Framework · HIPAA

HIPAA, enforced for healthtech from Day 0.

Healthtech is our beachhead. ZeroTB enforces every Safeguard across the same engine that runs SOC 2 and ISO 27001. PHI handling, BAA enforcement, audit log retention, breach notification.

HIPAA: Health Insurance Portability and Accountability Act
Scope

Three Safeguards. One enforcement engine.

HIPAA does not specify the technology. It specifies what must be controlled and what must be provable. ZeroTB takes that intent and maps it onto enforcement actions across your actual stack.

Administrative Safeguards run on People & Process plus Identity. Physical Safeguards run on Endpoint. Technical Safeguards run on Identity, Cloud, and Change. Same engine. Different lens.

Engagement begins with a structured PHI scope review. Every system that touches PHI is identified, mapped, and enforced. No implicit coverage assumed.

[Illustration: layered concentric compliance perimeters around a protected core]

Scope at a glance

Safeguards: Administrative · Physical · Technical
Audit log retention: 6 years, immutable
Encryption: AES-256 at rest, TLS 1.3 in transit
BAA: required for all subprocessors touching PHI
Breach notification: 60-day window, automated workflow
Domains used: all five
How the Safeguards map

Three Safeguards across the five domains.

HIPAA's three Safeguards translate cleanly to ZeroTB's enforcement model. Each Safeguard category is owned by one or more domains and enforced continuously.

01

Administrative Safeguards

Workforce management, access management, incident response, BAA oversight.

  • Workforce training on hire and annually, with sequenced escalation
  • Access provisioning, modification, and termination tied to HRIS events
  • Sanction policy enforced through workflow
  • Incident response readiness, evidenced by tabletop attestations
  • Business associate due diligence and re-attestation cadence
  • Risk analysis and risk management cadence enforced

02

Physical Safeguards

Workstation security, device controls, facility access where applicable.

  • Full disk encryption with key escrow on every PHI-bearing device
  • Device posture verified before SSO access to PHI systems
  • Patch level within SLA
  • Malware protection with current signatures
  • Device decommissioning and media disposal evidenced

03

Technical Safeguards

Access control, audit controls, integrity, transmission security.

  • Unique user identification enforced across PHI systems
  • Automatic logoff and emergency access procedures
  • Audit logs at the row level, retained 6 years, immutable
  • Encryption at rest with customer-managed keys
  • TLS 1.3 in transit; no weak cipher fallbacks
  • Integrity controls preventing unauthorized PHI modification

What ZeroTB enforces specifically

Concrete actions, traced and timestamped.

01

PHI access controlled at the IdP, with audit trail to the row level

02

BAA-bound subprocessors tracked, scoped, and re-attested on schedule

03

Audit log retention to the 6-year HIPAA standard, immutable

04

Encryption at rest with customer-managed keys; TLS 1.3 in transit

05

Breach notification workflow tied to incident detection, with the 60-day clock auto-tracked

06

Endpoint encryption verified before SSO access to PHI systems

07

Workforce training tracked per role, with non-completion routed to managers

08

Risk analysis cadence enforced; outputs become evidence for audit

09

Termination access removal cascading across every system in scope, in real time

10

Tamper-evident audit trail readable directly by an auditor or BAA partner

Run a HIPAA scope review.
