HIPAA Compliance Statement
Document owner: Privacy and Compliance Officer
Version: 3.0
Effective date: January 1, 2026
Last updated: January 15, 2026
Classification: Public — Trust Center
Review cadence: Annual review; ad hoc review upon material changes to PHI processing capabilities
Company: Acme Cloud, Inc.
Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA
Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com
1. Document Purpose and Objectives
This HIPAA Compliance Statement describes how Acme Cloud, Inc. supports healthcare organizations, healthcare providers, health plans, healthcare clearinghouses, and their business associates that are subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. The statement details our administrative, physical, and technical safeguards for Protected Health Information (PHI) when customers configure the Acme Cloud platform to process PHI under an executed Business Associate Agreement (BAA).
The primary objectives of this HIPAA Compliance Statement include the following commitments to healthcare customers and the patients whose information they entrust to Acme Cloud:
| Objective | Description | Verification Method |
|---|---|---|
| Regulatory Compliance | Implement safeguards meeting HIPAA Security Rule requirements for electronic PHI | Annual HIPAA security risk assessment; SOC 2 Type II audit |
| Patient Privacy Protection | Protect the confidentiality, integrity, and availability of PHI processed in our platform | Security controls; access auditing; breach monitoring |
| Business Associate Obligations | Fulfill all obligations under executed Business Associate Agreements | BAA compliance tracking; contractual adherence |
| Breach Notification | Detect and report breaches of unsecured PHI within required timelines | Incident response procedures; notification workflows |
| Customer Enablement | Provide customers with tools and documentation to maintain their own HIPAA compliance | Configuration guides; evidence packages; training resources |
| Continuous Improvement | Maintain and enhance HIPAA controls based on evolving threats and regulatory guidance | Annual risk assessment; remediation tracking; control updates |
This statement aligns with the HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164), HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164), HIPAA Breach Notification Rule (45 CFR Part 164 Subpart D), and HITECH Act requirements. It complements our Security Overview, Incident Response Plan, Data Retention Policy, and Encryption Standards.
2. Definitions and Terminology
This section establishes standard terminology used throughout the HIPAA Compliance Statement consistent with regulatory definitions.
| Term | Definition |
|---|---|
| Protected Health Information (PHI) | Individually identifiable health information transmitted or maintained in any form or medium, relating to past, present, or future physical or mental health condition, healthcare provision, or payment for healthcare |
| Electronic Protected Health Information (ePHI) | PHI that is created, received, maintained, or transmitted in electronic form |
| Covered Entity | Health plans, healthcare clearinghouses, and healthcare providers who transmit health information in electronic form in connection with HIPAA-covered transactions |
| Business Associate | A person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity, or provides services to a covered entity involving PHI disclosure |
| Business Associate Agreement (BAA) | Contract between a covered entity and business associate (or between business associates) establishing permitted uses and disclosures of PHI and required safeguards |
| Subcontractor | A person or entity to whom a business associate delegates a function, activity, or service involving the creation, receipt, maintenance, or transmission of PHI |
| Minimum Necessary | Standard requiring that uses, disclosures, and requests for PHI be limited to the minimum necessary to accomplish the intended purpose |
| Breach | Acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI |
| Unsecured PHI | PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction |
| Security Incident | Attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations |
| Workforce | Employees, volunteers, trainees, and other persons under the direct control of a covered entity or business associate |
| Administrative Safeguards | Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures |
| Physical Safeguards | Physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment |
| Technical Safeguards | Technology and related policies and procedures to protect and control access to ePHI |
| Required Specification | Security Rule implementation specification that must be implemented |
| Addressable Specification | Security Rule implementation specification that must be assessed; if reasonable and appropriate, implemented; or if not, documented with alternative measure |
3. Scope and Applicability
This HIPAA Compliance Statement applies to the processing of PHI within the Acme Cloud platform under an executed Business Associate Agreement.
3.1 Business Associate Agreement Availability
| Plan Tier | BAA Available | Execution Method | Prerequisites |
|---|---|---|---|
| Enterprise | Yes | Order form addendum or standalone BAA | Enterprise subscription; designated HIPAA workspace |
| Business | Yes (healthcare vertical) | Sales-assisted execution | Business subscription; healthcare use case verification |
| Starter | No | N/A | PHI processing prohibited |
| Free | No | N/A | PHI processing prohibited |
A signed Business Associate Agreement is required before processing PHI in the Acme Cloud platform. Without an executed BAA, customers must not submit, store, or process PHI through the Service. Customers using Starter or Free plans are prohibited from processing PHI under any circumstances.
3.2 Customer Obligations
Customers processing PHI in Acme Cloud acknowledge and accept the following obligations:
| Obligation Category | Customer Responsibility | Acme Cloud Support |
|---|---|---|
| BAA Execution | Execute BAA before any PHI processing | BAA template; execution workflow |
| Configuration | Enable required security settings for HIPAA workspaces | Configuration guide; workspace templates |
| Access Control | Implement minimum necessary access for their users | RBAC capabilities; access review tools |
| Training | Train their workforce on PHI handling in the platform | Training documentation; configuration guides |
| Incident Reporting | Report suspected incidents involving PHI | Incident reporting channels; response coordination |
| Documentation | Maintain their own HIPAA compliance documentation | Evidence packages; audit support |
| Risk Assessment | Include Acme Cloud in their own risk assessment process | Risk assessment questionnaire; security documentation |
3.3 Scope of PHI Processing
| Processing Activity | In Scope | Configuration Required |
|---|---|---|
| Storage of ePHI in designated workspaces | Yes | HIPAA workspace designation |
| Transmission of ePHI through APIs | Yes | TLS 1.2+ enforcement |
| Processing of ePHI for service delivery | Yes | BAA execution |
| Support access to environments containing ePHI | Yes | Support authorization configuration |
| Analytics and reporting on ePHI | Limited - aggregated/de-identified only | Analytics configuration |
| AI feature processing of ePHI | No - explicitly prohibited without written approval | AI features disabled by default |
| Backup and recovery of ePHI | Yes | Standard backup coverage |
4. Administrative Safeguards
Acme Cloud implements administrative safeguards aligned with 45 CFR §164.308 to manage the selection, development, implementation, and maintenance of security measures protecting ePHI.
4.1 Security Management Process (§164.308(a)(1))
| Implementation Specification | Acme Cloud Implementation | Evidence |
|---|---|---|
| Risk Analysis (Required) | Annual HIPAA security risk assessment following NIST SP 800-30 methodology; continuous vulnerability scanning; threat monitoring | Risk assessment report; vulnerability scan results |
| Risk Management (Required) | Risk treatment plans with defined owners and timelines; control implementation tracking; residual risk acceptance process | Risk register; remediation tracking |
| Sanction Policy (Required) | Documented sanction policy for workforce members violating security policies; progressive discipline aligned with Code of Conduct | Sanction policy; HR procedures |
| Information System Activity Review (Required) | SIEM-based log monitoring and alerting; quarterly access reviews; annual audit log analysis | Monitoring dashboards; review records |
4.2 Assigned Security Responsibility (§164.308(a)(2))
| Role | Responsibility | Current Assignment |
|---|---|---|
| Security Official | Overall HIPAA security program responsibility | Chief Information Security Officer (CISO) |
| Privacy Official | HIPAA privacy and breach notification oversight | Privacy and Compliance Officer |
| Security Operations | Day-to-day security monitoring and response | Security Engineering team |
| Compliance | HIPAA compliance monitoring and audit coordination | GRC team |
4.3 Workforce Security (§164.308(a)(3))
| Implementation Specification | Acme Cloud Implementation | Evidence |
|---|---|---|
| Authorization and/or Supervision (Addressable) | Role-based access control; manager approval for access grants; supervised access for contractors | Access request workflow; approval records |
| Workforce Clearance Procedure (Addressable) | Background checks for all employees; enhanced checks for security roles; reference verification | HR screening records |
| Termination Procedures (Addressable) | Same-day access revocation upon termination; exit interview; equipment recovery | Offboarding checklist; access logs |
4.4 Information Access Management (§164.308(a)(4))
| Implementation Specification | Acme Cloud Implementation | Evidence |
|---|---|---|
| Isolating Healthcare Clearinghouse Functions (Required) | N/A - Acme Cloud is not a healthcare clearinghouse | N/A |
| Access Authorization (Addressable) | Formal access request and approval process; role-based access aligned with job functions | Access request tickets; RBAC configuration |
| Access Establishment and Modification (Addressable) | Documented procedures for granting, modifying, and revoking access; just-in-time access for production | Access management procedures; JIT logs |
4.5 Security Awareness and Training (§164.308(a)(5))
| Implementation Specification | Acme Cloud Implementation | Evidence |
|---|---|---|
| Security Reminders (Addressable) | Monthly security awareness communications; threat briefings; policy reminders | Communication records |
| Protection from Malicious Software (Addressable) | Endpoint protection training; phishing awareness; safe computing practices | Training modules |
| Log-in Monitoring (Addressable) | Failed login alerting; anomaly detection; user notification of suspicious activity | Monitoring configuration; alert records |
| Password Management (Addressable) | Password policy training; password manager guidance; MFA requirements | Training completion records |
4.6 HIPAA-Specific Training
| Training Component | Content Coverage | Frequency | Completion Tracking |
|---|---|---|---|
| HIPAA Overview | PHI definition; permitted uses and disclosures; patient rights | Annual | LMS completion |
| Minimum Necessary | Limiting PHI access and disclosure to minimum necessary | Annual | LMS completion |
| Incident Reporting | Recognizing and reporting potential breaches | Annual | LMS completion |
| Sanctions | Consequences of HIPAA violations | Annual | LMS completion |
| Acme Cloud-Specific | Platform configuration for PHI; workspace security | Annual | LMS completion |
Training completion is tracked in the Learning Management System (LMS). Non-completion triggers access suspension for roles with potential PHI access. FY2025 HIPAA training completion: 100% of applicable workforce.
4.7 Security Incident Procedures (§164.308(a)(6))
| Implementation Specification | Acme Cloud Implementation | Evidence |
|---|---|---|
| Response and Reporting (Required) | Incident Response Plan with HIPAA-specific procedures; 24/7 incident reporting; breach assessment workflow | Incident Response Plan; incident records |
4.8 Contingency Plan (§164.308(a)(7))
| Implementation Specification | Acme Cloud Implementation | Evidence |
|---|---|---|
| Data Backup Plan (Required) | Backup and Recovery Policy; automated backups; cross-region replication | Backup policy; backup verification |
| Disaster Recovery Plan (Required) | Business Continuity Plan; DR failover procedures; RTO/RPO targets | BCP; DR test results |
| Emergency Mode Operation Plan (Required) | Procedures for critical operations during emergencies; degraded mode capabilities | Emergency procedures |
| Testing and Revision Procedures (Addressable) | Quarterly backup restore testing; semi-annual DR exercises; annual plan review | Test records; plan revision history |
| Applications and Data Criticality Analysis (Addressable) | Business Impact Analysis; system tiering; recovery prioritization | BIA documentation |
4.9 Evaluation (§164.308(a)(8))
| Evaluation Activity | Frequency | Methodology | Evidence |
|---|---|---|---|
| HIPAA Security Risk Assessment | Annual | NIST SP 800-30; OCR guidance | Risk assessment report |
| Technical Vulnerability Assessment | Continuous + quarterly comprehensive | Automated scanning; penetration testing | Scan results; pen test reports |
| Policy and Procedure Review | Annual | Internal review; external benchmarking | Review records |
| SOC 2 Type II Audit | Annual | AICPA Trust Services Criteria | SOC 2 report |
4.10 Business Associate Contracts and Other Arrangements (§164.308(b))
| Requirement | Implementation | Evidence |
|---|---|---|
| Written Contract or Arrangement (Required) | BAA template meeting regulatory requirements; executed BAAs tracked | BAA register |
| Subcontractor BAAs | BAAs or equivalent agreements with subcontractors accessing PHI | Subcontractor BAA register |
5. Physical Safeguards
Acme Cloud implements physical safeguards aligned with 45 CFR §164.310 to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
5.1 Facility Access Controls (§164.310(a)(1))
| Implementation Specification | Acme Cloud Implementation | Evidence |
|---|---|---|
| Contingency Operations (Addressable) | DR site access procedures; emergency access protocols | DR procedures |
| Facility Security Plan (Addressable) | AWS data center physical security; corporate office security controls | AWS SOC reports; office security policy |
| Access Control and Validation Procedures (Addressable) | Badge access for corporate facilities; visitor management; AWS physical controls | Access logs; AWS compliance documentation |
| Maintenance Records (Addressable) | AWS maintains infrastructure; equipment maintenance tracking | AWS compliance; maintenance records |
Production infrastructure is hosted in AWS data centers with comprehensive physical security controls:
| AWS Physical Security Control | Description |
|---|---|
| Perimeter Security | Fencing, barriers, security personnel, video surveillance |
| Entry Controls | Badge readers, biometric scanners, mantrap entries |
| Monitoring | 24/7 security operations center, CCTV, intrusion detection |
| Environmental Controls | Fire detection/suppression, climate control, flood prevention |
| Compliance | SOC 2 Type II, ISO 27001, HIPAA-eligible services |
5.2 Workstation Use and Security (§164.310(b)-(c))
| Requirement | Implementation | Evidence |
|---|---|---|
| Workstation Use (Required) | Acceptable use policy; screen lock requirements; clean desk policy | Policies; compliance monitoring |
| Workstation Security (Required) | Endpoint protection; full disk encryption; MDM enrollment; remote wipe capability | MDM compliance reports |
5.3 Device and Media Controls (§164.310(d)(1))
| Implementation Specification | Acme Cloud Implementation | Evidence |
|---|---|---|
| Disposal (Required) | NIST 800-88 media sanitization for end-of-life devices; AWS media destruction for infrastructure | Destruction certificates |
| Media Re-use (Required) | Secure wipe procedures before device reassignment | Wipe verification records |
| Accountability (Addressable) | Hardware inventory tracking; chain of custody for media | Asset inventory; transfer records |
| Data Backup and Storage (Addressable) | Encrypted backup storage; access-controlled backup systems | Backup encryption configuration |
6. Technical Safeguards
Acme Cloud implements technical safeguards aligned with 45 CFR §164.312 to protect and control access to ePHI through technology and related policies and procedures.
6.1 Access Control (§164.312(a)(1))
| Implementation Specification | Acme Cloud Implementation | Evidence |
|---|---|---|
| Unique User Identification (Required) | Unique user accounts for all workforce; no shared accounts; SSO integration | Identity management system |
| Emergency Access Procedure (Required) | Break-glass procedures for emergency access; documented and audited | Emergency access procedures; access logs |
| Automatic Logoff (Addressable) | Session timeout configuration; idle session termination | Session policy configuration |
| Encryption and Decryption (Addressable) | AES-256 encryption at rest; TLS 1.2+ in transit; KMS key management | Encryption configuration; KMS policies |
6.2 Audit Controls (§164.312(b))
| Audit Capability | Implementation | Retention | Evidence |
|---|---|---|---|
| Authentication Events | Login success/failure; MFA events; session creation | 1 year hot; 3 years archive | SIEM logs |
| Authorization Events | Access grants/revocations; permission changes | 1 year hot; 3 years archive | Audit logs |
| Data Access Events | PHI access logging; query logging; download logging | 1 year hot; 3 years archive | Application audit logs |
| Administrative Events | Configuration changes; user management; system administration | 1 year hot; 3 years archive | CloudTrail; admin logs |
| Security Events | Alert triggers; incident creation; response actions | 1 year hot; 3 years archive | SIEM; incident records |
6.3 Integrity Controls (§164.312(c)(1))
| Implementation Specification | Acme Cloud Implementation | Evidence |
|---|---|---|
| Mechanism to Authenticate ePHI (Addressable) | Database integrity verification; checksum validation; version control; change management | Integrity verification logs |
6.4 Person or Entity Authentication (§164.312(d))
| Authentication Mechanism | Implementation | Evidence |
|---|---|---|
| Multi-Factor Authentication | Required for all access; hardware token or authenticator app | MFA policy; enrollment records |
| SSO Integration | SAML/OIDC federation with customer identity providers | SSO configuration |
| API Authentication | OAuth 2.0; API key management; token expiration | API security configuration |
| Service Authentication | Service accounts with managed credentials; automatic rotation | Secrets management |
6.5 Transmission Security (§164.312(e)(1))
| Implementation Specification | Acme Cloud Implementation | Evidence |
|---|---|---|
| Integrity Controls (Addressable) | TLS message integrity; checksum verification; tamper detection | TLS configuration; integrity checks |
| Encryption (Addressable) | TLS 1.2+ for all ePHI transmission; certificate management; cipher suite controls | TLS scan results; certificate inventory |
7. ePHI Data Flow and Architecture
This section describes how ePHI flows through the Acme Cloud platform and the security controls applied at each stage.
7.1 ePHI Data Flow Matrix
| Flow Stage | Encryption | Access Control | Logging | Monitoring |
|---|---|---|---|---|
| Customer to Acme Cloud (ingress) | TLS 1.2+ | Customer RBAC + MFA | Full request logging | Real-time traffic analysis |
| Acme Cloud application processing | N/A (memory only) | Application access control | Processing audit trail | Application monitoring |
| Acme Cloud storage | AES-256 at rest (KMS) | Tenant isolation; row-level security | Access logging | Storage monitoring |
| Acme Cloud to subprocessor | TLS 1.2+ | Minimum necessary; contractual limits | Metadata only (PHI excluded) | Integration monitoring |
| Support access (authorized) | TLS 1.2+ | JIT elevation; ticket-based | Full session logging | Session recording |
| Backup and recovery | AES-256 at rest | Backup access control | Backup access logging | Backup monitoring |
| Customer export/download | TLS 1.2+ | Customer authorization | Export audit logging | Download monitoring |
7.2 Architecture Security Controls
| Architecture Layer | Security Controls |
|---|---|
| Network | VPC isolation; security groups; WAF; DDoS protection; network segmentation |
| Application | Authentication; authorization; input validation; output encoding; secure session management |
| Data | Encryption at rest; encryption in transit; key management; tenant isolation |
| Infrastructure | Hardened AMIs; patch management; configuration management; immutable infrastructure |
| Monitoring | SIEM; log aggregation; anomaly detection; alerting; incident response |
8. Breach Notification
Acme Cloud implements breach notification procedures aligned with 45 CFR Part 164 Subpart D and the HITECH Act.
8.1 Breach Definition and Assessment
| Assessment Factor | Evaluation Criteria |
|---|---|
| Was PHI acquired, accessed, used, or disclosed? | Evidence of access or acquisition; disclosure to unauthorized party |
| Was the access/disclosure not permitted by the Privacy Rule? | Analysis against permitted uses and disclosures |
| Does an exception apply? | Unintentional acquisition by workforce; inadvertent disclosure within organization; good faith belief of no retention |
| Is there a low probability of compromise? | Risk assessment considering nature/extent, unauthorized recipient, whether PHI actually acquired/viewed, extent of risk mitigation |
8.2 Notification Obligations
| Notification Recipient | Trigger | Timeline | Notification Method | Content Requirements |
|---|---|---|---|---|
| Covered Entity (Customer) | Breach of unsecured PHI | Without unreasonable delay; maximum 60 days from discovery | Written notice to BAA designated contact | Nature of breach; types of PHI; recommended actions; Acme Cloud actions; contact information |
| Individual Notification Support | Customer request for breach affecting individuals | Per customer instruction | Cooperate with customer as controller | Per customer direction and regulatory requirements |
| HHS Notification Support | Breach affecting 500+ individuals | Customer responsibility; support provided | Information and documentation support | Per HHS requirements |
| Media Notification Support | Breach affecting 500+ in single state | Customer responsibility; support provided | Information and documentation support | Per regulatory requirements |
8.3 Breach Response Procedures
| Phase | Acme Cloud Actions | Timeline | Responsible |
|---|---|---|---|
| Detection | Security monitoring; incident identification; initial assessment | Immediate | Security Engineering |
| Assessment | Breach determination; PHI involvement analysis; scope identification | Within 24 hours | Security + Privacy |
| Escalation | HIPAA breach classification; customer notification preparation | Within 48 hours | Privacy Officer |
| Customer Notification | Written notification to affected covered entities | Within 60 days (earlier when possible) | Privacy Officer |
| Documentation | Breach documentation; regulatory filing support; lessons learned | Ongoing | GRC |
| Remediation | Root cause correction; control enhancement; monitoring | Per incident | Security Engineering |
9. Business Associate Subprocessor Chain
Acme Cloud maintains Business Associate Agreements or equivalent agreements with subcontractors that may access ePHI infrastructure.
9.1 PHI-Capable Subprocessors
| Subprocessor | Service Provided | PHI in Scope | BAA Status | Controls |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure hosting | Yes - infrastructure | BAA executed | HIPAA-eligible services; encryption; access controls |
| Datadog | Monitoring and observability | Excluded by configuration | BAA executed | Log filtering; no PHI in monitoring data |
9.2 Subprocessor PHI Configuration
| Subprocessor | PHI Exclusion Method | Verification |
|---|---|---|
| Datadog | Log filtering to exclude PHI fields; scrubbing rules; data masking | Configuration audit; sampling verification |
9.3 Subprocessor Change Notification
| Change Type | Notification Timeline | Customer Rights |
|---|---|---|
| New PHI-capable subprocessor | 30 days advance notice | Objection right per BAA |
| Material change to existing subprocessor | 30 days advance notice | Objection right per BAA |
| Removal of subprocessor | Informational notice | N/A |
10. HIPAA Security Rule Crosswalk
This section provides a detailed mapping of HIPAA Security Rule requirements to Acme Cloud implementations.
10.1 Administrative Safeguards (§164.308)
| Standard | Implementation Specification | Status | Acme Cloud Implementation |
|---|---|---|---|
| §164.308(a)(1)(i) | Security Management Process | Required | Documented security management program |
| §164.308(a)(1)(ii)(A) | Risk Analysis | Required | Annual HIPAA risk assessment |
| §164.308(a)(1)(ii)(B) | Risk Management | Required | Risk treatment and tracking |
| §164.308(a)(1)(ii)(C) | Sanction Policy | Required | Documented sanction policy |
| §164.308(a)(1)(ii)(D) | Information System Activity Review | Required | SIEM monitoring; audit log review |
| §164.308(a)(2) | Assigned Security Responsibility | Required | CISO designated |
| §164.308(a)(3)(i) | Workforce Security | Required | Authorization and termination procedures |
| §164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable | Implemented - access request workflow |
| §164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable | Implemented - background checks |
| §164.308(a)(3)(ii)(C) | Termination Procedures | Addressable | Implemented - same-day revocation |
| §164.308(a)(4)(i) | Information Access Management | Required | Formal access management |
| §164.308(a)(4)(ii)(A) | Isolating Healthcare Clearinghouse Functions | Required | N/A - not a clearinghouse |
| §164.308(a)(4)(ii)(B) | Access Authorization | Addressable | Implemented - RBAC |
| §164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable | Implemented - documented procedures |
| §164.308(a)(5)(i) | Security Awareness and Training | Required | Annual HIPAA training |
| §164.308(a)(5)(ii)(A) | Security Reminders | Addressable | Implemented - monthly communications |
| §164.308(a)(5)(ii)(B) | Protection from Malicious Software | Addressable | Implemented - endpoint protection |
| §164.308(a)(5)(ii)(C) | Log-in Monitoring | Addressable | Implemented - failed login alerting |
| §164.308(a)(5)(ii)(D) | Password Management | Addressable | Implemented - password policy |
| §164.308(a)(6)(i) | Security Incident Procedures | Required | Incident Response Plan |
| §164.308(a)(6)(ii) | Response and Reporting | Required | 24/7 incident response |
| §164.308(a)(7)(i) | Contingency Plan | Required | Business Continuity Plan |
| §164.308(a)(7)(ii)(A) | Data Backup Plan | Required | Automated backup procedures |
| §164.308(a)(7)(ii)(B) | Disaster Recovery Plan | Required | DR procedures and testing |
| §164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Required | Emergency procedures |
| §164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Addressable | Implemented - quarterly testing |
| §164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Addressable | Implemented - BIA |
| §164.308(a)(8) | Evaluation | Required | Annual evaluation |
| §164.308(b)(1) | Business Associate Contracts | Required | BAA program |
| §164.308(b)(4) | Written Contract or Other Arrangement | Required | BAA template; execution tracking |
10.2 Physical Safeguards (§164.310)
| Standard | Implementation Specification | Status | Acme Cloud Implementation |
|---|---|---|---|
| §164.310(a)(1) | Facility Access Controls | Required | AWS data centers; office security |
| §164.310(a)(2)(i) | Contingency Operations | Addressable | Implemented - DR access procedures |
| §164.310(a)(2)(ii) | Facility Security Plan | Addressable | Implemented - AWS + office |
| §164.310(a)(2)(iii) | Access Control and Validation Procedures | Addressable | Implemented - badge access |
| §164.310(a)(2)(iv) | Maintenance Records | Addressable | Implemented - equipment tracking |
| §164.310(b) | Workstation Use | Required | Acceptable use policy |
| §164.310(c) | Workstation Security | Required | Endpoint protection; encryption |
| §164.310(d)(1) | Device and Media Controls | Required | Media handling procedures |
| §164.310(d)(2)(i) | Disposal | Required | NIST 800-88 sanitization |
| §164.310(d)(2)(ii) | Media Re-use | Required | Secure wipe procedures |
| §164.310(d)(2)(iii) | Accountability | Addressable | Implemented - asset inventory |
| §164.310(d)(2)(iv) | Data Backup and Storage | Addressable | Implemented - encrypted backup |
10.3 Technical Safeguards (§164.312)
| Standard | Implementation Specification | Status | Acme Cloud Implementation |
|---|---|---|---|
| §164.312(a)(1) | Access Control | Required | Technical access controls |
| §164.312(a)(2)(i) | Unique User Identification | Required | Unique accounts; no sharing |
| §164.312(a)(2)(ii) | Emergency Access Procedure | Required | Break-glass procedures |
| §164.312(a)(2)(iii) | Automatic Logoff | Addressable | Implemented - session timeout |
| §164.312(a)(2)(iv) | Encryption and Decryption | Addressable | Implemented - AES-256 |
| §164.312(b) | Audit Controls | Required | Comprehensive audit logging |
| §164.312(c)(1) | Integrity | Required | Integrity controls |
| §164.312(c)(2) | Mechanism to Authenticate ePHI | Addressable | Implemented - checksums |
| §164.312(d) | Person or Entity Authentication | Required | MFA; authentication controls |
| §164.312(e)(1) | Transmission Security | Required | TLS encryption |
| §164.312(e)(2)(i) | Integrity Controls | Addressable | Implemented - TLS integrity |
| §164.312(e)(2)(ii) | Encryption | Addressable | Implemented - TLS 1.2+ |
11. Customer HIPAA Configuration Requirements
Customers must complete the following configuration steps before processing PHI in Acme Cloud.
11.1 Pre-Processing Checklist
| Step | Requirement | Verification Method | Responsible |
|---|---|---|---|
| 1 | Execute Business Associate Agreement with Acme Cloud | Signed BAA on file | Customer + Acme Cloud Legal |
| 2 | Designate HIPAA workspace(s) in Acme Cloud | Workspace configuration | Customer Admin |
| 3 | Enable MFA for all users with access to HIPAA workspaces | MFA enrollment verification | Customer Admin |
| 4 | Configure minimum necessary role permissions | RBAC configuration | Customer Admin |
| 5 | Enable audit logging and configure retention | Audit configuration | Customer Admin |
| 6 | Disable AI features for HIPAA workspaces (or obtain written approval) | Feature configuration | Customer Admin |
| 7 | Review and approve subprocessor list | Acknowledgment on file | Customer Compliance |
| 8 | Designate BAA contact for breach notification | Contact on file | Customer Admin |
| 9 | Complete Acme Cloud HIPAA configuration guide | Guide completion | Customer Admin |
| 10 | Document PHI data flows in customer's compliance program | Customer documentation | Customer Compliance |
| 11 | Train customer workforce on PHI handling in platform | Training completion | Customer |
11.2 Ongoing Compliance Activities
| Activity | Frequency | Customer Responsibility | Acme Cloud Support |
|---|---|---|---|
| Access review | Quarterly | Review and certify user access | Access review reports |
| Configuration audit | Annual | Verify HIPAA configuration maintained | Configuration export |
| Risk assessment update | Annual | Include Acme Cloud in risk assessment | Security questionnaire |
| BAA review | Upon renewal | Review BAA terms | BAA update communication |
| Subprocessor review | Upon notification | Review subprocessor changes | Subprocessor documentation |
| Incident review | Upon occurrence | Review incidents for PHI impact | Incident reports |
12. Evidence and Audit Support
Acme Cloud provides healthcare customers with evidence packages and audit support to facilitate their own HIPAA compliance programs.
12.1 Available Evidence
| Evidence Type | Content | Availability | Request Process |
|---|---|---|---|
| SOC 2 Type II Report | Trust services criteria including HIPAA-relevant controls | Under NDA | trust@acmecloud.com |
| HIPAA Security Crosswalk | Mapping of controls to Security Rule requirements | Under NDA | trust@acmecloud.com |
| HECVAT Questionnaire | Higher Education CAIQ | 7 business day completion | trust@acmecloud.com |
| SIG Lite Questionnaire | Shared Assessments questionnaire | 10 business day completion | trust@acmecloud.com |
| BAA Template | Standard Business Associate Agreement | Upon request | trust@acmecloud.com |
| Subprocessor List | Current PHI-capable subprocessors | Trust Center | Subprocessor List |
| Penetration Test Summary | Executive summary of security testing | Under NDA with CISO approval | trust@acmecloud.com |
| Risk Assessment Summary | HIPAA risk assessment summary | Enterprise under NDA | trust@acmecloud.com |
12.2 Audit Support
| Support Type | Scope | Timeline | Contact |
|---|---|---|---|
| Written questionnaire response | Customer security questionnaire | 10 business days | trust@acmecloud.com |
| Customer audit call | Security review discussion | 2 weeks scheduling | Account Executive |
| On-site audit (Enterprise) | Document review; control walkthrough | 30 days advance notice | trust@acmecloud.com |
| Regulator inquiry support | OCR or state AG inquiry response | Expedited | legal@acmecloud.com |
13. Limitations and Clarifications
13.1 Role Clarification
| Entity | HIPAA Role | Responsibilities |
|---|---|---|
| Customer (Covered Entity) | Covered Entity or Business Associate | HIPAA compliance program; patient authorization; minimum necessary determinations; workforce training; breach notification to individuals |
| Acme Cloud | Business Associate | Safeguards per BAA; breach notification to customer; subcontractor management; compliance documentation |
| Acme Cloud Subprocessors | Subcontractor / Business Associate | Safeguards per subcontractor BAA; breach notification to Acme Cloud |
13.2 Scope Limitations
| Limitation | Description |
|---|---|
| Covered Entity Obligations | Customer remains responsible for covered entity obligations including Notice of Privacy Practices, patient authorization, and individual rights requests |
| Minimum Necessary Determinations | Customer determines minimum necessary for their organization; Acme Cloud provides tools to implement |
| Workforce Training | Customer responsible for training their own users on PHI handling |
| Individual Breach Notification | Customer responsible for notifying individuals; Acme Cloud provides information support |
14. Framework Compliance Mapping
| HIPAA Requirement | Citation | SOC 2 Mapping | ISO 27001 Mapping | Implementation Reference |
|---|---|---|---|---|
| Security Management Process | §164.308(a)(1) | CC3.1, CC3.2 | A.5.1, A.5.2 | Section 4.1 |
| Assigned Security Responsibility | §164.308(a)(2) | CC1.1 | A.5.2 | Section 4.2 |
| Workforce Security | §164.308(a)(3) | CC6.1, CC6.2 | A.6.1, A.6.5 | Section 4.3 |
| Information Access Management | §164.308(a)(4) | CC6.3 | A.5.15 | Section 4.4 |
| Security Awareness and Training | §164.308(a)(5) | CC1.4 | A.6.3 | Section 4.5-4.6 |
| Security Incident Procedures | §164.308(a)(6) | CC7.3, CC7.4 | A.5.24-A.5.28 | Section 8 |
| Contingency Plan | §164.308(a)(7) | A1.2 | A.5.29, A.5.30 | Section 4.8 |
| Evaluation | §164.308(a)(8) | CC4.1 | A.5.35 | Section 4.9 |
| Business Associate Contracts | §164.308(b) | CC9.2 | A.5.19-A.5.22 | Section 9 |
| Facility Access Controls | §164.310(a) | CC6.4 | A.7.1-A.7.4 | Section 5.1 |
| Workstation Use and Security | §164.310(b)-(c) | CC6.7 | A.7.9 | Section 5.2 |
| Device and Media Controls | §164.310(d) | CC6.5 | A.7.10, A.8.10 | Section 5.3 |
| Access Control | §164.312(a) | CC6.1-CC6.3 | A.5.15-A.5.18 | Section 6.1 |
| Audit Controls | §164.312(b) | CC6.8 | A.8.15 | Section 6.2 |
| Integrity | §164.312(c) | CC6.6 | A.8.5 | Section 6.3 |
| Person or Entity Authentication | §164.312(d) | CC6.1 | A.8.5 | Section 6.4 |
| Transmission Security | §164.312(e) | CC6.7 | A.8.24 | Section 6.5 |
Related Trust Center documents
security overview, encryption standards, incident response, backup recovery, business continuity, data retention, access control, subprocessor list, dpa, compliance frameworks
Document revision history
| Version | Date | Author | Summary of changes |
|---|---|---|---|
| 1.0 | 2024-06-01 | Legal & Compliance | Initial Trust Center publication |
| 2.0 | 2025-03-15 | GRC Program | SOC 2 Type II alignment refresh; expanded subprocessors |
| 2.5 | 2025-09-01 | Security Engineering | Encryption standards update; ISO 27001 mapping |
| 3.0 | 2026-01-15 | Trust Center Program | Full procurement-grade expansion; 34-document set |
Contact
Acme Cloud, Inc.
1200 Market Street, Suite 400
San Francisco, CA 94103, USA
HIPAA inquiries: trust@acmecloud.com
BAA requests: trust@acmecloud.com
Privacy Officer: privacy@acmecloud.com
Security concerns: security@acmecloud.com