HIPAA Compliance Guide

import { Aside, Card, CardGrid } from ‘@astrojs/starlight/components’;

Bastion EDR Professional includes a live HIPAA compliance dashboard that maps your current security posture to the HIPAA Security Rule (45 CFR Part 164). This guide explains which controls Bastion satisfies out of the box and which require your configuration.

Bastion can generate a HIPAA compliance report from the console under **Compliance → HIPAA → Export Report**. This report is structured for auditors and OCR investigations.

HIPAA Security Rule — Control coverage

Administrative Safeguards (§164.308)

Requirement	Bastion coverage	Status
Security Management Process — Risk Analysis (§164.308(a)(1)(ii)(A))	Threat detection, vulnerability scoring, and incident correlation provide continuous risk evidence	✓ Built-in
Workforce Training — Security Awareness (§164.308(a)(5))	Audit logs capture every access event; use as training evidence	✓ Partial
Contingency Plan — Data Backup (§164.308(a)(7)(ii)(A))	Bastion does not manage backup policy — your backup tool satisfies this	✗ External
Security Incident Procedures (§164.308(a)(6))	Incident management with correlation, status tracking, and breach notification workflow	✓ Built-in
Audit Controls (§164.308(a)(1))	Tamper-evident audit trail for all PHI access and admin actions	✓ Built-in

Physical Safeguards (§164.310)

Requirement	Bastion coverage
Workstation Use (§164.310(b))	Process monitoring detects policy violations
Device and Media Controls (§164.310(d))	USB write blocking policy enforced by agent

Technical Safeguards (§164.312)

Requirement	Bastion coverage	Status
Access Control — Unique User Identification (§164.312(a)(1))	Per-user audit log with JWT-authenticated access	✓ Built-in
Audit Controls (§164.312(b))	Hash-chained audit logs for all PHI access, export-ready	✓ Built-in
Integrity — PHI Alteration/Destruction Protection (§164.312(c)(1))	Tamper-evident logs; PHI encrypted at rest	✓ Built-in
Person Authentication (§164.312(d))	Console requires authenticated session; SAML SSO supported	✓ Built-in
Encryption at Rest (§164.312(a)(2)(iv))	AES-256-GCM encryption for all stored PHI	✓ Built-in
Encryption in Transit (§164.312(e)(2)(ii))	TLS 1.2+ for all API traffic; gRPC over TLS	✓ Built-in

PHI access timeline

Every access to PHI-tagged data is recorded in the HIPAA → PHI Access Timeline view:

• User identity
• Timestamp (UTC)
• Resource accessed
• Action performed (read, write, export)
• Outcome (allowed, denied)

Entries are immutable and hash-chained. Any tampering breaks the chain and is flagged.

PHI encryption

Bastion encrypts PHI fields at rest using AES-256-GCM with automatic key rotation. The encryption key is stored separately from the data.

To verify encryption status:

Console → Settings → Security → Encryption Status

This shows the current key ID, last rotation date, and the count of encrypted records.

Generating a compliance report

1. Navigate to Compliance → HIPAA
2. Review the live compliance score and control checklist
3. Click Export Report to generate a PDF suitable for auditors

The report includes:

• Compliance score (percentage of controls satisfied)
• Control-by-control status with evidence
• PHI access summary for the selected date range
• Open incident list

Breach notification

If a breach is detected or suspected:

1. Navigate to Compliance → Breach Notification
2. Select the affected data scope and incident
3. Bastion generates a draft HHS breach notification letter per 45 CFR §164.410

The generated letter is a **draft starting point** — it must be reviewed by your legal or compliance team before submission to HHS.

Business Associate Agreement

Bastion EDR runs entirely on your infrastructure. Halden Technologies does not receive, store, or process your PHI. A Business Associate Agreement (BAA) is not required for the on-premises product.

If you use Bastion’s hosted demo environment (demo.bastionedr.com) for evaluation, contact [email protected] to execute a BAA before loading any real PHI.