
HIPAA

What Escape tests against HIPAA (the Security Rule and Breach Notification Rule), and how to use the HIPAA block in reporting.

What We Cover

Escape's HIPAA coverage focuses on the technical safeguards and the application-layer surface where PHI flows. Findings map to:

  • 164.308(a)(1) Security Management Process: continuous vulnerability scanning, usable as evidence for the risk analysis and risk management implementation specifications.
  • 164.312(a) Access Controls: BOLA (broken object-level authorization), broken authentication and session-management findings.
  • 164.312(b) Audit Controls: audit-log coverage is evidenced through the Audit Logs feature.
  • 164.312(c) Integrity: integrity bugs such as mass assignment and IDOR on PHI-carrying endpoints.
  • 164.312(e) Transmission Security: TLS posture, cipher-suite checks, unencrypted PHI transport.

Sensitive-data scalars tuned for healthcare (patient identifiers, MRNs, ICD codes) are tracked, so a PHI value observed in an API response outside its protected context (for example, returned without authentication or over plaintext transport) is flagged as PHI exposure on that endpoint.
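The kind of scalar matching described above, as an added illustration that is not Escape's own code (Escape's rule set is not published). The MRN format, the ICD-10 regex, the field-name hints and the sample response are all assumptions constructed for the example; real MRN formats vary by provider. It walks a JSON response, classifies each scalar, and maps an exposure to the Security Rule sections it would implicate given the transport and authentication state of the request:

```python
import json
import re

# Hypothetical scalar rules (assumption: illustrative patterns, not Escape's).
# ICD-10-CM: letter (no U), two alphanumerics, optional dot plus 1-4 more (e.g. E11.9).
ICD10_RE = re.compile(r"^[A-TV-Z][0-9][0-9A-Z](?:\.[0-9A-Z]{1,4})?$")
# Constructed MRN format: literal 'MRN' followed by 6-10 digits.
MRN_RE = re.compile(r"^MRN[0-9]{6,10}$")
# JSON keys containing one of these substrings are treated as PHI carriers.
PHI_KEY_HINTS = ("mrn", "patient_id", "diagnosis", "icd", "ssn", "dob")


def walk(node, path=""):
    """Yield (json_path, value) for every scalar in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def classify(path, value):
    """Return the PHI category a scalar matches (value first, then key name), or None."""
    key = path.rsplit(".", 1)[-1].lower()
    if isinstance(value, str):
        if MRN_RE.match(value):
            return "MRN"
        if ICD10_RE.match(value):
            return "ICD-10"
    if any(hint in key for hint in PHI_KEY_HINTS):
        return "PHI-field"
    return None


def scan_response(body, tls, authenticated):
    """Scan one API response body; each finding lists the Security Rule sections implicated."""
    findings = []
    for path, value in walk(json.loads(body)):
        category = classify(path, value)
        if category is None:
            continue
        sections = []
        if not tls:
            sections.append("164.312(e)")  # PHI sent over unencrypted transport
        if not authenticated:
            sections.append("164.312(a)")  # PHI reachable without access control
        findings.append({"path": path, "category": category, "sections": sections})
    return findings


# Constructed sample response from a hypothetical patient-listing endpoint.
SAMPLE_RESPONSE = json.dumps({
    "patients": [
        {"patient_id": 1042, "mrn": "MRN00123456", "diagnosis_code": "E11.9", "room": "4B"},
    ],
    "request_id": "abc-123",
})

if __name__ == "__main__":
    # Simulate an unauthenticated plaintext request that returned the sample body.
    print(json.dumps(scan_response(SAMPLE_RESPONSE, tls=False, authenticated=False), indent=2))
```

Value-based rules run before key-name rules so that a PHI value stored under an innocuous key (`"code": "E11.9"`) is still caught; the key hints catch identifiers whose format is unknown. An empty `sections` list still counts as exposure worth tagging to the asset; it just does not by itself fail the transport or access-control section.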

How to Enable

  1. Turn on the HIPAA framework under Organization Settings -> Compliance.
  2. Tag your PHI-touching assets with the hipaa compliance tag.
  3. Add the HIPAA block to reports shared with your privacy and security office.

What the Report Contains

Per enabled asset: each relevant Security Rule section, the security tests mapped to it, the findings in scope, and a pass/fail posture. Reports are ready to attach to a BAA audit trail.

No healthcare-specific warranty is implied; use Escape as one piece of a larger HIPAA compliance program.