This crosswalk maps HATS capabilities to the HIPAA Security Rule technical safeguards (45 CFR 164.312), administrative safeguards (45 CFR 164.308), and selected organizational requirements. The Security Rule establishes national standards for the protection of electronic protected health information (ePHI).
HATS capabilities are particularly relevant to HIPAA compliance when ePHI is processed under fully homomorphic encryption (FHE), where data remains encrypted during computation. This directly addresses the Security Rule's encryption and access control requirements.
This crosswalk is a technical mapping. It does not constitute a HIPAA compliance certification or replace the risk analysis required by 45 CFR 164.308(a)(1)(ii)(A).
| Requirement | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
164.312(a)(1) Unique user identification (R) | Continuous Attestation | Per-access attestation receipts binding unique user identity to each ePHI access event | Verify each access receipt contains a unique, authenticated identity; confirm no shared credentials in receipt stream |
164.312(a)(2)(i) Emergency access procedure (R) | Governance Replay | Emergency access decision attestation receipts with governance binding | Replay emergency access decisions; verify they followed documented emergency procedures |
164.312(a)(2)(ii) Automatic logoff (A) | Continuous Attestation | Session termination attestation receipts with timestamp | Verify session termination receipts occur within configured timeout; confirm no orphaned sessions |
164.312(a)(2)(iv) Encryption and decryption (A) | Encrypted Computation | FHE computation attestation receipts demonstrating ePHI processed without decryption | Verify computation_type field indicates FHE operation; confirm ePHI never appears in plaintext in any receipt |
| Requirement | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
164.312(b) Record and examine activity in systems containing ePHI (R) | Continuous Attestation + Evidence Chains | Tamper-evident attestation receipt chain recording all ePHI system activity | Traverse evidence chain to verify complete activity record; verify chain integrity via predecessor hashes; confirm three PQ signatures on each receipt |
| Requirement | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
164.312(c)(1) Protect ePHI from improper alteration or destruction (R) | Evidence Chains | Cryptographically linked evidence chain with SHA3-256 predecessor hashes | Verify chain integrity; any modification, insertion, or deletion of receipts breaks the hash chain |
164.312(c)(2) Authentication of ePHI (A) | Continuous Attestation | ePHI integrity attestation receipts recording hash of protected data at access time | Compare ePHI hashes across successive attestation receipts to detect unauthorized modification |
| Requirement | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
164.312(d) Verify identity of person or entity seeking access to ePHI (R) | Agent Attestation + Continuous Attestation | Authentication event attestation receipts binding verified identity to each ePHI access | Verify authentication receipts precede every ePHI access receipt; confirm identity verification method is attested |
| Requirement | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
164.312(e)(1) Guard against unauthorized access during transmission (R) | Encrypted Computation | Transmission encryption attestation receipts; ML-KEM-1024 key establishment receipts | Verify key establishment receipts use post-quantum key encapsulation; confirm all transmission events are attested |
164.312(e)(2)(ii) Encryption (A) | Encrypted Computation | Per-transmission encryption attestation receipts | Verify encryption attestation exists for each ePHI transmission; confirm PQ key encapsulation was used |
| Requirement | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
164.308(a)(1)(ii)(D) Information system activity review (R) | Evidence Chains + Governance Replay | Activity review decision attestation receipts with governance binding | Replay activity review decisions; verify reviews covered the complete evidence chain for the review period |
164.308(a)(3)(ii)(A) Authorization and/or supervision (A) | Agent Attestation | Workforce authorization attestation receipts | Verify authorization receipts precede workforce ePHI access; confirm supervisor identity is attested |
164.308(a)(4) Information access management (R) | Continuous Attestation + Governance Replay | Access management decision attestation receipts | Replay access management decisions; verify each access change was governed and attested |
164.308(a)(5)(ii)(C) Log-in monitoring (A) | Continuous Attestation | Authentication attempt attestation receipts including failures | Verify all authentication attempts (success and failure) are attested; analyze failure patterns in evidence chain |
164.308(a)(6) Security incident procedures (R) | Evidence Chains + Governance Replay | Incident response evidence chain with governance decision attestation | Traverse incident response chain; replay response decisions; verify response followed documented procedures |
When ePHI is processed under FHE, the data remains encrypted during computation. The computation output is attested in its encrypted form. At no point in the processing pipeline does ePHI exist in plaintext outside the client's decryption boundary. This architecture directly satisfies the encryption requirements of 164.312(a)(2)(iv) and 164.312(e)(2)(ii).
HATS attestation receipts for FHE computations record the computation_type as FHE_COMPUTE (0x05) in the H33-74 primitive. The receipt does not contain ePHI. It contains a cryptographic commitment (SHA3-256 digest) that binds the computation result to the attestation without revealing the data.
This separation between the attestation layer and the data layer ensures that the evidence chain itself does not constitute ePHI, which simplifies the compliance posture of the attestation infrastructure.
HATS addresses all four technical safeguard categories (Access Control, Audit Controls, Integrity, Transmission Security) and the person/entity authentication standard. Administrative safeguard coverage is partial; HATS provides technical evidence to support administrative controls but does not replace organizational policies, workforce training, or physical safeguards.
The following HIPAA requirements are outside the scope of HATS: physical safeguards (164.310), Business Associate Agreement terms (164.314), policies and procedures documentation (164.316), and breach notification (164.400-164.414). R = Required, A = Addressable.