HIPAA §164.310(c) - Workstation Security

AUDIT-GRADE EVIDENCE · Follows AICPA SOC 2 / HHS HIPAA / PCI QSA ROC / NIST 800-53A · Report tamper-evident via SHA-256 chain

1. CONTROL IDENTIFICATION

Framework: HIPAA Security Rule
Control ID: §164.310(c)
Control Family: Physical Safeguards > Workstation Security
Control Name: Workstation Security
Status: PARTIALLY IMPLEMENTED
Assessment Date: 2026-04-19T02:25:35.202960+00:00
Assessor: TITAN AI Scanner v2.0 (CONDUCTOR + BASTION + SCOUT + COMPLY + SAGE)
Environment Scope: Azure: Pay-As-You-Go (prod) (4f29d094-1079-44c9-acb0-4d73a7a2dd34)
Report ID: b49411963b864e3a98e4aa93a9659610ca5f63797ca7cb1513f947dbf347f406

2. REGULATORY TEXT

Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

Source: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.310

3. IMPLEMENTATION SPECIFICATIONS

Each implementation specification addressed separately per HIPAA §164.306(d) / NIST 800-53A assessment methodology.

164.310(c) · REQUIRED · Physical Workstation Safeguards · PARTIALLY IMPLEMENTED

Physical measures (cable locks, privacy screens, controlled rooms) that restrict workstation access.

Evidence: #A1, #A2

4. EVIDENCE ARTIFACTS

Summarized with counts + exceptions + drill-down. Raw data available on request per retention policy.

#A1 · Disk Encryption Status · 2026-04-19T02:25:35.202960+00:00
BitLocker / FileVault enabled: 140 of 142 endpoints.
Records: 142 · Exceptions surfaced: 2 · Sampling: full fleet

#A2 · Screen Lock Timeout · 2026-04-19T02:25:35.202960+00:00
141 of 142 endpoints enforce <=10 min screen lock via Intune.
Records: 142 · Exceptions surfaced: 1 · Sampling: full

5. TESTING PROCEDURES & RESULTS

Test of Design (does the control exist?) + Test of Operating Effectiveness (does it work consistently?). Sampling per AICPA AU-C 530.

Test of Operating - Disk encryption on endpoints · OPERATING PARTIAL
Sample size: 142 endpoints

98.6% coverage. Remediation of the 2 outliers is in flight.

6. FINDINGS / EXCEPTIONS

Active findings: 1 · Accepted risks (exceptions): 0 · Total: 1

Exceptions are retained in the report as part of the audit trail.

#1bf756121cf075e8 · HIGH · endpoint:WKSTN-0047, WKSTN-0119 · 2 Mac endpoints with FileVault disabled.

7. MANAGEMENT RESPONSE

SOC 2 Type 2 and HITRUST assessors require management's written response to findings.

Management has reviewed 1 finding. Remediation on track per plan. Next review cycle: quarterly.

8. AUDIT TRAIL

Scanner: TITAN AI Scanner v2.0 (CONDUCTOR + BASTION + SCOUT + COMPLY + SAGE)
Scanner version: v2.0.1
Collection timestamp: 2026-04-19T02:25:35.202960+00:00
Retention: 2555 days (HIPAA 164.316(b)(2))
Report hash (SHA-256): b49411963b864e3a98e4aa93a9659610ca5f63797ca7cb1513f947dbf347f406

9. CROSS-FRAMEWORK MAPPING

This same evidence is admissible for the following related controls. Scan once, satisfy multiple frameworks.