Audit-ready export
One click. Every policy, every piece of evidence, every framework mapping — packaged the way auditors actually want it.
20 of 26 HIPAA requirements satisfied with linked evidence. The remaining 6 are flagged for fixes below.
Evidence locked at export time
Auditors get a tidy zip file with each section already labeled to their request list.
- Policy binder (11 sections): Every approved policy & procedure with version + signature page.
- Control matrix (26 controls): HIPAA requirement → AuditPilot control → status, with evidence links.
- Evidence bundle (8 artifacts): Screenshots, exports, BAA PDFs, training rosters — already named & timestamped.
- Cover letter (auto-signed): Owner attestation, scope statement, period of performance.
- HIPAA controls passing: 18 / 26. Each contributes to your coverage %.
- BAAs on file: 3 / 4. PHI-handling vendors with current BAA.
- Training complete: 6 / 10. Annual workforce HIPAA & phishing.
- Incidents closed: 2 / 3. With timeline + risk assessment.
2 of 4 passing
| HIPAA requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| §164.312(d) Person or Entity Authentication | Multi-factor authentication enforced for all users (AP-AC-001) | Failing | 1 Microsoft 365 MFA enforcement export |
| §164.312(a)(2)(i) Unique User Identification | Unique user accounts (no shared logins) (AP-AC-002) | Passing | 1 Microsoft 365 MFA enforcement export |
| §164.308(a)(4) Information Access Management | Access reviewed quarterly (AP-AC-003) | In progress | 1 Q1 access review sign-off |
| §164.308(a)(3)(ii)(C) Termination Procedures | Departing workforce access revoked within 24 hours (AP-AC-004) | Passing | None — upload to satisfy |
2 of 4 passing
| HIPAA requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| §164.312(a)(2)(iv) Encryption and Decryption | Full-disk encryption on all workstations (AP-DV-001) | Failing | 1 BitLocker compliance report — Sept 2026 |
| §164.308(a)(5)(ii)(B) Protection from Malicious Software | Endpoint protection (antivirus / EDR) installed and current (AP-DV-002) | Passing | 1 Bitdefender protection coverage |
| §164.308(a)(1)(ii)(B) Risk Management | Operating system and security patches applied within 30 days (AP-DV-003) | In progress | None — upload to satisfy |
| §164.310(b) Workstation Use | Automatic screen lock after 10 minutes of inactivity (AP-DV-004) | Passing | None — upload to satisfy |
2 of 3 passing
| HIPAA requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| §164.308(a)(7)(ii)(A) Data Backup Plan | Daily encrypted backups with offsite copy (AP-DP-001) | Passing | 1 Datto backup verification — week 14 |
| §164.308(a)(7)(ii)(D) Testing and Revision Procedures | Quarterly backup restore test documented (AP-DP-002) | Needs review | 1 Datto backup verification — week 14 |
| §164.312(e)(1) Transmission Security | Email and file transfer encrypted in transit (AP-DP-003) | Passing | None — upload to satisfy |
2 of 3 passing
| HIPAA requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| §164.308(a)(1)(ii)(D) Information System Activity Review | Business-grade firewall with active subscription (AP-NS-001) | Passing | 1 Firewall subscription renewal — SonicWall TZ470 |
| §164.312(a)(1) Access Control | Guest Wi-Fi isolated from clinical network (AP-NS-002) | In progress | None — upload to satisfy |
| §164.312(e)(1) Transmission Security | VPN required for remote access to clinical systems (AP-NS-003) | Passing | None — upload to satisfy |
2 of 2 passing
| HIPAA requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| §164.316(b)(2) Time Limit | Audit logs retained for at least 6 years (AP-ML-001) | Passing | None — upload to satisfy |
| §164.308(a)(5)(ii)(C) Log-in Monitoring | Failed login alerts configured (AP-ML-002) | Passing | None — upload to satisfy |
1 of 2 passing
| HIPAA requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| §164.308(a)(6) Security Incident Procedures | Documented incident response plan (AP-IR-001) | Passing | None — upload to satisfy |
| §164.308(a)(7)(ii)(D) Testing and Revision | Annual incident response tabletop exercise (AP-IR-002) | In progress | None — upload to satisfy |
1 of 2 passing
| HIPAA requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| §164.308(b)(1) Business Associate Contracts | BAA on file for every vendor handling PHI (AP-VM-001) | Failing | None — upload to satisfy |
| §164.308(a)(1)(ii)(A) Risk Analysis | Vendor risk assessed before onboarding (AP-VM-002) | Passing | None — upload to satisfy |
1 of 1 passing
| HIPAA requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| §164.308(a)(5) Security Awareness and Training | Annual HIPAA training completed by every workforce member (AP-TR-001) | Passing | 1 Annual HIPAA training roster |
2 of 2 passing
| HIPAA requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| §164.316(a) Policies and Procedures | Approved HIPAA Privacy & Security policy binder (AP-PO-001) | Passing | 1 HIPAA Privacy & Security policy binder v3.1 |
| §164.308(a)(1)(ii)(A) Risk Analysis | Annual risk analysis on file (AP-PO-002) | Passing | None — upload to satisfy |
2 of 2 passing
| HIPAA requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| §164.310(a)(1) Facility Access Controls | Server / network closet physically secured (AP-PH-001) | Passing | None — upload to satisfy |
| §164.310(a)(2)(iii) Access Control and Validation | Visitor sign-in maintained at front desk (AP-PH-002) | Passing | None — upload to satisfy |
1 of 1 passing
| HIPAA requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| §164.308(a)(7)(i) Contingency Plan | Documented contingency / disaster recovery plan (AP-BC-001) | Passing | None — upload to satisfy |
Already working with an auditor?
We can deliver this package directly to their secure portal — most of our auditor partners accept AuditPilot exports without re-formatting.

Generated Apr 20, 2026.