In the last few months, especially soon after the release of the Azure Security and Compliance Blueprint – HIPAA/HITRUST Health Data and AI, many customers asked for an executive dashboard with scorecards at the HIPAA control-category level.

As we worked with industry-leading CISOs, compliance advisors and IT directors, we learned that most want the same information, but at different levels of detail. We are making a series of improvements to that end.

  1. Scorecard at compliance category level: the dashboard now pivots on compliance categories. We heard you! Details are below.
  2. More coverage: more HIPAA controls, more Azure resource providers, and more. We heard you! Details are below.
  3. Drill-down to Azure resource providers and specific Azure resources: although the policy titles and recommendations name the resource providers, you have told us to add explicit filters for Azure resource providers. Watch this space for more on this…

With a recent release, we have updated both the dashboard and the policy mapping to reflect the HIPAA requirements more accurately.

You will notice that the scorecard is now pivoted to HIPAA control categories.

The control categories included are:

1. Administrative Safeguards – Security Management Process

Implement policies and procedures to prevent, detect, contain, and correct security violations. HIPAA citation / controls automated:

  • 164.308(a)(1)(i)

2. Administrative Safeguards – Business Continuity

Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. HIPAA citation / controls automated:

  • 164.308(a)(7)(i)
  • 164.308(a)(7)(ii)(A)

3. Administrative Safeguards – Vulnerability Management

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. HIPAA citation / controls automated:

  • 164.308(a)(1)(ii)(A)

4. Technical Safeguards – Access Controls

Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights (the cited control is the technical access-control standard; facility access is covered separately under 164.310). HIPAA citation / controls automated:

  • 164.312(a)(1)

5. Technical Safeguards – Data Transmission Security

Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. HIPAA citation / controls automated:

  • 164.312(e)(1)

6. Technical Safeguards – Audit Controls

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. HIPAA citation / controls automated:

  • 164.312(b)

7. Technical Safeguards – Encrypt ePHI

Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. HIPAA citation / controls automated:

  • 164.312(e)(2)(ii)

8. Technical Safeguards – Integrity of ePHI

Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. HIPAA citation / controls automated:

  • 164.312(c)(1)
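How the category pivot works in practice, as an added example that is not code from the blueprint or its dashboard: the Python below rolls per-resource policy compliance results up into the control categories listed above and exposes the per-category drill-down to non-compliant resources. The category-to-citation mapping is the one on this page; the policy names, resource IDs and compliance states are constructed sample data, and the assumption that each policy record carries exactly one HIPAA citation is ours (in Azure the records would come from Azure Policy compliance results, for example the Az.PolicyInsights cmdlet Get-AzPolicyState, joined to the blueprint's policy mapping). Two practitioner caveats are built in: a category with no evaluated resources scores "n/a" rather than 100%, so missing coverage cannot show as green, and citations outside the mapping are surfaced under an "Unmapped" row rather than dropped.

```python
from dataclasses import dataclass

# Control category -> HIPAA citations automated, as listed on this page.
CATEGORY_CITATIONS = {
    "Administrative Safeguards - Security Management Process": ["164.308(a)(1)(i)"],
    "Administrative Safeguards - Business Continuity": ["164.308(a)(7)(i)", "164.308(a)(7)(ii)(A)"],
    "Administrative Safeguards - Vulnerability Management": ["164.308(a)(1)(ii)(A)"],
    "Technical Safeguards - Access Controls": ["164.312(a)(1)"],
    "Technical Safeguards - Data Transmission Security": ["164.312(e)(1)"],
    "Technical Safeguards - Audit Controls": ["164.312(b)"],
    "Technical Safeguards - Encrypt ePHI": ["164.312(e)(2)(ii)"],
    "Technical Safeguards - Integrity of ePHI": ["164.312(c)(1)"],
}

UNMAPPED = "Unmapped (citation not in the category list)"


@dataclass(frozen=True)
class PolicyState:
    """One policy evaluation of one resource (record shape assumed for this example)."""
    policy: str       # policy definition display name
    citation: str     # HIPAA citation the policy is mapped to (assumed one per policy)
    resource_id: str  # evaluated Azure resource
    compliant: bool


# Constructed sample data: policy names and resource IDs are illustrative, not real Azure built-ins.
SAMPLE_STATES = [
    PolicyState("Storage encryption at rest (sample)", "164.312(e)(2)(ii)", "/sub/rg/storage/sa1", True),
    PolicyState("Storage encryption at rest (sample)", "164.312(e)(2)(ii)", "/sub/rg/storage/sa2", False),
    PolicyState("Diagnostic logging enabled (sample)", "164.312(b)", "/sub/rg/vm/vm1", True),
    PolicyState("Diagnostic logging enabled (sample)", "164.312(b)", "/sub/rg/sql/sql1", True),
    PolicyState("Secure transfer required (sample)", "164.312(e)(1)", "/sub/rg/storage/sa1", False),
    PolicyState("NSG attached to subnet (sample)", "164.312(a)(1)", "/sub/rg/vnet/subnet1", True),
    PolicyState("SQL vulnerability assessment (sample)", "164.308(a)(1)(ii)(A)", "/sub/rg/sql/sql1", False),
    PolicyState("Facility access review (sample)", "164.310(a)(1)", "/sub/rg/vm/dc1", True),
]


def citation_index(mapping):
    """Invert category -> citations into citation -> category for direct lookup."""
    index = {}
    for category, citations in mapping.items():
        for citation in citations:
            index[citation] = category
    return index


def scorecard(states, mapping=CATEGORY_CITATIONS):
    """Return {category: {"compliant": n, "total": n, "score": percent or None}}.

    A category with no evaluated resources scores None rather than 100%, so
    missing policy coverage is not displayed as a green scorecard. Citations
    absent from the mapping are collected under UNMAPPED so they stay visible.
    """
    index = citation_index(mapping)
    counts = {category: {"compliant": 0, "total": 0} for category in mapping}
    counts[UNMAPPED] = {"compliant": 0, "total": 0}
    for state in states:
        category = index.get(state.citation, UNMAPPED)
        counts[category]["total"] += 1
        if state.compliant:
            counts[category]["compliant"] += 1
    card = {}
    for category, c in counts.items():
        score = None if c["total"] == 0 else round(100.0 * c["compliant"] / c["total"], 1)
        card[category] = {"compliant": c["compliant"], "total": c["total"], "score": score}
    return card


def noncompliant_resources(states, category, mapping=CATEGORY_CITATIONS):
    """Drill-down: sorted (policy, resource_id) pairs failing any policy in the category."""
    wanted = set(mapping.get(category, []))
    return sorted((s.policy, s.resource_id) for s in states
                  if s.citation in wanted and not s.compliant)


def render(card):
    """Plain-text scorecard, one row per category."""
    lines = []
    for category, c in card.items():
        shown = "n/a (no evaluations)" if c["score"] is None else f"{c['score']:.1f}%"
        lines.append(f"{category:<60} {c['compliant']:>3}/{c['total']:<3} {shown}")
    return "\n".join(lines)


if __name__ == "__main__":
    card = scorecard(SAMPLE_STATES)
    print(render(card))
    print("Non-compliant in Encrypt ePHI:",
          noncompliant_resources(SAMPLE_STATES, "Technical Safeguards - Encrypt ePHI"))
```

Running the block as a script prints the category table and the Encrypt ePHI drill-down. To use it against a real subscription, replace SAMPLE_STATES with records built from your policy compliance export and your policy-to-citation mapping; the "n/a" rows then tell you which categories have no automated control evaluating anything yet.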


Let us know what you think.