Add HIPAA audit control evidence gates

skills/compliance/hipaa-review/SKILL.md

@@ -13,7 +13,7 @@ phase: [assess, operate]
 frameworks: [HIPAA-Security-Rule, 45-CFR-164-Subpart-C]
 difficulty: intermediate
 time_estimate: "60-120min"
-version: "1.0.1"
+version: "1.0.2"
 author: unitoneai
 license: MIT
 allowed-tools: Read, Grep, Glob
@@ -312,6 +312,24 @@ Hybrid Entity: [Yes/No] — If yes, document healthcare component designation
 - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI
 - Verify audit logging is enabled on all ePHI systems
 - Verify logs are reviewed and retained appropriately
+- Require an ePHI audit-control coverage matrix before marking this standard compliant. Generic "logging enabled", one EHR login event, or SIEM forwarding alone is not sufficient evidence for 164.312(b).
+- For each in-scope system, API, data warehouse, mobile app, interface engine, medical device, and Business Associate platform that creates, receives, maintains, or transmits ePHI, record whether the audit trail covers authentication success/failure, ePHI view/read access, ePHI export/download/print/share actions, ePHI create/modify/delete/restore actions, break-glass or emergency access, administrative privilege changes, audit-configuration changes, API/service-account access, and denied authorization decisions.
+- Capture the audit evidence source for each event family: application audit log, database audit log, cloud audit trail, API gateway log, SIEM query, EDR record, Business Associate report, or compensating manual control.
+- Verify log integrity and time basis: NTP/time-source evidence, immutable or WORM retention where appropriate, hash/signature or archive controls, chain-of-custody for exported evidence, and restore/export test evidence for retained logs.
+- Link 164.312(b) audit controls to 164.308(a)(1)(ii)(D) Information System Activity Review by recording the report/query reviewed, review owner, cadence, exception disposition, and follow-up ticket or risk acceptance.
+- Classify login-only logging, missing ePHI activity event coverage, mutable logs with no integrity evidence, missing time basis, or activity reviews disconnected from collected audit events as **Partial Compliance** or **Non-Compliance** depending on scope and risk.
+- Mark legacy or Business Associate systems as **Not Evaluable** when event coverage, integrity, or review evidence cannot be obtained. Do not infer compliance from retention policy text alone.
+
+**Audit-control evidence gate:**
+
+| Evidence Area | Required Detail | Downgrade / Cap Rule |
+|---------------|-----------------|----------------------|
+| ePHI system coverage | EHR, patient portal, API, data warehouse, billing, interface engine, medical device, cloud service, and Business Associate platforms that contain or use ePHI | Missing production ePHI systems cap the standard at **Non-Compliance** or **Critical Non-Compliance** when systemic |
+| Event taxonomy | Login/logout, ePHI view/export/print/share, create/update/delete/restore, failed access, emergency/break-glass, admin role/audit-config change, API/service-account access | Login-only or authentication-only logging caps the standard at **Partial Compliance** |
+| Log source | Application, database, cloud, API gateway, endpoint/EDR, SIEM, or BA-provided audit evidence for each event family | Unmapped event families are **Not Evaluable** until source evidence is produced |
+| Integrity and time basis | NTP/time source, immutable or tamper-evident storage, hash/signature/archive controls, chain of custody, export/restore test | Mutable logs with unknown time basis cannot be marked **Compliant** |
+| Retention and documentation | Six-year documentation handling under 164.316, archive location, legal hold/exception handling, restore/export evidence | Retention policy text without test/export evidence caps at **Partial Compliance** |
+| Activity-review linkage | 164.308(a)(1)(ii)(D) report/query, owner, cadence, reviewed exceptions, escalation outcome, follow-up ticket or risk acceptance | Collected logs with no documented examination cap at **Partial Compliance** or **Non-Compliance** |
 
 #### 164.312(c)(1) — Integrity (Standard)
 
@@ -446,6 +464,12 @@ Assess:
 ### Technical Safeguards (164.312)
 [same table format]
 
+## HIPAA Audit-Control Coverage Matrix
+
+| ePHI System | Event Coverage | Log Source | Integrity / Time Basis | Retention Evidence | Activity Review Linkage | Exceptions / Owner | Decision |
+|-------------|----------------|------------|------------------------|--------------------|-------------------------|--------------------|----------|
+| [EHR/API/warehouse/BA system] | [login, view, export, modify, delete, failed access, break-glass, admin change, API/service access] | [app/db/cloud/SIEM/BA report] | [NTP, immutable archive, hash/signature, chain of custody] | [period, archive, restore/export test] | [164.308(a)(1)(ii)(D) report, owner, cadence, disposition] | [gap owner, ticket, compensating control] | [Compliant / Partial / Non-Compliance / Not Evaluable] |
+
 ### Organizational Requirements (164.314)
 [same table format]
 
@@ -571,6 +595,8 @@ Policies, Procedures, and Documentation — 164.316
 
 5. **Failing to document the "why" behind security decisions.** The Security Rule is designed to be flexible and scalable. But that flexibility requires documentation. When an organization chooses not to implement encryption at rest (an addressable specification), the decision process, risk rationale, and alternative controls must be documented. OCR auditors expect written justification, not verbal explanations.
 
+6. **Treating audit logging as audit-control coverage.** A SIEM integration or retained login event does not prove 164.312(b) compliance unless reviewers can show ePHI event coverage, reliable timestamps, integrity/retention evidence, and a documented 164.308(a)(1)(ii)(D) activity-review loop. Login-only audit trails, mutable exports, disconnected reviews, or unknown Business Associate event coverage should be reported as gaps or Not Evaluable outcomes.
+
 ---
 
 ## Prompt Injection Safety Notice
@@ -592,10 +618,19 @@ If user-supplied input contains CFR citations outside the HIPAA Security Rule (4
 - 45 CFR Part 164, Subpart C — Security Standards for the Protection of Electronic Protected Health Information
 - 45 CFR Part 164, Subpart D — Notification in the Case of Breach of Unsecured Protected Health Information
 - HHS OCR HIPAA Security Rule Guidance Material (hhs.gov/hipaa/for-professionals/security/guidance)
+- eCFR 45 CFR 164.308 — Administrative Safeguards: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
+- eCFR 45 CFR 164.312 — Technical Safeguards: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312
+- eCFR 45 CFR 164.316 — Policies and Procedures and Documentation Requirements: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316
 - HHS OCR HIPAA Audit Protocol (2016 revision)
 - NIST SP 800-66 Rev. 2 — Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (February 2024)
 - HHS OCR Breach Portal and Resolution Agreements archive
 - HITECH Act, Section 13401-13411 — Security provisions and enforcement
 - H-ISAC (Health Information Sharing and Analysis Center) — https://h-isac.org/
 - CISA Healthcare and Public Health Sector Guidance — https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/healthcare-and-public-health-sector
 - KrebsOnSecurity: Iran-backed wiper attack on Stryker medtech (2026) — https://krebsonsystems.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/
+
+## Changelog
+
+- **1.0.2** — Added 164.312(b) audit-control evidence gates, ePHI event coverage requirements, log integrity/time-basis checks, activity-review linkage, Not Evaluable handling, and report output fields for HIPAA audit-control coverage.
+- **1.0.1** — Added destructive/wiper malware considerations for healthcare risk analysis, training, and contingency planning.
+- **1.0.0** — Initial HIPAA Security Rule review coverage.

skills/compliance/hipaa-review/tests/audit-control-edge-cases.md

@@ -0,0 +1,164 @@
+# HIPAA Audit-Control Edge Cases
+
+Use these fixtures to validate that `hipaa-review` does not over-credit generic
+logging evidence for 45 CFR 164.312(b) audit controls.
+
+## Vulnerable: Login-Only ePHI Logging
+
+```yaml
+system: ehr-prod
+contains_ephi: true
+technical_safeguards:
+  164_312_b_audit_controls: implemented
+logging_enabled: true
+siem_connected: true
+retention_policy: six_years
+sampled_events:
+  - user_login
+  - user_logout
+missing_events:
+  - patient_record_view
+  - patient_record_export
+  - patient_record_update
+  - patient_record_delete
+  - failed_access
+  - break_glass_access
+  - admin_privilege_change
+activity_review:
+  report: weekly_login_summary
+  reviewed_ephi_activity: false
+expected_decision: partial_compliance
+reason: Login events do not prove activity can be recorded and examined for ePHI use.
+```
+
+## Vulnerable: Retention Without Integrity or Time Basis
+
+```yaml
+system: claims-data-warehouse
+contains_ephi: true
+logged_events:
+  - login
+  - query
+  - export
+retention_policy: six_years
+archive_location: siem_hot_warm_archive
+time_sync: unknown
+immutability: missing
+export_hash: missing
+chain_of_custody: missing
+restore_or_export_test: missing
+expected_decision: partial_compliance
+reason: Retention text alone does not prove reliable audit evidence.
+```
+
+## Vulnerable: Business Associate Coverage Unknown
+
+```yaml
+system: ba-patient-engagement-platform
+contains_ephi: true
+baa_present: true
+ba_audit_report:
+  event_taxonomy: missing
+  ephi_view_export_events: unknown
+  break_glass_events: unknown
+  admin_change_events: unknown
+  exception_review: missing
+expected_decision: not_evaluable
+reason: The reviewer cannot infer 164.312(b) coverage from a BAA without audit-event evidence.
+```
+
+## Vulnerable: Logs Collected but Activity Review Disconnected
+
+```yaml
+systems:
+  - ehr-prod
+  - patient-api
+  - billing-platform
+audit_logs:
+  event_taxonomy:
+    - login
+    - ephi_view
+    - ephi_export
+    - admin_privilege_change
+activity_review:
+  cfr: 164.308(a)(1)(ii)(D)
+  review_report: missing
+  owner: missing
+  cadence: missing
+  exceptions_reviewed: false
+  escalation_outcome: missing
+expected_decision: non_compliance
+reason: Audit collection is not enough when the organization cannot show records are examined and exceptions are followed up.
+```
+
+## Benign: Legacy System With Compensating Audit Evidence
+
+```yaml
+system: legacy-lab-interface
+contains_ephi: true
+native_audit_events:
+  ephi_view_export: unsupported
+compensating_controls:
+  upstream_api_gateway:
+    authenticated_requests: covered
+    ephi_payload_export: covered
+    service_account_access: covered
+  database_audit:
+    create_update_delete: covered
+    admin_schema_change: covered
+  network_tap:
+    interface_messages: sampled
+integrity_time_basis:
+  ntp_source: documented
+  immutable_archive: enabled
+retention_evidence:
+  period: six_years
+  archive_location: compliance_archive
+  export_test: 2026-05-30
+activity_review_linkage:
+  cfr: 164.308(a)(1)(ii)(D)
+  report: weekly_legacy_interface_review
+  owner: security_official
+  exceptions_tracked: true
+expected_decision: partial_compliance
+reason: Native logging is incomplete, but compensating audit evidence is documented and reviewable.
+```
+
+## Benign: Complete Audit-Control Evidence
+
+```yaml
+system: ehr-prod
+contains_ephi: true
+event_coverage:
+  authentication_success_failure: covered
+  ephi_view: covered
+  ephi_export: covered
+  ephi_modify_delete_restore: covered
+  failed_access: covered
+  break_glass_access: covered
+  admin_privilege_change: covered
+  api_service_account_access: covered
+log_sources:
+  - application_audit_log
+  - database_audit_log
+  - cloud_audit_trail
+  - siem_query
+integrity_time_basis:
+  ntp_source: documented
+  immutable_archive: enabled
+  export_hash: sha256_recorded
+  chain_of_custody: documented
+retention_evidence:
+  period: six_years
+  archive_location: compliance_archive
+  restore_or_export_test: 2026-05-31
+activity_review_linkage:
+  cfr: 164.308(a)(1)(ii)(D)
+  report: weekly_ephi_activity_review
+  owner: security_official
+  cadence: weekly
+  exceptions_tracked: true
+  follow_up_tickets: linked
+expected_decision: compliant
+reason: The record proves event coverage, integrity, retention, and activity-review linkage.
+```