HIPAA
HIPAA 45 CFR §164 control mapping — LinuxGuard agent and console capabilities aligned to Security Rule technical safeguards with Satisfies / Supports / Out of scope tiers.
Note: This page maps LinuxGuard against HIPAA 45 CFR §164 (Omnibus Final Rule effective 2013-03-26). Last verified against the framework on 2026-05-31. Canonical framework document: U.S. HHS Office for Civil Rights — HIPAA Administrative Simplification 45 CFR §164. For the vocabulary contract used here, see Audit & Comply.
Scope
This page maps LinuxGuard's agent and console capabilities against HIPAA 45 CFR §164 (Security Rule). The mapping is scoped to technical safeguards in §164.312 — audit controls, integrity, access control, and person/entity authentication — on Linux systems within the customer's HIPAA scope. Controls in the administrative safeguards of §164.308 (security management program, workforce training, contingency planning, business associate agreements) and the physical safeguards of §164.310 (facility access, workstation security, device and media controls) are largely out of scope for this product and are listed in the mapping table as Out of scope or Supports (where LinuxGuard provides partial evidence) rather than omitted. The Privacy Rule (§164.500 et seq.) and Breach Notification Rule (§164.400 et seq.) are out of scope for the agent — LinuxGuard does not process Protected Health Information (PHI). This mapping is informational and not a substitute for an independent audit by a qualified assessor.
Important: LinuxGuard does NOT process Protected Health Information (PHI). The agent collects operational metadata (hostnames, IPs, usernames, file paths, command-line arguments) from monitored Linux systems. This operational metadata is NOT PHI under HIPAA. Customers running LinuxGuard on systems that ALSO process PHI must implement workforce access controls, log retention, and Business Associate Agreements consistent with their HIPAA program — LinuxGuard is one input to that program, not the program itself.
Customers remain responsible for executing Business Associate Agreements with covered entities and downstream business associates, designating a Security Official, conducting the §164.308(a)(1)(ii)(A) risk analysis, implementing workforce security and clearance procedures, administering contingency and disaster recovery plans, and executing breach notification under §164.400-414.
Shared responsibility
LinuxGuard is a security monitoring agent and console. Compliance with any framework requires customer-side controls in addition to LinuxGuard's capabilities. This mapping is informational and not a substitute for an independent audit by a qualified assessor.
The shared-responsibility framing for HIPAA 45 CFR §164:
LinuxGuard responsibility. Provide continuous audit log generation, file-integrity monitoring telemetry, configuration baselines with drift detection, and identity intelligence for Linux systems within the customer's HIPAA scope. Maintain the framework version pin and per-control evidence pointers. Operational metadata captured by the agent is not PHI.
Customer responsibility. Designate a Security Official under §164.308(a)(2), conduct and document the risk analysis under §164.308(a)(1)(ii)(A), implement workforce security and training, manage Business Associate Agreements, operate physical safeguards (facility access, workstation security), administer encryption-in-transit and at-rest for PHI, manage cryptographic keys, and execute breach notification timelines under §164.400-414.
Out-of-scope domains for this framework. Physical safeguards (§164.310), workforce training and clearance (§164.308(a)(3) and (a)(5)), Business Associate Agreement administration (§164.308(b)), contingency planning (§164.308(a)(7)), encryption-in-transit (§164.312(e)), key management, and the Privacy and Breach Notification Rules.
Control mapping
The Tier column uses one of three labels and only those three: Satisfies, Supports, Out of scope. The Evidence column points to a row of the canonical Evidence Location table or to a specific console page. See Audit & Comply for the three-tier vocabulary contract.
| Control | Requirement | Tier | Evidence | Notes |
|---|---|---|---|---|
| §164.308(a)(1)(ii)(D) | Information system activity review — regular review of audit logs, access reports, security incident tracking | Supports | Console Compliance Expansion → History; Console Audit pillar | LinuxGuard provides the system activity log surface for review. Customer responsible for assigning the review workflow, documenting reviewer sign-off, and integrating with the broader information-security program. |
| §164.308(a)(3)(ii)(C) | Termination procedures — terminate access when workforce member leaves | Supports | Console Identity Intelligence → Orphaned Key detection; Console Audit pillar → Authorizations audit | Orphaned SSH key detection and account/group drift surface stale access after termination. Customer responsible for the HR-driven termination workflow and IAM deprovisioning. |
| §164.308(a)(4)(ii)(B) | Access authorization — implement policies and procedures for granting access to electronic PHI | Supports | Console Audit pillar → Authorizations audit | LinuxGuard audits granted access (sudo rules, group membership, SSH access). Customer responsible for the authorization policy and the access-granting workflow itself. |
| §164.308(a)(5)(ii)(C) | Log-in monitoring — procedures for monitoring log-in attempts and reporting discrepancies | Satisfies | Agent log (raw events) with auth.event attribute; Console Identity Intelligence → Brute Force Detection | eBPF-based authentication event capture records every login attempt with method, user, source IP, and timestamp. Brute force detection surfaces credential stuffing and targeted attack patterns. |
| §164.308(a)(6)(ii) | Security incident procedures — identify, respond, and document security incidents | Supports | Console Zero Trust Enforcement; Agent log (raw events); Support bundle | Signals, drift events, and support bundles provide the technical evidence base for incident identification and response. Customer responsible for the incident response procedure, documentation, and notification workflow. |
| §164.308(a)(7) | Contingency plan — data backup, disaster recovery, emergency mode operation | Out of scope | n/a | Contingency planning, data backup, and disaster recovery are not addressed by LinuxGuard. |
| §164.308(a)(8) | Evaluation — periodic technical and non-technical evaluation against the Security Rule | Supports | Console Compliance Expansion → Reports; Console Compliance Expansion → History | LinuxGuard provides the technical evidence packet for the periodic evaluation. Customer responsible for conducting the evaluation, documenting findings, and the broader non-technical evaluation. |
| §164.310(a) | Facility access controls — physical access to electronic information systems | Out of scope | n/a | Physical facility access controls are not addressed by LinuxGuard. |
| §164.310(b) | Workstation use — policies for proper workstation use | Out of scope | n/a | Workstation use policy is an administrative responsibility not addressed by LinuxGuard. |
| §164.310(c) | Workstation security — physical safeguards for workstations accessing electronic PHI | Out of scope | n/a | Physical workstation security is not addressed by LinuxGuard. |
| §164.310(d) | Device and media controls — receipt and removal of hardware and electronic media | Out of scope | n/a | Device and media physical lifecycle controls are not addressed by LinuxGuard. |
| §164.312(a)(1) | Access control — technical policies and procedures for systems containing electronic PHI | Supports | Console Audit pillar → Authorizations audit; Console Identity Intelligence | LinuxGuard provides authorization audit, account inventory, SUDO rule baselines, and identity intelligence. Customer responsible for the IAM system, role definition, and access-granting policy. |
| §164.312(a)(2)(i) | Unique user identification — assign a unique name and/or number for identifying and tracking user identity | Supports | Agent log (raw events) with loginUID attribute; Console Identity Intelligence | loginUID capture survives sudo/su escalation for non-repudiation. Customer responsible for the IAM system, account provisioning workflow, and identity governance. |
| §164.312(a)(2)(iii) | Automatic logoff — terminate an electronic session after a predetermined time of inactivity | Out of scope | n/a | Session timeout enforcement at the application or PAM layer is not addressed by LinuxGuard. |
| §164.312(a)(2)(iv) | Encryption and decryption — encrypt and decrypt electronic PHI | Out of scope | n/a | Encryption-at-rest and key management for PHI are not addressed by LinuxGuard. |
| §164.312(b) | Audit controls — implement hardware, software, and procedural mechanisms that record and examine activity in information systems containing electronic PHI | Satisfies | Agent log (raw events) at /var/log/linuxguard/agent.log; Console Audit pillar; Support bundle | The agent generates structured audit logs continuously on every enrolled Linux host. Authentication events, file integrity events, SUDO execution events, and configuration drift events are recorded. See Log Management. |
| §164.312(c)(1) | Integrity — protect electronic PHI from improper alteration or destruction | Satisfies | Agent log (raw events); Console Zero Trust Enforcement → Config Drift | File monitoring with eBPF tracks writes to sudoers, sshd_config, passwd, shadow, authorized_keys, and operator-configured paths. Drift detection surfaces unauthorized modification of the configuration files that protect electronic PHI access. |
| §164.312(c)(2) | Mechanism to authenticate electronic PHI — confirm that electronic PHI has not been altered or destroyed in an unauthorized manner | Satisfies | Agent log (raw events); Console Zero Trust Enforcement → Config Drift | File baseline integrity verification via hash, permission, and ownership comparison surfaces unauthorized modification. |
| §164.312(d) | Person or entity authentication — verify that a person or entity seeking access to electronic PHI is the one claimed | Supports | Agent log (raw events); Console Identity Intelligence | LinuxGuard captures authentication events including method (password, publickey, keyboard-interactive). Customer responsible for the IAM platform, password policy, MFA enforcement, and identity verification workflow. |
| §164.312(e)(1) | Transmission security — guard against unauthorized access to electronic PHI being transmitted over an electronic communications network | Out of scope | n/a | Encryption-in-transit and transmission integrity for PHI are not addressed by LinuxGuard. |
| §164.400-414 | Breach Notification Rule | Out of scope | n/a | Breach notification timeline and notification workflow are not addressed by LinuxGuard. Agent log evidence may be useful as supporting material for incident investigation under the customer's breach notification procedure. |
| §164.500 et seq. | Privacy Rule | Out of scope | n/a | Privacy Rule controls (uses and disclosures, individual rights, minimum necessary) are not addressed by LinuxGuard — the agent does not process PHI. |
Important: Every Satisfies claim cites a specific agent feature and a specific evidence pointer. Every Supports claim states what the customer must implement to achieve full satisfaction. Every Out of scope row carries a one-line note explaining why, because silence would otherwise be read as an implicit Satisfies claim.
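As an added illustration of the hash, permission and ownership comparison the §164.312(c)(2) row describes (example code written here, not LinuxGuard's agent code): the watched paths are the ones the §164.312(c)(1) row lists, rooted in a constructed temporary directory, and the demo shows that a mode-only change to sudoers is reported as drift even though its hash is unchanged.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

WATCHED = ["etc/sudoers", "etc/ssh/sshd_config", "etc/passwd", "etc/shadow",
           "root/.ssh/authorized_keys"]  # files the page lists, relative to a root

def snapshot(root):
    """Baseline: sha256 of content plus mode bits, uid and gid for each watched file."""
    base = {}
    for rel in WATCHED:
        p = Path(root) / rel
        if not p.exists():
            base[rel] = None  # record absence so later creation shows up as drift
            continue
        st = p.lstat()
        base[rel] = {"sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                     "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    return base

def drift(baseline, current):
    """Return (path, kind) events; one file can raise several kinds at once."""
    events = []
    for rel in WATCHED:
        b, c = baseline.get(rel), current.get(rel)
        if b is None or c is None:
            if b is not c:  # exactly one side is missing
                events.append((rel, "created" if b is None else "deleted"))
            continue
        if b["sha256"] != c["sha256"]:
            events.append((rel, "content"))
        if b["mode"] != c["mode"]:
            events.append((rel, "permission"))  # caught even though the hash is unchanged
        if (b["uid"], b["gid"]) != (c["uid"], c["gid"]):
            events.append((rel, "ownership"))
    return events

def demo():
    # Constructed scenario: mode-only change to sudoers, a key appended to authorized_keys.
    root = tempfile.mkdtemp()
    for rel in WATCHED:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("baseline\n")
        p.chmod(0o600)
    before = snapshot(root)
    (Path(root) / "etc/sudoers").chmod(0o666)
    with open(Path(root) / "root/.ssh/authorized_keys", "a") as f:
        f.write("ssh-ed25519 CONSTRUCTED-KEY-PLACEHOLDER added@example\n")
    return sorted(drift(before, snapshot(root)))
```

Ownership drift requires a uid/gid change, which the demo cannot perform without root, but drift() reports it the same way when the baseline and current owners differ.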
How to share with auditor
Three export paths are available, depending on the auditor's evidence preference:
Console Compliance Expansion reports. Console pillar → Compliance Expansion → Reports produces dated, signed, auditor-shareable evidence packages (PDF / CSV / JSON) per Compliance Expansion. Each report includes the framework version (HIPAA 45 CFR §164), last-verified date, per-control coverage, per-server pass / fail breakdown, suppressions in effect, and a manifest with SHA-256 verification.
Support bundles for host-level evidence. support-bundle collect on each host produces a tar.zst archive with agent logs, redacted configuration, and a bundle manifest — see Support Bundles. Bundles are useful when the auditor wants raw host-level telemetry rather than a console-rendered report.
Console CSV / JSON export per control. Compliance Expansion → HIPAA → control detail → Evidence tab exports per-control evidence in machine-readable form for auditors who want to ingest evidence into their own GRC tooling.
Security Note: Support bundles include the raw agent.log and rotated segments. Attribute-key redaction (api_key / *_token / *_secret) is applied; PII (hostnames, IPs, usernames, paths, command args) is NOT additionally redacted. Although LinuxGuard does not capture PHI, hostnames and file paths from systems that process PHI may be considered sensitive within the customer's HIPAA program. Review every evidence package before sharing externally. See Support Bundles for the per-file redaction status table.
Cross-references
Audit & Comply — vocabulary contract, framework version pin reference, forbidden-words list, scope statement template.
Compliance Expansion — console pillar; canonical Evidence Location pointer set.
Audit — authorizations and SUDO execution audit feeding compliance evidence.
Support Bundles — per-file redaction status table; pre-share PII warning.
Log Management — log retention and rotation relevant to audit-period evidence.
Glossary — framework acronyms and compliance vocabulary definitions.
Last reviewed: 2026-05-31 against HIPAA 45 CFR §164 (Omnibus Final Rule) published 2013-03-26.