Compliance / HIPAA Security Rule
The HIPAA Security Rule requires covered entities and business associates to conduct periodic technical and non-technical evaluation. SecHive produces the technical artifacts: replayable, redacted-safe, and bound to the engagement scope.
The mapping is intentionally narrow. We list only the articles where SecHive produces a directly defensible artifact, and we name the artifact.
| Article / control | What it requires | SecHive artifact |
|---|---|---|
| §164.308(a)(1) — Risk analysis | Accurate and thorough assessment of potential risks and vulnerabilities. | Hypothesis graph and validated finding set per engagement. |
| §164.308(a)(8) — Evaluation | Periodic technical and non-technical evaluation. | Mode-labeled, retained, and replayable proof packs. |
| §164.312(a)(1) — Access control | Technical policies and procedures to allow access only to authorized persons. | Authorization-replay and IDOR findings, with replay scripts retained. |
| §164.312(b) — Audit controls | Hardware, software, and procedural mechanisms that record and examine activity. | Reproducible exploit chains feed detection and audit log design. |
| §164.314 — Business Associate contracts | Written assurances that BA will appropriately safeguard ePHI. | Source-audit run mode against BA-supplied components. |
What you can put in front of an auditor or a security review:

- replay.sh per finding.

SecHive renders an evidence matrix per engagement. Below is one row, redacted.
```yaml
# evidence-row.yaml — redacted
control: §164.308(a)(8)   # effectiveness testing
finding_id: VTX-RPL-0042
mode: black-box
target: redacted
target_ref: image@sha256:9c4e…   # pinned
artifact:
  path: artifacts/replay.sh
  sha256: 7c3a…
  signed: cosign:sechive-key
disposition:
  reviewer: redacted-operator
  state: confirmed
retest:
  status: fixed @ 2026-04-18
  evidence: artifacts/retest-receipt.json
```
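A row like the one above is only defensible if what it points at still matches what it records. The following script is an added example, not SecHive's own code: it parses the two-level YAML subset used by the evidence row (no third-party parser needed), recomputes the sha256 of the replay artifact, and rejects rows whose target is not pinned to a full digest, whose reviewer state is not confirmed, or whose retest claims a fix without a receipt. The replay script bytes, the placeholder digests and the field rules are constructed assumptions for the demonstration.

```python
"""Integrity check for an evidence row (added example, not SecHive's code).
Parses the two-level 'key: value' YAML subset of the row, verifies the
recorded artifact sha256 against the artifact bytes, and checks that the
target is pinned by a full digest. Hashes and bytes below are constructed."""
import hashlib
import re
from typing import Any, Dict, List

# Constructed sample artifact: the replay script the row points at.
REPLAY_SH = b"#!/bin/sh\n# constructed replay script for the example\necho replay\n"
REPLAY_SHA256 = hashlib.sha256(REPLAY_SH).hexdigest()

# Constructed evidence row in the same layout as the redacted row above.
# The artifact sha256 is the real digest of REPLAY_SH; the target digest
# is an all-zero placeholder, not a real image.
EVIDENCE_ROW = f"""\
# evidence-row.yaml — constructed for the example
control: §164.308(a)(8)   # effectiveness testing
finding_id: VTX-RPL-0042
mode: black-box
target: redacted
target_ref: image@sha256:{'0' * 64}   # pinned (placeholder digest)
artifact:
  path: artifacts/replay.sh
  sha256: {REPLAY_SHA256}
  signed: cosign:sechive-key
disposition:
  reviewer: redacted-operator
  state: confirmed
retest:
  status: fixed @ 2026-04-18
  evidence: artifacts/retest-receipt.json
"""


def parse_row(text: str) -> Dict[str, Any]:
    """Parse top-level 'key: value' lines and one level of indented
    sub-mappings. Full-line and trailing '#' comments are dropped.
    Deliberately not a general YAML parser."""
    row: Dict[str, Any] = {}
    section = None
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition(":")  # split at the first colon only
        key, value = key.strip(), value.strip()
        if line.startswith(" "):             # nested key under the open section
            if section is None:
                raise ValueError(f"indented key outside a section: {raw!r}")
            row[section][key] = value
        elif value == "":                    # 'artifact:' opens a sub-mapping
            section = key
            row[section] = {}
        else:
            section = None
            row[key] = value
    return row


REQUIRED = {"control", "finding_id", "mode", "target_ref",
            "artifact", "disposition", "retest"}
DIGEST_PIN = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_row(row: Dict[str, Any], artifact_bytes: bytes) -> List[str]:
    """Return the problems found; an empty list means the row holds up."""
    problems = [f"missing field: {k}" for k in sorted(REQUIRED - row.keys())]
    if problems:
        return problems
    if not DIGEST_PIN.search(row["target_ref"]):
        problems.append("target_ref is not pinned to a full sha256 digest")
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    recorded = row["artifact"].get("sha256")
    if recorded != actual:
        problems.append(f"artifact sha256 mismatch: recorded {recorded}, actual {actual}")
    if row["disposition"].get("state") != "confirmed":
        problems.append("finding is not reviewer-confirmed")
    if row["retest"].get("status", "").startswith("fixed") and not row["retest"].get("evidence"):
        problems.append("retest marked fixed without an evidence receipt")
    return problems


if __name__ == "__main__":
    for problem in check_row(parse_row(EVIDENCE_ROW), REPLAY_SH) or ["row verified"]:
        print(problem)
```

Run this over each row of the matrix before it goes to the auditor; a mismatch means the retained replay.sh is no longer the one the row was signed against, and a truncated or missing target digest means the finding cannot be replayed against the same build.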
Bring the scope and the auditor's evidence list. We will produce the technical artifacts.