For information security leaders in U.S. healthcare.

Source documents and reference links.

External sources we cite throughout this site, plus internal documents we hand to procurement and assessors on request.

HIPAA Security Rule.

45 CFR Part 164, Subpart C — the Security Rule, including §164.308 Administrative Safeguards, §164.310 Physical Safeguards, and §164.312 Technical Safeguards. Available on the eCFR.

HHS 405(d) Health Industry Cybersecurity Practices (HICP), 2023 Edition.

Technical Volume 1 (small) and Technical Volume 2 (medium and large), plus the Resources and Templates package. Available at 405d.hhs.gov.

HSCC Joint Cyber Working Group publications.

HIC-MaLTS (Managing Legacy Technology Security), the model contract language, and the periodic JCWG publications. Available at healthsectorcouncil.org.

HHS HPH Sector Cybersecurity Performance Goals.

Voluntary CPGs at Essential and Enhanced tiers. Available at hhs.gov.

NIST IR 8374 — Cybersecurity Framework Profile for Ransomware Risk Management.

Plus the HIPAA Security Rule crosswalk to NIST CSF. Available at nist.gov.

OCR HIPAA Resolution Agreements.

The public index of HIPAA enforcement actions, including the Risk Analysis Initiative agreements since 2024. Available at hhs.gov.

Documents we provide on request.

BAA template, subprocessor list, current data-handling memorandum, security white paper, sample inventory output, sample assessor-methodology paragraph, and integration guides for the SIEM, GRC, and NAC platforms named on the integrations page.
