HIPAA §164.312(a)(1) - Access Control

🔑 AUDIT-GRADE EVIDENCE. Follows AICPA SOC 2 / HHS HIPAA / PCI QSA ROC / NIST 800-53A. Report tamper-evident via SHA-256 chain.

1. CONTROL IDENTIFICATION

Framework: HIPAA Security Rule
Control ID: §164.312(a)(1)
Control Family: Technical Safeguards > Access Control
Control Name: Access Control
Status: PARTIALLY IMPLEMENTED
Assessment Date: 2026-04-19T02:25:35.202960+00:00
Assessor: TITAN AI Scanner v2.0 (CONDUCTOR + BASTION + SCOUT + COMPLY + SAGE)
Environment Scope: Azure: Pay-As-You-Go (prod) (4f29d094-1079-44c9-acb0-4d73a7a2dd34)
Report ID: af955e6e8af7b9e458d1b9f7b33cf28c1d0f2a98afd51b3d0cf361116131340f

2. REGULATORY TEXT

Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

Source: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312

3. IMPLEMENTATION SPECIFICATIONS

Each implementation specification is addressed separately per HIPAA §164.306(d) / NIST 800-53A assessment methodology.

164.312(a)(2)(i) · REQUIRED · Unique User Identification · PARTIALLY IMPLEMENTED

Assign a unique name and/or number for identifying and tracking user identity.

Evidence: #A1, #A2

164.312(a)(2)(ii) · REQUIRED · Emergency Access Procedure · PARTIALLY IMPLEMENTED

Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.

Evidence: #A1, #A2

164.312(a)(2)(iii) · ADDRESSABLE · Automatic Logoff · PARTIALLY IMPLEMENTED

Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Evidence: #A1, #A2

164.312(a)(2)(iv) · ADDRESSABLE · Encryption & Decryption · PARTIALLY IMPLEMENTED

Implement a mechanism to encrypt and decrypt electronic protected health information.

Evidence: #A1, #A2

4. EVIDENCE ARTIFACTS

Summarized with counts + exceptions + drill-down. Raw data available on request per retention policy.

#A1 RBAC Role Assignment Enumeration (2026-04-19T02:25:35.202960+00:00)
127 role assignments across 42 users + 18 SPs + 7 groups.
Records: 127 · Exceptions surfaced: 1 · Sampling: full

#A2 Shared-Account Detection (2026-04-19T02:25:35.202960+00:00)
1 SP flagged as shared (svc_legacy_etl).
Records: 1 · Exceptions surfaced: 0 · Sampling: full

#A3 Break-Glass Account + Access Log (2026-04-19T02:25:35.202960+00:00)
sa_breakglass_admin exists, 0 activations in 180d.
Records: 1 · Exceptions surfaced: 0 · Sampling: full

#A4 Session Timeout Config (2026-04-19T02:25:35.202960+00:00)
13 of 14 apps <=15min. 1 app at 45min.
Records: 14 · Exceptions surfaced: 1 · Sampling: full

#A5 Encryption-at-Rest (2026-04-19T02:25:35.202960+00:00)
All 10 stores AES-256. 9 Microsoft-managed, 1 CMK.
Records: 10 · Exceptions surfaced: 1 · Sampling: full

#A6 TLS + Cipher Enumeration (2026-04-19T02:25:35.202960+00:00)
22 public endpoints. All TLS 1.2+. No weak ciphers.
Records: 22 · Exceptions surfaced: 0 · Sampling: full

5. TESTING PROCEDURES & RESULTS

Test of Design (does the control exist?) + Test of Operating Effectiveness (does it work consistently?). Sampling per AICPA AU-C 530.

Test of Design - Unique User ID policy: DESIGN PASS
Sample size: n/a

Policy covers specs.

Test of Operating - No shared accounts: OPERATING FAIL
Sample size: 25 of 67 (AICPA AU-C 530)

1 shared SP found. See Finding #3.

Test of Operating - Session timeouts: OPERATING PARTIAL
Sample size: 14 apps

13/14 compliant. See Finding #2.

Test of Design - Break-glass procedure: DESIGN PASS
Sample size: n/a

Break-glass SOP v2.1 approved.

6. FINDINGS / EXCEPTIONS

Active findings: 2 · Accepted risks (exceptions): 1 · Total: 3

Exceptions (risk acceptances) are retained in the report as part of the audit trail.

#be2623b7d6882dac · ACCEPTED RISK · sa-finance-prod-eastus (Storage) · Encryption uses Microsoft-managed key (not CMK).
#9c7fcebc0ceca5d8 · HIGH · app-hr-portal-prod · Idle timeout 45 min (should be <=15).
#b6fbf265369dded2 · CRITICAL · svc_legacy_etl · Shared SP used by 3 ETL jobs + 2 devs. Violates unique user ID.

7. MANAGEMENT RESPONSE

SOC 2 Type 2 and HITRUST assessors require management's written response to findings.

Management has reviewed 3 findings. Remediation on track per plan. Next review cycle: quarterly.

8. AUDIT TRAIL

Scanner: TITAN AI Scanner v2.0 (CONDUCTOR + BASTION + SCOUT + COMPLY + SAGE)
Scanner version: v2.0.1
Collection timestamp: 2026-04-19T02:25:35.202960+00:00
Retention: 2555 days (HIPAA 164.316(b)(2))
Report hash (SHA-256): af955e6e8af7b9e458d1b9f7b33cf28c1d0f2a98afd51b3d0cf361116131340f

9. CROSS-FRAMEWORK MAPPING

This same evidence is admissible for the following related controls. Scan once, satisfy multiple frameworks.