HIPAA §164.312(d) - Person or Entity Authentication

🔑 AUDIT-GRADE EVIDENCE: follows AICPA SOC 2 / HHS HIPAA / PCI QSA ROC / NIST 800-53A. Report tamper-evident via SHA-256 chain.

1. CONTROL IDENTIFICATION

Framework: HIPAA Security Rule
Control ID: §164.312(d)
Control Family: Technical Safeguards > Authentication
Control Name: Person or Entity Authentication
Status: PARTIALLY IMPLEMENTED
Assessment Date: 2026-04-19T02:25:35.202960+00:00
Assessor: TITAN AI Scanner v2.0 (CONDUCTOR + BASTION + SCOUT + COMPLY + SAGE)
Environment Scope: Azure: Pay-As-You-Go (prod) (4f29d094-1079-44c9-acb0-4d73a7a2dd34)
Report ID: 5cd4bc8a3b8d2b6daf66c5668c5ccfcd2530acda645f48d6902d3d7f1ac5a328

2. REGULATORY TEXT

Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Source: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312

3. IMPLEMENTATION SPECIFICATIONS

Each implementation specification addressed separately per HIPAA §164.306(d) / NIST 800-53A assessment methodology.

§164.312(d) | REQUIRED | Authentication Mechanism | Status: PARTIALLY IMPLEMENTED

Multi-factor authentication, certificate-based auth, or equivalent strength mechanism for ePHI access.

Evidence: #A1, #A2

4. EVIDENCE ARTIFACTS

Summarized with counts + exceptions + drill-down. Raw data available on request per retention policy.

#A1 | MFA Enrollment | 2026-04-19T02:25:35.202960+00:00
42 of 42 human users enrolled in MFA (100%). 3 of 18 service principals have client certificates; 15 are still password-based.
Records: 60 | Exceptions surfaced: 15 | Sampling: full

#A2 | Failed-Login Anomaly Detection | 2026-04-19T02:25:35.202960+00:00
Sentinel rule SRV-LogonFailure-3sigma active. 0 alerts in last 90 days.
Records: 1 | Exceptions surfaced: 0 | Sampling: config review

#A3 | Password Policy | 2026-04-19T02:25:35.202960+00:00
AAD: 14-character minimum, 4-class complexity, 90-day maximum age, 12-password history, lockout threshold 10.
Records: 1 | Exceptions surfaced: 0 | Sampling: policy review

5. TESTING PROCEDURES & RESULTS

Test of Design (does the control exist?) + Test of Operating Effectiveness (does it work consistently?). Sampling per AICPA AU-C 530.

Test of Design - MFA policy | Result: DESIGN PASS
Sample size: n/a

Conditional access requires MFA for all ePHI-touching apps.

Test of Operating Effectiveness - 100% MFA enrollment | Result: OPERATING PASS
Sample size: 42 users

All 42 users enrolled.

Test of Operating Effectiveness - Strong SP auth | Result: OPERATING FAIL
Sample size: 18 SPs

15 of 18 SPs are still password-based. See Finding #1.

6. FINDINGS / EXCEPTIONS

Active findings: 1 · Accepted risks (exceptions): 0 · Total: 1

Exceptions (risk acceptances) are retained in the report as part of the audit trail.

#5995871b35710fad | Severity: HIGH | Resource: azure-ad-service-principals | 15 of 18 service principals use password auth instead of certificate/managed identity.

7. MANAGEMENT RESPONSE

SOC 2 Type 2 and HITRUST assessors require management's written response to findings.

Management has reviewed 1 finding. Remediation is on track per plan. Next review cycle: quarterly.

8. AUDIT TRAIL

Scanner: TITAN AI Scanner v2.0 (CONDUCTOR + BASTION + SCOUT + COMPLY + SAGE)
Scanner version: v2.0.1
Collection timestamp: 2026-04-19T02:25:35.202960+00:00
Retention: 2555 days (HIPAA §164.316(b)(2))
Report hash (SHA-256): 5cd4bc8a3b8d2b6daf66c5668c5ccfcd2530acda645f48d6902d3d7f1ac5a328

9. CROSS-FRAMEWORK MAPPING

This same evidence is admissible for the following related controls. Scan once, satisfy multiple frameworks.