| Control | Title | Status | Evidence |
|---|---|---|---|
| 164.308(a)(1)(ii)(D) | (R) Information system activity review | implemented | CloudTrail multi-region 7-yr retention, CW Logs CMK-encrypted, per-request audit row in DDB. Regular review surfaced via the operator console. |
| 164.308(a)(3)(ii)(A) | (A) Authorization and/or supervision | partial | API key issuance + usage plan scope at the gateway. End-user authorization inside the customer's app is the customer's IdP responsibility. Gateway: API keys. End-user IAM: customer. |
| 164.308(a)(4)(ii)(B) | (A) Access authorization | partial | Per-API-key compliance floor restricts which models/providers a key can invoke. Customer-app role-based authorization is customer responsibility. API-key gating: Optimal. App RBAC: customer. |
| 164.308(a)(5)(ii)(B) | (A) Protection from malicious software | implemented | ECR scan-on-push for the gateway image. Inline detection on prompts (PII / prompt-injection / tool-call governance). |
| 164.308(a)(5)(ii)(C) | (A) Log-in monitoring | implemented | API Gateway access logs to CW (365 d). All admin authn events to CloudTrail (7 yr). Failed-auth alerting via GuardDuty. |
| 164.308(a)(5)(ii)(D) | (A) Password management | customer responsibility | Gateway authenticates customer applications via API key, not password. End-user password management lives in the customer's own IdP. Gateway boundary stops at the API key. Passwords are out of scope. |
| 164.308(a)(6)(ii) | (R) Response and reporting | implemented | Incident notification procedure ships per-tenant with SLA. See incident_procedure emitter. |
| 164.308(a)(7)(ii)(A) | (R) Data backup plan | implemented | DDB PITR (35-d continuous backup) for audit metadata. CloudTrail S3 versioned + Glacier @ 1y, retained 7 yr. ePHI in transit only — no body content at rest in the gateway. |
| 164.308(a)(7)(ii)(B) | (R) Disaster recovery plan | implemented | Lambda regional managed multi-AZ. DDB regional managed. Contingency plan documented; quarterly drill cadence pending. POAM: POAM-RECOVERY-DRILL |
| 164.308(b)(1) | (R) Business Associate Agreement (BAA) | implemented | Optimal executes a BAA with each healthcare-vertical customer. Optimal BAAs with its sub-business-associates (AWS, GCP, Azure) per their HIPAA-eligible service terms. |
| Control | Title | Status | Evidence |
|---|---|---|---|
| 164.310(a)(1) | (R) Facility access controls | customer responsibility | Cloud provider (AWS / GCP / Azure) controls data center facility access under their HIPAA-eligible service BAA. Optimal does not operate physical facilities. Facilities: cloud provider BAA. |
| 164.310(b) | (R) Workstation use | customer responsibility | Customer workforce workstation policy. Optimal personnel use managed endpoints (Jamf/Intune) for any administrative access. Customer workforce: customer. Optimal personnel: Optimal. |
| 164.310(d)(1) | (R) Device and media controls | customer responsibility | Customer-controlled media handling. Optimal does not write ePHI to any media: zero-persistence means body content does not exist at rest in the boundary. Customer media: customer. In-boundary media: zero-persistence (no ePHI media exists). |
| Control | Title | Status | Evidence |
|---|---|---|---|
| 164.312(a)(1) | (R) Access control standard | implemented | API key validation at API Gateway. Usage plan throttling. Per-key compliance floor. Default SG deny-all. NACL denies SSH/RDP inbound. |
| 164.312(a)(2)(i) | (R) Unique user identification | partial | Each customer application authenticates with a unique sk-optimal-* API key (api_key_id is the unique identifier in the audit trail). End-user uniqueness inside the customer's app is customer responsibility. Service-principal uniqueness: gateway. End-user uniqueness: customer IdP. |
| 164.312(a)(2)(ii) | (R) Emergency access procedure | implemented | Emergency revocation of compromised API keys via API Gateway. Documented in the customer onboarding playbook. |
| 164.312(a)(2)(iii) | (A) Automatic logoff | customer responsibility | End-user session lifecycle is the customer application's responsibility. API keys themselves do not 'log off'; they are revoked. Customer rotates keys on schedule per their internal policy. API-key revocation: shared. End-user session timeout: customer. |
| 164.312(a)(2)(iv) | (A) Encryption and decryption (at rest) | implemented | ePHI does not land at rest in the boundary (zero-persistence). For metadata that does land (audit rows, secrets, CW Logs, CT S3): CMK arn:aws:kms:us-east-2:317839577064:key/optimal-cnapp-cmk, FIPS 140-2 validated. Cross-cloud: GCP CMEK, Azure BYOK HSM L3. |
| 164.312(b) | (R) Audit controls | implemented | CloudTrail multi-region 7-yr + CW Logs (app 90 d, access 365 d) + hash-chained per-request audit row in DDB. All audit destinations CMK-encrypted. |
| 164.312(c)(1) | (R) Integrity standard | implemented | Hash-chained audit per services/ai-gateway/audit.py — each row references the previous chain anchor, tampering is detected via verify_chain. |
| 164.312(c)(2) | (A) Mechanism to authenticate ePHI | partial | Gateway does not modify ePHI in transit; it forwards verbatim. Integrity of ePHI content at the application layer is customer responsibility. Transit integrity: TLS-FIPS. Content integrity: customer app. |
| 164.312(d) | (R) Person or entity authentication | partial | Entity authentication via sk-optimal-* API key (HMAC validation at API Gateway). Person authentication inside the customer's app is customer responsibility. Entity: gateway. Person: customer IdP. |
| 164.312(e)(1) | (R) Transmission security standard | implemented | All transmission TLS 1.2 over FIPS 140-2 validated modules (AWS-LC FIPS 140-2 (Cert #4759), AWS KMS HSM (FIPS 140-2 L3)). Cross-cloud: SigV4 via VPCE (Bedrock), WIF tokens (GCP), API key over TLS-FIPS (Azure). |
| 164.312(e)(2)(i) | (A) Integrity controls (in transit) | implemented | TLS provides transit integrity. Hash-chained audit provides record integrity. Tampering of audit rows detected via chain verification. |
| 164.312(e)(2)(ii) | (A) Encryption (in transit) | implemented | TLS 1.2 over FIPS-validated modules end-to-end. No clear-text transmission of ePHI through the gateway boundary. |
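The hash-chained audit row cited under 164.312(c)(1) and 164.312(e)(2)(i), as an added illustration of how chain verification detects an edited or removed row. This is not the project's services/ai-gateway/audit.py; the field names, the canonical JSON encoding and the all-zero genesis anchor are assumptions.

```python
# Added example, not the project's services/ai-gateway/audit.py: a minimal hash-chained
# audit log as the matrix describes. Field names, canonicalisation and the genesis anchor are assumed.
import hashlib
import json

GENESIS_ANCHOR = "0" * 64  # assumed anchor for the first row

def compute_anchor(prev_anchor, fields):
    """Anchor = SHA-256 over the previous anchor plus a canonical JSON encoding of the row."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_anchor + canonical).encode()).hexdigest()

def append_row(chain, fields):
    """Append one audit row whose anchor commits to every earlier row via prev_anchor."""
    prev_anchor = chain[-1]["anchor"] if chain else GENESIS_ANCHOR
    row = {"fields": fields, "prev_anchor": prev_anchor, "anchor": compute_anchor(prev_anchor, fields)}
    chain.append(row)
    return row

def verify_chain(chain):
    """Return (True, None) if every row links to its predecessor and its anchor recomputes,
    else (False, index of the first bad row)."""
    expected_prev = GENESIS_ANCHOR
    for i, row in enumerate(chain):
        if row["prev_anchor"] != expected_prev:
            return False, i  # link broken: a row was removed, inserted or reordered
        if compute_anchor(row["prev_anchor"], row["fields"]) != row["anchor"]:
            return False, i  # row content edited after it was anchored
        expected_prev = row["anchor"]
    return True, None

def build_sample_chain():
    """Constructed sample: three per-request rows holding metadata only, never body content."""
    chain = []
    for n, key in enumerate(["key_a", "key_a", "key_b"], start=1):
        append_row(chain, {"api_key_id": key, "request_id": f"req-{n}", "provider": "bedrock"})
    return chain

def tamper_demo():
    """Edit a field in the middle row without re-anchoring; verification flags index 1."""
    chain = build_sample_chain()
    chain[1]["fields"]["api_key_id"] = "key_c"
    return verify_chain(chain)

def delete_demo():
    """Drop the middle row; the successor's prev_anchor no longer matches, flagged at index 1."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)
```

Because each anchor is derived from the previous one, a verifier only needs the genesis value and the stored rows; the last anchor can additionally be pinned outside the table (for example in a separate log stream) so that truncation of the tail is also detectable.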
| Control | Title | Status | Evidence |
|---|---|---|---|
| 164.314(a)(1) | (R) Business associate contracts | implemented | BAA executed at contract start. Standard BAA terms include breach notification SLA, sub-BA disclosures, and security incident reporting. See incident_procedure emitter. |
| 164.314(a)(2)(i) | (R) BAA implementation specifications | implemented | Optimal BAA enumerates safeguards Optimal applies to ePHI in transit through the gateway (this artifact). Sub-BA chain (AWS / GCP / Azure HIPAA-eligible services) documented in the BAA. |