HIPAA Security Rule

Official / Regulatory

The HIPAA Security Rule (45 CFR Part 164, Subpart C) is the U.S. healthcare standard that sets administrative, physical and technical safeguards for electronic protected health information (ePHI). The controls below are the Microsoft 365 checks this framework maps to that rule; they are assessed by the dedicated HIPAA scanner.

Controls: 14
Auto-remediable: 0
Domains: 6

Each control lists its identifier, the check performed, its severity and the mapped references. "HIPAA" marks the Security Rule itself; identifiers of the form "405D n.M.x" are HHS 405(d) Health Industry Cybersecurity Practices (HICP) practice references for medium-sized organizations.

Entra ID (4)

  ID           Check                                                             Severity  References
  HIPAA-A-002  Risky sign-ins monitored by Identity Protection                   Medium    HIPAA; 405D 8.M.A; 405D 8.M.B
  HIPAA-T-005  Sensitivity labels with encryption deployed                       Medium    HIPAA; 405D 4.M.A
  HIPAA-T-009  Break-glass account excluded from all Conditional Access policies  High      HIPAA
  HIPAA-T-010  Entra ID audit logs exported to SIEM or storage                   Medium    HIPAA; 405D 8.M.A
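One way to verify HIPAA-T-009 by hand, as an added example that is not the scanner's own code: the script takes a break-glass UPN, resolves the account and its group memberships through the Microsoft Graph PowerShell SDK, and reports every Conditional Access policy that does not exclude the account either directly or through one of its groups. The UPN, the Graph scopes requested and the assumption that the signed-in user can consent to them are all assumptions.

```powershell
# Added example, not the scanner's own code. Checks HIPAA-T-009: is the
# break-glass account excluded from every Conditional Access policy?
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# account can consent to Policy.Read.All and Directory.Read.All (assumption).
param(
    # Hypothetical emergency-access account; replace with the real UPN.
    [Parameter(Mandatory)]
    [string] $BreakGlassUpn
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' -NoWelcome

$user = Get-MgUser -UserId $BreakGlassUpn -Property Id, UserPrincipalName

# An exclusion granted through a group the account belongs to also satisfies
# the control, so collect the object IDs of the account's groups.
$groupIds = @(Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    Select-Object -ExpandProperty Id)

$report = foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    $users    = $policy.Conditions.Users
    $direct   = $users.ExcludeUsers -contains $user.Id
    $viaGroup = @($users.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0
    [pscustomobject]@{
        Policy   = $policy.DisplayName
        State    = $policy.State   # enabled, disabled, enabledForReportingButNotEnforced
        Excluded = $direct -or $viaGroup
    }
}

$report | Sort-Object Excluded, Policy | Format-Table -AutoSize

# Only enabled policies can lock the account out today; disabled and
# report-only policies are still listed above because the gap becomes
# real the moment someone enables them.
$gaps = @($report | Where-Object { -not $_.Excluded -and $_.State -eq 'enabled' })
if ($gaps.Count -eq 0) {
    Write-Output "HIPAA-T-009 PASS: $BreakGlassUpn is excluded from every enabled Conditional Access policy."
} else {
    Write-Warning "HIPAA-T-009 FAIL: $($gaps.Count) enabled policy(ies) do not exclude $BreakGlassUpn."
    $gaps | Select-Object -ExpandProperty Policy | ForEach-Object { Write-Warning "  $_" }
}
```

Run it as `.\Test-BreakGlassExclusion.ps1 -BreakGlassUpn emergency-admin@contoso.com` (file name and UPN are placeholders). Group-based exclusion is accepted deliberately: most tenants exclude a dedicated "break-glass" group rather than individual object IDs, and a check that only inspects `ExcludeUsers` would report false failures for them.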

Purview (3)

  ID           Check                                              Severity  References
  HIPAA-A-001  Alert policies active in Microsoft Purview / Defender  High      HIPAA; 405D 8.M.B
  HIPAA-T-001  Unified Audit Log enabled                              High      HIPAA; 405D 8.M.A
  HIPAA-T-002  Audit log retention configured (90+ days)              High      HIPAA; 405D 8.M.A

Exchange (3)

  ID           Check                                       Severity  References
  HIPAA-T-003  Exchange Admin Audit Log enabled            High      HIPAA; 405D 8.M.A
  HIPAA-T-004  Mailbox auditing enabled org-wide           High      HIPAA
  HIPAA-T-007  Office Message Encryption (OME) configured  Medium    HIPAA; 405D 1.M.C
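The four audit-logging controls in the Purview and Exchange groups (HIPAA-T-001 to HIPAA-T-004) can all be read from Exchange Online PowerShell. The following script is an added example, not the scanner's own code, and shows what each check actually looks at; the module name is real, while the role held by the signed-in account and the retention-duration enum values below 90 days are assumptions noted in the comments.

```powershell
# Added example, not the scanner's own code. Checks HIPAA-T-001 to HIPAA-T-004
# against an Exchange Online tenant. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds a role that can read
# the audit configuration, e.g. Compliance Management (assumption).
Connect-ExchangeOnline -ShowBanner:$false

$script:findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string] $Control, [string] $Check, [bool] $Pass, [string] $Detail)
    $script:findings.Add([pscustomobject]@{
        Control = $Control
        Check   = $Check
        Result  = if ($Pass) { 'PASS' } else { 'FAIL' }
        Detail  = $Detail
    })
}

# HIPAA-T-001 and HIPAA-T-003 both live on the admin audit log configuration.
$auditCfg = Get-AdminAuditLogConfig
Add-Finding 'HIPAA-T-001' 'Unified Audit Log enabled' `
    $auditCfg.UnifiedAuditLogIngestionEnabled "UnifiedAuditLogIngestionEnabled=$($auditCfg.UnifiedAuditLogIngestionEnabled)"
Add-Finding 'HIPAA-T-003' 'Exchange Admin Audit Log enabled' `
    $auditCfg.AdminAuditLogEnabled "AdminAuditLogEnabled=$($auditCfg.AdminAuditLogEnabled)"

# HIPAA-T-004: auditing is on for every mailbox while the org-level
# AuditDisabled flag is $false; per-mailbox AuditEnabled is ignored in that
# state, but an audit bypass association still silences a mailbox, so both
# are checked.
$orgCfg   = Get-OrganizationConfig
$bypassed = @(Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where-Object { $_.AuditBypassEnabled })
Add-Finding 'HIPAA-T-004' 'Mailbox auditing enabled org-wide' `
    ((-not $orgCfg.AuditDisabled) -and $bypassed.Count -eq 0) `
    "AuditDisabled=$($orgCfg.AuditDisabled); bypass associations=$($bypassed.Count)"

# HIPAA-T-002: the tenant default retention (180 days for Audit (Standard),
# one year for Audit (Premium)) already exceeds 90 days, but a custom
# retention policy can shorten it for the record types and users it covers.
# 'SevenDays' and 'ThirtyDays' are assumed to be the RetentionDuration values
# below 90 days; adjust if your tenant exposes other short durations.
$short = @(Get-UnifiedAuditLogRetentionPolicy |
    Where-Object { $_.Enabled -and $_.RetentionDuration -in 'SevenDays', 'ThirtyDays' })
Add-Finding 'HIPAA-T-002' 'Audit log retention configured (90+ days)' ($short.Count -eq 0) `
    $(if ($short) { 'Short-retention policies: ' + ($short.Name -join ', ') } else { 'no retention policy below 90 days' })

$script:findings | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

The bypass check is the part most scanners skip: `Get-OrganizationConfig` reporting `AuditDisabled = False` is necessary but not sufficient, because a single `Set-MailboxAuditBypassAssociation -AuditBypassEnabled $true` removes that mailbox from the audit stream without changing the org setting.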

Intune (2)

  ID           Check                                                 Severity  References
  HIPAA-P-001  Device compliance policy requiring encryption enforced  High      HIPAA; 405D 2.M.A; 405D 2.M.B
  HIPAA-P-002  Remote wipe capability configured for managed devices  Medium    HIPAA; 405D 5.M.D

SharePoint (1)

  ID           Check                                    Severity  References
  HIPAA-T-006  SharePoint document versioning enabled   Low       HIPAA

Teams (1)

  ID           Check                                  Severity  References
  HIPAA-T-008  Teams end-to-end encryption available  Low       HIPAA