HIPAA & GDPR · Control Posture · 07:30:48 Sun, May 24
HIPAA & GDPR
Live control posture across the HIPAA Security Rule, GDPR Articles 25, 28, 32, and PIPL Article 38.
Controls compliant: 127/128
Open findings: 1
Encryption coverage: 100%
Jurisdictions: 12
HIPAA Security Rule · §164.308-316
| Citation | Control | Evidence | Status |
|---|---|---|---|
| 164.308(a)(1) | Security Management Process | Risk analysis 2026-Q1 · accepted | Compliant |
| 164.308(a)(3) | Workforce Security | Background checks + Okta SCIM | Compliant |
| 164.308(a)(4) | Information Access Management | RBAC matrix v4.2 · ABAC overlay | Compliant |
| 164.308(a)(5) | Security Awareness & Training | 98% completion · refreshed Q1 | Compliant |
| 164.308(a)(6) | Security Incident Procedures | Runbook last drill 2026-04-22 | Compliant |
| 164.310(a)(1) | Facility Access Controls | Badge + biometric at DC | Compliant |
| 164.312(a)(1) | Access Control · technical | MFA + SSO enforced 100% | Compliant |
| 164.312(b) | Audit Controls | Immutable WORM logs · 7yr retention | Compliant |
| 164.312(c)(1) | Integrity | SHA-256 Merkle hourly verification | Compliant |
| 164.312(d) | Person/Entity Authentication | SAML 2.0 + WebAuthn | Compliant |
| 164.312(e)(1) | Transmission Security | TLS 1.3 · mTLS internal | Compliant |
| 164.316(b) | Documentation & Retention | Policy v8 review overdue 12d | Action required |
Data residency
| Jurisdiction (regime) | Region(s) |
|---|---|
| US (HIPAA) | us-east-1, us-west-2 |
| EU (GDPR) | eu-central-1 (Frankfurt) |
| UK (UK GDPR) | eu-west-2 (London) |
| China (PIPL) | cn-north-1 (separate plane) |
| Singapore (PDPA) | ap-southeast-1 |
| Australia (Privacy Act) | ap-southeast-2 |
BAAs / DPAs in force
AWS · BAA #BAA-2024-0182
Stripe · DPA v2024.3
Okta · BAA + DPA
Datadog · BAA #DD-2024-088
MongoDB Atlas · BAA + DPA
Anthropic · BAA + DPA
Open items
Policy v8 review: §164.316(b) requires security documentation to be retained for 6 years and reviewed periodically (with updates as needed). The scheduled review is overdue by 12 days.
SOC 2 Type II renewal: On track · auditor field work scheduled Jul 8-22.