HIPAA Assessment Results: 45 CFR Part 164 (Enterprise)
Job ID: demo-hipaa-0501
48 controls assessed
Assessment scope
This assessment evaluates only the subset of the HIPAA Security Rule (45 CFR Part 164) that is observable from your Microsoft 365 tenant configuration. It does not cover workforce training, risk assessment documentation, Business Associate Agreements, physical facility controls, or other organizational safeguards. A high score on this scan is evidence of strong M365 configuration — not a substitute for a full HIPAA compliance program.
Compliance Score
Overall: weighted score across all controls. Required controls count 2×.
Required — Must be implemented. No alternatives. Gaps are direct violations.
Addressable — Must implement or document an equivalent measure with risk justification.
Safeguard Breakdown
Executive Summary
Visual HIPAA executive report with compliance scores, safeguard breakdown charts, and gap analysis for stakeholder review.
1 control is failing due to missing licenses
Detected licenses: Microsoft 365 E3, EMS_E3
Missing capabilities: Microsoft Purview Audit (Premium)
Under HIPAA the control still has to be met; a capability the tenant cannot deliver leaves the gap open until you add the required license (or, for an Addressable specification, document an equivalent alternative with risk justification) and re-run the assessment.
Next Actions
Generate Documents
Generate SOPs for passing controls and remediation runbooks for gaps.
Compliance Automator
(Enterprise) Auto-remediate 8 failed HIPAA controls. All Conditional Access policies deploy in report-only mode, so they will show as Report-Only until you switch them to On.
Generate Breach-Notification Tabletop
(Enterprise, HIPAA) A facilitator-ready §164.402 4-factor + §164.404 cascade scenario, composed from the safeguard gaps in this scan.
Learn more about Veri-Tech IR Tabletops
Source: demo-hipaa-0501
Org-shape (per drill, demo only)
Veri-Tech sizes every drill around your actual team, not a generic enterprise template. The demo lets you nudge the shape with the controls below; the real product gives you the full freedom described in the callout.
You write your own role labels — not ours.
In your real tenant, you type the role names your team actually uses: M365 Admin, Service Manager, VP IT, External IR Retainer — whatever your lexicon is. The AI uses those exact labels in drill participants, IR-plan owners, AI Coaching recommendations, and the auditor manifest’s orgShape field.
You can also add roles for a specific drill on the fly — e.g. spin up an “Inland Energy AP Clerk” row before running a BEC scenario without touching tenant-wide settings. The demo simulates this with a curated roster + slider; real customers get the full custom-label form (60-char cap, name-detection guardrail, per-role headcount).
Auditor-grade IR evidence in one click: tabletop output that supports the evaluation evidence expected under HIPAA §164.308(a)(8), SOC 2 CC7.4, and ISO 27001 A.5.24.
Generation runs in ~3–5 minutes; output lands in Veri-Vault as a tabletop artifact.
Preview a sample tabletop (based on findings shape)
Misdirected fax exposes 312 patient records to competitor's office
HIPAA · v1.0.0. Your HIPAA scan flagged that the fax-out workflow has no validation step. This scenario walks through the §164.402 4-factor risk assessment and the §164.404 notification mechanics for a misdirected-PHI event.
Respond (RS.CO, RS.AN)
75–90 minutes (longer than other tabletops because §164.402 + §164.404 require careful documentation)
6 timed
7 criteria
On a Wednesday at 14:08 ET, a billing clerk at your organization fax-batches 312 patient encounter summaries to what they believe is the third-party billing service. The destination number was off by one digit; the fax actually landed at a competing healthcare practice's general office line. The competing practice's office manager calls your privacy officer 47 minutes later and politely asks 'Did you mean to send us 312 of someone's patient records?' The fax is paper-only at the receiving end (their MFP printed it).
Threat actor: none. This is an unauthorized disclosure caused by an internal process failure, not a malicious actor; misdirected disclosures of this kind are a common breach category.
Attack chain
1. Cause: the fax destination was hand-keyed by a clerk; there was no second-person check, no cover-sheet validation, and no destination allowlist.
2. Disclosure: 312 encounter summaries print at an unrelated organization; the receiving practice's office manager picks them up from the MFP.
3. Notification (inbound): the receiving practice calls your privacy officer at 14:55 ET to flag the misdirection.
4. Exposure window: from 14:08 to 14:55 the fax pages were physically present at the receiving organization, and multiple staff may have walked past the printer.
Affected assets
- 312 patient encounter summaries (PHI: name, DOB, MRN, visit date, diagnosis codes, billing codes)
- Patient trust and reputation
- HHS/OCR notification under §164.408: 312 individuals is below the 500 threshold, so the breach goes on the annual log submitted to HHS within 60 days after the end of the calendar year rather than being reported contemporaneously; individual notices under §164.404 are still due without unreasonable delay and no later than 60 days after discovery, and media notice under §164.406 applies only when more than 500 residents of a state are affected
- State breach-notification law may add attorney general or resident notice obligations, depending on the state
Linked scan findings
| Control ID | Severity | Finding | Safeguard | Type |
|---|---|---|---|---|
| HIPAA-AS-002 | High | No documented fax-validation procedure for outbound PHI | Administrative | Required |
| HIPAA-AS-014 | Medium | No documented training on minimum-necessary disclosure standard | Administrative | Addressable |
| HIPAA-PS-008 | Medium | Workforce sanction policy not documented for accidental disclosure | Administrative | Required |
Generated from HIPAA scan demo-hipaa-0501 on 2026-05-07. This is facilitator material — verify scenario specifics against your tenant before use. Veri-Tech does not warrant scenario fitness for any specific audit framework; pair with the source scan job (which IS auditor evidence) and your own IR plan and Notice of Privacy Practices.
Controls
48 total
Reading the table
Definitions for each value in the Status, Type, and Safeguard columns.
Status
- Pass
- A configuration matching this control was observed in your tenant.
- Fail
- No matching configuration was observed; the gap can be closed through M365 settings.
- Report-Only
- A matching policy exists but is in monitoring mode — switch it to "On" to count as passing.
- Fail (License)
- The capability that would satisfy this control requires a license tier the tenant does not hold.
- Skipped
- A prerequisite is not met or the control depends on a feature this tenant cannot evaluate from M365 alone.
- N/A
- This control does not apply to the tenant scope (platform, license, or feature gate).
Type — per 45 CFR §164.306
- Required
- Must be implemented exactly as written. No flexibility — if you handle ePHI, you must do this.
- Addressable
- Implement as written, OR implement an equivalent alternative, OR document why neither is reasonable. Not optional — auditors check the documentation trail just as hard.
Safeguard
- Technical
- Technology controls — authentication, encryption, access logs, transmission security.
- Administrative
- Process and policy — security officer, workforce training, sanction policy, contingency plans.
- Physical
- Hardware and facility controls — workstation security, device disposal, facility access.
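Two of the statuses above (Report-Only and Fail (License), the latter also behind the "1 control is failing due to missing licenses" notice) can be reproduced by hand before or after a scan. The script below is an added example, not Veri-Tech code; it uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Identity.DirectoryManagement modules are installed and the signed-in account holds Policy.Read.All and Organization.Read.All. The service-plan name used for Purview Audit (Premium), M365_ADVANCED_AUDITING, is an assumption to confirm against your own tenant's SKU list. It lists every Conditional Access policy with its state and the session controls that matter for automatic logoff (164.312(a)(2)(iii)), then checks whether any subscribed SKU provisions the Premium audit plan.

```powershell
# Added example (not Veri-Tech code): reproduce the Report-Only and Fail (License)
# checks with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Identity.DirectoryManagement
# are installed; the account holds Policy.Read.All and Organization.Read.All.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Organization.Read.All' -NoWelcome

# --- Report-Only vs On: Conditional Access policy state -----------------------
# Graph reports State as enabled, disabled, or enabledForReportingButNotEnforced.
$stateMap = @{
    enabled                           = 'On'
    enabledForReportingButNotEnforced = 'Report-Only'
    disabled                          = 'Disabled'
}

$policies = Get-MgIdentityConditionalAccessPolicy -All

# Sign-in frequency and persistent-browser settings are the Conditional Access
# levers for automatic logoff; a policy only counts if it is On and the control is enabled.
$columns = @(
    'DisplayName',
    @{ n = 'State'; e = { $stateMap[$_.State] } },
    @{ n = 'Grant'; e = { @($_.GrantControls.BuiltInControls) -join ',' } },
    @{ n = 'SignInFreq'; e = {
        $sif = $_.SessionControls.SignInFrequency
        if ($sif.IsEnabled) { "$($sif.Value) $($sif.Type)" } else { '-' } } },
    @{ n = 'PersistentBrowser'; e = {
        $pb = $_.SessionControls.PersistentBrowser
        if ($pb.IsEnabled) { $pb.Mode } else { '-' } } }
)
$policies | Select-Object $columns | Sort-Object State | Format-Table -AutoSize

$reportOnly = @($policies | Where-Object State -eq 'enabledForReportingButNotEnforced')
if ($reportOnly.Count -gt 0) {
    Write-Warning ("{0} policy(ies) are report-only and do not count as passing: {1}" -f
        $reportOnly.Count, ($reportOnly.DisplayName -join '; '))
}

# --- Fail (License): does any subscribed SKU provision Purview Audit (Premium)? ---
$auditPlan = 'M365_ADVANCED_AUDITING'   # assumed service-plan name; verify in your tenant
$skus = Get-MgSubscribedSku

$skus | Select-Object SkuPartNumber, ConsumedUnits,
    @{ n = 'EnabledUnits'; e = { $_.PrepaidUnits.Enabled } } | Format-Table -AutoSize

$hasPremiumAudit = @($skus | Where-Object {
    @($_.ServicePlans | Where-Object {
        $_.ServicePlanName -eq $auditPlan -and $_.ProvisioningStatus -eq 'Success'
    }).Count -gt 0
})
if ($hasPremiumAudit.Count -eq 0) {
    Write-Warning "No subscribed SKU provisions $auditPlan; controls that depend on Purview Audit (Premium) stay at Fail (License)."
}
```

Run it in PowerShell 7 with the two Graph modules installed. A tenant that shows Microsoft 365 E3 plus EMS_E3, as in this demo, will list SKUs but no Premium audit plan, which is the condition the scan reports as Fail (License); a policy that appears in the first table as Report-Only with a SignInFreq value is the case the scan reports as Report-Only rather than Pass.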
| CFR Section | Control | Standard | Status | Type | Safeguard |
|---|---|---|---|---|---|
| 164.308(a)(1)(i) | Implement policies & procedures to prevent, detect, contain & correct security violations | Security Management Process | Pass | Required | Administrative |
| 164.308(a)(1)(ii)(A) | Risk analysis — identify threats & vulnerabilities to ePHI | Security Management Process | Pass | Required | Administrative |
| 164.308(a)(1)(ii)(B) | Risk management — implement measures to reduce risk to ePHI | Security Management Process | Pass | Required | Administrative |
| 164.308(a)(1)(ii)(C) | Sanction policy for workforce members who fail to comply | Security Management Process | Skipped | Required | Administrative |
| 164.308(a)(1)(ii)(D) | Information system activity review — regular audit-log review | Security Management Process | Fail | Required | Administrative |
| 164.308(a)(2) | Designate a Security Official | Assigned Security Responsibility | Skipped | Required | Administrative |
| 164.308(a)(3)(i) | Authorize & supervise workforce access to ePHI | Workforce Security | Pass | Required | Administrative |
| 164.308(a)(3)(ii)(B) | Workforce clearance procedures | Workforce Security | Pass | Addressable | Administrative |
| 164.308(a)(3)(ii)(C) | Termination procedures — deprovision access on workforce exit | Workforce Security | Fail | Addressable | Administrative |
| 164.308(a)(4)(ii)(A) | Isolating healthcare clearinghouse functions | Information Access Management | Pass | Required | Administrative |
| 164.308(a)(4)(ii)(B) | Access authorization — procedures to grant access to ePHI | Information Access Management | Pass | Addressable | Administrative |
| 164.308(a)(4)(ii)(C) | Access establishment & modification procedures | Information Access Management | Pass | Addressable | Administrative |
| 164.308(a)(5)(ii)(A) | Security reminders — periodic updates to the workforce | Security Awareness & Training | Pass | Addressable | Administrative |
| 164.308(a)(5)(ii)(B) | Protection from malicious software | Security Awareness & Training | Report-Only | Addressable | Administrative |
| 164.308(a)(5)(ii)(C) | Log-in monitoring & discrepancy reporting | Security Awareness & Training | Fail | Addressable | Administrative |
| 164.308(a)(5)(ii)(D) | Password management — procedures for creating & protecting passwords | Security Awareness & Training | Pass | Addressable | Administrative |
| 164.308(a)(6)(i) | Identify, respond to, & document security incidents | Security Incident Procedures | Pass | Required | Administrative |
| 164.308(a)(6)(ii) | Response & reporting — mitigate harmful effects of incidents | Security Incident Procedures | Pass | Required | Administrative |
| 164.308(a)(7)(i) | Establish policies for responding to emergencies that damage ePHI | Contingency Plan | Pass | Required | Administrative |
| 164.308(a)(7)(ii)(A) | Data backup plan — create retrievable exact copies of ePHI | Contingency Plan | Fail | Required | Administrative |
| 164.308(a)(7)(ii)(B) | Disaster recovery plan — restore lost data | Contingency Plan | Pass | Required | Administrative |
| 164.308(a)(7)(ii)(C) | Emergency mode operation plan — continue critical business processes | Contingency Plan | Pass | Required | Administrative |
| 164.308(a)(8) | Periodic technical & non-technical evaluation against the standard | Evaluation | Pass | Required | Administrative |
| 164.308(b)(1) | Obtain satisfactory assurances (BAA) from business associates | Business Associate Contracts | Skipped | Required | Administrative |
| 164.310(a)(1) | Limit physical access to electronic info systems & facilities | Facility Access Controls | Skipped | Required | Physical |
| 164.310(a)(2)(i) | Contingency operations — allow facility access during disasters | Facility Access Controls | Skipped | Addressable | Physical |
| 164.310(a)(2)(ii) | Facility security plan — safeguard the facility & equipment | Facility Access Controls | Skipped | Addressable | Physical |
| 164.310(a)(2)(iii) | Access control & validation procedures | Facility Access Controls | Skipped | Addressable | Physical |
| 164.310(a)(2)(iv) | Maintenance records — document facility repairs | Facility Access Controls | Skipped | Addressable | Physical |
| 164.310(b) | Specify proper functions & environments of workstations accessing ePHI | Workstation Use | Skipped | Required | Physical |
| 164.310(c) | Implement physical safeguards for workstations accessing ePHI | Workstation Security | Skipped | Required | Physical |
| 164.310(d)(1) | Govern receipt & removal of hardware containing ePHI | Device & Media Controls | Skipped | Required | Physical |
| 164.310(d)(2)(i) | Disposal — final disposition of ePHI & hardware | Device & Media Controls | Skipped | Required | Physical |
| 164.310(d)(2)(ii) | Media re-use — remove ePHI before re-use | Device & Media Controls | Skipped | Required | Physical |
| 164.310(d)(2)(iii) | Accountability — track hardware & media movement | Device & Media Controls | Skipped | Addressable | Physical |
| 164.310(d)(2)(iv) | Data backup & storage — create retrievable exact copy before movement | Device & Media Controls | Skipped | Addressable | Physical |
| 164.312(a)(1) | Allow access to ePHI only to persons or programs granted access rights | Access Control | Pass | Required | Technical |
| 164.312(a)(2)(i) | Unique user identification — assign a unique name/number for tracking identity | Access Control | Pass | Required | Technical |
| 164.312(a)(2)(ii) | Emergency access procedure — obtain ePHI during emergencies | Access Control | Pass | Required | Technical |
| 164.312(a)(2)(iii) | Automatic logoff — terminate sessions after predetermined inactivity | Access Control | Fail | Addressable | Technical |
| 164.312(a)(2)(iv) | Encryption & decryption of ePHI at rest | Access Control | Fail | Addressable | Technical |
| 164.312(b) | Record & examine activity in info systems containing ePHI | Audit Controls | Fail | Required | Technical |
| 164.312(c)(1) | Protect ePHI from improper alteration or destruction | Integrity | Pass | Required | Technical |
| 164.312(c)(2) | Mechanism to authenticate ePHI — detect tampering | Integrity | Fail (License) | Addressable | Technical |
| 164.312(d) | Verify the claimed identity of users accessing ePHI | Person or Entity Authentication | Pass | Required | Technical |
| 164.312(e)(1) | Guard against unauthorized access to ePHI in transit | Transmission Security | Pass | Required | Technical |
| 164.312(e)(2)(i) | Integrity controls — detect modification of ePHI in transit | Transmission Security | Pass | Addressable | Technical |
| 164.312(e)(2)(ii) | Encryption — encrypt ePHI in transit whenever deemed appropriate | Transmission Security | Fail | Addressable | Technical |
Click any control row for evidence, reason, and remediation detail.
Ready to see your own tenant scored against HIPAA?
Read-only consent takes 60 seconds, the scan runs in under two minutes, and the CFR-cited gap report is yours to keep.
