# HIPAA

> **Note**: This page maps LinuxGuard against **HIPAA 45 CFR §164** (Omnibus Final Rule effective 2013-03-26). Last verified against the framework on 2026-05-31. Canonical framework document: [U.S. HHS Office for Civil Rights — HIPAA Administrative Simplification 45 CFR §164](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164). For the vocabulary contract used here, see [Audit & Comply](/audit-and-comply/audit-comply.md).

## Scope

This page maps LinuxGuard's agent and console capabilities against HIPAA 45 CFR §164 (Security Rule). The mapping is scoped to technical safeguards in §164.312 — audit controls, integrity, access control, and person/entity authentication — on Linux systems within the customer's HIPAA scope. Controls in the administrative safeguards of §164.308 (security management program, workforce training, contingency planning, business associate agreements) and the physical safeguards of §164.310 (facility access, workstation security, device and media controls) are largely out of scope for this product and are listed in the mapping table as `Out of scope` or `Supports` (where LinuxGuard provides partial evidence) rather than omitted. The Privacy Rule (§164.500 et seq.) and Breach Notification Rule (§164.400 et seq.) are out of scope for the agent — LinuxGuard does not process Protected Health Information (PHI). This mapping is informational and not a substitute for an independent audit by a qualified assessor.

> **Important**: LinuxGuard does NOT process Protected Health Information (PHI). The agent collects operational metadata (hostnames, IPs, usernames, file paths, command-line arguments) from monitored Linux systems. This operational metadata is NOT PHI under HIPAA. Customers running LinuxGuard on systems that ALSO process PHI must implement workforce access controls, log retention, and Business Associate Agreements consistent with their HIPAA program — LinuxGuard is one input to that program, not the program itself.

Customers remain responsible for executing Business Associate Agreements with covered entities and downstream business associates, designating a Security Official, conducting the §164.308(a)(1)(ii)(A) risk analysis, implementing workforce security and clearance procedures, administering contingency and disaster recovery plans, and carrying out breach notification under §164.400-414.

## Shared responsibility

> LinuxGuard is a security monitoring agent and console. Compliance with any framework requires customer-side controls in addition to LinuxGuard's capabilities. This mapping is informational and not a substitute for an independent audit by a qualified assessor.

The shared-responsibility framing for HIPAA 45 CFR §164:

* **LinuxGuard responsibility.** Produce continuous audit log generation, file-integrity monitoring telemetry, configuration baselines and drift detection, and identity intelligence for Linux systems within the customer's HIPAA scope. Maintain the framework version pin and per-control evidence pointers. Operational metadata captured by the agent is not PHI.
* **Customer responsibility.** Designate a Security Official under §164.308(a)(2), conduct and document the risk analysis under §164.308(a)(1)(ii)(A), implement workforce security and training, manage Business Associate Agreements, operate physical safeguards (facility access, workstation security), administer encryption-in-transit and at-rest for PHI, manage cryptographic keys, and execute breach notification timelines under §164.400-414.
* **Out-of-scope domains for this framework.** Physical safeguards (§164.310), workforce training and clearance (§164.308(a)(3) and (a)(5)), Business Associate Agreement administration (§164.308(b)), contingency planning (§164.308(a)(7)), encryption-in-transit (§164.312(e)), key management, and the Privacy and Breach Notification Rules.

## Control mapping

The Tier column uses one of three labels and only those three: `Satisfies`, `Supports`, `Out of scope`. The Evidence column points to a row of the canonical [Evidence Location](/concepts/concepts/console/compliance-expansion.md#evidence-location) table or to a specific console page. See [Audit & Comply](/audit-and-comply/audit-comply.md) for the three-tier vocabulary contract.

| Control ID              | Description                                                                                                                                                | Tier           | Evidence                                                                                                  | Notes                                                                                                                                                                                                                                                            |
| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | --------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `§164.308(a)(1)(ii)(D)` | Information system activity review — regular review of audit logs, access reports, security incident tracking                                              | `Supports`     | Console Compliance Expansion → History; Console Audit pillar                                              | LinuxGuard provides the system activity log surface for review. Customer responsible for assigning the review workflow, documenting reviewer sign-off, and integrating with the broader information-security program.                                            |
| `§164.308(a)(3)(ii)(C)` | Termination procedures — terminate access when workforce member leaves                                                                                     | `Supports`     | Console Identity Intelligence → Orphaned Key detection; Console Audit pillar → Authorizations audit       | Orphaned SSH key detection and account/group drift surface stale access after termination. Customer responsible for the HR-driven termination workflow and IAM deprovisioning.                                                                                   |
| `§164.308(a)(4)(ii)(B)` | Access authorization — implement policies and procedures for granting access to electronic PHI                                                             | `Supports`     | Console Audit pillar → Authorizations audit                                                               | LinuxGuard audits granted access (sudo rules, group membership, SSH access). Customer responsible for the authorization policy and the access-granting workflow itself.                                                                                          |
| `§164.308(a)(5)(ii)(C)` | Log-in monitoring — procedures for monitoring log-in attempts and reporting discrepancies                                                                  | `Satisfies`    | Agent log (raw events) with `auth.event` attribute; Console Identity Intelligence → Brute Force Detection | eBPF-based authentication event capture records every login attempt with method, user, source IP, and timestamp. Brute force detection surfaces credential stuffing and targeted attack patterns.                                                                |
| `§164.308(a)(6)(ii)`    | Security incident procedures — identify, respond, and document security incidents                                                                          | `Supports`     | Console Zero Trust Enforcement; Agent log (raw events); Support bundle                                    | Signals, drift events, and support bundles provide the technical evidence base for incident identification and response. Customer responsible for the incident response procedure, documentation, and notification workflow.                                     |
| `§164.308(a)(7)`        | Contingency plan — data backup, disaster recovery, emergency mode operation                                                                                | `Out of scope` | n/a                                                                                                       | Contingency planning, data backup, and disaster recovery are not addressed by LinuxGuard.                                                                                                                                                                        |
| `§164.308(a)(8)`        | Evaluation — periodic technical and non-technical evaluation against the Security Rule                                                                     | `Supports`     | Console Compliance Expansion → Reports; Console Compliance Expansion → History                            | LinuxGuard provides the technical evidence packet for the periodic evaluation. Customer responsible for conducting the evaluation, documenting findings, and the broader non-technical evaluation.                                                               |
| `§164.310(a)`           | Facility access controls — physical access to electronic information systems                                                                               | `Out of scope` | n/a                                                                                                       | Physical facility access controls are not addressed by LinuxGuard.                                                                                                                                                                                               |
| `§164.310(b)`           | Workstation use — policies for proper workstation use                                                                                                      | `Out of scope` | n/a                                                                                                       | Workstation use policy is an administrative responsibility not addressed by LinuxGuard.                                                                                                                                                                          |
| `§164.310(c)`           | Workstation security — physical safeguards for workstations accessing electronic PHI                                                                       | `Out of scope` | n/a                                                                                                       | Physical workstation security is not addressed by LinuxGuard.                                                                                                                                                                                                    |
| `§164.310(d)`           | Device and media controls — receipt and removal of hardware and electronic media                                                                           | `Out of scope` | n/a                                                                                                       | Device and media physical lifecycle controls are not addressed by LinuxGuard.                                                                                                                                                                                    |
| `§164.312(a)(1)`        | Access control — technical policies and procedures for systems containing electronic PHI                                                                   | `Supports`     | Console Audit pillar → Authorizations audit; Console Identity Intelligence                                | LinuxGuard provides authorization audit, account inventory, SUDO rule baselines, and identity intelligence. Customer responsible for the IAM system, role definition, and access-granting policy.                                                                |
| `§164.312(a)(2)(i)`     | Unique user identification — assign a unique name and/or number for identifying and tracking user identity                                                 | `Supports`     | Agent log (raw events) with `loginUID` attribute; Console Identity Intelligence                           | `loginUID` capture survives sudo/su escalation for non-repudiation. Customer responsible for the IAM system, account provisioning workflow, and identity governance.                                                                                             |
| `§164.312(a)(2)(iii)`   | Automatic logoff — terminate an electronic session after a predetermined time of inactivity                                                                | `Out of scope` | n/a                                                                                                       | Session timeout enforcement at the application or PAM layer is not addressed by LinuxGuard.                                                                                                                                                                      |
| `§164.312(a)(2)(iv)`    | Encryption and decryption — encrypt and decrypt electronic PHI                                                                                             | `Out of scope` | n/a                                                                                                       | Encryption-at-rest and key management for PHI are not addressed by LinuxGuard.                                                                                                                                                                                   |
| `§164.312(b)`           | Audit controls — implement hardware, software, and procedural mechanisms that record and examine activity in information systems containing electronic PHI | `Satisfies`    | Agent log (raw events) at `/var/log/linuxguard/agent.log`; Console Audit pillar; Support bundle           | The agent generates structured audit logs continuously on every enrolled Linux host. Authentication events, file integrity events, SUDO execution events, and configuration drift events are recorded. See [Log Management](/operate/operate/log-management.md). |
| `§164.312(c)(1)`        | Integrity — protect electronic PHI from improper alteration or destruction                                                                                 | `Satisfies`    | Agent log (raw events); Console Zero Trust Enforcement → Config Drift                                     | File monitoring with eBPF tracks writes to sudoers, sshd\_config, passwd, shadow, authorized\_keys, and operator-configured paths. Drift detection surfaces unauthorized modification of the configuration files that protect electronic PHI access.             |
| `§164.312(c)(2)`        | Mechanism to authenticate electronic PHI — confirm that electronic PHI has not been altered or destroyed in an unauthorized manner                         | `Satisfies`    | Agent log (raw events); Console Zero Trust Enforcement → Config Drift                                     | File baseline integrity verification via hash, permission, and ownership comparison surfaces unauthorized modification.                                                                                                                                          |
| `§164.312(d)`           | Person or entity authentication — verify that a person or entity seeking access to electronic PHI is the one claimed                                       | `Supports`     | Agent log (raw events); Console Identity Intelligence                                                     | LinuxGuard captures authentication events including method (password, publickey, keyboard-interactive). Customer responsible for the IAM platform, password policy, MFA enforcement, and identity verification workflow.                                         |
| `§164.312(e)(1)`        | Transmission security — guard against unauthorized access to electronic PHI being transmitted over an electronic communications network                    | `Out of scope` | n/a                                                                                                       | Encryption-in-transit and transmission integrity for PHI are not addressed by LinuxGuard.                                                                                                                                                                        |
| `§164.400-414`          | Breach Notification Rule                                                                                                                                   | `Out of scope` | n/a                                                                                                       | Breach notification timeline and notification workflow are not addressed by LinuxGuard. Agent log evidence may be useful as supporting material for incident investigation under the customer's breach notification procedure.                                   |
| `§164.500 et seq.`      | Privacy Rule                                                                                                                                               | `Out of scope` | n/a                                                                                                       | Privacy Rule controls (uses and disclosures, individual rights, minimum necessary) are not addressed by LinuxGuard — the agent does not process PHI.                                                                                                             |

> **Important**: Every Satisfies claim cites a specific agent feature and a specific evidence pointer. Every Supports claim states what the customer must implement to achieve full satisfaction. Every Out-of-scope row carries a one-line note explaining why, because a row left silent would be read as an implicit Satisfies claim.

## How to share with an auditor

Three export paths are available, depending on the auditor's evidence preference:

* **Console Compliance Expansion reports.** Console pillar → Compliance Expansion → Reports produces dated, signed, auditor-shareable evidence packages (PDF / CSV / JSON) per [Compliance Expansion](/concepts/concepts/console/compliance-expansion.md#reports). Each report includes the framework version (HIPAA 45 CFR §164), last-verified date, per-control coverage, per-server pass / fail breakdown, suppressions in effect, and a manifest with SHA-256 verification.
* **Support bundles for host-level evidence.** `support-bundle collect` on each host produces a tar.zst archive with agent logs, redacted configuration, and a bundle manifest — see [Support Bundles](/operate/operate/support-bundles.md). Bundles are useful when the auditor wants raw host-level telemetry rather than a console-rendered report.
* **Console CSV / JSON export per control.** Compliance Expansion → HIPAA → control detail → Evidence tab exports per-control evidence in machine-readable form for auditors who want to ingest evidence into their own GRC tooling.

> **Security Note**: Support bundles include the raw `agent.log` and rotated segments. Attribute-key redaction (api\_key / \*\_token / \*\_secret) is applied; PII (hostnames, IPs, usernames, paths, command args) is NOT additionally redacted. Although LinuxGuard does not capture PHI, hostnames and file paths from systems that process PHI may be considered sensitive within the customer's HIPAA program. Review every evidence package before sharing externally. See [Support Bundles](/operate/operate/support-bundles.md) for the per-file redaction status table.
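A pre-share review of the redaction status described above, as an added example that is not LinuxGuard's own tooling. It assumes `agent.log` is JSON Lines with one event per line and that redacted values are written as the literal string `[REDACTED]` (both assumptions, not stated by the page); it walks every attribute, flags any `api_key` / `*_token` / `*_secret` key whose value was not redacted, and counts the PII-class attributes (hostnames, IPs, usernames, paths, command args) that will leave with the bundle. The sample log lines are constructed.

```python
"""Pre-share redaction review for a support-bundle agent.log sample."""
import fnmatch
import json
import re

# Attribute-key patterns the page says are redacted before export.
REDACTED_KEY_PATTERNS = ("api_key", "*_token", "*_secret")
# Attribute keys carrying operational metadata the page says is NOT redacted.
# The exact key names are assumed; adjust them to the real attribute names.
PII_KEYS = {"hostname", "src_ip", "user", "path", "cmdline"}
# ASSUMED marker value written in place of a redacted attribute.
REDACTED_MARKER = "[REDACTED]"

# Constructed sample: three events plus one unparseable line.
SAMPLE_LOG = """\
{"ts":"2026-05-31T10:00:00Z","auth.event":"login","user":"alice","src_ip":"10.0.0.5","method":"publickey","hostname":"ehr-db-01"}
{"ts":"2026-05-31T10:00:01Z","event":"fim.write","path":"/etc/sudoers","user":"alice","hostname":"ehr-db-01","api_key":"[REDACTED]"}
{"ts":"2026-05-31T10:00:02Z","event":"sudo.exec","user":"alice","cmdline":"systemctl restart app","env":{"session_token":"[REDACTED]","db_secret":"hunter2"}}
not json
"""


def walk(obj, prefix=""):
    """Yield (slash_path, leaf_value) for every leaf in a nested JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{prefix}/{k}" if prefix else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{prefix}[{i}]")
    else:
        yield prefix, obj


def leaf_name(path):
    """Last path segment without a trailing list index, e.g. env/x[0] -> x."""
    return re.sub(r"\[\d+\]$", "", path.rsplit("/", 1)[-1])


def is_redacted_key(key):
    """True when the attribute key matches one of the redaction patterns."""
    return any(fnmatch.fnmatchcase(key.lower(), p) for p in REDACTED_KEY_PATTERNS)


def review_lines(lines):
    """Return leaks (secret-class keys still holding a value), PII counts, parse errors."""
    leaks, pii, parse_errors = [], {}, 0
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            parse_errors += 1  # a line that cannot be reviewed is itself a finding
            continue
        for path, value in walk(event):
            key = leaf_name(path)
            if is_redacted_key(key) and value != REDACTED_MARKER:
                leaks.append((n, path))
            if key in PII_KEYS:
                pii[key] = pii.get(key, 0) + 1
    return {"leaks": leaks, "pii": pii, "parse_errors": parse_errors}


def review_file(path):
    """Review an extracted agent.log or rotated segment from a support bundle."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return review_lines(fh)


if __name__ == "__main__":
    findings = review_lines(SAMPLE_LOG.splitlines())
    print("unredacted secret-class attributes:", findings["leaks"])
    print("PII-class attributes leaving with the bundle:", findings["pii"])
    print("unparseable lines:", findings["parse_errors"])
```

A non-empty `leaks` list means the bundle should not leave the organisation until the offending segment is re-redacted; the `pii` counts tell the reviewer which hostnames, paths and usernames the HIPAA program must be comfortable disclosing.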

## Cross-references

* [**Audit & Comply**](/audit-and-comply/audit-comply.md) — vocabulary contract, framework version pin reference, forbidden-words list, scope statement template.
* [**Compliance Expansion**](/concepts/concepts/console/compliance-expansion.md) — console pillar; canonical Evidence Location pointer set.
* [**Audit**](/concepts/concepts/console/audit.md) — authorizations and SUDO execution audit feeding compliance evidence.
* [**Support Bundles**](/operate/operate/support-bundles.md) — per-file redaction status table; pre-share PII warning.
* [**Log Management**](/operate/operate/log-management.md) — log retention and rotation relevant to audit-period evidence.
* [**Glossary**](/reference/reference/glossary.md) — framework acronyms and compliance vocabulary definitions.

***

*Last reviewed: 2026-05-31 against HIPAA 45 CFR §164 (Omnibus Final Rule) published 2013-03-26.*
