Version: 1.0.0
Last Updated: 2026-02-27
Status: Active
Module: IT (IT & Security)
Cross-References:
## Overview
This document tracks information security and IT compliance obligations for Encore Health OS as a healthcare technology platform processing ePHI. The IT module covers HIPAA Security Rule safeguards, HITECH breach notification, cybersecurity frameworks (NIST CSF, CIS Controls), state data breach notification, and related standards (SOC 2, PCI DSS).
## 1. HIPAA Security Rule (45 CFR 164 Subpart C)

### 1.1 Administrative Safeguards (§164.308)

| # | Requirement | Responsible Spec | Status | Notes |
|---|---|---|---|---|
| HS-A01 | Risk analysis — Conduct accurate and thorough assessment of risks to ePHI | IT-05 | ⏳ Not Started | Annual risk analysis; document findings and remediation |
| HS-A02 | Risk management — Implement measures sufficient to reduce risks to reasonable and appropriate level | IT-05 | ⏳ Not Started | Risk treatment plan; track mitigation actions |
| HS-A03 | Workforce security — Ensure appropriate access to ePHI; prevent unauthorized access | PF-30 (permissions), HR-01 | 🟡 Partial | Role-based access in PF-30; authorization/supervision procedures needed |
| HS-A04 | Information access management — Authorize access to ePHI consistent with access policies | PF-30 | 🟡 Partial | Permission system implemented; access review procedures needed |
| HS-A05 | Security awareness training — Security training program for all workforce members | IT-05, HR-04 | ⏳ Not Started | Training tracking in HR-04; security-specific curriculum needed |
| HS-A06 | Security incident procedures — Identify, respond to, and mitigate security incidents | IT-05 | ⏳ Not Started | Incident response plan; SIEM integration |
| HS-A07 | Contingency plan — Establish data backup, disaster recovery, and emergency operations plans | IT-05 | ⏳ Not Started | Backup strategy (Supabase); RTO/RPO documentation |
| HS-A08 | Business associate agreements — Written agreements with all business associates handling ePHI | PF-44 | 🟡 Partial | BAA with Supabase; BAA tracking for all vendors needed |
### 1.2 Physical Safeguards (§164.310)

| # | Requirement | Responsible Spec | Status | Notes |
|---|---|---|---|---|
| HS-P01 | Facility access controls — Limit physical access to systems containing ePHI | IT-05 | 📋 Cloud | Cloud-hosted (Supabase/Vercel); data center physical security managed by providers |
| HS-P02 | Workstation use and security — Policies for workstation access and physical safeguards | IT-05 | ⏳ Not Started | Endpoint security policies needed |
| HS-P03 | Device and media controls — Procedures for disposal, re-use, and transfer of ePHI media | IT-05 | ⏳ Not Started | Data disposal procedures; encryption at rest |
### 1.3 Technical Safeguards (§164.312)

| # | Requirement | Responsible Spec | Status | Notes |
|---|---|---|---|---|
| HS-T01 | Access control — Unique user identification, emergency access, automatic logoff, encryption | PF-30, PF-01 | 🟡 Partial | Supabase Auth (PF-01); RBAC (PF-30); session timeout and emergency access procedures needed |
| HS-T02 | Audit controls — Hardware, software, and procedural mechanisms to record and examine ePHI access | PF-40 (audit logging) | 🟡 Partial | Audit logging implemented; log review and retention procedures needed |
| HS-T03 | Integrity controls — Protect ePHI from improper alteration or destruction | PF, RLS | 🟡 Partial | RLS policies enforce data integrity; additional integrity verification needed |
| HS-T04 | Person or entity authentication — Verify identity of person/entity seeking ePHI access | PF-01 | ✅ Compliant | Supabase Auth with MFA support |
| HS-T05 | Transmission security — Encrypt ePHI in transit (TLS/SSL) | PF, Supabase | ✅ Compliant | All Supabase connections use TLS; Vercel serves HTTPS |
### 1.4 Encryption at Rest and Key Management (Module-Specific)

| # | Spec / Module | Requirement | Status | Notes |
|---|---|---|---|---|
| KM-01 | PM-33 (Capitation) | member_id_external (MCO-assigned member ID) encrypted at rest via pgcrypto pgp_sym_encrypt; keys stored in Supabase Vault. Key rotation: Privacy Officer and Security Officer agree on rotation cadence during PM-33 sign-off (e.g. annual per FA-SECURITY-CONSIDERATIONS or 90-day service key). Agreed cadence must be recorded in this tracker and in PM-33-COMPLIANCE-SIGNOFF.md. | 📋 Pending sign-off | Rotation plan documented upon PM-33 compliance sign-off |
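The KM-01 pattern (pgcrypto `pgp_sym_encrypt` with the key held in Supabase Vault, plus a rotation step) expressed in SQL, as an added example that is not Encore Health OS project code. It assumes a hypothetical `pm33.members` table with `member_id_external bytea` and `key_version text` columns, and uses placeholder Vault secret names; the `vault.decrypted_secrets` view and `vault.create_secret` are the Supabase Vault interfaces as documented by Supabase.

```sql
-- Added example, not project code. Table and secret names are placeholders.
create extension if not exists pgcrypto;

-- Encrypt on write: the symmetric key is read from Vault at call time and
-- never lands in the application table or in application logs.
create or replace function pm33.encrypt_member_id(plain text, key_name text)
returns bytea language sql security definer as $$
  select pgp_sym_encrypt(plain, s.decrypted_secret)
  from vault.decrypted_secrets s
  where s.name = key_name;
$$;

-- Decrypt on read, same lookup in reverse. Grant execute only to the roles
-- that legitimately need the MCO member ID (least privilege).
create or replace function pm33.decrypt_member_id(cipher bytea, key_name text)
returns text language sql security definer as $$
  select pgp_sym_decrypt(cipher, s.decrypted_secret)
  from vault.decrypted_secrets s
  where s.name = key_name;
$$;

-- Rotation: re-encrypt every row still under the old key in one transaction
-- and record which key version now protects each row, so the count of
-- rotated rows can be logged as evidence for the tracker.
create or replace function pm33.rotate_member_id_key(old_key text, new_key text)
returns integer language plpgsql security definer as $$
declare n integer;
begin
  update pm33.members
     set member_id_external = pm33.encrypt_member_id(
           pm33.decrypt_member_id(member_id_external, old_key), new_key),
         key_version = new_key
   where key_version = old_key;
  get diagnostics n = row_count;
  return n;  -- number of rows moved to the new key
end;
$$;

-- One rotation cycle (e.g. the 90-day cadence from the KM-01 options):
-- 1. create the new secret in Vault,
select vault.create_secret('<new-random-key>', 'pm33_member_key_v2',
                           'PM-33 member_id_external key, rotation 2');
-- 2. re-encrypt under it,
select pm33.rotate_member_id_key('pm33_member_key_v1', 'pm33_member_key_v2');
-- 3. verify nothing remains under the retired key before deleting it from Vault.
select count(*) from pm33.members where key_version = 'pm33_member_key_v1';  -- expect 0
```

Decryption requires reading `vault.decrypted_secrets`, so the functions run as `security definer`; keep `execute` on them restricted to the roles that handle capitation data.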
## 2. HITECH Act

| # | Requirement | Responsible Spec | Status | Notes |
|---|---|---|---|---|
| HT-01 | Breach notification — individuals — Notify affected individuals without unreasonable delay (within 60 days) | IT-05, PF-44 | ⏳ Not Started | Breach notification workflow; template letters |
| HT-02 | Breach notification — HHS — Report breaches of 500+ individuals to HHS and media | IT-05 | ⏳ Not Started | HHS breach reporting portal integration or manual process |
| HT-03 | Breach notification — small breaches — Annual report to HHS for breaches < 500 individuals | IT-05 | ⏳ Not Started | Breach log; annual compilation and submission |
| HT-04 | Risk assessment for breach determination — Assess probability that PHI was compromised | IT-05 | ⏳ Not Started | Risk assessment methodology per HITECH 4-factor test |
| HT-05 | Business associate obligations — BAs directly liable for HIPAA Security Rule compliance | PF-44, IT-05 | 🟡 Partial | BAA tracking; vendor security assessments needed |
| HT-06 | Encryption safe harbor — Encrypted/destroyed data exempt from breach notification | IT-05 | 🟡 Partial | Supabase encryption at rest; application-level encryption review needed |
## 3. Cybersecurity Frameworks

### 3.1 NIST Cybersecurity Framework (CSF 2.0)

| # | Function | Responsible Spec | Status | Notes |
|---|---|---|---|---|
| NIST-01 | Identify — Asset management, risk assessment, governance | IT-05 | ⏳ Not Started | Asset inventory; risk register; governance framework |
| NIST-02 | Protect — Access control, awareness training, data security, maintenance | IT-05, PF-30 | 🟡 Partial | Access control via PF-30; training and maintenance procedures needed |
| NIST-03 | Detect — Anomalies and events, continuous monitoring, detection processes | IT-05 | ⏳ Not Started | SIEM/monitoring; alerting; log analysis |
| NIST-04 | Respond — Response planning, communications, analysis, mitigation, improvements | IT-05 | ⏳ Not Started | Incident response plan; communication templates |
| NIST-05 | Recover — Recovery planning, improvements, communications | IT-05 | ⏳ Not Started | Disaster recovery plan; business continuity |
| NIST-06 | Govern (CSF 2.0 new) — Organizational context, risk management strategy, supply chain risk | IT-05 | ⏳ Not Started | Cybersecurity governance framework |
### 3.2 CIS Critical Security Controls v8

| # | Control | Responsible Spec | Status | Notes |
|---|---|---|---|---|
| CIS-01 | Inventory and control of enterprise assets | IT-05 | ⏳ Not Started | Asset inventory system |
| CIS-02 | Inventory and control of software assets | IT-05 | 🟡 Partial | package.json/lock files track dependencies; formal software inventory needed |
| CIS-03 | Data protection — Classify and protect sensitive data | IT-05, PF-44 | 🟡 Partial | PHI_CLASSIFICATION.md exists; data loss prevention needed |
| CIS-04 | Secure configuration — Establish and maintain secure configurations | IT-05 | 🟡 Partial | Infrastructure-as-code partially in place; CIS Benchmarks audit needed |
| CIS-05 | Account management — Manage lifecycle of accounts | PF-30, PF-01 | 🟡 Partial | Auth and RBAC in place; formal lifecycle (provisioning/deprovisioning) review needed |
| CIS-06 | Access control management — Create, assign, manage, and revoke access | PF-30 | 🟡 Partial | Permission system; periodic access review procedures needed |
| CIS-07 | Continuous vulnerability management — Identify, prioritize, remediate vulnerabilities | IT-05 | ⏳ Not Started | Dependabot/Snyk scanning; vulnerability management process |
## 4. Arizona Data Breach Notification (ARS 18-552)

| # | Requirement | Responsible Spec | Status | Notes |
|---|---|---|---|---|
| AZ-B01 | Investigation requirement — Investigate security incidents to determine if breach occurred | IT-05 | ⏳ Not Started | Incident investigation procedures |
| AZ-B02 | 45-day notification — Notify affected individuals within 45 days of breach determination | IT-05 | ⏳ Not Started | Notification workflow; template letters |
| AZ-B03 | 1,000+ threshold reporting — Notify AG, DHS, and CRAs for breaches of 1,000+ individuals | IT-05 | ⏳ Not Started | AG notification form; CRA contact procedures |
| AZ-B04 | HIPAA exemption — HIPAA-covered entities following HIPAA breach notification are exempt from ARS 18-552 | IT-05 | 📋 Awareness | Encore Health OS as HIPAA CE follows HIPAA rules; ARS 18-552 exemption applies to PHI breaches |
## 5. SOC 2 (Service Organization Control)

| # | Requirement | Responsible Spec | Status | Notes |
|---|---|---|---|---|
| SOC-01 | SOC 2 Type II readiness — Trust service criteria: security, availability, processing integrity, confidentiality, privacy | IT-05 | ⏳ Not Started | Evaluate need based on customer/payer requirements; Supabase has SOC 2 |
| SOC-02 | Control documentation — Document and test controls per trust service criteria | IT-05 | ⏳ Not Started | If pursuing SOC 2: map controls to criteria; engage auditor |
| SOC-03 | Vendor SOC reports — Obtain and review SOC reports from subservice organizations (Supabase, Vercel, Stripe) | IT-05 | ⏳ Not Started | Annual vendor SOC report review |
## 6. PCI DSS

| # | Requirement | Responsible Spec | Status | Notes |
|---|---|---|---|---|
| PCI-01 | PCI DSS applicability assessment — Determine if cardholder data is stored/processed/transmitted | IT-05 | 📋 Assessment needed | If Stripe tokenization is used exclusively, PCI scope is minimal (SAQ-A eligible) |
| PCI-02 | SAQ-A compliance (if applicable) — Self-Assessment Questionnaire A for merchants who outsource all cardholder data | IT-05 | ⏳ Not Started | Complete SAQ-A annually if payment processing is in scope |
## 7. Authoritative External References

## 8. Periodic Review Schedule

| Review | Frequency | Next Due | Owner |
|---|---|---|---|
| HIPAA Security risk analysis | Annually | YYYY-MM-DD | CISO / Security Officer |
| NIST CSF maturity assessment | Annually | YYYY-MM-DD | CISO / Security Officer |
| Vulnerability scanning | Monthly (or continuous) | YYYY-MM-DD | Engineering / DevOps |
| Penetration testing | Annually | YYYY-MM-DD | External vendor |
| Incident response plan test | Annually | YYYY-MM-DD | CISO / Security Officer |
| BAA inventory review | Annually | YYYY-MM-DD | Privacy Officer |
| Vendor SOC report review | Annually | YYYY-MM-DD | CISO / Security Officer |
| Backup and recovery test | Semi-annually | YYYY-MM-DD | DevOps |
| PCI SAQ-A (if applicable) | Annually | YYYY-MM-DD | Finance / IT |
## Version History

### 1.0.0 (2026-02-27)
- Initial comprehensive IT security compliance document
- Covers HIPAA Security Rule (admin/physical/technical safeguards), HITECH, NIST CSF 2.0, CIS Controls v8, Arizona breach notification, SOC 2, PCI DSS
- 40+ compliance requirements tracked across 6 categories
Next Review: 2026-05-27