HIPAA Security Rule mapping. 22 standards, citation by citation.
This is the public version of the control-mapping document referenced in our BAA Schedule 1. Each Security Rule standard from 45 CFR 164.308 through 164.316 is mapped to the kolm control or process that satisfies it, with a link to the artifact, endpoint, or policy that proves it. Refreshed quarterly. Last refresh 2026-05-16.
Administrative safeguards.
Nine standards covering security management, workforce controls, training, incident response, contingency, evaluation, and business associate contracts.
| Citation | Standard | R/A | kolm control | Evidence |
|---|---|---|---|---|
| 164.308(a)(1)(i) | Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations. | Required | Written information security program reviewed annually. Risk analysis updated each release. Sanction policy and information system activity review documented. Continuous-monitoring evidence collection runs on every change via Vanta. | Internal policy on file. Request via security@kolm.ai. |
| 164.308(a)(2) | Assigned Security Responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures. | Required | Named Security Officer of record is the CTO. Contact path is security@kolm.ai and the disclosure mailbox is published in /.well-known/security.txt. | /.well-known/security.txt |
| 164.308(a)(3)(i) | Workforce Security. Implement policies and procedures to ensure that all members of the workforce have appropriate access to ePHI and to prevent those who should not have access from obtaining access. | Required | Role-based access control. Background checks on hire for any role with PHI access. Quarterly access review. Immediate revocation on offboarding via single-source-of-truth identity provider. | Internal policy on file. Request via security@kolm.ai. |
| 164.308(a)(4)(i) | Information Access Management. Implement policies and procedures for authorizing access to ePHI consistent with the Privacy Rule. | Required | Least-privilege model. Production PHI access requires explicit ticketed grant with named purpose and time-bound expiry. Per-tenant API keys scope every read; cross-tenant reads return 404. Customer-hosted bridge keeps PHI inside Covered Entity infrastructure by default. | /baa Schedule 1 · /security |
| 164.308(a)(5)(i) | Security Awareness and Training. Implement a security awareness and training program for all members of the workforce. | Required | Annual HIPAA security awareness training required for every employee and contractor with potential PHI access. Phishing simulations quarterly. Completion records retained for the duration of employment plus six years. | Internal training records on file. Request via security@kolm.ai. |
| 164.308(a)(6)(i) | Security Incident Procedures. Implement policies and procedures to address security incidents. | Required | Documented incident response runbook with severity classification, on-call rotation, and customer-facing notification path. Breach notification under BAA Schedule 1 is 10 business days; operational best-effort initial notice within 24 hours of discovery. | /baa Breach Notification clause · /security#disclosure |
| 164.308(a)(7)(i) | Contingency Plan. Establish policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI. | Required | Data backup plan with daily Postgres backups retained 30 days. Disaster recovery plan tested annually. Customer-owned .kolm artifacts remain in customer possession and are unaffected by any kolm-side outage; the runtime is offline-capable. | Internal contingency plan on file. Request via security@kolm.ai. |
| 164.308(a)(8) | Evaluation. Perform a periodic technical and nontechnical evaluation that establishes the extent to which security policies and procedures meet the requirements of this subpart. | Required | Annual third-party penetration test (Halborn 2026-04, 0C / 1H / 3M / 3I, all P0/P1 closed). Continuous control monitoring via Vanta. SOC 2 Type I attestation target Q3 2026; Type II window opens Q4 2026. | /security/halborn-2026-04 · /soc2 |
| 164.308(b)(1) | Business Associate Contracts and Other Arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit ePHI on its behalf only if the covered entity obtains satisfactory assurances. | Required | Founder-signable BAA with PHI Schedule 1 (10 clauses) covers Purpose, Permitted Uses, Safeguards, Breach Notification, Subprocessor flow-down, Return / Destruction, Audit Rights, Mitigation, Security Rule mapping, and Survival. Subprocessor flow-down published in the BAA and inventory at /subprocessors. | /baa · /subprocessors |
Physical safeguards.
Four standards covering facility access, workstation use and security, and device and media controls. kolm runs on managed cloud infrastructure; physical controls are inherited from subprocessors and documented below.
| Citation | Standard | R/A | kolm control | Evidence |
|---|---|---|---|---|
| 164.310(a)(1) | Facility Access Controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed. | Required | kolm operates no data center. All production compute runs on Railway (US-East) and Vercel; both vendors inherit physical security from their hyperscaler substrates (AWS, GCP) with SOC 2 Type II and ISO 27001 attestations on file. kolm office access is keycarded with visitor log. | /subprocessors Railway and Vercel rows. |
| 164.310(b) | Workstation Use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI. | Required | Acceptable Use Policy specifies workstations may be used only for assigned duties. Production PHI access from personal devices is prohibited. Workstation policy is mandatory at onboarding and reviewed annually. | Internal AUP on file. Request via security@kolm.ai. |
| 164.310(c) | Workstation Security. Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users. | Required | Mandatory full-disk encryption (FileVault, BitLocker, LUKS). Screen lock under 5 minutes. Mobile device management enforces baseline configuration. Lost or stolen devices remote-wiped within the same business day. | Internal endpoint policy on file. Request via security@kolm.ai. |
| 164.310(d)(1) | Device and Media Controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility. | Required | Removable media prohibited from production-access workstations. Decommissioned hardware wiped to NIST SP 800-88 Clear or Purge standard with destruction certificate retained. Cloud-side media disposal inherited from Railway and Vercel. | Internal disposal records on file. Request via security@kolm.ai. |
Technical safeguards.
Five standards covering access control, audit controls, integrity, person or entity authentication, and transmission security. Each maps to a shipped surface that an auditor can verify directly.
| Citation | Standard | R/A | kolm control | Evidence |
|---|---|---|---|---|
| 164.312(a)(1) | Access Control. Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights. | Required | Per-tenant API keys issued at signup; every record carries a tenant ID. Cross-tenant reads return 404 (existence-hiding) and cross-tenant writes return 400. Tested on every release in scripts/sensitive-data-readiness.sh. Automatic logoff via short-lived bearer tokens. | /spec/codebase isolation section · sensitive-data-readiness.sh |
| 164.312(b) | Audit Controls. Implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI. | Required | 4-ring receipt chain (compile, run, eval, audit) with HMAC-SHA256 signatures. Tenant-scoped audit log retained 30 days, queryable via GET /v1/audit/log. Payload-free by design; no PHI in the log itself, only metadata (sha256, K-score, timestamp, tenant ID). | /docs#audit · /spec/kolm-format-v1 |
| 164.312(c)(1) | Integrity. Implement policies and procedures to protect ePHI from improper alteration or destruction. | Required | HMAC-SHA256 4-ring receipt chain seals each compile, run, eval, and audit event. kolm inspect <artifact>.kolm re-runs verification over the manifest, recipes, eval set, and receipt body. Any tamper breaks the chain. Database integrity via Postgres transactional writes and daily backups. | /spec/kolm-format-v1 receipt section |
| 164.312(d) | Person or Entity Authentication. Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. | Required | API key authentication on every PHI-bearing route. Keys are hashed at rest (Argon2id) and verified in constant time. Human workforce access requires SSO with mandatory hardware-key MFA. Customer-side SSO/SAML available on Enterprise tier. | /docs auth section · /enterprise |
| 164.312(e)(1) | Transmission Security. Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. | Required | TLS 1.3 minimum on every endpoint. HSTS with max-age=63072000; includeSubDomains; preload in production. HTTP requests redirected to HTTPS with 308. Customer-hosted bridge architecture keeps PHI off the public network entirely for the default deployment. | vercel.json headers · /security shipped controls |
Organizational, policies, and documentation.
Four standards covering Business Associate Contracts (organizational requirement), Group Health Plan applicability, and the umbrella Policies and Procedures and Documentation requirements.
| Citation | Standard | R/A | kolm control | Evidence |
|---|---|---|---|---|
| 164.314(a)(1) | Business Associate Contracts (Organizational). The contract or other arrangement between the covered entity and the business associate must meet the requirements of paragraph (a)(2). | Required | Standard kolm BAA satisfies 45 CFR 164.314(a)(2)(i): permits and limits PHI uses, requires appropriate safeguards, requires reporting of unauthorized use or disclosure, requires subprocessor flow-down, requires return or destruction at termination, authorizes termination for material breach. PHI Schedule 1 enumerates the 10 operative clauses in plain language. | /baa |
| 164.314(b)(1) | Group Health Plan Requirements. The plan documents of the group health plan shall be amended to incorporate provisions to require the plan sponsor to reasonably and appropriately safeguard ePHI. | N/A | Not applicable. kolm is not a group health plan and does not sponsor or administer a group health plan. This standard applies to covered entities that are themselves group health plans. | N/A by entity type. |
| 164.316(a) | Policies and Procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart. | Required | Written information security policy set covers all 22 Security Rule standards. Policy library is reviewed at least annually and on any material change to the system. Policy ownership assigned to the Security Officer (CTO). | Internal policy library on file. Request via security@kolm.ai. |
| 164.316(b)(1) | Documentation. Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form, and if an action, activity or assessment is required by this subpart, maintain a written record of the action, activity, or assessment. | Required | All policies, risk analyses, incident records, training completions, access reviews, disposal certificates, and receipt-chain audit logs are retained for at least six years from the date of creation or the date last in effect, whichever is later. Receipt chain is durable per .kolm format v1.0. | Internal documentation set on file · /docs#compliance-package |
How to verify this mapping yourself.
Five lookups any auditor or privacy officer can run today. Each returns a verifiable artifact, not a slide.
- Fetch the compliance package. `curl -H "Authorization: Bearer $KOLM_API_KEY" https://kolm.ai/v1/account/compliance-package` returns a signed JSON bundle covering tenant, controls, BAA status, subprocessor inventory, HIPAA / SOC 2 / HITRUST / GDPR posture, receipt records, audit log, and signed-at timestamp. One file, attestation chain inside. See /docs#compliance-package.
- Re-run the receipt chain offline. `kolm inspect <artifact>.kolm` re-runs HMAC-SHA256 verification across all four rings using the tenant signing secret you archived at compile time. Tamper breaks the chain. Format spec at /spec/kolm-format-v1. This satisfies 164.312(c)(1) integrity in front of you.
- Pull the audit log. `curl -H "Authorization: Bearer $KOLM_API_KEY" "https://kolm.ai/v1/audit/log?limit=100"` returns the tenant-scoped 4-ring entries with HMAC signatures, sha256, K-score, and timestamps. Payload-free by design; no PHI in the log. This satisfies 164.312(b) audit controls.
- Probe the OpenAPI surface. `curl https://kolm.ai/openapi.json` returns the complete operative API surface. Every PHI-bearing route requires authentication; unauthed calls return 401 and cross-tenant reads return 404. This satisfies 164.312(a)(1) and 164.312(d).
- Inspect transmission security. `curl -I https://kolm.ai/v1/health` returns `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload` and TLS 1.3. HTTP requests redirect with 308. This satisfies 164.312(e)(1) transmission security.
- Confirm subprocessor flow-down. Read /subprocessors for the full inventory with 30-day change-notice subscription. Confirm that, by design, Vercel, Railway, Stripe, Resend, Cloudflare, and GitHub do not receive PHI under the default architecture. This is the operational evidence for 164.308(b)(1) and the BAA Subprocessor flow-down clause.
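The Audit Controls and Integrity rows in the technical safeguards table, and the offline re-verification step above, all rest on one mechanism: each of the four rings is sealed with HMAC-SHA256 and each seal covers the previous ring's seal, so altering any ring breaks every later link. The following is an added example of that construction; it is not the .kolm v1 format or the kolm inspect implementation. The receipt field names, the canonical JSON encoding, and the sample payloads are assumptions made so the block runs stand-alone. It keeps to the metadata the page says the log carries (sha256, timestamp, tenant ID) and stores no payload in the receipt.

```python
"""Illustrative chained-HMAC receipt verification (added example, not the .kolm v1 format).

Assumptions: four rings in fixed order, a receipt with fields ring / tenant_id /
sha256 / timestamp / prev_mac / mac, and canonical JSON (sorted keys, no
whitespace) as the MAC input. The receipt holds only metadata; the payload
itself is referenced by its sha256.
"""
import hashlib
import hmac
import json

RINGS = ("compile", "run", "eval", "audit")


def canonical(receipt: dict) -> bytes:
    # Stable byte encoding of every field except the MAC itself.
    body = {k: v for k, v in receipt.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_chain(secret: bytes, tenant_id: str, payloads: dict, timestamps: dict) -> list:
    """Seal each ring; each MAC covers the previous ring's MAC via prev_mac."""
    chain, prev_mac = [], ""
    for ring in RINGS:
        receipt = {
            "ring": ring,
            "tenant_id": tenant_id,
            "sha256": hashlib.sha256(payloads[ring]).hexdigest(),
            "timestamp": timestamps[ring],
            "prev_mac": prev_mac,
        }
        receipt["mac"] = hmac.new(secret, canonical(receipt), hashlib.sha256).hexdigest()
        chain.append(receipt)
        prev_mac = receipt["mac"]
    return chain


def verify_chain(secret: bytes, chain: list, payloads: dict) -> tuple:
    """Return (ok, failing_ring). payloads maps ring -> bytes of the archived artifact part."""
    if [r.get("ring") for r in chain] != list(RINGS):
        return False, "structure"
    prev_mac = ""
    for receipt in chain:
        ring = receipt["ring"]
        # Link check: this receipt must point at the MAC we just verified.
        if receipt["prev_mac"] != prev_mac:
            return False, ring
        # Content check: the archived payload must still hash to what was sealed.
        if receipt["sha256"] != hashlib.sha256(payloads[ring]).hexdigest():
            return False, ring
        # Seal check: recompute the MAC under the archived tenant signing secret.
        expected = hmac.new(secret, canonical(receipt), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, receipt["mac"]):
            return False, ring
        prev_mac = receipt["mac"]
    return True, None


# Constructed sample inputs (not real artifacts).
SECRET = b"tenant-signing-secret-archived-at-compile-time"
PAYLOADS = {"compile": b"manifest+recipes", "run": b"run output",
            "eval": b"eval set", "audit": b"audit body"}
TIMESTAMPS = {"compile": 1, "run": 2, "eval": 3, "audit": 4}

if __name__ == "__main__":
    chain = build_chain(SECRET, "tenant-a", PAYLOADS, TIMESTAMPS)
    print(verify_chain(SECRET, chain, PAYLOADS))          # (True, None)
    chain[2]["timestamp"] = 99                             # edit the eval receipt
    print(verify_chain(SECRET, chain, PAYLOADS))          # (False, 'eval')
```

Because verification needs the secret that was archived at compile time, a third party who holds only the artifact can confirm its internal consistency but cannot forge a fresh seal, which is what makes the offline check meaningful as integrity evidence.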
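The transmission-security lookup above hands the auditor two things to judge: an HSTS header and a redirect status. The following is an added auditor-side check, not kolm tooling: it parses a Strict-Transport-Security value as `curl -I` prints it and tests it against the HSTS preload-list bar (max-age of at least one year, includeSubDomains, preload), and checks that an HTTP-to-HTTPS redirect is permanent and lands on https. The response text it runs over is constructed to match the header the page quotes.

```python
"""Illustrative HSTS and redirect check over a curl -I response (added example, not kolm tooling).

The preload bar used here is the public hstspreload.org requirement:
max-age >= 31536000, includeSubDomains, preload. The sample response is constructed.
"""
import re

ONE_YEAR = 31536000


def parse_hsts(value: str) -> dict:
    """Split 'max-age=...; includeSubDomains; preload' into a directive map (names lowercased)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(value: str) -> list:
    """Return a list of findings; empty means the header meets the preload bar."""
    d = parse_hsts(value)
    findings = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not an integer")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    if "preload" not in d:
        findings.append("preload missing")
    return findings


def check_redirect(status_line: str, location: str) -> list:
    """A plain-HTTP request should be answered with a permanent redirect to https."""
    findings = []
    m = re.match(r"HTTP/\S+\s+(\d{3})", status_line)
    code = int(m.group(1)) if m else None
    if code not in (301, 308):
        findings.append(f"redirect status {code} is not permanent (301/308)")
    if not location.lower().startswith("https://"):
        findings.append("Location does not point to https")
    return findings


def audit_https_response(raw: str) -> list:
    """Take the raw text of a curl -I response on an https URL and return findings."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return ["Strict-Transport-Security header absent"]
    return check_hsts(hsts)


# Constructed sample of what the page says the health endpoint returns.
GOOD_RESPONSE = """HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-type: application/json
"""

if __name__ == "__main__":
    print(audit_https_response(GOOD_RESPONSE))  # []
    print(check_hsts("max-age=300"))            # three findings
```

Note that `curl -I` alone does not print the negotiated TLS version; confirming "TLS 1.3 minimum" needs a verbose run (`curl -v`) or a separate TLS scan, so this block checks only what the header text itself can prove.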