
| Post-incident review and corrective action documentation | Security Officer | Per incident |
Evidence Naming Conventions
Organized, traceable evidence is critical for a smooth review. Adopting a consistent convention makes evidence retrieval faster and reduces friction.
Recommended format:
ControlID_System_ArtifactType_YYYY-MM-DD_Period_Owner_v#
Key principles for evidence management:
- Centralized repository with access control and version history
- Consistent naming across all control domains and artifact types
- Defined cadence for each evidence type: event-driven, monthly, quarterly, or annual
- Immutable exports where possible to demonstrate evidence integrity
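A naming convention only reduces friction if it is enforced and if someone can tell from the repository listing whether each cadence is being met. The script below is an added example (not code from the page) that parses file names against the recommended format, rejects names that do not conform, and then, given the cadence for each artifact type, reports every control/system/artifact combination whose newest evidence is older than its cadence allows. The sample file names, the use of regulation citations as ControlIDs, the cadence-to-days windows and the treatment of the Period field as free text are all assumptions of this example.

```python
import re
from datetime import date

# ControlID_System_ArtifactType_YYYY-MM-DD_Period_Owner_v#   (an optional file extension may follow)
# Underscore is the field separator, so no field may contain one. Path separators are excluded too.
# Anything else is allowed in ControlID, so citations such as 164.308(a)(1)(ii)(D) work as IDs.
NAME_RE = re.compile(
    r"^(?P<control_id>[^_/\\]+)_"
    r"(?P<system>[^_/\\]+)_"
    r"(?P<artifact_type>[^_/\\]+)_"
    r"(?P<date>\d{4}-\d{2}-\d{2})_"
    r"(?P<period>[^_/\\]+)_"
    r"(?P<owner>[^_/\\]+)_"
    r"v(?P<version>\d+)"
    r"(?:\.[A-Za-z0-9]+)?$"
)

# Maximum age in days of the newest artifact before a cadence counts as missed.
# These windows are an assumption of this example, not figures from the page.
# Event-driven artifacts have no fixed deadline and are deliberately absent.
CADENCE_MAX_AGE_DAYS = {"monthly": 31, "quarterly": 92, "annual": 366}


def parse_evidence_name(name):
    """Return the parsed fields, or None when the name violates the convention."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    fields = m.groupdict()
    try:
        fields["date"] = date.fromisoformat(fields["date"])  # rejects impossible dates such as 2024-02-30
    except ValueError:
        return None
    fields["version"] = int(fields["version"])
    return fields


def check_evidence(names, cadence_by_artifact_type, as_of):
    """Split names into conforming and non-conforming, then flag stale evidence.

    Returns (nonconforming_names, stale) where each stale entry is
    ((control_id, system, artifact_type), newest_date_iso, age_in_days)."""
    nonconforming = []
    latest = {}  # (control_id, system, artifact_type) -> (date, version) of the newest artifact
    for name in names:
        fields = parse_evidence_name(name)
        if fields is None:
            nonconforming.append(name)
            continue
        key = (fields["control_id"], fields["system"], fields["artifact_type"])
        stamp = (fields["date"], fields["version"])
        if key not in latest or stamp > latest[key]:
            latest[key] = stamp

    stale = []
    for key, (newest, _version) in sorted(latest.items()):
        max_age = CADENCE_MAX_AGE_DAYS.get(cadence_by_artifact_type.get(key[2]))
        if max_age is None:  # event-driven, or an artifact type with no recorded cadence
            continue
        age = (as_of - newest).days
        if age > max_age:
            stale.append((key, newest.isoformat(), age))
    return nonconforming, stale


# Constructed sample: four conforming names and one that a reviewer would bounce.
SAMPLE_NAMES = [
    "164.308(a)(1)(ii)(D)_EHR-Prod_AuditLogReview_2024-05-31_2024-05_ITSec_v1.pdf",
    "164.308(a)(1)(ii)(D)_EHR-Prod_AuditLogReview_2024-06-30_2024-06_ITSec_v1.pdf",
    "164.312(a)(2)(iv)_EHR-Prod_EncryptionStatus_2024-03-31_2024-Q1_ITSec_v2.xlsx",
    "164.308(a)(1)(ii)(A)_Enterprise_RiskAnalysis_2023-11-01_FY2023_SecOfficer_v3.docx",
    "audit log review june.pdf",
]
SAMPLE_CADENCE = {
    "AuditLogReview": "monthly",
    "EncryptionStatus": "quarterly",
    "RiskAnalysis": "annual",
    "DisposalCert": "event-driven",
}


def run_sample(as_of_iso="2024-07-15"):
    """Run the check over the constructed sample as of a given review date."""
    return check_evidence(SAMPLE_NAMES, SAMPLE_CADENCE, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    nonconforming, stale = run_sample()
    print("non-conforming names:", nonconforming)
    for key, newest, age in stale:
        print(f"STALE {key[2]} for {key[0]} on {key[1]}: newest {newest}, {age} days old")
```

Running this against a repository export at the start of each review is how the "defined cadence" principle becomes checkable: the stale list is the gap register for evidence itself, and the non-conforming list catches artifacts that exist but cannot be retrieved by control or period.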
AI and data companies: Standard controls are the baseline. See the AI-specific advisory modules for additional controls addressing data governance, prompt logging, RAG security, and model vendor risk.