
Technical Safeguards

HIPAA Rule: §164.312

Technical safeguards are the technology, and the policies and procedures for its use, that protect electronic PHI (ePHI) and control access to it (§164.312). Each table below maps one standard's implementation specifications to the AWS mechanism chosen for it and the current deployment status.

Access Control (§164.312(a))

| Requirement | Implementation | Status |
|---|---|---|
| Unique user identification | IAM users + application accounts | ✅ Policy in place |
| Emergency access procedure | Break-glass IAM role + root recovery | ❌ Runbook needed |
| Automatic logoff | Console: 1-hour idle; App: 30-min idle | ❌ Not confirmed |
| Encryption and decryption | KMS customer managed keys (CMKs) | ❌ Not yet deployed |

See Access Control Policy.

Audit Controls (§164.312(b))

| Mechanism | Tool | Status |
|---|---|---|
| AWS API activity | CloudTrail (multi-region) | ❌ Not deployed |
| Network activity | VPC Flow Logs | ❌ Not deployed |
| Application activity | CloudWatch Logs (app-level logging) | ❌ Unconfirmed |
| S3 access | S3 Server Access Logging | ❌ Not deployed |

See Audit Logging Policy.

Integrity (§164.312(c))

| Requirement | Implementation | Status |
|---|---|---|
| PHI alteration / destruction detection | CloudTrail + S3 versioning | ❌ Partial |
| CloudTrail log integrity | Log file validation (SHA-256 digest chain) | ❌ Not deployed |
| Database integrity | RDS automated backups + point-in-time recovery | ❌ Not confirmed |
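The "CloudTrail log integrity" row relies on CloudTrail log file validation: every hour CloudTrail writes a digest file listing each delivered log object with its SHA-256 hash, plus the hash of the previous digest, so the digests form a chain. The script below is an added example (not part of this page or the project's own tooling) that performs the hash side of that verification against constructed sample objects and shows a tampered log object being caught. The S3 keys, account ID and record contents are made up; the digest field names (`logFiles`, `s3Object`, `hashValue`, `hashAlgorithm`, `previousDigestHashValue`) are the ones CloudTrail digests use, and the hash is assumed to be over the object bytes as stored in S3 (still gzipped). Signature verification of the digest itself (`SHA256withRSA` with the key from `cloudtrail:ListPublicKeys`, which `aws cloudtrail validate-logs` performs) is left out, so this check alone will not catch an attacker who can rewrite both the log and the digest.

```python
"""Verify CloudTrail log objects against a digest file (hash chain only, no signature)."""
from __future__ import annotations

import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(digest: dict, objects: dict[str, bytes],
                  previous_digest: bytes | None = None) -> dict:
    """
    digest:          parsed digest JSON (the CloudTrail-Digest/... object, gunzipped)
    objects:         S3 key -> raw bytes (as stored, still gzipped) of each listed log object
    previous_digest: raw bytes of the previous digest object, if available

    Every log object must hash to the hashValue the digest recorded for it, and the
    previous digest must hash to previousDigestHashValue (the link in the chain).
    """
    report = {"verified": [], "mismatched": [], "missing": [], "chain_ok": None}
    for entry in digest["logFiles"]:
        if entry.get("hashAlgorithm", "SHA-256") != "SHA-256":
            raise ValueError(f"unexpected hashAlgorithm {entry['hashAlgorithm']}")
        key = entry["s3Object"]
        blob = objects.get(key)
        if blob is None:
            report["missing"].append(key)          # object deleted or never fetched
        elif sha256_hex(blob) == entry["hashValue"].lower():
            report["verified"].append(key)
        else:
            report["mismatched"].append(key)       # object altered after delivery
    if previous_digest is not None:
        report["chain_ok"] = (sha256_hex(previous_digest)
                              == digest["previousDigestHashValue"].lower())
    report["ok"] = (not report["missing"] and not report["mismatched"]
                    and report["chain_ok"] is not False)
    return report


def _gz(records: list[dict]) -> bytes:
    # mtime=0 keeps the gzip header deterministic so sample hashes are reproducible
    return gzip.compress(json.dumps({"Records": records}).encode(), mtime=0)


def sample_digest() -> tuple[dict, dict[str, bytes], bytes]:
    """Constructed sample (not real account data): two log objects, a prior digest, and
    the digest that describes them."""
    prefix = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/01/"
    objects = {
        prefix + "123456789012_CloudTrail_us-east-1_20240501T1200Z_a.json.gz":
            _gz([{"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
                  "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app-api"}}]),
        prefix + "123456789012_CloudTrail_us-east-1_20240501T1205Z_b.json.gz":
            _gz([{"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
                  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}}]),
    }
    previous_digest = b'{"digestEndTime": "2024-05-01T12:00:00Z", "logFiles": []}'
    digest = {
        "awsAccountId": "123456789012",
        "digestStartTime": "2024-05-01T12:00:00Z",
        "digestEndTime": "2024-05-01T13:00:00Z",
        "previousDigestS3Object": "AWSLogs/123456789012/CloudTrail-Digest/us-east-1/"
                                  "2024/05/01/123456789012_CloudTrail-Digest_us-east-1_"
                                  "20240501T120000Z.json.gz",
        "previousDigestHashValue": sha256_hex(previous_digest),
        "previousDigestHashAlgorithm": "SHA-256",
        "logFiles": [{"s3Object": key, "hashValue": sha256_hex(data), "hashAlgorithm": "SHA-256"}
                     for key, data in objects.items()],
    }
    return digest, objects, previous_digest


def tamper(objects: dict[str, bytes], key: str) -> dict[str, bytes]:
    """Return a copy in which the given log object has had its records stripped out."""
    return {**objects, key: _gz([])}


if __name__ == "__main__":
    digest, objects, prev = sample_digest()
    print("clean:   ", verify_digest(digest, objects, prev))
    victim = digest["logFiles"][1]["s3Object"]   # the object holding the DeleteObject event
    print("tampered:", verify_digest(digest, tamper(objects, victim), prev))
```

In production the inputs come from the trail's bucket: list the `CloudTrail-Digest/` prefix, walk the chain backwards via `previousDigestS3Object`, and fetch each listed log object. The `missing` list matters as much as `mismatched`: deleting a log object is the simplest way to hide an event, and only a digest check (or S3 Object Lock on the bucket) surfaces it.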

Transmission Security (§164.312(e))

| Requirement | Implementation | Status |
|---|---|---|
| Guard against unauthorized access to ePHI in transit | VPC + security groups | ❌ Not confirmed |
| Encryption in transit | TLS 1.2+ on all endpoints | ❌ Not confirmed |
| HTTPS enforcement | ALB listener (HTTP to HTTPS redirect) + WAF | ❌ Not deployed |

See Encryption Policy.
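Most rows in the Audit Controls, Integrity and Transmission Security tables are marked "Not confirmed", and the way to confirm them is to evaluate the account's actual configuration rather than the policy document. The following is an added example (not part of this page or the project's own tooling) of a compliance-as-code check: it takes a snapshot shaped like the outputs of `aws cloudtrail describe-trails` / `get-trail-status`, `aws s3api get-bucket-versioning` / `get-bucket-logging`, `aws ec2 describe-flow-logs` and `aws elbv2 describe-listeners`, and returns one pass/fail finding per table row and resource. The snapshot contents, trail/bucket/VPC names and the ALB ARN are constructed; `TLS12_PLUS_POLICIES` is an assumed allow-list of ALB predefined SSL policies that refuse TLS 1.0/1.1, to be extended for any other policy you have verified.

```python
"""Evaluate a configuration snapshot against the technical-safeguard rows above."""
from __future__ import annotations

from typing import NamedTuple


class Finding(NamedTuple):
    control: str   # row label from the tables above
    resource: str
    passed: bool
    detail: str


# ALB predefined SSL policies that reject TLS 1.0/1.1. Assumed allow-list: the
# default ELBSecurityPolicy-2016-08 still negotiates TLS 1.0 and is not on it.
TLS12_PLUS_POLICIES = {
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
}


def check_cloudtrail(trails: list[dict], statuses: dict[str, dict]) -> list[Finding]:
    """trails: describe-trails trailList; statuses: trail name -> get-trail-status output."""
    if not trails:
        return [Finding("AWS API activity", "account", False, "no trail exists")]
    out = []
    for t in trails:
        name = t["Name"]
        logging_on = bool(statuses.get(name, {}).get("IsLogging"))
        multi = bool(t.get("IsMultiRegionTrail"))
        out.append(Finding("AWS API activity", name, multi and logging_on,
                           f"IsMultiRegionTrail={multi} IsLogging={logging_on}"))
        out.append(Finding("CloudTrail log integrity", name,
                           bool(t.get("LogFileValidationEnabled")),
                           "LogFileValidationEnabled must be true (SHA-256 digests)"))
        out.append(Finding("Encryption and decryption", name, bool(t.get("KmsKeyId")),
                           "trail objects must be SSE-KMS encrypted (KmsKeyId set)"))
    return out


def check_buckets(buckets: dict[str, dict]) -> list[Finding]:
    """buckets: name -> {"versioning": get-bucket-versioning, "logging": get-bucket-logging}."""
    out = []
    for name, cfg in buckets.items():
        versioned = cfg.get("versioning", {}).get("Status") == "Enabled"
        out.append(Finding("PHI alteration / destruction detection", name, versioned,
                           "S3 versioning retains prior versions of altered/deleted objects"))
        # get-bucket-logging returns an empty document when logging is off
        logged = "LoggingEnabled" in cfg.get("logging", {})
        out.append(Finding("S3 access", name, logged, "server access logging target set"))
    return out


def check_flow_logs(vpc_ids: list[str], flow_logs: list[dict]) -> list[Finding]:
    """A VPC passes only if an ACTIVE flow log is attached to it."""
    active = {f["ResourceId"] for f in flow_logs if f.get("FlowLogStatus") == "ACTIVE"}
    return [Finding("Network activity", v, v in active, "ACTIVE VPC flow log attached")
            for v in vpc_ids]


def check_listeners(listeners: list[dict]) -> list[Finding]:
    """listeners: describe-listeners Listeners for the ALB in front of the application."""
    out = []
    for ln in listeners:
        res = f"{ln['LoadBalancerArn'].split('/')[-2]}:{ln['Port']}"
        if ln["Protocol"] == "HTTP":
            redirects = any(a.get("Type") == "redirect"
                            and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
                            for a in ln.get("DefaultActions", []))
            out.append(Finding("HTTPS enforcement", res, redirects,
                               "plain-HTTP listener may only redirect to HTTPS"))
        elif ln["Protocol"] == "HTTPS":
            ok = ln.get("SslPolicy") in TLS12_PLUS_POLICIES
            out.append(Finding("Encryption in transit", res, ok, f"SslPolicy={ln.get('SslPolicy')}"))
    return out


def evaluate(snapshot: dict) -> list[Finding]:
    return (check_cloudtrail(snapshot["trails"], snapshot["trail_status"])
            + check_buckets(snapshot["buckets"])
            + check_flow_logs(snapshot["vpcs"], snapshot["flow_logs"])
            + check_listeners(snapshot["listeners"]))


def sample_snapshot() -> dict:
    """Constructed snapshot shaped like the CLI outputs; not taken from a real account."""
    alb = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/phi-app/0123456789abcdef"
    return {
        "trails": [{"Name": "phi-trail", "IsMultiRegionTrail": True,
                    "LogFileValidationEnabled": False, "KmsKeyId": None}],
        "trail_status": {"phi-trail": {"IsLogging": True}},
        "buckets": {"phi-data-bucket": {"versioning": {"Status": "Enabled"}, "logging": {}}},
        "vpcs": ["vpc-0a1b2c3d4e5f6a7b8", "vpc-0b1b2c3d4e5f6a7b8"],
        "flow_logs": [{"ResourceId": "vpc-0a1b2c3d4e5f6a7b8", "FlowLogStatus": "ACTIVE"}],
        "listeners": [
            {"LoadBalancerArn": alb, "Port": 80, "Protocol": "HTTP",
             "DefaultActions": [{"Type": "redirect",
                                 "RedirectConfig": {"Protocol": "HTTPS", "StatusCode": "HTTP_301"}}]},
            {"LoadBalancerArn": alb, "Port": 443, "Protocol": "HTTPS",
             "SslPolicy": "ELBSecurityPolicy-2016-08"},
        ],
    }


if __name__ == "__main__":
    for f in evaluate(sample_snapshot()):
        print("PASS" if f.passed else "FAIL", f.control, "|", f.resource, "|", f.detail)
```

Run against a real account by feeding the CLI outputs into the same snapshot shape; the failing findings are exactly the table rows that should stay red until the configuration changes. AWS Config managed rules and Security Hub's standards cover several of these checks (multi-region trail, log file validation, S3 versioning, flow logs enabled), so the script is most useful for the rows they do not express, such as the HTTP-to-HTTPS redirect on the listener.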

AWS Services Implementing Technical Safeguards

| AWS Service | Safeguard Area |
|---|---|
| KMS | Access control, encryption |
| CloudTrail | Audit controls |
| VPC Flow Logs | Audit controls, transmission security |
| AWS Config | Integrity monitoring |
| GuardDuty | Integrity, access control |
| Security Hub | Cross-service compliance visibility |
| WAF | Transmission security, access control |
| SSM Session Manager | Access control (replaces SSH) |
| AWS Backup | Integrity (backup and restore) |