Compliance engine
27 canonical controls mapped across 4 frameworks. Currently 72% compliant.
Multi-factor authentication enforced for all users
Every user with access to PHI or production systems must authenticate with a second factor (TOTP, push, or hardware token).
Unique user accounts (no shared logins)
Each workforce member has an individually identifiable account. No generic 'frontdesk' or 'doctor' shared logins.
Access reviewed quarterly
A documented quarterly review of who has access to which systems, with approvals from a manager or compliance officer.
Departing workforce access revoked within 24 hours
When someone leaves, their accounts (M365, EHR, VPN, badge access) are disabled within one business day.
Full-disk encryption on all workstations
Every laptop, desktop, and tablet that touches PHI has full-disk encryption (BitLocker on Windows, FileVault on macOS).
Endpoint protection (antivirus / EDR) installed and current
All endpoints run a managed AV/EDR with current signatures and active monitoring.
Operating system and security patches applied within 30 days
Critical OS and application patches are deployed within 30 days of release; security-rated patches within 14 days.
Automatic screen lock after 10 minutes of inactivity
Workstations lock automatically after 10 minutes; this is critical at the front desk where screens face waiting rooms.
Daily encrypted backups with offsite copy
All systems holding PHI are backed up at least daily. Backups are encrypted and at least one copy is stored offsite or in the cloud.
Quarterly backup restore test documented
Backups are not just running — they are actually verified by performing a restore test at least quarterly.
Email and file transfer encrypted in transit
Any electronic transmission of PHI uses TLS 1.2+. Patient-facing email uses an encrypted portal or message-level encryption.
Business-grade firewall with active subscription
A managed, business-grade firewall (SonicWall, Fortinet, Meraki) with active threat protection subscription is in place at every clinic location.
Guest Wi-Fi isolated from clinical network
Patient and guest Wi-Fi is on a separate VLAN/SSID with no route to internal systems or PHI.
VPN required for remote access to clinical systems
Remote workforce members access clinical systems exclusively via a VPN with MFA — no exposed RDP or unauthenticated remote tools.
Audit logs retained for at least 6 years
Sign-in logs, EHR access logs, and security event logs are retained for the HIPAA-required 6-year minimum.
Failed login alerts configured
Repeated failed sign-in attempts and impossible-travel events trigger alerts to the compliance officer.
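The two alert conditions above (a burst of failed sign-ins and an impossible-travel pair of successful sign-ins), as an added illustration that is not part of the original control set or any vendor product; the sign-in events, user names and coordinates are constructed for the example, and the thresholds (5 failures in 10 minutes, 900 km/h) are assumed values a clinic would tune:

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events: (UTC timestamp, user, outcome, lat, lon).
# Coordinates are rough city-level placeholders, not real clinic locations.
SAMPLE_EVENTS = [
    ("2024-03-04T08:00:00", "rn.garcia", "fail", 41.88, -87.63),
    ("2024-03-04T08:00:20", "rn.garcia", "fail", 41.88, -87.63),
    ("2024-03-04T08:00:45", "rn.garcia", "fail", 41.88, -87.63),
    ("2024-03-04T08:01:10", "rn.garcia", "fail", 41.88, -87.63),
    ("2024-03-04T08:01:30", "rn.garcia", "fail", 41.88, -87.63),
    ("2024-03-04T08:05:00", "dr.okafor", "success", 41.88, -87.63),
    ("2024-03-04T08:40:00", "dr.okafor", "success", 51.51, -0.13),
    ("2024-03-04T09:00:00", "frontdesk.lee", "success", 41.88, -87.63),
    ("2024-03-04T17:30:00", "frontdesk.lee", "success", 42.36, -71.06),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def detect_alerts(events, fail_threshold=5, fail_window_s=600, max_speed_kmh=900):
    """Return (alert_type, user, timestamp) tuples for the compliance officer."""
    alerts, failures, last_success = [], {}, {}
    for ts, user, outcome, lat, lon in sorted(events):
        t = datetime.fromisoformat(ts)
        if outcome == "fail":
            # Keep only failures inside the sliding window, then add this one.
            window = [x for x in failures.get(user, []) if (t - x).total_seconds() <= fail_window_s]
            window.append(t)
            failures[user] = window
            if len(window) >= fail_threshold:
                alerts.append(("repeated_failures", user, ts))
                failures[user] = []  # one alert per burst, not one per extra failure
        elif outcome == "success":
            prev = last_success.get(user)
            if prev is not None:
                pt, plat, plon = prev
                hours = (t - pt).total_seconds() / 3600
                km = haversine_km(plat, plon, lat, lon)
                # Implied travel speed between consecutive successful sign-ins.
                if hours > 0 and km / hours > max_speed_kmh:
                    alerts.append(("impossible_travel", user, ts))
            last_success[user] = (t, lat, lon)
    return alerts
```

Running `detect_alerts(SAMPLE_EVENTS)` flags the five-failure burst and the sign-in that would require flying Chicago to London in 35 minutes, while the same-day Chicago to Boston pair stays silent.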
Documented incident response plan
A written incident response plan that defines roles, escalation, breach-notification timing, and recovery steps.
Annual incident response tabletop exercise
At least one tabletop exercise per year that walks the clinic through a simulated breach.
BAA on file for every vendor handling PHI
Every third party that creates, receives, maintains, or transmits PHI on the clinic's behalf has a current, signed Business Associate Agreement.
Vendor risk assessed before onboarding
Before introducing a new vendor that touches PHI or critical systems, document a risk assessment.
Annual HIPAA training completed by every workforce member
Every workforce member (including new hires within 30 days) completes documented HIPAA Privacy & Security training annually.
Quarterly phishing simulation
Workforce members are tested with a simulated phishing email at least quarterly; click rates are tracked over time.
Approved HIPAA Privacy & Security policy binder
A complete, approved, version-controlled set of HIPAA policies covering Privacy Rule, Security Rule, and Breach Notification.
Annual risk analysis on file
A documented risk analysis identifying threats, vulnerabilities, likelihood, and impact for systems that handle PHI.
Server / network closet physically secured
Networking equipment and any on-prem servers are stored in a locked room or rack with limited key access.
Visitor sign-in maintained at front desk
All non-workforce visitors are logged with name, time in, time out, and host.