HIPAA
Built for covered entities, not adapted for them
PHIGuard was designed from the start to satisfy HIPAA requirements. This page explains what HIPAA requires of small clinics and how PHIGuard addresses each obligation.
HIPAA obligations for small medical clinics
If your clinic is a covered entity — and virtually all medical, dental, and behavioral health practices are — you are subject to three primary HIPAA rules. For a broader checklist of the operational obligations that follow, see our guide to HIPAA task management.
Privacy Rule
Governs how PHI may be used and disclosed. Requires written policies, staff training, a designated privacy officer, and patient rights procedures.
Security Rule
Requires administrative, physical, and technical safeguards to protect electronic PHI. Mandates access controls, audit logging, encryption, and regular risk assessments.
Breach Notification Rule
Requires covered entities to notify affected patients, HHS, and in some cases the media following a breach of unsecured PHI. Notification must occur within 60 days of discovery.
How PHIGuard addresses HIPAA requirements
§164.308(b) Business Associate Agreement included at every pricing tier. Delivered automatically on account creation. Satisfies 45 CFR §164.308(b) and §164.504(e).
§164.312(b) Immutable append-only audit log records all task activity with user ID, timestamp, and action type. Cannot be modified or deleted.
§164.312(a)(1) Role-based access controls limit staff to task categories appropriate for their role. Unique user accounts required. No shared credentials.
§164.530(b) Training task templates and tracking let you assign, monitor, and document HIPAA training completion for every staff member.
§164.308(a)(1) Annual risk assessment task template guides your privacy officer through the required analysis and documents findings.
§164.308(a)(6) Structured incident log with breach risk assessment documentation, notification tracking, and complete audit record of response.
§164.312(a)(2)(iv) AES-256 at rest, TLS 1.2+ in transit. Non-configurable — encryption cannot be disabled.
§164.312(a)(2)(iii) Inactive sessions are terminated after a configurable idle period (default: 30 minutes).
Business Associate Agreement
Under HIPAA, any vendor whose system stores, processes, or transmits PHI on behalf of your clinic must sign a Business Associate Agreement before you use that service for PHI-related purposes. This requirement applies to task management software if you use it for tasks involving patient information.
PHIGuard's BAA is not gated behind an enterprise plan. It is included at Essentials ($99/mo), Clinic ($249/mo), and Group ($499/mo). You can review our BAA on the BAA page before signing up. If you're currently using a generic task tool, our HIPAA-compliant alternatives breakdowns cover the BAA gap vendor by vendor, and per-clinic pricing explains how flat pricing compares to per-seat tools.
FAQ
HIPAA questions from practice administrators
What is a covered entity under HIPAA?
A covered entity is a health plan, health care clearinghouse, or health care provider that transmits health information in electronic form. Most medical clinics — including dental, primary care, specialty, and behavioral health practices — are covered entities.
What HIPAA rules apply to task management software?
The HIPAA Security Rule applies when tasks involve electronic Protected Health Information (ePHI). If your task management system stores or processes patient names, appointment details, or any information that can identify a patient in connection with their health, it must meet Security Rule requirements: access controls, audit logging, encryption at rest and in transit, and a signed BAA with the vendor.
Does PHIGuard sign a Business Associate Agreement?
Yes. A signed Business Associate Agreement is included at every PHIGuard pricing tier. It is delivered automatically when you create your account.
What is the HIPAA annual risk assessment?
The Security Rule requires covered entities to conduct a periodic risk analysis to identify potential vulnerabilities to ePHI. HHS guidance indicates this should be done at least annually or whenever there is a significant change to your operations or systems. PHIGuard includes a compliance task template to guide you through and document this process.
What are HIPAA's requirements for staff training?
The Privacy Rule requires covered entities to train all workforce members on policies and procedures relevant to PHI. The Security Rule requires security awareness and training. Training must be documented. PHIGuard's staff training tracking feature lets you assign training tasks, record completion, and maintain the documentation required for compliance.
What must a HIPAA-compliant task system do?
At minimum: (1) operate under a signed BAA; (2) maintain an immutable audit trail; (3) enforce role-based access controls; (4) encrypt data at rest and in transit; (5) ensure notifications do not expose PHI; (6) support user-level access revocation during offboarding.
Operational assurance
HIPAA compliance that comes with your subscription
PHIGuard gives your clinic the infrastructure, templates, and legal framework to run a defensible HIPAA compliance program — without a compliance consultant.
Card required to start. We email you 3 days before the first automatic charge.