NSAuditor AI EE produces a §164.312 Technical Safeguards pre-audit gap report mapped to the HIPAA Security Rule (45 CFR §164.312, 2013 Final Rule). Signed artifacts, RFC 3161 trusted timestamps, SHA-256 chain-of-custody, suppression workflow, R/A discipline enforced per HHS — and Zero BAA required because ePHI never leaves your infrastructure.
SHIPPED 2026-05-21 in EE 0.9.0: HIPAA Security Rule §164.312 is the second supported compliance framework alongside SOC 2. The engine reads data/compliance/hipaa.json with 175 mappings inherited from soc2.json's grep-verified pattern set plus HIPAA-grounded rationales. Single scan with --compliance soc2,hipaa produces both evidence packs. Zero engine / CLI changes — parseFrameworks already accepts CSV. See the SOC 2 coverage matrix for the SOC 2 framework.
NSAuditor AI EE generates §164.312 Technical Safeguards evidence — and ONLY §164.312. It maps cloud infrastructure findings (AWS, Azure, GCP) and network scan results to specific HIPAA Technical Safeguard control IDs, produces signed evidence artifacts (cover-page Scope Attestation, SHA-256 chain-of-custody sidecars, RFC 3161 trusted-timestamps, cryptographic suppression signing — all at the same institutional grade as the SOC 2 framework), and ships HIPAA reports in machine-readable form suitable for HIPAA-focused GRC platform ingestion.
It is not a §164.308 Administrative Safeguards evidence source (workforce training, sanction policies, contingency planning, BAAs, security incident procedures — pair with Drata HIPAA, Vanta HIPAA, Compliancy Group, Tugboat Logic). It is not a §164.310 Physical Safeguards evidence source (facility access controls, workstation security, device/media disposal — pair with facility-management + endpoint-management + asset-disposal vendors). It is not a complete HIPAA Security Rule attestation (§164.312 is one of three safeguard families). It is not a substitute for a §164.308(a)(1)(ii)(A) HIPAA Risk Analysis (this scanner produces input data the analysis can consume but cannot itself BE the risk analysis).
What it IS: the technical-evidence layer for §164.312, complete and auditor-ready; compatible with §164.308(a)(1)(ii)(D) Information System Activity Review and §164.308(a)(7)(ii)(A) Data Backup Plan (provides their technical substrate); compatible with HHS-OCR 2024 ransomware-enforcement guidance via the §164.312(c)(1) Integrity substrate (Logically Air-Gapped Backup Vault cross-verification — the strongest evidence available on the AWS layer for ransomware-resilient ePHI backups).
The market split: HIPAA-focused GRC platforms (Drata HIPAA, Vanta HIPAA, Compliancy Group) automate workforce-policy + BAA-tracking workflow but lack deep cloud-infrastructure scanning; legacy scanners (Tenable, Qualys, Rapid7) produce voluminous CVE reports but don't map findings to §164.312 sub-criteria. NSAuditor's wedge is the bridge — deep scanning + HIPAA-mapped output + same Zero Data Exfiltration architecture used for SOC 2 (no BAA required — ePHI never leaves customer infrastructure).
HIPAA Security Rule specifications carry one of two HHS-defined classifications:
Misrepresenting an Addressable specification as "must-implement" or treating Required as Addressable is overclaiming — auditors specifically test for this discipline. NSAuditor surfaces the R/A classification per control in data/compliance/hipaa.json and in every rendered compliance report.
| §164.312 Spec | R/A | Standard / Implementation Specification |
|---|---|---|
| (a)(1) Access Control | R | Standard |
| (a)(2)(i) Unique User Identification | R | Implementation Specification |
| (a)(2)(ii) Emergency Access Procedure | R | Implementation Specification |
| (a)(2)(iii) Automatic Logoff | A | Implementation Specification |
| (a)(2)(iv) Encryption and Decryption | A | Implementation Specification |
| (b) Audit Controls | R | Standard |
| (c)(1) Integrity | R | Standard |
| (c)(2) Mechanism to Authenticate ePHI | A | Implementation Specification |
| (d) Person or Entity Authentication | R | Standard |
| (e)(1) Transmission Security | R | Standard |
| (e)(2)(i) Integrity Controls (transit) | A | Implementation Specification |
| (e)(2)(ii) Encryption (transit) | A | Implementation Specification |
Source of truth is data/compliance/hipaa.json; this matrix mirrors it. The anchor-drift defense test asserts every (source, titlePattern) pair in hipaa.json exists in soc2.json (inheritance contract — closes the silent false-CLEAN class at the HIPAA mapping layer).
| Status | Count | §164.312 Sub-Criteria |
|---|---|---|
| ✓ Covered | 7 | §164.312(a)(1), (a)(2)(i), (a)(2)(iv), (b), (d), (e)(1), (e)(2)(ii) |
| ⚠ Partial | 3 | §164.312(c)(1), (c)(2), (e)(2)(i) |
| ⚪ OOS within §164.312 | 2 | §164.312(a)(2)(ii), (a)(2)(iii) |
| ⚪ OOS §164.308 entire | 31 | All Administrative Safeguards |
| ⚪ OOS §164.310 entire | 12 | All Physical Safeguards |
Read this: "Covered" means the engine produces direct evidence the auditor can attach to the §164.312 sub-criterion. "Partial" means we evidence one dimension of the control (e.g., backup-substrate integrity but not application-layer record-level checksumming) but not all of it. "Out of scope" means the control is fundamentally not addressable by infrastructure scanning — a different evidence source is required.
Once the EE package is installed and your license is activated, every scan can emit HIPAA evidence by passing --compliance hipaa. The CLI's --compliance flag accepts CSV — added in EE 0.3.0, no flag-parser change needed in 0.9.0.
For the §164.308(a)(8) Evaluation requirement (periodic technical and non-technical evaluation), run the same compliance scan on a fixed cadence; the recurring-attestation module automatically discovers prior scans, builds a chronological matrix across your assessment window, detects cadence gaps and scope drift, and emits the technical-evaluation evidence component. Pair with HR-tracked policy reviews for the non-technical component.
Pre-EE 0.9.0, the engine emitted SOC 2 artifacts only. EE 0.9.0 makes the engine framework-agnostic — loadFrameworkMap reads data/compliance/{framework}.json by parameter, schema-additive fields pass through transparently. One scan with --compliance soc2,hipaa produces separate per-framework artifacts:
| Framework | Citation slot | SLA cadence citation | Identity verification citation |
|---|---|---|---|
| SOC 2 | governance | CC7.1 remediation cadence | CC6.2 / CC6.3 |
| HIPAA | governance (sentinel) | §164.312(b) audit-controls cadence | §164.312(d) Person or Entity Authentication |
HIPAA reports no longer cite SOC 2 control IDs — auditor-detectable cross-framework citation leak closed in EE 0.9.0 via the new frameworkControlCitation(framework, slot) helper. SOC 2 reports remain byte-identical apart from a single-line cosmetic citation-prefix diff (redundant "SOC 2 " prefix removed since the report-level Framework declaration already names the framework). Same findings → two evidence packs; auditors get one HIPAA pre-audit gap report and one SOC 2 pre-audit gap report from a single execution.
Each --compliance hipaa run writes the evidence bundle to out/<scan-id>/. Every artifact ships with a .sha256 integrity sidecar.
| File | Purpose |
|---|---|
| scan_compliance_hipaa.md | Human-readable HIPAA pre-audit gap report — cover-page Scope Attestation, per-control status (PASS/FAIL/PARTIAL/OOS) with §164.312 rule-text citations, per-violation evidence with HIPAA-grounded rationale, Appendix A Cloud Bucket Exposure, Appendix B Accepted Risks & False Positives. |
| scan_compliance_hipaa.html | Standalone HTML version with inline CSS — auditor-friendly visual presentation. |
| scan_compliance_hipaa.json | Machine-readable for GRC platform ingestion. |
| *.sha256 | Per-artifact SHA-256 sidecars — verify with shasum -a 256 -c <file>.sha256. |
| *.tsr / *.tsr.bundle.json | RFC 3161 Time-Stamp Response + TSA cert chain bundle (when complianceTsaUrl set). |
| scan_attestation_hipaa.json | Scope envelope: targets, exclusions, scanner version, scan window, framework + label + version. |
| scan_chain_of_custody_hipaa.json | Links scan-id → finding manifest → suppressions → artifact hashes. |
All artifacts can run side-by-side with the SOC 2 artifacts when --compliance soc2,hipaa is used.
For each control below, the engine produces a finding that the auditor can attach to the §164.312 sub-criterion with a stable HIPAA-grounded rationale. Patterns inherited from soc2.json's grep-verified pattern set; HIPAA-specific rationales cite §164.312 rule text and cross-reference §164.308 information-access-management (§164.308(a)(4)) where appropriate.
"Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4)."
| Source | Example finding | Why it violates §164.312(a)(1) |
|---|---|---|
| auth_agent | SSH password authentication enabled | Password-only SSH violates least-privilege boundary enforcement on the host-access layer to ePHI-bearing systems. |
| aws-iam-deep-auditor | SHADOW ADMIN: User has full wildcard (*) permissions | Shadow admins aggregate effective-admin permissions across attached/inline policies, bypassing intended access restrictions to ePHI-bearing resources (cross-references §164.308(a)(4)). |
| aws-iam-deep-auditor | Shadow admin path (PassRole): user/devops can PassRole + lambda:CreateFunction → admin role | PassRole-mediated privesc — textbook Rhino Security Labs IAM privesc primitive that bypasses access-control boundary on ePHI-bearing workloads. |
| azure-rbac-auditor | RBAC: Owner role assigned at subscription scope | Owner role at subscription scope violates §164.308(a)(4)(ii)(C) — auditors expect just-in-time PIM elevation or limited break-glass identities only. |
| azure-keyvault-auditor | Key Vault network ACL default action is Allow | Key Vault houses cryptographic material protecting ePHI; the access boundary is the network ACL — default=Allow defeats the boundary. |
| gcp-iam-project-auditor | Project IAM policy has bindings granting the 'allUsers' sentinel | Grants role permissions to unauthenticated internet callers — full bypass of access control on any ePHI-bearing GCP project resource. |
| gcp-iam-project-auditor | SA-impersonation path detected | Multi-hop SA-impersonation paths give a principal effective admin to ePHI-bearing GCP resources — equivalent to AWS shadow-admin AssumeRole chains. |
| aws-apigateway-auditor | method 'GET /ePHI-endpoint' has AuthorizationType: NONE | API Gateway method with NONE-auth exposes ePHI integration directly to unauthenticated callers — canonical serverless §164.312(a)(1) violation. |
| aws-lambda-auditor | Lambda function has a public Function URL with AuthType: NONE | Exposes the function to unauthenticated callers — parallel to API Gateway NONE-auth class. |
| aws-iam-effective-decrypt-auditor | IAM principal has effective kms:Decrypt on Resource:* | Account-wide decrypt blast-radius — ePHI confidentiality boundary scope gap (also fires §164.312(a)(2)(iv)). |
| aws-ec2-sg-perimeter-auditor | Security Group has all-protocol (-1) ingress from 0.0.0.0/0 | Catastrophic network-segmentation gap on ePHI-bearing ENIs — every port exposed to public internet. |
| gcp-cloud-storage-auditor | Bucket has IAM binding(s) granting the 'allUsers' sentinel | GCS bucket public exposure — full bypass of access control on bucket-resident ePHI. |
| aws-backup-auditor | Backup vault access policy contains Allow statement(s) granting WILDCARD-Principal | Wildcard-Principal on backup vault permits any AWS account to interact with the vault — defeats the access-control boundary on ePHI backup material. |
"Assign a unique name and/or number for identifying and tracking user identity."
| Source | Example finding | Why it violates §164.312(a)(2)(i) |
|---|---|---|
| auth_agent | SNMP default community string 'public' detected | Shared anonymous credentials defeat the user-identification requirement on monitored ePHI-bearing infrastructure. |
| auth_agent | Anonymous FTP access enabled | Anonymous FTP grants access with NO user identity — all activity attributes to 'anonymous'. |
| aws-ec2-sg-perimeter-auditor | Security Group is not attached to any ENI (orphan SG) | Auditors cannot map orphan SG to a specific workload identity, breaking the auditable-identity chain expected for ePHI-bearing AWS resources. |
"Implement a mechanism to encrypt and decrypt electronic protected health information." Addressable per HHS — but encryption-at-rest is the safe-harbor approach to breach-notification (45 CFR §164.402).
| Source | Example finding | Why it violates §164.312(a)(2)(iv) |
|---|---|---|
| aws-s3-auditor | No default encryption / Server-side encryption not enabled | Direct absence of the encryption mechanism for at-rest ePHI in S3. |
| aws-kms-auditor | Customer-managed KMS key has automatic key rotation DISABLED | Disabled rotation on a CMK protecting ePHI means key bytes never rotate; compromised key remains valid indefinitely. |
| aws-kms-auditor | KMS key policy grants Principal: AWS:* + kms:* | Catastrophic encryption-mechanism failure — any AWS principal can decrypt ePHI protected by this key. |
| aws-rds-auditor | RDS DB instance has storage encryption DISABLED | RDS stores ePHI in cleartext on EBS volumes — direct absence of the encryption mechanism. |
| aws-sqs-sns-auditor | SQS queue / SNS topic has encryption-at-rest DISABLED | Message-bus payloads (potentially carrying ePHI in transit between systems) stored in cleartext at the SQS/SNS storage layer. |
| aws-elasticache-redis-auditor | ElastiCache Redis has at-rest encryption DISABLED | Cached ePHI stored in cleartext. |
| azure-keyvault-auditor | Key Vault purge protection NOT enabled | Permitting permanent destruction of ePHI-protecting key material during 7-90 day retention results in irrevocable encrypted-ePHI loss. |
"Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI." HIPAA reports cite §164.312(b) audit-controls cadence for SLA/MTTR tracking (the analog of SOC 2's CC7.1).
| Source | Example finding | Why it violates §164.312(b) |
|---|---|---|
| aws-cloudtrail-auditor | no trails configured for this account | Catastrophic gap — ZERO record of API activity in AWS account hosting ePHI. |
| aws-cloudtrail-auditor | does not log data events | Granularity gap — management-only CloudTrail misses data-plane (GetObject, GetItem) ePHI access activity. |
| aws-cloudtrail-auditor | log file validation disabled | Cross-references §164.312(c)(1) — log-file-validation enables tamper-detection on the audit log itself. |
| aws-rds-auditor | RDS DB instance (postgres) has pgAudit DISABLED | Database-layer audit gap — pgAudit provides session + object-level audit logging on ePHI tables. |
| aws-rds-auditor | CloudWatch Logs retention below institutional baseline | Audit-retention gap — records age out before HHS-recommended retention horizon (§164.530(j) — 6-year administrative requirement; technical floor must support it). |
| aws-inspector-guardduty-auditor | GuardDuty is NOT ENABLED in region | Cross-references §164.308(a)(1)(ii)(D) Information System Activity Review (admin OOS but technically substrated here). |
"Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed." HIPAA reports cite §164.312(d) for identity-verification (the analog of SOC 2's CC6.2 / CC6.3).
| Source | Example finding | Why it violates §164.312(d) |
|---|---|---|
| aws-iam-deep-auditor | no MFA configured / WITHOUT MFA | Single-factor authentication cannot verify identity to HHS-expected standard for ePHI-access-bearing AWS IAM users. |
| aws-secrets-auditor | Secrets Manager secret has rotation DISABLED / rotation is OVERDUE | Long-lived credentials defeat entity-authentication freshness invariant on ePHI access paths. |
| aws-rds-auditor | RDS DB instance has IAMDatabaseAuthenticationEnabled=true | PASS substrate — short-lived IAM-mediated auth tokens (15-min expiry) replace long-lived passwords for ePHI-bearing RDS instances. |
| aws-elasticache-redis-auditor | ElastiCache Redis has NO authentication configured | Authentication-absent gap — relies SOLELY on Security Group perimeter; defeats entity-authentication entirely on ePHI cache. |
"Implement technical security measures to guard against unauthorized access to ePHI being transmitted over an electronic communications network."
| Source | Example finding | Why it violates §164.312(e)(1) |
|---|---|---|
| crypto_agent | TLSv1.0 / TLSv1.1 / SSLv3 / SSLv2 | Deprecated TLS/SSL with known cryptographic vulnerabilities (POODLE, BEAST) — ePHI in transit exposed to MITM. |
| crypto_agent | Weak cipher suites | RC4 / 3DES / EXPORT-grade nominally encrypts but is cryptographically broken — ePHI in transit at plaintext-recovery risk. |
| aws-rds-auditor | RDS DB instance does NOT enforce SSL connections | Database-transit gap — ePHI transmitted between application and database exposed if client opts out of TLS. |
| aws-sqs-sns-auditor | SQS queue has Policy without Deny on aws:SecureTransport | Message-bus transit gap — permits cleartext HTTP API calls; ePHI in queue messages may transit unencrypted. |
| aws-ses-auditor | SES configuration set TlsPolicy=OPTIONAL | Email-transit policy — OPTIONAL falls back to cleartext SMTP if receiver lacks TLS support. |
Subset of §164.312(e)(1) focused specifically on the encryption mechanism. Patterns mapped: crypto_agent deprecated-protocol + weak-cipher + weak-KEX; aws-rds-auditor SSL enforcement; aws-sqs-sns-auditor SecureTransport Deny; aws-elasticache-redis-auditor transit encryption; aws-ses-auditor TLS policy.
For each control below, NSAuditor evidences ONE dimension of the §164.312 requirement (typically the storage-substrate dimension) but not all dimensions (typically the application-layer record-level dimension). Auditors should pair with application-tier attestations for full coverage.
"Implement policies and procedures to protect ePHI from improper alteration or destruction."
Partial because: Infrastructure scanning evidences the STORAGE-SUBSTRATE integrity dimension (backup-vault immutability, PITR, replication, snapshot retention, KMS-grants integrity on backup keys, GCS retention policies) but cannot evidence APPLICATION-LAYER integrity (per-record checksumming, tamper-detection on database rows, ePHI-payload integrity verification at access time).
"Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner." Subset of §164.312(c)(1) focused on integrity-verification specifically — KMS-policy verifier, KMS-Grants verifier, air-gapped KMS-VPC-endpoint, S3 MFA Delete, CloudTrail log-file validation.
"Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of." Subset of §164.312(e)(1) focused on TLS-integrity substrate — deprecated TLS protocols (integrity-weakening), weak cipher suites (weak MAC), RDS SSL enforcement, ElastiCache transit encryption.
HHS-OCR has highlighted ransomware-resilient ePHI backups in 2024 enforcement actions. Healthcare organizations under HIPAA must demonstrate that backed-up ePHI can be restored in its last-known-good state even after a full source-account compromise. NSAuditor AI EE's aws-backup-auditor plugin provides the strongest substrate evidence available on the AWS layer for this requirement:
A composite-attestation PASS evidences that ePHI backups would survive a full source-account compromise — exactly the §164.312(c)(1) integrity-preservation posture HHS-OCR expects post-ransomware-incident.
The mapping is at data/compliance/hipaa.json under 164.312(c)(1) (also dual-mapped to 164.312(c)(2) for the integrity-verification dimension).
| Spec | R/A | OOS Reason |
|---|---|---|
| §164.312(a)(2)(ii) Emergency Access Procedure | R | Procedural break-glass-runbook control — pair with documented break-glass procedure + workforce training records. |
| §164.312(a)(2)(iii) Automatic Logoff | A | Session-timeout configuration at the application or OS tier — not addressable by API-based infrastructure scanning. |
All §164.308 specifications cover the human-process and governance dimensions of the HIPAA Security Rule: Security Management Process, Assigned Security Responsibility, Workforce Security, Information Access Management, Security Awareness and Training, Security Incident Procedures, Contingency Plan, Evaluation, and Business Associate Contracts. These are governance, training, contractual, and policy-cycle evidence streams — they require HR systems, signed policies, training records, formal risk-register documents, and BAA legal records, none of which infrastructure scanning can produce. Pair NSAuditor with a HIPAA-focused GRC platform (Drata HIPAA, Vanta HIPAA, Compliancy Group, Tugboat Logic) for §164.308 coverage.
Note: §164.312 technical-safeguard substrate evidence DOES inform §164.308(a)(1)(ii)(D) Information System Activity Review and §164.308(a)(7)(ii)(A) Data Backup Plan (technical substrate FOR those administrative reviews), but the formal administrative-process documentation itself is OOS.
All §164.310 specifications cover physical-asset and facility dimensions: Facility Access Controls, Workstation Use, Workstation Security, and Device and Media Controls. These are physical-asset evidence streams — they require building access logs, badge systems, workstation-inventory + endpoint-management records, hardware-disposal certificates (e.g., NAID-certified destruction), and physical chain-of-custody documentation. Pair NSAuditor with facilities-management + endpoint-management + asset-disposal vendors for §164.310 coverage.
The infrastructure-layer KMS-key-disposal substrate (Vault Lock, Key Vault purge protection, multi-region key controls) is mapped under §164.312(a)(2)(iv) Encryption/Decryption — the technical-safeguard counterpart to §164.310(d) media-disposal controls.
HIPAA does not formally use the Type-I / Type-II terminology (that's SOC 2 / SSAE 18 / ISAE 3402 convention). However, HHS-OCR audits typically expect:
scan_compliance_hipaa.* artifacts.
The same architectural principle that makes NSAuditor AI EE a Zero-BAA tool for SOC 2 applies to HIPAA: ePHI never leaves customer infrastructure under any condition. Nsasoft does not see, store, or process customer ePHI. No Business Associate Agreement is needed under HIPAA §160.103 because Nsasoft is not a Business Associate — this is a self-hosted scanner, not a SaaS service. Customer credentials, scan results, and ePHI all remain in customer-managed compute; reports are written to the customer's local out/ directory.
This is the institutional differentiator vs SaaS HIPAA-focused GRC platforms (Drata HIPAA, Vanta HIPAA, Compliancy Group) — those platforms require BAAs because they process customer policy + workforce-training + BAA-tracking data SaaS-side. NSAuditor AI EE pairs with them (covering §164.308 + §164.310 surfaces they specialize in) without BAA scope creep on the §164.312 technical evidence layer.
| Category | Vendor | Wedge | NSAuditor differentiation |
|---|---|---|---|
| HIPAA-focused GRC | Compliancy Group, Drata HIPAA, Vanta HIPAA, Tugboat Logic | Workforce-training tracking, BAA management, policy templates, risk-analysis workflow | NSAuditor produces the §164.312 Technical Safeguards substrate evidence the GRC platform cannot. Complement, not replacement. |
| Legacy security scanners | Tenable, Qualys, Rapid7 | CVE detection at scale | NSAuditor produces §164.312-mapped evidence (the format auditors actually want) rather than raw CVE lists. |
| HIPAA consulting firms | KirkpatrickPrice, Coalfire, A-LIGN | Audit + advisory services | NSAuditor produces the pre-audit gap report the consultant builds the audit on top of — reduces consultant billable hours. |
| AWS-native HIPAA | AWS Audit Manager (HIPAA framework) | Pre-built control assessments using AWS Config | AWS Audit Manager covers AWS-only; NSAuditor adds Azure + GCP + on-prem scanning + cross-cloud bucket dedup + GRC platform push + WORM evidence storage. AWS Audit Manager doesn't produce institutional-grade evidence artifacts (no RFC 3161 timestamps, no Ed25519 suppression signing, no chain-of-custody envelope). |
No. Zero Data Exfiltration architecture means ePHI never leaves customer infrastructure. No BAA needed — Nsasoft is not a Business Associate under §160.103.
No — explicitly only §164.312 Technical Safeguards. §164.308 Administrative + §164.310 Physical are architecturally out of scope. Pair with a HIPAA-focused GRC platform.
No. §164.308(a)(1)(ii)(A) Risk Analysis is a formal documented process. NSAuditor produces input data the risk analysis can consume but cannot itself BE the risk analysis.
Per-control requiredOrAddressable: 'R'|'A' field in data/compliance/hipaa.json surfaced in the rendered report. Addressable specs (e.g., §164.312(a)(2)(iv) Encryption-at-rest) are not over-reported as "must implement".
HHS-OCR has highlighted ransomware-resilient ePHI backups in 2024 enforcement actions. NSAuditor's aws-backup-auditor plugin provides Logically Air-Gapped Backup Vault cross-verification (KMS policy + Grants + replicas + VPC-endpoint composite attestation). A PASS evidences that ePHI backups would survive a full source-account compromise.
No. BAAs are legal documents managed in contract-lifecycle systems (e.g., GRC platforms, contract-management software).
§164.530(j) is administrative — the technical floor must SUPPORT 6-year retention. NSAuditor flags audit-log retention below institutional baseline (aws-rds-auditor CloudWatch Logs retention check). Operator configures the baseline per audit-retention policy.
DKIM/DMARC are email-authentication controls — they evidence cross-organizational sender identity assurance, NOT HIPAA Technical Safeguards. The defense test at tests/hipaa_mapping_anchor_drift.test.mjs explicitly excludes DKIM/DMARC patterns from hipaa.json.