Canonical FrameworkCompliance & Audit

HIPAA (Business Associate)

HIPAA business-associate control-mapping starter for service providers that handle PHI for covered entities. It references BAA and subcontractor duties and provides configurable gateway controls for access, auditing, and encryption; contractual and breach-response obligations require separate implementation.

This template is a configurable starting point and control mapping. It is not certification, legal advice, or a guarantee of compliance; validate it against your obligations and environment before use.

Regions

US

References

4 references

Mapped Control Domains

6 mapped domains

Deployment

Clinical Zero-Retention, Private Cloud

Referenced Frameworks, Standards & Obligations

HIPAA Privacy Rule (45 CFR Part 164 Subpart E)HIPAA Security Rule (45 CFR Part 164 Subpart C)45 CFR Parts 160 and 164HITECH Act § 13401

Mapped Control Domains

PHI Protection
Data Processing Agreements
Audit Logging
Access Control
Data Encryption
Breach Notification

Deployment profiles

Clinical Zero-Retention
Private Cloud

Get started in 3 steps

1

Open the template

Open the catalog entry in the Keeptrusts console and review its included controls, references, and deployment metadata.

2

Adapt the configuration

Use the template as a starting point, then adjust relevant policies, thresholds, routing, and review settings for your requirements.

3

Validate before rollout

Test every outcome you configure—such as allow, redact, block, or operator review—before deploying through a supported gateway workflow.