Skip to main content
Cross-References:
  • REGULATORY_COMPLIANCE_TRACKER.md — Master compliance tracker
  • ONC_CERTIFICATION_ROADMAP.md — ONC certification (related)
  • PHI_CLASSIFICATION.md — PHI data classification
  • docs/compliance/AUTHORITATIVE_REFERENCES.md — Authoritative External References — IT and Security

Overview

This document tracks information security and IT compliance obligations for Encore OS as a healthcare technology platform processing ePHI. The IT module covers HIPAA Security Rule safeguards, HITECH breach notification, cybersecurity frameworks (NIST CSF, CIS Controls), state data breach notification, and related standards (SOC 2, PCI DSS).

1. HIPAA Security Rule (45 CFR 164 Subpart C)

1.1 Administrative Safeguards (§164.308)

1.2 Physical Safeguards (§164.310)

1.3 Technical Safeguards (§164.312)

1.4 Encryption at Rest and Key Management (Module-Specific)


2. HITECH Act


3. Cybersecurity Frameworks

3.1 NIST Cybersecurity Framework (CSF 2.0)

3.2 CIS Critical Security Controls v8


4. Arizona Data Breach Notification (ARS 18-552)


5. SOC 2 (Service Organization Control)


6. PCI DSS


7. Authoritative External References


8. Periodic Review Schedule


Version History

1.0.0 (2026-02-27)

  • Initial comprehensive IT security compliance document
  • Covers HIPAA Security Rule (admin/physical/technical safeguards), HITECH, NIST CSF 2.0, CIS Controls v8, Arizona breach notification, SOC 2, PCI DSS
  • 40+ compliance requirements tracked across 6 categories

Last Updated: 2026-02-27 Next Review: 2026-05-27