WorkSwarm
Trust Center - Confidential
Version 1.0
Updated 2026-05-08
HIPAA Security Rule Control Map
Mapping of WorkSwarm's controls to the HIPAA Security Rule administrative, physical, and technical safeguards (45 CFR §§ 164.302–164.318).
Prepared by Chief Information Security Officer, WorkSwarm, Inc.
About This Document
This document maps WorkSwarm's security controls to the HIPAA Security Rule safeguards. It is intended for covered entities and business associates evaluating WorkSwarm for use with electronic Protected Health Information (ePHI).
WorkSwarm offers a HIPAA-compliant deployment tier. A signed Business Associate Agreement (BAA) is available for eligible customers. This control map demonstrates how WorkSwarm's architecture satisfies each required and addressable implementation specification.
1. Administrative Safeguards (§ 164.308)
Administrative safeguards are the policies and procedures that manage the selection, development, implementation, and maintenance of security measures.
| Standard | Implementation Specification | WorkSwarm Control |
|---|---|---|
| Security Management Process (a)(1) | Risk Analysis (R) | Quarterly risk assessments using NIST SP 800-30. Risk register maintained by CISO. ePHI-specific risk analysis for healthcare customers. |
| Security Management Process (a)(1) | Risk Management (R) | Risk treatment plans with named owners and deadlines. Board-level reporting. Residual risk acceptance requires CISO sign-off. |
| Security Management Process (a)(1) | Sanction Policy (R) | Documented sanction policy for workforce members who violate security policies. Enforced through HR processes. |
| Security Management Process (a)(1) | Information System Activity Review (R) | Automated audit log review. Anomaly detection on ePHI access patterns. Weekly manual review of privileged access. |
| Assigned Security Responsibility (a)(2) | Assigned Security Responsibility (R) | CISO designated as security officer. Healthcare-specific compliance managed by DPO with HIPAA expertise. |
| Workforce Security (a)(3) | Authorization and Supervision (A) | RBAC with healthcare-specific roles. ePHI access restricted to authorized personnel. Quarterly access reviews. |
| Workforce Security (a)(3) | Workforce Clearance (A) | Background checks for employees with ePHI access. Annual HIPAA training. Competency verification. |
| Workforce Security (a)(3) | Termination Procedures (A) | Automated de-provisioning via SCIM. Access revoked within 1 hour of termination notification. |
| Information Access Management (a)(4) | Access Authorization (A) | Role-based ePHI access. Minimum necessary principle enforced. Customer-configurable access policies. |
| Security Awareness Training (a)(5) | Security Reminders (A) | Monthly security awareness communications. Quarterly phishing simulations. HIPAA-specific training modules. |
| Security Awareness Training (a)(5) | Password Management (A) | Password policy: 12+ characters, complexity requirements, 90-day rotation. MFA required for all ePHI access. |
| Security Incident Procedures (a)(6) | Response and Reporting (R) | Documented IRP with HIPAA-specific procedures. Breach notification to the covered entity without unreasonable delay and no later than 60 calendar days after discovery, per § 164.410. Customer notification within 4 hours for P0/P1 incidents. |
| Contingency Plan (a)(7) | Data Backup Plan (R) | Automated daily backups. Cross-region replication. RPO 15 minutes. Backup encryption with separate key hierarchy. |
| Contingency Plan (a)(7) | Disaster Recovery Plan (R) | RTO 4 hours. Multi-AZ deployment. Quarterly DR testing. Documented recovery procedures. |
| Contingency Plan (a)(7) | Emergency Mode Operation (R) | Break-glass procedures for emergency ePHI access. Dual-approval required. Full audit trail. |
| Evaluation (a)(8) | Evaluation (R) | Annual HIPAA compliance evaluation. External assessment by qualified firm. Findings tracked to remediation. |
| Business Associate Contracts and Other Arrangements (b)(1) | Written Contract or Other Arrangement (R) | BAAs executed with all sub-processors (subcontractors) handling ePHI, as § 164.308(b)(2) requires of a business associate. Annual review. Audit rights retained. |
2. Physical Safeguards (§ 164.310)
Physical safeguards protect physical computer systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
| Standard | Implementation Specification | WorkSwarm Control |
|---|---|---|
| Facility Access Controls (a)(1) | Contingency Operations (A) | Cloud infrastructure hosted in AWS/GCP data centers covered by SOC 2 Type II reports. Multi-AZ deployment ensures facility-level redundancy. |
| Facility Access Controls (a)(1) | Facility Security Plan (A) | AWS and GCP physical security controls: biometric access, 24/7 security, video surveillance, mantrap entry. WorkSwarm office: badge access, visitor logs. |
| Workstation Use (b) | Workstation Use (R) | Employee workstation security policy: full-disk encryption, screen lock, endpoint protection (EDR), remote wipe capability. |
| Workstation Security (c) | Workstation Security (R) | MDM enrollment required. CIS benchmark compliance verified weekly. USB storage disabled on corporate devices. |
| Device and Media Controls (d)(1) | Disposal (R) | AWS/GCP handle physical media destruction per their SOC 2 controls. Cryptographic deletion (destruction of the tenant's encryption key) renders any residual data on reused media unrecoverable. |
| Device and Media Controls (d)(1) | Media Re-use (R) | Cloud-native architecture eliminates physical media handling. All storage is logically isolated and cryptographically erasable. |
3. Technical Safeguards (§ 164.312)
Technical safeguards are the technology and related policies and procedures that protect ePHI and control access.
| Standard | Implementation Specification | WorkSwarm Control |
|---|---|---|
| Access Control (a)(1) | Unique User Identification (R) | Every user has a unique identifier. No shared accounts. Service accounts have unique IDs with restricted permissions. |
| Access Control (a)(1) | Emergency Access Procedure (R) | Break-glass procedure: dual-approval, time-limited, fully audited. Emergency access revoked after 4 hours unless renewed. |
| Access Control (a)(1) | Automatic Logoff (A) | Configurable session timeout (default 30 minutes inactivity). Forced re-authentication for ePHI operations after timeout. |
| Access Control (a)(1) | Encryption and Decryption (A) | AES-256-GCM at rest. TLS 1.3 in transit. BYOK/HYOK supported. Per-tenant encryption keys. |
| Audit Controls (b) | Audit Controls (R) | Immutable, hash-chained audit logs. All ePHI access logged with user, timestamp, resource, action. 7-year retention. SIEM exportable. |
| Integrity (c)(1) | Mechanism to Authenticate ePHI (A) | Hash verification on all stored ePHI. Integrity checks on backup restoration. Tamper-evident audit trail. |
| Person or Entity Authentication (d) | Authentication (R) | MFA required and enforced at login. SAML/OIDC SSO. Phishing-resistant WebAuthn/FIDO2 passkeys for passwordless login and step-up. Certificate-based authentication for API integrations. |
| Transmission Security (e)(1) | Integrity Controls (A) | TLS 1.3 with AEAD cipher suites. mTLS for internal service communication. Certificate pinning for mobile applications. |
| Transmission Security (e)(1) | Encryption (A) | All ePHI encrypted in transit. No unencrypted transmission paths. Perfect forward secrecy on all TLS connections. |
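The Audit Controls and Integrity rows above describe a hash-chained, tamper-evident audit trail. The following is an added illustration of that technique, not WorkSwarm's code; the entry fields, the `GENESIS` link value, and the externally stored "anchor" hash are assumptions made for the example. It shows which manipulations the chain alone catches and which require the exported head hash.

```python
"""Added example: a tamper-evident, hash-chained audit log.

Illustration only; not WorkSwarm's implementation. Field names, the
GENESIS link value and the external anchor are assumptions.
"""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # assumed link value for the first entry


def canonical(obj: dict) -> bytes:
    """Canonical JSON so the same logical entry always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(seq: int, record: dict, prev: str) -> str:
    """Link hash over sequence number, record and the previous entry's hash."""
    h = hashlib.sha256()
    h.update(prev.encode())
    h.update(canonical({"seq": seq, "record": record}))
    return h.hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, user: str, ts: str, resource: str, action: str) -> dict:
        """Append one ePHI access event (user, timestamp, resource, action)."""
        record = {"user": user, "ts": ts, "resource": resource, "action": action}
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if seq else GENESIS
        entry = {"seq": seq, "record": record, "prev": prev,
                 "hash": entry_hash(seq, record, prev)}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest link hash; export this to a SIEM/WORM store as the anchor."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify_chain(self) -> Optional[int]:
        """Index of the first inconsistent entry, or None if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = entry_hash(i, e["record"], prev)
            if e["seq"] != i or e["prev"] != prev or \
                    not hmac.compare_digest(e["hash"], expected):
                return i
            prev = e["hash"]
        return None

    def verify_anchor(self, anchor: str) -> bool:
        """Compare the current head with a previously exported head hash."""
        return hmac.compare_digest(self.head(), anchor)

    def rechain(self) -> None:
        """What an insider with write access would do after an edit:
        recompute every link so verify_chain() passes again."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            e["seq"], e["prev"] = i, prev
            e["hash"] = entry_hash(i, e["record"], prev)
            prev = e["hash"]


def demo() -> Dict[str, object]:
    """Build a small log from constructed (not real) events and attack it."""
    log = AuditLog()
    log.append("dr.ng", "2026-05-08T10:00:00Z", "patient/1001", "read")
    log.append("dr.ng", "2026-05-08T10:01:30Z", "patient/1001", "update")
    log.append("nurse.k", "2026-05-08T10:02:10Z", "patient/1002", "read")
    anchor = log.head()  # in practice: shipped to the SIEM at export time

    edited = copy.deepcopy(log)
    edited.entries[1]["record"]["action"] = "read"  # hide an update in place
    deleted = copy.deepcopy(log)
    del deleted.entries[1]                          # remove a middle entry
    truncated = copy.deepcopy(log)
    del truncated.entries[-1]                       # drop the newest entry
    rewritten = copy.deepcopy(edited)
    rewritten.rechain()                             # edit, then rebuild links

    return {
        "intact": log.verify_chain(),                       # None
        "edited": edited.verify_chain(),                    # 1
        "deleted": deleted.verify_chain(),                  # 1
        "truncated_chain": truncated.verify_chain(),        # None (not seen)
        "truncated_anchor": truncated.verify_anchor(anchor),  # False
        "rewritten_chain": rewritten.verify_chain(),        # None (not seen)
        "rewritten_anchor": rewritten.verify_anchor(anchor),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The chain by itself exposes in-place edits and deletion of interior entries, because every later link depends on the altered one. It does not expose truncation of the tail or a full rewrite by someone who can write the log store, which is why the "SIEM exportable" step matters: the head hash must leave the system (or land in write-once storage) so a later verification has an anchor that the log's own writer cannot change.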
4. Breach Notification Rule (§§ 164.400–164.414)
WorkSwarm's breach notification procedures comply with the HIPAA Breach Notification Rule.
- Discovery and assessment: WorkSwarm maintains continuous monitoring to detect potential breaches. Upon discovery, the incident response team assesses whether the event constitutes a breach of unsecured ePHI. Under § 164.410(a)(2), a breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to WorkSwarm; the notification clock starts on that day.
- Risk assessment: Four-factor risk assessment per 45 CFR § 164.402: (1) the nature and extent of the ePHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the ePHI or to whom it was disclosed; (3) whether the ePHI was actually acquired or viewed; (4) the extent to which the risk to the ePHI has been mitigated.
- Customer notification: As a business associate, WorkSwarm notifies the covered entity (customer) without unreasonable delay and no later than 60 calendar days after discovery (§ 164.410). Notification includes: description of the breach, types of information involved, steps taken, mitigation measures, and contact procedures.
- Documentation: All breach assessments are documented and retained for 6 years per HIPAA requirements.
5. Contact
For HIPAA-specific inquiries, BAA requests, or to schedule a security review:
HIPAA Compliance: hipaa@workswarm.ai
Security Team: security@workswarm.ai
Trust Center: trust@workswarm.ai
Disclaimer: This document is provided for informational purposes and represents WorkSwarm's current security posture and planned controls. Legal templates are provided as starting points and should be reviewed by your legal counsel before execution. Certification timelines are targets and subject to change based on auditor availability and assessment outcomes.
© 2026 WorkSwarm, Inc. · Confidential · workswarm.ai/trust