HIPAA Compliance Pack
Enterprise add-on · $199/mo
Maps 67 of your Veri-Guard M365 controls to 45 CFR Part 164 across 17 CFR sections, with Required vs. Addressable scoring per the HIPAA Security Rule. Generates CFR-cited evidence packages, gap reports, and AI-driven PHI Breach Drills — all without ever accessing the protected health information itself.
How HIPAA Compliance Pack Works
Step-by-step walkthrough from scan to evidence handoff
Run a Veri-Guard scan first
HIPAA Compliance Pack layers on top of your existing Veri-Guard tenant assessment. The 67 HIPAA-mapped controls are a subset of the 548 controls Veri-Guard scans across Identity, Intune, Exchange, Teams, SharePoint, and Defender. Re-runs of the underlying scan automatically refresh the HIPAA mapping.
Open the HIPAA Hub
From the sidebar, click HIPAA. Your dashboard shows per-safeguard status grouped by Administrative (§164.308), Physical (§164.310), and Technical (§164.312) safeguards. Each safeguard shows pass / fail with Required vs. Addressable badges and direct citations into 45 CFR Part 164.
Review the scope honestly
The pack assesses what Microsoft 365 can prove. It covers the Technical safeguards (§164.312) in full, the M365-observable portion of the Administrative safeguards (§164.308), and a limited subset of the Physical safeguards (Workstation Security §164.310(c) and Device and Media Controls §164.310(d)). It does NOT cover workforce training, BAAs, risk-analysis documentation, contingency planning, or facility access controls; those organizational safeguards require separate evidence outside of M365. Treat a clean HIPAA Hub as evidence for the sections it maps, not as a tenant-wide attestation of Security Rule compliance.
Generate the evidence packet
Click "Export Evidence" to produce an auditor-ready packet: per-safeguard evidence with CFR citations, the underlying M365 policy proofs, the assessment date, Required vs. Addressable scoring, and a signed manifest listing the SHA-256 digest of every file in the packet. The digests let an auditor confirm that the files in hand are the ones that were exported; the signature and the public verification URL are what establish that the manifest itself came from Veri-Guard. Available as PDF or DOCX, optionally white-labeled for MSP clients.
Run PHI Breach IR drills
Spin up AI-generated PHI breach incident response drills calibrated to your tenant's actual safeguard configuration. Scenarios are tied to your specific gaps — e.g., "an unencrypted export to a personal device" or "an unauthorized PHI disclosure via shared link." Multi-attendee runner with WORM-locked audit trail.
Hand off to your Privacy Officer
Evidence packets, gap reports, and PHI Breach Drill transcripts are signed, dated, and exportable for the HIPAA Privacy Officer, Business Associate auditor, or third-party HITRUST / 405(d) assessor. Public verification URLs let auditors confirm authenticity without portal access.
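As an added illustration of the integrity check an auditor would run on an exported packet (this is not Veri-Guard's code, and the page does not publish the vendor's actual manifest layout), the Python below builds and verifies a manifest of SHA-256 digests. The manifest shape (a JSON object with an assessment date, an algorithm name and a path-to-digest map), the file names and the file contents are all constructed for the example.

```python
"""Verify an evidence packet against a manifest of SHA-256 digests.

Added example, not Veri-Guard's code. The manifest layout and the sample
packet below are assumptions for illustration. A digest check proves that
the files match the manifest; it does NOT prove who produced the manifest.
Someone who can edit both the files and the manifest will pass this check,
which is why the manifest must also be signed (or checked through the
vendor's verification URL) before the digests mean anything.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, assessment_date: str) -> dict:
    """Hypothetical manifest shape: metadata plus one digest per relative path."""
    return {
        "assessment_date": assessment_date,
        "algorithm": "sha256",
        "files": {path: sha256_hex(content) for path, content in sorted(files.items())},
    }


def verify_packet(files: dict, manifest: dict) -> dict:
    """Return a per-path verdict.

    ok       - file present and digest matches
    modified - file present but digest differs
    missing  - listed in the manifest but absent from the packet
    unlisted - present in the packet but not covered by the manifest
    """
    if manifest.get("algorithm") != "sha256":
        raise ValueError(f"unsupported manifest algorithm {manifest.get('algorithm')!r}")
    verdicts = {}
    for path, expected in manifest["files"].items():
        if path not in files:
            verdicts[path] = "missing"
        elif sha256_hex(files[path]) == expected:
            verdicts[path] = "ok"
        else:
            verdicts[path] = "modified"
    # Files the manifest does not list are not evidence: flag them rather than ignore them.
    for path in files:
        if path not in manifest["files"]:
            verdicts[path] = "unlisted"
    return verdicts


def packet_is_intact(files: dict, manifest: dict) -> bool:
    return all(v == "ok" for v in verify_packet(files, manifest).values())


# Constructed sample packet: two placeholder artifacts, not real exports.
PACKET = {
    "gap_report.pdf": b"%PDF-1.7 constructed placeholder gap report\n",
    "evidence/164.312(b)_audit_controls.json": json.dumps(
        {"unifiedAuditLogIngestionEnabled": True}  # constructed policy proof
    ).encode(),
}
MANIFEST = build_manifest(PACKET, "2024-05-01")


def tampered_verdicts() -> dict:
    """Simulate post-export tampering: one file edited, one file added."""
    tampered = dict(PACKET)
    tampered["gap_report.pdf"] += b"edited after export\n"
    tampered["notes.txt"] = b"added after export\n"
    return verify_packet(tampered, MANIFEST)


if __name__ == "__main__":
    print(json.dumps(MANIFEST, indent=2, sort_keys=True))
    print("intact:", packet_is_intact(PACKET, MANIFEST))
    print("after tampering:", tampered_verdicts())
```

The check deliberately treats an unlisted file as a finding rather than ignoring it: a packet handed to an auditor should contain exactly the files the manifest attests to, nothing more.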
Data Handling
What the assessment touches, processes, stores, and explicitly never accesses
Data the HIPAA pack assesses
- →Conditional Access policies enforcing MFA and access controls (mapped to §164.308(a)(4), §164.312(a)(1))
- →Exchange encryption and S/MIME settings (mapped to §164.312(e)(1) Transmission Security)
- →Audit logging configuration in Entra and Microsoft Purview (§164.312(b))
- →Workstation security policies in Intune (§164.310(c))
- →Device/Media Controls — Intune device wipe, remote lock, encryption (§164.310(d))
- →Anti-malware and threat protection settings (§164.308(a)(1) Security Management Process; §164.308(a)(5)(ii)(B) Protection from Malicious Software, the one part of the Security Awareness and Training standard M365 can evidence)
- →Information access management policies (§164.308(a)(4))
How the assessment is processed
- →67 Veri-Guard controls are cross-mapped to 17 CFR sections in 45 CFR Part 164
- →Each control is scored Required (must be implemented) or Addressable (must be implemented, or met with an equivalent alternative measure, or documented as not reasonable and appropriate for the environment, per §164.306(d)(3))
- →Per-safeguard pass / fail status with CFR citations
- →Gap reports generated with auditor-friendly evidence narratives
- →AI Breach Drill scenarios tied to actual safeguard configuration (not generic playbooks)
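As an added illustration of the mapping and scoring step (not Veri-Guard's code; the page does not publish its control definitions), the Python below scores two constructed Conditional Access policies, in the shape Microsoft Graph returns from /identity/conditionalAccess/policies, against assumed control definitions. The control identifiers, the 24-hour threshold and which citation each check maps to are assumptions for the example; the Required/Addressable level is that of the cited standard or implementation specification. The practitioner point it carries: a policy in report-only mode, or an OR grant that MFA only optionally satisfies, is not evidence of an enforced safeguard.

```python
"""Score Conditional Access policies against 45 CFR Part 164 citations.

Added example, not Veri-Guard's mapping or scoring logic. Policy objects
follow the Microsoft Graph conditionalAccessPolicy shape; the control
definitions (ids, thresholds, citations) are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Control:
    control_id: str              # hypothetical identifier for this example
    citation: str                # 45 CFR Part 164 section the check evidences
    level: str                   # "Required" or "Addressable" per the Security Rule
    check: Callable[[list], bool]


def enforced(policy: dict) -> bool:
    # Graph states: enabled, disabled, enabledForReportingButNotEnforced.
    # Report-only and disabled policies enforce nothing and are not evidence.
    return policy.get("state") == "enabled"


def _include_users(policy: dict) -> list:
    return policy.get("conditions", {}).get("users", {}).get("includeUsers", [])


def _include_apps(policy: dict) -> list:
    return policy.get("conditions", {}).get("applications", {}).get("includeApplications", [])


def mfa_for_all_users(policies: list) -> bool:
    """True if some enforced policy makes MFA mandatory for all users and all apps."""
    for p in policies:
        if not enforced(p):
            continue
        grant = p.get("grantControls") or {}
        controls = grant.get("builtInControls", [])
        # With operator "OR" and several controls, a sign-in can satisfy the
        # policy without MFA (e.g. a compliant device alone). Count MFA as
        # mandatory only when it is the sole control or all controls are required.
        mfa_mandatory = "mfa" in controls and (grant.get("operator") == "AND" or controls == ["mfa"])
        if "All" in _include_users(p) and "All" in _include_apps(p) and mfa_mandatory:
            return True
    return False


def sign_in_frequency_enforced(policies: list, max_hours: int = 24) -> bool:
    """True if an enforced policy re-authenticates all users at least every max_hours."""
    for p in policies:
        if not enforced(p):
            continue
        sif = (p.get("sessionControls") or {}).get("signInFrequency") or {}
        if not sif.get("isEnabled"):
            continue
        hours = sif["value"] * (24 if sif.get("type") == "days" else 1)
        if hours <= max_hours and "All" in _include_users(p):
            return True
    return False


# Assumed control definitions. §164.312(a)(1) is the Access Control standard
# (Required); §164.312(a)(2)(iii) is the Automatic Logoff specification (Addressable).
CONTROLS = [
    Control("CA-01", "§164.312(a)(1)", "Required", mfa_for_all_users),
    Control("CA-02", "§164.312(a)(2)(iii)", "Addressable", sign_in_frequency_enforced),
]

ADDRESSABLE_NOTE = ("implement, adopt an equivalent alternative measure, "
                    "or document why it is not reasonable and appropriate")


def score(policies: list) -> list:
    findings = []
    for c in CONTROLS:
        passed = c.check(policies)
        findings.append({
            "control_id": c.control_id,
            "citation": c.citation,
            "level": c.level,
            "status": "pass" if passed else "fail",
            "note": "" if passed or c.level == "Required" else ADDRESSABLE_NOTE,
        })
    return findings


# Constructed sample policies (not from a real tenant).
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["00000000-0000-0000-0000-000000000001"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Sign-in frequency 12 hours",
        "state": "enabledForReportingButNotEnforced",   # report-only: evidences nothing
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]}},
        "sessionControls": {"signInFrequency": {"value": 12, "type": "hours", "isEnabled": True}},
    },
]

if __name__ == "__main__":
    for f in score(SAMPLE_POLICIES):
        print(f"{f['control_id']} {f['citation']:<22} {f['level']:<11} {f['status']}  {f['note']}")
```

The break-glass exclusion in the first sample policy is the usual shape in real tenants; the check still counts the policy because includeUsers is "All". A stricter assessment would also require that every excluded account be a documented emergency-access account, which maps to the Emergency Access Procedure specification rather than to this check.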
What is stored after assessment
- →HIPAA gap reports with CFR citations in Azure Table Storage
- →Per-safeguard pass / fail history with assessment dates
- →Evidence packet exports (PDF / DOCX) in Azure Blob Storage (encrypted at rest)
- →PHI Breach Drill session transcripts (WORM-locked, Enterprise audit trail)
- →Retention: 3 years (Enterprise/MSP) for HIPAA-tagged artifacts. Note that §164.316(b)(2)(i) requires Security Rule documentation to be retained for 6 years from its creation or the date it was last in effect, whichever is later, so export the packets you intend to rely on into your own records system rather than treating the portal as the system of record.
Data the HIPAA pack never accesses
- ✗Protected Health Information (PHI) itself — message contents, attachments, file payloads
- ✗Mailbox contents, OneDrive files, SharePoint document libraries
- ✗User passwords, MFA secrets, or recovery codes
- ✗Audit log content (only audit-logging configuration is assessed, not the logs themselves)
- ✗Patient records, clinical notes, or any ePHI stored in M365
Permissions
All read-only — HIPAA Compliance Pack inherits Veri-Guard's permissions and adds none of its own
Permission Model
HIPAA Compliance Pack inherits the read-only Microsoft Graph permissions Veri-Guard already uses. No additional Microsoft 365 permissions are required, and the pack performs no writes to your tenant. The mapping, scoring, and evidence-pack generation are all read-only post-processing of the underlying scan data.
Policy.Read.All: inherited from Veri-Guard — read Conditional Access policies, named locations, and authentication method policy for §164.312(a)(1) mapping
Directory.Read.All: inherited from Veri-Guard — read directory objects for access-management evaluation under §164.308(a)(4)
SecurityEvents.Read.All: inherited from Veri-Guard — read security configurations for §164.308(a)(1) and §164.308(a)(5) mapping
Organization.Read.All: inherited from Veri-Guard — read tenant metadata and licensing for safeguard prerequisite checks
Safety Controls
- ✓Read-only assessment — HIPAA Compliance Pack performs zero writes to your tenant
- ✓No PHI access — the pack assesses safeguard configuration, never the protected data itself
- ✓CFR-cited evidence — every assessed safeguard cites the specific 45 CFR Part 164 section
- ✓Required vs. Addressable distinction preserved exactly as written in the HIPAA Security Rule
- ✓Signed SHA-256 evidence manifests — an auditor can recompute every file digest offline and check the manifest signature
- ✓Public verification URLs let auditors confirm authenticity without portal access
- ✓WORM-locked PHI Breach Drill sessions — immutable audit trail
- ✓Honest scope — assessment clearly identifies what M365 cannot prove (BAAs, training, contingency plans)
