HIPAA §164.312(a)(2)(iv) - Encryption and Decryption

AUDIT-GRADE EVIDENCE · Follows AICPA SOC 2 / HHS HIPAA / PCI QSA ROC / NIST 800-53A · Report tamper-evident via SHA-256 chain

1. CONTROL IDENTIFICATION

Framework: HIPAA Security Rule
Control ID: §164.312(a)(2)(iv)
Control Family: Technical Safeguards > Access Control > Encryption
Control Name: Encryption and Decryption
Status: IMPLEMENTED
Assessment Date: 2026-04-19T02:25:35.202960+00:00
Assessor: TITAN AI Scanner v2.0 (CONDUCTOR + BASTION + SCOUT + COMPLY + SAGE)
Environment Scope: Azure: Pay-As-You-Go (prod) (4f29d094-1079-44c9-acb0-4d73a7a2dd34)
Report ID: 0a8fab4ce8c9ff789518a17ef684a9d1fc5ccbf753a79e3aba70b8938eec8581

2. REGULATORY TEXT

Implementation Specification: Encryption and Decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

Source: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312

3. IMPLEMENTATION SPECIFICATIONS

Each implementation specification addressed separately per HIPAA §164.306(d) / NIST 800-53A assessment methodology.

164.312(a)(2)(iv) · ADDRESSABLE · Encryption & Decryption Mechanism · IMPLEMENTED

Encryption at rest and in transit with documented key management.

Evidence: #A1, #A2

4. EVIDENCE ARTIFACTS

Summarized with counts + exceptions + drill-down. Raw data available on request per retention policy.

#A1 · Encryption-at-Rest Inventory · 2026-04-19T02:25:35.202960+00:00
All 10 ePHI stores have AES-256.
Records: 10 · Exceptions surfaced: 1 · Sampling: full

#A2 · Encryption-in-Transit Inventory · 2026-04-19T02:25:35.202960+00:00
All 22 endpoints enforce TLS 1.2+.
Records: 22 · Exceptions surfaced: 0 · Sampling: full

#A3 · Key Management Audit · 2026-04-19T02:25:35.202960+00:00
Key Vault: 47 keys, 12 scheduled for 90-day rotation. All within SLA.
Records: 47 · Exceptions surfaced: 0 · Sampling: full

5. TESTING PROCEDURES & RESULTS

Test of Design (does the control exist?) + Test of Operating Effectiveness (does it work consistently?). Sampling per AICPA AU-C 530.

Test of Design - Encryption policy · DESIGN · PASS
Sample size: n/a

Crypto standard v1.5 current.

Test of Operating - All ePHI encrypted · OPERATING · PASS
Sample size: 10 stores

100% coverage.

6. FINDINGS / EXCEPTIONS

Active findings: 1 · Accepted risks (exceptions): 0 · Total: 1

Exceptions are retained in the report as part of the audit trail.

#3331efe761ea856d · MEDIUM · sa-finance-prod-eastus · Microsoft-managed key instead of CMK.

7. MANAGEMENT RESPONSE

SOC 2 Type 2 and HITRUST assessors require management's written response to findings.

Management has reviewed 1 finding. Remediation on track per plan. Next review cycle: quarterly.

8. AUDIT TRAIL

Scanner: TITAN AI Scanner v2.0 (CONDUCTOR + BASTION + SCOUT + COMPLY + SAGE)
Scanner version: v2.0.1
Collection timestamp: 2026-04-19T02:25:35.202960+00:00
Retention: 2555 days (HIPAA 164.316(b)(2))
Report hash (SHA-256): 0a8fab4ce8c9ff789518a17ef684a9d1fc5ccbf753a79e3aba70b8938eec8581

9. CROSS-FRAMEWORK MAPPING

This same evidence is admissible for the following related controls. Scan once, satisfy multiple frameworks.