HIPAA / HITECH
Regulator: U.S. Department of Health and Human Services, Office for Civil Rights
Signal Provenance is configured as a HIPAA Business Associate. Every Technical Safeguard at 164.312 is addressed in code: unique user IDs, MFA, automatic logoff, encryption at rest, tamper-evident audit trails, and integrity verification. A BAA template ships with each deployment to satisfy 164.308(b)(1).
Scope
HIPAA's Security Rule (45 CFR Part 164, Subparts A and C) governs the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). Covered entities and business associates must implement administrative, physical, and technical safeguards. Breach penalties scale with willful neglect.
Control-by-control coverage
Every claim below traces to source code in the echology monorepo or to a deliverable template shipped with Signal Provenance. If the code does not do it, the row is not here.
| Control | Requirement | Coverage | Evidence mechanism | Source |
|---|---|---|---|---|
| 164.312(a)(1) | Access control: unique user identification, emergency access, automatic logoff, encryption | Strong | RBAC module with unique user IDs, scrypt-hashed passwords, and role-differentiated permissions. Emergency break-glass with time-bounded TTL. Automatic session logoff after 30 minutes idle (OPS_SESSION_IDLE_TIMEOUT). | ops/rbac.py, ops/dashboard/auth.py |
| 164.312(a)(2)(i) | Unique user identification | Complete | rbac_users.user_id is the unique key. Every operational write records the actor. Every electronic signature records the signing user. | ops/db.py rbac_users |
| 164.312(a)(2)(ii) | Emergency access procedure | Complete | ops rbac emergency-grant issues time-bounded (1-1440 minute) emergency access with full ledger witness (certification_issued). Revocation is also witnessed. | ops/rbac.py grant_emergency_access |
| 164.312(a)(2)(iii) | Automatic logoff after predetermined time of inactivity | Complete | Session idle timeout enforced in AuthMiddleware. Expired sessions are deleted and users redirected to login. Default 30 minutes, configurable via OPS_SESSION_IDLE_TIMEOUT. | ops/dashboard/auth.py _valid_session |
| 164.312(a)(2)(iv) | Encryption and decryption of ePHI | Complete | AES-256 Fernet encryption at rest for PHI-adjacent operational data. Secure delete support. | engine/vanta/vanta_security.py |
| 164.312(b) | Audit controls: hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI | Complete | 49 operational witness points plus inference log plus training-run log, all hash-chained in Aletheia with workstation and actor identification. | engine/aletheia/ledger.py, ops/db.py |
| 164.312(c)(1) | Integrity: protect ePHI from improper alteration or destruction | Complete | Hash chain: modifying any entry breaks all subsequent chain_hash values. verify_chain() detects tampering at the exact seq. | engine/aletheia/ledger.py verify_chain |
| 164.312(c)(2) | Mechanism to corroborate that ePHI has not been altered or destroyed | Complete | SHA-256 content hashing on every harvest. Temporal reconstruction proves what a file looked like at any past timestamp. | provenance/db.py |
| 164.312(d) | Person or entity authentication | Complete | Two-factor authentication: scrypt-hashed password plus RFC 6238 TOTP. MFA can be enforced per-user. | ops/rbac.py authenticate, verify_totp |
| 164.312(e)(1)-(2) | Transmission security with integrity and encryption controls | Strong | Localhost-only network binding by default. Remote management via TLS 1.2+ tunnel. Hash chain verifies pre- and post-transmission integrity. | Architecture, engine/aletheia/ledger.py |
| 164.308(b)(1) | Business Associate contracts and other arrangements | Complete | BAA template deliverable ships with every Signal Provenance deployment. Generates a Markdown BAA with technical safeguards pre-filled and legal fields ready for counsel review. | ops/deliverables/templates/signal_baa.py |
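
The 164.312(c)(1) row describes a hash chain in which each `chain_hash` depends on every earlier entry. The sketch below is an added example, not code from the echology monorepo. The names `seq`, `chain_hash` and `verify_chain` come from the table; the hashing layout, `GENESIS`, the payload format and the externally recorded head hash are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumption: previous-hash value used for the first entry

def _link(prev_hash, seq, payload):
    # Canonical JSON so an entry always serializes to the same bytes.
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(ledger, payload):
    prev = ledger[-1]["chain_hash"] if ledger else GENESIS
    seq = len(ledger) + 1
    ledger.append({"seq": seq, "payload": payload,
                   "chain_hash": _link(prev, seq, payload)})
    return ledger[-1]["chain_hash"]

def verify_chain(ledger, expected_head=None):
    """Return ("ok", None), ("entry_mismatch", seq) or ("head_mismatch", None)."""
    prev = GENESIS
    for position, entry in enumerate(ledger, start=1):
        recomputed = _link(prev, position, entry["payload"])
        if entry["seq"] != position or entry["chain_hash"] != recomputed:
            return ("entry_mismatch", position)
        prev = entry["chain_hash"]
    # A self-consistent chain can still be missing its tail; compare the
    # final hash with one recorded outside the system (assumed practice).
    if expected_head is not None and prev != expected_head:
        return ("head_mismatch", None)
    return ("ok", None)

def demo():
    # Constructed sample events, not real ledger content.
    ledger = []
    for event in ("login user=u1", "record_viewed id=r1 actor=u1",
                  "emergency_grant actor=u2 ttl=60", "logout user=u1"):
        head = append(ledger, event)
    altered = [dict(e) for e in ledger]
    altered[1]["payload"] = "record_viewed id=r1 actor=u9"
    truncated = ledger[:-1]
    return {
        "intact": verify_chain(ledger, head),
        "altered": verify_chain(altered, head),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_anchored": verify_chain(truncated, head),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The truncated case passes internal verification and is caught only by the head hash held outside the ledger, which is why an independent verifier should keep its own copy of the last known head.
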
What Signal Provenance does not do
The platform is the technical evidence layer. The items below require organizational or physical implementation by the client. Listing them explicitly is how we keep the claim honest.
- 164.310 Physical safeguards (facility access, workstation security, device and media controls). These require physical implementation at the client site.
- 164.308(a)(3)-(5) Workforce security, access management procedures, and awareness training (organizational).
- Privacy Rule individual authorization workflows. Signal captures the audit evidence; the consent workflow lives in the client EHR or intake system.
What you get
Each deployment ships these artifacts. All are generated from the live ledger and current deployment state.
BAA template (HIPAA 164.308(b)(1))
ops compliance baa <deployment-id> --covered-entity "<name>" --covered-entity-signatory "<signer>"
Pre-fills safeguards, breach notification window, 6-year retention, and deployment-specific identifiers.
HIPAA audit export (PDF + JSON)
ops compliance audit <deployment-id> --framework hipaa
Access control report
ops rbac user-list
Users, roles, MFA status, last authentication.
Emergency access log
ops rbac emergency-list
Chain integrity verification
ops ledger verify <deployment-id>
Prove it for your next audit.
Signal Provenance is deployed white-glove. We configure it on your hardware, point it at your folders, and generate your first HIPAA / HITECH coverage export together. Your auditor verifies the hash chain independently.
Canonical URL: /provenance/frameworks/hipaa/ · Cited in every compliance export for HIPAA / HITECH.