HIPAA Controls
We are not lawyers and this is not legal advice.
It is your responsibility to determine which laws apply to you and how best to comply with them. When in doubt, consult your Data Protection Officer (DPO) or equivalent.
Click on the links below to navigate the documentation by control.
HIPAA S5 - Security Management Process - Information System Activity Review - § 164.308(a)(1)(ii)(D)
HIPAA S12 - Information Access Management - Isolating Healthcare Clearinghouse Functions - § 164.308(a)(4)(ii)(A)
HIPAA S13 - Information Access Management - Access Authorization - § 164.308(a)(4)(ii)(B)
HIPAA S14 - Information Access Management - Access Establishment and Modification - § 164.308(a)(4)(ii)(C)
HIPAA S16 - Security Awareness and Training - Security Reminders - § 164.308(a)(5)(ii)(A)
HIPAA S17 - Security Awareness, Training, and Tools - Protection from Malicious Software - § 164.308(a)(5)(ii)(B)
HIPAA S18 - Security Awareness, Training, and Tools - Log-in Monitoring - § 164.308(a)(5)(ii)(C)
HIPAA S20 - Security Incident Procedures - § 164.308(a)(6)
HIPAA S23 - Contingency Plan - Data Backup Plan - § 164.308(a)(7)(ii)(A)
HIPAA S24 - Contingency Plan - Disaster Recovery Plan - § 164.308(a)(7)(ii)(B)
HIPAA S26 - Contingency Plan - Testing and Revision Procedure - § 164.308(a)(7)(ii)(D)
HIPAA S29 - Business Associate Contracts and Other Arrangements - § 164.308(b)(1)
HIPAA S31 - Facility Access Controls - § 164.310(a)(1)
HIPAA S32 - Facility Access Controls - Contingency Operations - § 164.310(a)(2)(i)
HIPAA S33 - Facility Access Controls - Facility Security Plan - § 164.310(a)(2)(ii)
HIPAA S34 - Facility Access Controls - Access Control and Validation Procedures - § 164.310(a)(2)(iii)
HIPAA S35 - Facility Access Controls - Maintain Maintenance Records - § 164.310(a)(2)(iv)
HIPAA S39 - Device and Media Controls - Disposal - § 164.310(d)(2)(i)
HIPAA S43 - Access Control - § 164.312(a)(1)
HIPAA S44 - Access Control - Unique User Identification - § 164.312(a)(2)(i)
HIPAA S45 - Access Control - Emergency Access Procedure - § 164.312(a)(2)(ii)
HIPAA S47 - Access Control - Encryption and Decryption - § 164.312(a)(2)(iv)
HIPAA S48 - Audit Controls - § 164.312(b)
HIPAA S52 - Transmission Security - § 164.312(e)(1)
HIPAA S53 - Transmission Security - Integrity Controls - § 164.312(e)(2)(i)
HIPAA S54 - Transmission Security - Encryption - § 164.312(e)(2)(ii)
Other HIPAA Controls
HIPAA controls are taken from these documents:
- HIPAA Security Series - Security Standards: Administrative Safeguards
- HIPAA Security Series - Security Standards: Physical Safeguards
- HIPAA Security Series - Security Standards: Technical Safeguards
The following controls are outside the scope of Compliant Kubernetes and must be implemented by the organization operating Compliant Kubernetes. ISO 27001-certified Compliant Kubernetes operators, such as Elastisys, already have the corresponding processes in place.
- S1 - Security Management Process - § 164.308(a)(1)
- S2 - Security Management Process - Risk Analysis - § 164.308(a)(1)(ii)(A)
- S3 - Security Management Process - Risk Management - § 164.308(a)(1)(ii)(B)
- S4 - Security Management Process - Sanction Policy - § 164.308(a)(1)(ii)(C)
- S6 - Assigned Security Responsibility - § 164.308(a)(2)
- S7 - Workforce Security - § 164.308(a)(3)
- S8 - Workforce Security - Authorization and/or Supervision - § 164.308(a)(3)(ii)(A)
- S9 - Workforce Security - Workforce Clearance Procedure - § 164.308(a)(3)(ii)(B)
- S10 - Workforce Security - Establish Termination Procedures - § 164.308(a)(3)(ii)(C)
- S11 - Information Access Management - § 164.308(a)(4)
- S15 - Security Awareness and Training - § 164.308(a)(5)
- S19 - Security Awareness, Training, and Tools - Password Management - § 164.308(a)(5)(ii)(D)
- S21 - Security Incident Procedures - Response and Reporting - § 164.308(a)(6)(ii)
- S22 - Contingency Plan - § 164.308(a)(7)
- S25 - Contingency Plan - Emergency Mode Operation Plan - § 164.308(a)(7)(ii)(C)
- S27 - Contingency Plan - Application and Data Criticality Analysis - § 164.308(a)(7)(ii)(E)
- S28 - Evaluation - § 164.308(a)(8)
- S30 - Business Associate Contracts and Other Arrangements - Written Contract or Other Arrangement - § 164.308(b)(4)
- S36 - Workstation Use - § 164.310(b)
- S37 - Workstation Security - § 164.310(c)
- S38 - Device and Media Controls - § 164.310(d)(1)
- S40 - Device and Media Controls - Media Re-use - § 164.310(d)(2)(ii)
- S41 - Device and Media Controls - Accountability - § 164.310(d)(2)(iii)
- S42 - Device and Media Controls - Data Backup and Storage Procedures - § 164.310(d)(2)(iv)
- S46 - Access Control - Automatic Logoff - § 164.312(a)(2)(iii)
!!! important
    Compliant Kubernetes API access is configured to require a new OpenID flow every 12 hours.
- S49 - Integrity - § 164.312(c)(1)
- S50 - Integrity - Mechanism to Authenticate ePHI - § 164.312(c)(2)
- S51 - Person or Entity Authentication - § 164.312(d)