HIPAA Security Rule Controls Mapping — Coverage & Gap Analysis | ControlMap

HIPAA Security Rule

The HIPAA Security Rule (45 CFR Part 164) establishes national standards for protecting electronic protected health information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. The rule includes both required and addressable implementation specifications.

94%

Coverage

46

Controls Covered

3

Gaps

49

Total Controls

Covered Controls

Controls that have explicit mappings to HIPAA requirements.

Govern (6 controls)

Gp Governance Policy

§164.308(a)(1)(i), §164.316(a)

Rm Risk Management

§164.308(a)(1)(ii)(A), §164.308(a)(1)(ii)(B)

Sc Supply Chain Risk

§164.308(b)(1), §164.314(a)(1)

Rr Roles & Responsibilities

§164.308(a)(2), §164.308(a)(3)(i)

§164.308(a)(8), §164.316(b)(1)

Vr Vendor Risk Mgmt

§164.308(b)(1), §164.314(a)(1), §164.314(a)(2)(i)

Identify (5 controls)

Am Asset Management

§164.310(d)(1), §164.310(d)(2)(iii)

Ra Risk Assessment

§164.308(a)(1)(ii)(A)

Be Business Environment

§164.308(a)(1)(i)

Da Data Classification

§164.312(a)(1)

Vn Vulnerability Mgmt

§164.308(a)(1)(ii)(A), §164.308(a)(8)

Protect (19 controls)

Aw Awareness & Training

§164.308(a)(5)(i), §164.308(a)(5)(ii)(A)

Ac Access Control

§164.312(a)(1), §164.312(a)(2)(i)

Mf Multi-Factor Auth

§164.312(a)(2)(iv), §164.312(e)(2)(ii)

Dp Data Protection

§164.312(a)(2)(iv), §164.312(c)(1), §164.312(e)(1)

Bk Backup & Recovery

§164.308(a)(7)(ii)(A), §164.310(d)(2)(iv)

Pa Privileged Access

§164.312(a)(1), §164.308(a)(3)(ii)(B)

Fw Firewall / Net Seg

§164.312(e)(1)

Ep Endpoint Protection

§164.308(a)(5)(ii)(B), §164.310(d)(1)

Pm Patch Management

§164.308(a)(1)(ii)(A), §164.308(a)(8)

Cf Secure Config

§164.310(d)(1), §164.312(a)(1)

Ml Email Security

§164.308(a)(5)(ii)(A), §164.312(e)(1)

Ws Web Security

§164.312(e)(1)

§164.312(a)(1)

Mb Mobile Security

§164.310(d)(1), §164.312(a)(1)

Cl Cloud Security

§164.308(b)(1), §164.314(a)(1)

§164.312(e)(1)

§164.312(a)(1), §164.312(e)(1)

Ap API Security

§164.312(a)(1), §164.312(e)(1)

Detect (6 controls)

Sm Cont. Monitoring

Lg Logging & Audit

§164.312(b), §164.308(a)(1)(ii)(D)

Id Intrusion Detection

§164.308(a)(1)(ii)(D), §164.312(b)

An Anomaly Detection

§164.308(a)(1)(ii)(D)

§164.308(a)(1)(ii)(D), §164.312(b)

It Insider Threat

§164.308(a)(3)(ii)(A), §164.308(a)(4)

Respond (5 controls)

Ir Incident Response

§164.308(a)(6)(i), §164.308(a)(6)(ii)

§164.308(a)(6)(ii)

Co Communication

§164.308(a)(6)(ii), §164.404(a)(1)

§164.308(a)(6)(ii)

§164.308(a)(6)(ii), §164.404(a)(1), §164.408(a)

Recover (5 controls)

Rc Recovery Planning

§164.308(a)(7)(i), §164.308(a)(7)(ii)(B)

Bc Business Continuity

§164.308(a)(7)(i), §164.308(a)(7)(ii)(C)

Ll Lessons Learned

§164.308(a)(8)

Cr Comms & Restore

§164.308(a)(7)(ii)(C)

Dr Disaster Recovery

§164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B)

Not Covered by HIPAA (3 controls)

These controls are tracked by ControlMap but do not have explicit HIPAA mappings. Organizations relying on HIPAA should consider supplementing with additional frameworks to address these gaps.

Ti Threat Intelligence

Covered by: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53

Sd Secure Development

Covered by: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR

Ds DNS Security

Covered by: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53

HIPAA vs Other Frameworks

HIPAA provides 94% coverage of the 49 cybersecurity controls tracked by ControlMap. NIST CSF 2.0 covers 100%, ISO 27001 covers 100%, CIS v8 covers 90%, SOC 2 covers 100%, PCI DSS covers 100%, CMMC covers 94%, 800-53 covers 100%, GDPR covers 96%. For maximum coverage, organizations often combine HIPAA with complementary frameworks to address gaps in areas like threat intelligence, secure development, dns security.

Other Frameworks

NIST CSF 2.0 ISO 27001 CIS v8 SOC 2 PCI DSS CMMC 800-53 GDPR

View HIPAA in Interactive Dashboard