HIPAA Compliance Guard

Purpose and Intent

The hipaa-compliance-guard is a specialized auditing tool for the healthcare industry. Its goal is to provide a technical assessment of how well an application adheres to the HIPAA Security Rule, specifically focusing on the protection of Electronic Protected Health Information (ePHI).

When to Use

• Architecture Reviews: Run during the design phase to ensure encryption and logging are planned.
• Pre-Audit Self-Assessment: Use before a formal 3rd-party HIPAA audit to identify and fix low-hanging violations.
• Infrastructure Changes: Run after modifying Terraform or Cloud scripts to ensure security groups or encryption haven’t been compromised.

When NOT to Use

• Real Patient Data: This tool should NOT be used on live databases containing PHI. It is for checking the systems that handle the data.
• Legal Certification: Passing this audit does not mean you are “HIPAA Certified”; it means your technical configuration follows best practices.

Error Conditions and Edge Cases

• Obfuscated Infrastructure: If cloud resources are created via manual console actions (ClickOps) instead of code, this tool cannot see them.
• Custom Encryption: Proprietary or non-standard encryption methods may be flagged as warnings.

Security and Data-Handling Considerations

• No PHI Access: The tool is designed to look at configurations, not data.
• Local Analysis: Keep your infrastructure code local and run the scan within your trusted environment.