# HIPAA Compliance Review — 2026-04-22 User Account Rollout

**Reviewed by:** Howard Enos (Computer Guru)

**Scope:** Decisions captured in `docs/cloud/user-account-rollout-plan.md` as of 2026-04-22

**Trigger:** Client request for a pre-execution compliance check before creating / disabling accounts

**Primary references:** 45 CFR Part 164 Subpart C (HIPAA Security Rule), NIST SP 800-66 Rev 2 (Feb 2024), HHS OCR guidance

---

## Findings classified ACTIVE ONGOING VIOLATION — present-tense gap

### A1. Synology role-based shared-login accounts with PHI access

**Rule:** 45 CFR §164.312(a)(2)(i) Unique User Identification (Required).

**Current state:** The Synology NAS `cascadesds` (192.168.0.120) hosts 7 role-based shared-credential local accounts that multiple humans sign into. Several of these accounts have access to shares containing PHI (`homes`, `Management`, `pacs`). Per `docs/migration/synology-permission-inventory.md` these accounts are:

- `Accounting`
- `Dining Manager`
- `Front Desk`
- `mcnurse`
- `Memcare Receptionist`
- `memcarenurse`
- `Nurse Tower`

**Gap:** These are NOT scheduled for remediation until Phase 4 (Synology retirement + CS-SERVER file-share cutover), which will be weeks away at best. **Every day until Phase 4, these shared credentials are an active Required-spec violation if any of them access PHI shares.** The `pacs` share (likely medical imaging) and `Management` (clinical admin docs) are the highest-risk.

**Options:**

1. **Accelerate disable.** Immediately disable shared logins on Synology + force users onto their personal AD-synced accounts. Risk: breaks known workflows, disrupts front-desk / nursing stations that rely on shared logins today.
2. **Documented risk-acceptance in Risk Analysis.** Capture the exception explicitly: "7 Synology shared-login accounts remain operational until Phase 4 cutover, target [date]. Compensating controls: physical access restricted to Cascades building, shift-based sign-in sheets on each shared workstation, monthly SMB access-log review by Howard." Meredith signs the residual-risk acknowledgment.
3. **Hybrid.** Disable the highest-sensitivity shared accounts immediately (`mcnurse`, `memcarenurse`, `Nurse Tower` if they touch `pacs`), accept risk on the less-sensitive ones (`Accounting`, `Front Desk`).

**Decision required:** Which option does Meredith prefer? Option 2 is the most common choice, but the residual-risk paperwork has to be real, not just assumed.

**Detection:** Monthly sample of Synology SMB access logs for those accounts, mapped against shift schedules.

**Target resolution:** Phase 4 (Synology retirement) OR an explicit immediate-disable event, whichever comes first.
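One way to run the monthly detection sample above, added here as an example rather than the review's own tooling: the log rows and shift windows are constructed placeholders, and the real Log Center export's column names must be mapped onto the ones used here before it is run against a genuine export.

```powershell
# Added example (not the review's own script): monthly sample check of Synology
# SMB access-log rows for the shared-login accounts against their shift windows.
# The CSV shape below is CONSTRUCTED for illustration; map the real Log Center
# export's column names onto time,user,client_ip,event,path before running.
$SampleLog = @'
time,user,client_ip,event,path
2026-04-03 08:12:41,Front Desk,192.168.0.31,read,/Management/census-2026-04.xlsx
2026-04-03 23:47:09,Front Desk,192.168.0.31,read,/Management/incident-report.docx
2026-04-04 02:15:30,mcnurse,192.168.0.44,read,/pacs/2026/img-00123.dcm
2026-04-04 14:05:12,Accounting,192.168.0.52,write,/homes/Accounting/ar-aging.xlsx
2026-04-05 21:58:00,Nurse Tower,192.168.0.47,read,/pacs/2026/img-00456.dcm
'@

# Assumed shift windows in local hours (hypothetical; replace with the posted
# schedule). Start > End means an overnight shift; 0..24 means any hour.
$ShiftWindows = @{
  'Front Desk'           = @{ Start = 7;  End = 19 }
  'Accounting'           = @{ Start = 8;  End = 17 }
  'Dining Manager'       = @{ Start = 6;  End = 20 }
  'Memcare Receptionist' = @{ Start = 7;  End = 19 }
  'mcnurse'              = @{ Start = 19; End = 7 }
  'memcarenurse'         = @{ Start = 7;  End = 19 }
  'Nurse Tower'          = @{ Start = 0;  End = 24 }
}
$PhiShares = @('homes', 'Management', 'pacs')   # PHI shares named in A1

function Test-SharedAccountAccess {
  param([string]$CsvText, [hashtable]$Windows, [string[]]$PhiRoots)
  foreach ($r in ($CsvText | ConvertFrom-Csv)) {
    if (-not $Windows.ContainsKey($r.user)) { continue }   # not a shared login
    $t = [datetime]::ParseExact($r.time, 'yyyy-MM-dd HH:mm:ss',
           [Globalization.CultureInfo]::InvariantCulture)
    $w = $Windows[$r.user]
    $inShift = if ($w.Start -le $w.End) { $t.Hour -ge $w.Start -and $t.Hour -lt $w.End }
               else { $t.Hour -ge $w.Start -or $t.Hour -lt $w.End }
    $share = ($r.path.TrimStart('/') -split '/')[0]
    [pscustomobject]@{
      Time = $t; Account = $r.user; Share = $share; Client = $r.client_ip
      PhiShare = ($PhiRoots -contains $share); OutOfShift = (-not $inShift)
    }
  }
}

# Rows to reconcile against the shift sign-in sheets: a PHI share touched
# outside the account's window.
Test-SharedAccountAccess $SampleLog $ShiftWindows $PhiShares |
  Where-Object { $_.PhiShare -and $_.OutOfShift } |
  Format-Table Time, Account, Share, Client -AutoSize
```

Each flagged row is a session for which the sign-in sheet should name the individual who was using the shared account at that time; rows with no matching sheet entry are the ones to escalate.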

---

## Findings classified CRITICAL — must fix before rollout

### C1. Shared agency logins would violate §164.312(a)(2)(i) — Unique User Identification

Original plan: create `reliable1@cascadestucson.com` and `reliable2@cascadestucson.com` as shared accounts for rotating Reliable Agency caregivers.

**Rule:** §164.312(a)(2)(i) Unique User Identification is a **Required** implementation spec (not Addressable). HHS has explicitly answered this in public FAQ: covered entities may not assign the same log-on ID to multiple employees. There is no compensating-control carve-out because Required specs don't permit alternatives. NIST SP 800-66 Rev 2 maps this to SP 800-53 IA-2 (Identification and Authentication) and AC-2 (Account Management), which likewise require individual accounts.

**Decision 2026-04-22:** Drop `reliable1` / `reliable2`. Require Reliable Agency to supply individual caregiver names before any shift where PHI access is needed. Per-person accounts only. If the agency won't commit, agency staff work under direct supervision of a Cascades-employed caregiver who is signed in — no independent PHI access.

**Docs updated:** `user-account-rollout-plan.md` §6 and Wave 1; `cascades-staff-working-list-2026-04-22.md`; `cascades-staff-editor-2026-04-22.html`; `p2-staff-candidates.md`; `caregiver-m365-p2-rollout.md`; `cascades-staff-followup-2026-04-22.md`.

---

### C2. Britney Thompson mailbox must be placed on Litigation Hold before disable + mailbox conversion

**Rule:** §164.308(a)(3)(ii)(C) Termination Procedures + §164.316(b)(2)(i) 6-year documentation retention.

**Issue:** Business Standard doesn't include unlimited archive/hold. Converting a licensed mailbox to shared can trim content based on default retention settings, potentially purging PHI subject to state medical-records retention (AZ = 7 years post-last-encounter) or subpoena.

**Decision:** Before disabling `britney.thompson`:

1. Place mailbox on Litigation Hold (verify Business Standard has Exchange Online Plan 2 features; if not, temporarily assign an EOA or E3 before harvest)
2. Designate a named custodian (recommended: Meredith Kuhn as Executive Director, or Lois Lane as Health Services Director)
3. Then disable sign-in, revoke tokens
4. Then convert to shared and harvest user license
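The four steps as one ordered script, added here as an example rather than the review's own procedure; it assumes Exchange Online and Microsoft Graph PowerShell sessions are already connected, the UPNs shown are assumptions to confirm in the tenant, and the script stops before touching sign-in if the hold is not confirmed.

```powershell
# Added example (not the review's own script): runs the C2 steps in order and
# refuses to disable sign-in until the hold is confirmed. Assumes
# Connect-ExchangeOnline and Connect-MgGraph -Scopes 'User.ReadWrite.All' have
# run. UPNs are assumed from the document's naming; confirm them in the tenant.
$Upn       = 'britney.thompson@cascadestucson.com'
$Custodian = 'meredith.kuhn@cascadestucson.com'   # Step 2: named custodian (assumed UPN)

# Step 1: Litigation Hold, unlimited duration, custodian recorded as hold owner.
Set-Mailbox -Identity $Upn -LitigationHoldEnabled $true `
  -LitigationHoldDuration Unlimited -LitigationHoldOwner $Custodian
$mbx = Get-Mailbox -Identity $Upn
if (-not $mbx.LitigationHoldEnabled) {
  # Typical cause: mailbox lacks Exchange Online Plan 2 / EOA features (open question 1).
  throw "Litigation Hold did not take on $Upn; fix licensing before disabling sign-in."
}

# Step 3: disable sign-in, then revoke refresh tokens so open sessions die.
$user = Get-MgUser -UserId $Upn -Property Id,AccountEnabled
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Step 4: convert to shared. Re-check the hold after any later license removal;
# only harvest the license if LitigationHoldEnabled still reads True afterwards.
Set-Mailbox -Identity $Upn -Type Shared
$mbx  = Get-Mailbox -Identity $Upn
$user = Get-MgUser -UserId $user.Id -Property Id,AccountEnabled

# Termination record for the §164.316(b)(2) file (retain 6 years).
[pscustomobject]@{
  Mailbox        = $Upn
  HoldEnabled    = $mbx.LitigationHoldEnabled
  HoldOwner      = $mbx.LitigationHoldOwner
  HoldDate       = $mbx.LitigationHoldDate
  MailboxType    = $mbx.RecipientTypeDetails
  SignInDisabled = -not $user.AccountEnabled
  Operator       = (Get-MgContext).Account
  Timestamp      = (Get-Date).ToString('o')
} | ConvertTo-Json
```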

Retain documentation of the termination action for at least 6 years per §164.316(b)(2).

---

### C3. Microsoft M365 BAA not yet signed

**Rule:** §164.308(b)(1) Business Associate contracts.

**Issue:** `docs/cloud/m365.md` line 12 and `docs/security/hipaa.md` gap #13 note that no Microsoft HIPAA BAA has been signed. Every day Cascades uses M365 for PHI without a BAA is a continuing Security Rule violation. Every new account we provision expands that exposure.

**Decision:** Sign the Microsoft BAA **before Wave 1** — M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA. Free, 5 minutes.

Parallel: verify or secure an ALIS BAA (go-alis.com) before any new caregiver accesses ALIS.

---

### C4. No formal Risk Analysis on file (§164.308(a)(1)(ii)(A) — Required)

**Rule:** A formal risk analysis covering scope, threats, likelihood, impact, and control effectiveness is Required (not Addressable).

**Issue:** Cross-doc sweep confirmed no standalone risk analysis document exists. The existing `hipaa.md` gap list is a useful inventory but does not meet the Security Rule's definition.

**Decision:** Produce `docs/security/risk-analysis-2026-04.md` following the NIST 800-66 Rev 2 §3 framework before Wave 2. Reference it in every Addressable-spec decision.

---

## Findings classified HIGH — fix in Wave 1 or before

### H1. M365 audit log retention default (1 year) is insufficient

**Rule:** §164.312(b) Audit Controls + §164.316(b)(2) 6-year documentation retention. OCR enforcement posture treats audit logs as documentation subject to the 6-year clock.

**Decision:** Purchase Microsoft Purview Audit (Premium) add-on (10-year retention) OR configure a retention policy for 7 years via E5 Compliance OR monthly export to immutable Azure Blob. Decision documented in Security Rule Implementation Register (see M2 below).

---

### H2. No documented break-glass emergency access account (§164.312(a)(2)(ii) — Required)

**Decision:** Create `breakglass@cascadestucson.com` — cloud-only (not AD-synced), excluded from all CA policies, protected by FIDO2 security key + unique vaulted password in `clients/cascades-tucson/breakglass.sops.yaml`, sign-in alerted to Howard + Meredith, quarterly test sign-in. Must exist before disabling any other admin accounts.
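A readiness check for the break-glass prerequisites listed above, added as an example (not the review's own tooling); it assumes a connected Microsoft Graph PowerShell session with read scopes for users, Conditional Access policies and authentication methods, and it checks only direct user exclusions on each policy.

```powershell
# Added example (not from the review): checks the H2 prerequisites for the
# break-glass account before any other admin account is disabled. Assumes
# Connect-MgGraph -Scopes 'User.Read.All','Policy.Read.All',
# 'UserAuthenticationMethod.Read.All' has run; the UPN is the one named in H2.
function Test-BreakGlassReadiness {
  param([string]$Upn = 'breakglass@cascadestucson.com')
  $u = Get-MgUser -UserId $Upn -Property Id,AccountEnabled,OnPremisesSyncEnabled -ErrorAction Stop
  $findings = [System.Collections.Generic.List[string]]::new()
  if (-not $u.AccountEnabled) { $findings.Add('account is disabled') }
  if ($u.OnPremisesSyncEnabled -eq $true) { $findings.Add('account is AD-synced; must be cloud-only') }

  # Every CA policy that is enforced or report-only must list the account in
  # its user exclusions. Only direct user exclusions are checked here; if the
  # tenant excludes via a group, resolve that group's membership as well.
  foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -eq 'disabled') { continue }
    if ($p.Conditions.Users.ExcludeUsers -notcontains $u.Id) {
      $findings.Add("not excluded from CA policy '$($p.DisplayName)' ($($p.State))")
    }
  }

  # FIDO2 security key registered (H2 requires key + vaulted password).
  $fido = @(Get-MgUserAuthenticationFido2Method -UserId $u.Id)
  if ($fido.Count -eq 0) { $findings.Add('no FIDO2 security key registered') }

  [pscustomobject]@{
    Upn       = $Upn
    Ready     = ($findings.Count -eq 0)
    Findings  = $findings.ToArray()
    CheckedAt = (Get-Date).ToString('o')   # quarterly test evidence
  }
}
Test-BreakGlassReadiness
```

Run it again after the quarterly test sign-in and file the output alongside the sign-in alert as the test record.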

---

### H3. `\\CS-SERVER\homes` SMB3 encryption not enabled; folder redirection routes PHI to that share

**Rule:** §164.312(a)(2)(iv) Encryption/Decryption + §164.312(e)(2)(ii) Transmission Encryption (both Addressable).

**Issue:** `CONTEXT.md` notes `EncryptData=false` on the homes share. Folder redirection GPO pushes Documents / Desktop / Downloads — including staff-generated PHI — to that share. In-transit encryption is off; at-rest encryption status on CS-SERVER's D: drive is not documented.

**Decision:** Before Alma / Kyla folder redirection goes live:

- `Set-SmbShare -Name homes -EncryptData $true` (immediate, free)
- Verify / enable BitLocker on CS-SERVER D: drive
- Document both decisions in Implementation Register
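The two technical checks above combined into one report, added as an example (not the review's own script); it runs elevated on CS-SERVER with the SmbShare and BitLocker modules, changes the share only when `-Enforce` is given, and classifies the D: volume into the three states open question 4 asks about.

```powershell
# Added example (not the review's own script; run elevated on CS-SERVER). Reports
# the H3 state, applies the SMB encryption decision with -Enforce, and classifies
# the D: BitLocker state into the three states open question 4 names.
function Get-HomesShareProtection {
  param([string]$ShareName = 'homes', [string]$MountPoint = 'D:', [switch]$Enforce)
  $share = Get-SmbShare -Name $ShareName -ErrorAction Stop
  if ($Enforce -and -not $share.EncryptData) {
    # In-transit: require SMB3 encryption on this share. Clients without SMB3
    # encryption support will be refused, so confirm the redirection clients first.
    Set-SmbShare -Name $ShareName -EncryptData $true -Force
    $share = Get-SmbShare -Name $ShareName
  }
  # Server-wide knob that refuses any unencrypted session; reported, not changed.
  $rejectClear = (Get-SmbServerConfiguration).RejectUnencryptedAccess

  # At-rest: classify the volume the way the open question phrases it.
  $bl = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
  $state = if ($bl.VolumeStatus -eq 'FullyDecrypted') { 'off' }
           elseif ($bl.ProtectionStatus -eq 'On') { 'enabled' }
           elseif (@($bl.KeyProtector).Count -eq 0) { 'encrypted-no-protectors' }
           else { "encrypted, protection $($bl.ProtectionStatus) ($($bl.VolumeStatus))" }

  [pscustomobject]@{
    Share                = $ShareName
    SmbEncryptData       = $share.EncryptData
    RejectUnencrypted    = $rejectClear
    Volume               = $MountPoint
    BitLocker            = $state
    EncryptionPercentage = $bl.EncryptionPercentage
    Protectors           = @($bl.KeyProtector | ForEach-Object KeyProtectorType)
    CheckedAt            = (Get-Date).ToString('o')   # paste into the Implementation Register
  }
}
Get-HomesShareProtection             # report only
# Get-HomesShareProtection -Enforce  # also sets EncryptData=$true on \\CS-SERVER\homes
```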

---

### H4. Drivers need Privacy Rule training + signed sanctions acknowledgment (workforce, not IT)

**Rule:** §164.530(b)(1) Privacy training for workforce; §164.530(e) sanctions apply to all workforce; §160.103 defines workforce inclusive of workers with no electronic system access.

**Issue:** Decision that drivers don't need IT access is correct; however, drivers encounter PHI on pickup sheets (rider names, appointment context).

**Decision (not an IT deliverable):** Flag to Meredith. Drivers need annual short-form Privacy training, signed confidentiality / sanctions acknowledgment, and documented pickup-sheet handling procedures. If dispatch uses personal phones for texts with rider names, those phones now trigger mobile-device safeguards (§164.312(a)(1) + (e)) — consider moving dispatch to a controlled channel.

---

## Findings classified MEDIUM — address before Wave 3 (caregiver bulk)

### M1. Automatic-logoff duration not codified for shared front-desk PCs and MSDM sign-out

**Rule:** §164.312(a)(2)(iii) Automatic Logoff (Addressable).

**Decision:**

- GPO `CSC - Shared Workstation`: screen lock at 10 min idle, sign-out at 30 min idle, disable Fast User Switching
- MSDM global sign-out timer: 15 min idle
- Both documented in Implementation Register as the Addressable-spec implementation

---

### M2. No Security Rule Implementation Register

**Rule:** §164.306(d)(3) Addressable spec decisions; §164.316(b)(1)-(2) documentation retention.

**Decision:** Create `docs/security/implementation-register.md` — one row per Addressable spec (encryption at rest, encryption in transit, automatic logoff, emergency access mode, integrity controls) with: decision, rationale tied to risk analysis, alternative measure if applicable, owner, next review date. This is the artifact OCR asks for in an audit.

---

### M3. Reliable Agency — Business Associate status not determined

**Decision:** Ask Meredith for the Reliable Agency staffing contract. Confirm direct-control language (workforce) vs. agency-directed (Business Associate). If no workforce-control language, either secure an addendum OR sign a BAA with Reliable. No individual agency-caregiver accounts created until this is sorted.

---

### M4. Christine Nyanzunda's single-account dual-role access scoping

**Rule:** §164.308(a)(4)(ii)(B) Access Authorization (Addressable — minimum necessary).

**Decision:** Single account retained (MC Admin + part-time MedTech). Document in Implementation Register that operational simplicity was weighed against strict minimum-necessary. Mitigation: rely on ALIS's internal role-based access controls to scope her view based on shift / context if supported.

---

## Findings classified GOOD — HIPAA-aligned decisions being kept

- **Building-only CA default + allow-list for outside sign-in** — defensible implementation of §164.312(a)(1) Access Control, stronger than baseline
- **Shared front-desk PCs with individual M365 accounts** — fully compliant (identity is per-person; hardware sharing is fine)
- **MSDM shared phones with per-user Entra sign-in** — satisfies unique-ID + automatic-logoff on the mobile tier
- **Drivers with no electronic PHI access** — correct minimum-necessary scoping on the IT side
- **Same-day account disable on termination** — meets termination-procedure timing
- **Business Premium tenant-wide recommendation** — provides the P1 + Defender + DLP + Intune baseline the rest of the design relies on
- **Decline to reinstate Sandra Fish admin** — correct; 2026-04-14 revocation stands

---

## Open questions unresolved at review time

| # | Question | Owner |
|---|---|---|
| 1 | Does Business Standard (current SKU for 23 users) include Exchange Online Plan 2 features needed for Litigation Hold? If not, what's the cheapest path to EOA on Britney's mailbox before harvest? | Howard (verify in M365 Admin Center) |
| 2 | Reliable Agency staffing contract — direct-control language or not? | Meredith |
| 3 | Audit retention path chosen (Purview Premium add-on vs. E5 Compliance vs. export to immutable storage)? | Meredith (budget) + Howard (design) |
| 4 | BitLocker state on CS-SERVER D: drive — enabled, encrypted-no-protectors, or off? | Howard (verify onsite or via SSH) |

---
## Source material cited

- [45 CFR §164.312 — Technical safeguards (eCFR)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312)
- [45 CFR §164.316 — Policies, procedures, documentation (eCFR)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316)
- [45 CFR §164.308 — Administrative safeguards (eCFR)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308)
- [HHS FAQ — shared log-on IDs not permitted](https://www.hhs.gov/hipaa/for-professionals/faq/2018/does-the-security-rule-permit-a-covered-entity-to-assign-the-same-log-on-id-to-multiple-employees/index.html)
- [HHS FAQ — Addressable vs Required implementation specs](https://www.hhs.gov/hipaa/for-professionals/faq/2020/what-is-the-difference-between-addressable-and-required-implementation-specifications/index.html)
- [HHS — Business Associates guidance](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html)
- [NIST SP 800-66 Rev 2 — Implementing the HIPAA Security Rule (Feb 2024)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-66r2.pdf)
- [Microsoft Learn — Entra HIPAA access control safeguards](https://learn.microsoft.com/en-us/entra/standards/hipaa-access-controls)
- [Microsoft Learn — Shared device mode overview](https://learn.microsoft.com/en-us/entra/identity-platform/msal-shared-devices)