The documents this site is actually built on.
If you find a claim on this site that needs a citation, this is where the citation lives. The framework documents below are the ones healthcare cybersecurity programs are measured against in 2026 — by OCR, by Joint Commission, by your cyber-insurance carrier, by your assessor. The internal documents under "what we provide on request" are what procurement is going to ask for during the second call.
HIPAA Security Rule.
45 CFR Part 164, Subpart C — the Security Rule, including §164.308 Administrative Safeguards, §164.310 Physical Safeguards, §164.312 Technical Safeguards. Available on the eCFR.
HHS 405(d) Health Industry Cybersecurity Practices (HICP), 2023 Edition.
Technical Volume 1 (small) and Technical Volume 2 (medium and large), plus the Resources and Templates package. Available at 405d.hhs.gov.
HSCC Joint Cyber Working Group publications.
HIC-MaLTS (Managing Legacy Technology Security), the model contract language, and the periodic JCWG publications. Available at healthsectorcouncil.org.
HHS HPH Sector Cybersecurity Performance Goals.
Voluntary CPGs at Essential and Enhanced tiers. Available at hhs.gov.
NIST IR 8374 — Cybersecurity Framework Profile for Ransomware Risk Management.
Plus the HIPAA Security Rule crosswalk to NIST CSF. Available at nist.gov.
OCR HIPAA Resolution Agreements.
The public index of HIPAA enforcement actions, including the Risk Analysis Initiative agreements since 2024. Available at hhs.gov.
Downloadable artifacts.
Forwardable to your assessor, your broker, your privacy officer, your CMO. Yours whether or not you become a customer.
§164.308(a)(1)(ii)(A) methodology paragraph.
A paste-ready 220-word paragraph that drops into the methodology section of a HIPAA risk-analysis file. Edit the bracketed fields to match your environment, paste, and the assessor accepts it as-is.
OCR audit-prep checklist.
A printable, six-section checklist organized around the four document-request categories an OCR investigator typically opens with: most recent risk analysis, asset inventory, risk-management plan, audit-controls evidence — plus before-the-interview and during-the-interview sections.
Documents we provide on request.
BAA template, subprocessor list, current data-handling memorandum, security white paper, sample inventory output, sample assessor-methodology paragraph, integration guides for the SIEM, GRC, and NAC platforms named on the integrations page.