Audit-ready export
One click. Every policy, every piece of evidence, every framework mapping — packaged the way auditors actually want it.
20 of 27 HITRUST requirements satisfied with linked evidence. The remaining 7 are flagged for fixes below.
Evidence locked at export time
Auditors get a tidy zip file with each section already labeled to their request list.
Policy binder
11 sections
Every approved policy & procedure with version + signature page.
Control matrix
27 controls
HITRUST requirement → AuditPilot control → status, with evidence links.
Evidence bundle
8 artifacts
Screenshots, exports, BAA PDFs, training rosters — already named & timestamped.
Cover letter
Auto-signed
Owner attestation, scope statement, period of performance.
HITRUST controls passing
18 / 27
Each contributes to your coverage %.
BAAs on file
3 / 4
PHI-handling vendors with current BAA.
Training complete
6 / 10
Annual workforce HIPAA & phishing.
Incidents closed
2 / 3
With timeline + risk assessment.
2 of 4 passing
| HITRUST requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| 01.q User Authentication for External Connections | Multi-factor authentication enforced for all users (AP-AC-001) | Failing | 1 Microsoft 365 MFA enforcement export |
| 01.b User Registration | Unique user accounts (no shared logins) (AP-AC-002) | Passing | 1 Microsoft 365 MFA enforcement export |
| 01.e Review of User Access Rights | Access reviewed quarterly (AP-AC-003) | In progress | 1 Q1 access review sign-off |
| 02.i Removal of Access Rights | Departing workforce access revoked within 24 hours (AP-AC-004) | Passing | None — upload to satisfy |
2 of 4 passing
| HITRUST requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| 06.d Cryptographic Controls | Full-disk encryption on all workstations (AP-DV-001) | Failing | 1 BitLocker compliance report — Sept 2026 |
| 09.j Controls Against Malicious Code | Endpoint protection (antivirus / EDR) installed and current (AP-DV-002) | Passing | 1 Bitdefender protection coverage |
| 10.k Change Control Procedures | Operating system and security patches applied within 30 days (AP-DV-003) | In progress | None — upload to satisfy |
| 01.t Session Time-out | Automatic screen lock after 10 minutes of inactivity (AP-DV-004) | Passing | None — upload to satisfy |
2 of 3 passing
| HITRUST requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| 10.m Information Backup | Daily encrypted backups with offsite copy (AP-DP-001) | Passing | 1 Datto backup verification — week 14 |
| 12.c Business Continuity Testing | Quarterly backup restore test documented (AP-DP-002) | Needs review | 1 Datto backup verification — week 14 |
| 09.s Information Exchange | Email and file transfer encrypted in transit (AP-DP-003) | Passing | None — upload to satisfy |
2 of 3 passing
| HITRUST requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| 09.m Network Controls | Business-grade firewall with active subscription (AP-NS-001) | Passing | 1 Firewall subscription renewal — SonicWall TZ470 |
| 09.m Network Segregation | Guest Wi-Fi isolated from clinical network (AP-NS-002) | In progress | None — upload to satisfy |
| 01.j User Authentication for External Connections | VPN required for remote access to clinical systems (AP-NS-003) | Passing | None — upload to satisfy |
2 of 2 passing
| HITRUST requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| 09.aa Audit Logging | Audit logs retained for at least 6 years (AP-ML-001) | Passing | None — upload to satisfy |
| 09.ab Monitoring System Use | Failed login alerts configured (AP-ML-002) | Passing | None — upload to satisfy |
1 of 2 passing
| HITRUST requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| 11.a Reporting Information Security Events | Documented incident response plan (AP-IR-001) | Passing | None — upload to satisfy |
| 11.c Learning from Incidents | Annual incident response tabletop exercise (AP-IR-002) | In progress | None — upload to satisfy |
1 of 2 passing
| HITRUST requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| 05.k Addressing Security in Third Party Agreements | BAA on file for every vendor handling PHI (AP-VM-001) | Failing | None — upload to satisfy |
| 05.i Identification of Risks Related to External Parties | Vendor risk assessed before onboarding (AP-VM-002) | Passing | None — upload to satisfy |
1 of 2 passing
| HITRUST requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| 02.e Information Security Awareness, Education, and Training | Annual HIPAA training completed by every workforce member (AP-TR-001) | Passing | 1 Annual HIPAA training roster |
| 02.e Awareness Reinforcement | Quarterly phishing simulation (AP-TR-002) | Needs review | None — upload to satisfy |
2 of 2 passing
| HITRUST requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| 04.a Information Security Policy Document | Approved HIPAA Privacy & Security policy binder (AP-PO-001) | Passing | 1 HIPAA Privacy & Security policy binder v3.1 |
| 03.a Risk Management Program Development | Annual risk analysis on file (AP-PO-002) | Passing | None — upload to satisfy |
2 of 2 passing
| HITRUST requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| 08.b Physical Entry Controls | Server / network closet physically secured (AP-PH-001) | Passing | None — upload to satisfy |
| 08.c Securing Offices, Rooms, Facilities | Visitor sign-in maintained at front desk (AP-PH-002) | Passing | None — upload to satisfy |
1 of 1 passing
| HITRUST requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| 12.b Business Continuity and Risk Assessment | Documented contingency / disaster recovery plan (AP-BC-001) | Passing | None — upload to satisfy |
Already working with an auditor?
We can deliver this package directly to their secure portal — most of our auditor partners accept AuditPilot exports without re-formatting. Generated Apr 20, 2026.