HIPAAAssessment Results45 CFR Part 164Enterprise

Job ID: demo-hipaa-0422

48 controls assessed

succeeded

Assessment scope

This assessment evaluates only the subset of the HIPAA Security Rule (45 CFR Part 164) that is observable from your Microsoft 365 tenant configuration. It does not cover workforce training, risk assessment documentation, Business Associate Agreements, physical facility controls, or other organizational safeguards. A high score on this scan is evidence of strong M365 configuration — not a substitute for a full HIPAA compliance program.

Compliance Score

45 CFR Part 164

Overall — Weighted score across all controls. Required controls count 2×.

Required — Must be implemented. No alternatives. Gaps are direct violations.

Addressable — Must implement or document an equivalent measure with risk justification.

48Controls

Safeguard Breakdown

Executive Summary

Visual HIPAA executive report with compliance scores, safeguard breakdown charts, and gap analysis for stakeholder review.

1 control is failing due to missing licenses

Detected licenses: Microsoft 365 E3, EMS_E3

Missing capabilities: Microsoft Purview Audit (Premium)

Under HIPAA, not having the required technology is itself a compliance gap. Add the required licenses and re-run the assessment to resolve them.

Next Actions

Generate Documents

Generate SOPs for passing controls and remediation runbooks for gaps.

Output format

Compliance Automator

Enterprise

Auto-remediate 8 failed HIPAA controls. All Conditional Access policies deploy in report-only mode.

Fix 8 Controls

Controls

48 total

Status

Type

Safeguard

Showing 48 of 48 matching (48 total)

CFR Section	Control	Status	Type	Safeguard
164.308(a)(1)(i)	Conduct a security risk assessment Security Management Process	Pass	Required	Administrative
164.308(a)(1)(ii)(A)	Risk analysis — identify threats & vulnerabilities to ePHI Security Management Process	Pass	Required	Administrative
164.308(a)(1)(ii)(B)	Risk management — implement measures to reduce risk to ePHI Security Management Process	Pass	Required	Administrative
164.308(a)(1)(ii)(C)	Sanction policy for workforce members who fail to comply Security Management Process	Skipped	Required	Administrative
164.308(a)(1)(ii)(D)	Information system activity review — regular audit-log review Security Management Process	Fail	Required	Administrative
164.308(a)(2)	Designate a Security Official Assigned Security Responsibility	Skipped	Required	Administrative
164.308(a)(3)(i)	Authorize & supervise workforce access to ePHI Workforce Security	Pass	Required	Administrative
164.308(a)(3)(ii)(B)	Workforce clearance procedures Workforce Security	Pass	Addressable	Administrative
164.308(a)(3)(ii)(C)	Termination procedures — deprovision access on workforce exit Workforce Security	Fail	Addressable	Administrative
164.308(a)(4)(ii)(A)	Isolating healthcare clearinghouse functions Information Access Management	Pass	Required	Administrative
164.308(a)(4)(ii)(B)	Access authorization — procedures to grant access to ePHI Information Access Management	Pass	Addressable	Administrative
164.308(a)(4)(ii)(C)	Access establishment & modification procedures Information Access Management	Pass	Addressable	Administrative
164.308(a)(5)(ii)(A)	Security reminders — periodic updates to the workforce Security Awareness & Training	Pass	Addressable	Administrative
164.308(a)(5)(ii)(B)	Protection from malicious software Security Awareness & Training	Report-Only	Addressable	Administrative
164.308(a)(5)(ii)(C)	Log-in monitoring & discrepancy reporting Security Awareness & Training	Fail	Addressable	Administrative
164.308(a)(5)(ii)(D)	Password management — procedures for creating & protecting passwords Security Awareness & Training	Pass	Addressable	Administrative
164.308(a)(6)(i)	Identify, respond to, & document security incidents Security Incident Procedures	Pass	Required	Administrative
164.308(a)(6)(ii)	Response & reporting — mitigate harmful effects of incidents Security Incident Procedures	Pass	Required	Administrative
164.308(a)(7)(i)	Establish policies for responding to emergencies that damage ePHI Contingency Plan	Pass	Required	Administrative
164.308(a)(7)(ii)(A)	Data backup plan — create retrievable exact copies of ePHI Contingency Plan	Fail	Required	Administrative
164.308(a)(7)(ii)(B)	Disaster recovery plan — restore lost data Contingency Plan	Pass	Required	Administrative
164.308(a)(7)(ii)(C)	Emergency mode operation plan — continue critical business processes Contingency Plan	Pass	Required	Administrative
164.308(a)(8)	Periodic technical & non-technical evaluation against the standard Evaluation	Pass	Required	Administrative
164.308(b)(1)	Obtain satisfactory assurances (BAA) from business associates Business Associate Contracts	Skipped	Required	Administrative
164.310(a)(1)	Limit physical access to electronic info systems & facilities Facility Access Controls	Skipped	Required	Physical
164.310(a)(2)(i)	Contingency operations — allow facility access during disasters Facility Access Controls	Skipped	Addressable	Physical
164.310(a)(2)(ii)	Facility security plan — safeguard the facility & equipment Facility Access Controls	Skipped	Addressable	Physical
164.310(a)(2)(iii)	Access control & validation procedures Facility Access Controls	Skipped	Addressable	Physical
164.310(a)(2)(iv)	Maintenance records — document facility repairs Facility Access Controls	Skipped	Addressable	Physical
164.310(b)	Specify proper functions & environments of workstations accessing ePHI Workstation Use	Skipped	Required	Physical
164.310(c)	Implement physical safeguards for workstations accessing ePHI Workstation Security	Skipped	Required	Physical
164.310(d)(1)	Govern receipt & removal of hardware containing ePHI Device & Media Controls	Skipped	Required	Physical
164.310(d)(2)(i)	Disposal — final disposition of ePHI & hardware Device & Media Controls	Skipped	Required	Physical
164.310(d)(2)(ii)	Media re-use — remove ePHI before re-use Device & Media Controls	Skipped	Required	Physical
164.310(d)(2)(iii)	Accountability — track hardware & media movement Device & Media Controls	Skipped	Addressable	Physical
164.310(d)(2)(iv)	Data backup & storage — create retrievable exact copy before movement Device & Media Controls	Skipped	Addressable	Physical
164.312(a)(1)	Unique user identification — name/number for tracking identity Access Control	Pass	Required	Technical
164.312(a)(2)(i)	Unique user identification implementation Access Control	Pass	Required	Technical
164.312(a)(2)(ii)	Emergency access procedure — obtain ePHI during emergencies Access Control	Pass	Required	Technical
164.312(a)(2)(iii)	Automatic logoff — terminate sessions after predetermined inactivity Access Control	Fail	Addressable	Technical
164.312(a)(2)(iv)	Encryption & decryption of ePHI at rest Access Control	Fail	Addressable	Technical
164.312(b)	Record & examine activity in info systems containing ePHI Audit Controls	Fail	Required	Technical
164.312(c)(1)	Protect ePHI from improper alteration or destruction Integrity	Pass	Required	Technical
164.312(c)(2)	Mechanism to authenticate ePHI — detect tampering Integrity	Fail (License)	Addressable	Technical
164.312(d)	Verify the claimed identity of users accessing ePHI Person or Entity Authentication	Pass	Required	Technical
164.312(e)(1)	Guard against unauthorized access to ePHI in transit Transmission Security	Pass	Required	Technical
164.312(e)(2)(i)	Integrity controls — detect modification of ePHI in transit Transmission Security	Pass	Addressable	Technical
164.312(e)(2)(ii)	Encryption — encrypt ePHI in transit whenever deemed appropriate Transmission Security	Fail	Addressable	Technical

Click any control row for evidence, reason, and remediation detail.

Ready to see your own tenant scored against HIPAA?

Read-only consent takes 60 seconds, the scan runs in under two minutes, and the CFR-cited gap report is yours to keep.

Get started Book a call