Demonstration Only — All data is fictional and pre-populated for enterprise evaluation. Not real audit evidence.

HIPAA Security Rule Safeguards covered in this package:
§164.308(a)(1) · §164.312(a)(1) · §164.312(a)(2)(i) · §164.312(b) · §164.312(d) · §164.312(e)(1)
HIPAA Evidence Package

What Your Compliance Officer Receives for Every PHI Access

ThetaZero maps every AI agent's PHI access to HIPAA Security Rule safeguards automatically. This is the evidence package your compliance team and Business Associate auditor receives.

SAMPLE — Demonstration Only · All data is fictional · PHI identifiers are synthetic placeholders

HIPAA Security Rule — What Compliance Officers Need to See
45 CFR Part 164 · Administrative, Physical & Technical Safeguards

HIPAA compliance requires demonstrable evidence that every access to Protected Health Information (PHI) was authorized, logged, and transmitted securely. Under §164.312(b), covered entities must implement hardware, software, and procedural mechanisms that record and examine activity in systems that contain or use ePHI.

ThetaZero produces this evidence automatically for every agent execution that touches PHI. The package below shows a PHI Access Audit Agent run — the scenario most HIPAA compliance officers focus on for §164.312(b) Audit Controls and §164.312(a)(1) Access Control safeguards. Every PHI record access is logged, policy-checked, TEE-attested, and mapped to the relevant HIPAA section.

Business Associate Agreement (BAA) Artifact
This evidence package includes BAA-relevant artifacts: which agent (business associate) accessed which PHI records, under which policy, when, and via what authentication. If ThetaZero acts as a Business Associate processing ePHI on your behalf, this package supports your BAA documentation requirements. The TEE attestation ID provides cryptographic proof that the access occurred under the policy stated in the BAA.
6 · HIPAA Safeguards Addressed
7 · PHI Access Events Logged
0 · Unauthorized Access Events
100% · ePHI Encrypted In-Transit
Section 1 — Agent Execution Report
Agent Name: PHI Access Audit Agent
Agent Purpose: Reviews PHI access events, validates authorization policy, and produces HIPAA §164.312(b) audit log
Execution ID: TZ-EXEC-20260411-011482
Timestamp (UTC): 2026-04-11T07:02:14.617Z
Status: COMPLETED
Duration / Tokens: 5,841 ms · 2,793 tokens
Model Version: claude-3-7-sonnet-20250219
Compute Source: TZ-EC-4c8f1d · us-east-1
TEE Attestation: HMAC-SHA256 Signed
Input Task / Prompt

For Clearwater Health Partners, review all ePHI access events on 2026-04-10. For each access: (1) verify the accessing user is credentialed and authorized under the current HIPAA access control policy, (2) confirm the access occurred over an encrypted channel (TLS 1.3), (3) check no PHI was written to unauthorized sinks. Produce a §164.312(b) audit log and §164.312(a)(1) access evidence artifact. Flag any unauthorized access for immediate escalation.

Execution Log
Execution Trace · 12 actions · 0 unauthorized access events · 7 PHI records reviewed
TZ-EXEC-20260411-011482
07:02:14.617  INFO    Execution initialized · agent=phi-access-audit · model=claude-3-7-sonnet-20250219
07:02:14.804  ACTION  READ ehr_access_log · date=2026-04-10 · scope=phi_access_events · input_hash=c9d3f7a1…
07:02:15.219  CHECK   Permission granted: ehr_access_log.read · credential=svc-phi-audit · scope=audit_only (no write)
07:02:15.614  ACTION  QUERY ehr_access_log · 7 PHI access events found on 2026-04-10 · output_hash=5e7b9d2f…
07:02:15.903  ACTION  READ hipaa_policy/access_control_matrix · loading authorized roles for PHI access validation
07:02:16.341  CHECK   PHI EHR-PT-29847: r.chen (attending physician) · ✓ AUTHORIZED · role=physician · policy=clinical_care · TLS 1.3 confirmed
07:02:16.784  CHECK   PHI EHR-PT-29847: b.okafor (RN) · ✓ AUTHORIZED · role=nursing · policy=care_team_access · TLS 1.3 confirmed
07:02:17.209  CHECK   PHI EHR-PT-34210: a.rodriguez (billing coder) · ✓ AUTHORIZED · role=billing · policy=minimum_necessary · TLS 1.3 confirmed
07:02:17.632  CHECK   PHI EHR-PT-41097: r.chen (attending physician) · ✓ AUTHORIZED · role=physician · policy=clinical_care · TLS 1.3 confirmed
07:02:18.077  CHECK   PHI EHR-PT-52341: j.martinez (PA) · ✓ AUTHORIZED · role=physician_assistant · policy=clinical_care · TLS 1.3 confirmed
07:02:18.491  ACTION  WRITE hipaa_audit_log · §164.312(b) record · events=7 · unauthorized=0 · tee_attested=true
07:02:19.058  DONE    Execution complete · 7 events AUTHORIZED · 0 violations · ePHI encryption confirmed 100%
✓ Agent Determination

ALL AUTHORIZED — 7 PHI access events reviewed. All 7 performed by credentialed, policy-authorized users. Zero unauthorized access events. All transmissions confirmed over TLS 1.3. Minimum Necessary rule applied: billing coder (a.rodriguez) accessed only billing-relevant fields — clinical notes and diagnosis codes outside billing scope were not accessed. §164.312(b) audit log written with TEE attestation. §164.312(a)(1) access control evidence generated.

Permission Boundary (Enforced at Runtime)
✓ Allowed Scopes (4)
✓ ehr_access_log.read
✓ hipaa_policy.read
✓ user_credentials.verify
✓ hipaa_audit_log.write
✗ Blocked Scopes (4)
✗ patient_records.write
✗ phi_export (no-export policy)
✗ clinical_notes.read (audit agent)
✗ external_api.call
Section 1b — PHI Access Summary (BAA Artifact)
This table answers the key BAA question: who accessed what PHI, when, under which policy, and how. Every row is TEE-attested.
User / Role · PHI Record · Access Time (UTC) · Governing Policy · Channel / Encryption · Authorization
r.chen (Attending Physician) · EHR-PT-29847 · 07:14:38Z · clinical_care (treatment) · TLS 1.3 · ✓ AUTHORIZED
b.okafor (Registered Nurse) · EHR-PT-29847 · 08:52:17Z · care_team_access (treatment) · TLS 1.3 · ✓ AUTHORIZED
a.rodriguez (Billing Coder) · EHR-PT-34210 · 09:37:04Z · minimum_necessary (payment) · TLS 1.3 · ✓ AUTHORIZED
r.chen (Attending Physician) · EHR-PT-41097 · 10:18:52Z · clinical_care (treatment) · TLS 1.3 · ✓ AUTHORIZED
j.martinez (Physician Assistant) · EHR-PT-52341 · 11:44:29Z · clinical_care (treatment) · TLS 1.3 · ✓ AUTHORIZED
All rows TEE-attested · No PHI values stored in this audit record — only record IDs · Full SHA-256 hashes in audit_trail.json
Section 2 — HIPAA Security Rule Control Mapping
Each row maps a HIPAA Security Rule section to the evidence artifact produced in this execution. This is what your compliance officer and BAA counterpart receives.
HIPAA Section · Safeguard · Description · Evidence Type · Evidence Artifact · Status

§164.308(a)(1) · Security Management Process · ◎ MAPPED
Safeguard: Implement policies and procedures to prevent, detect, contain, and correct security violations. Includes risk analysis and risk management.
Evidence (policy_document): Risk management policy documented in ThetaZero Trust Pack §2. Agent policy boundaries define allowed/denied scopes — risk boundary enforced at runtime and logged. 0 policy violations in this run.

§164.312(a)(1) · Access Control · ✓ EVIDENCE GENERATED
Safeguard: Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights.
Evidence (execution_artifact): All 7 PHI access events validated against HIPAA access control matrix (role + policy). Agent credential svc-phi-audit only holds audit scope — no clinical write access. Permission boundary enforced in TEE.

§164.312(a)(2)(i) · Unique User Identification · ✓ EVIDENCE GENERATED
Safeguard: Assign a unique name and/or number for identifying and tracking user identity. Each user's PHI access is traceable to a unique individual.
Evidence (execution_artifact): Each access event in audit_trail.json includes a unique user identifier (r.chen, b.okafor, a.rodriguez, j.martinez). No shared credentials. Each user's access is independently traceable and TEE-attested.

§164.312(b) · Audit Controls · ✓ EVIDENCE GENERATED
Safeguard: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
Evidence (execution_artifact): Full audit log produced in audit_trail.json. Each PHI access event includes: user ID, record ID, timestamp, governing policy, encryption channel, authorization result, SHA-256 hashes, TEE attestation ID. Logs cannot be retroactively modified.

§164.312(d) · Person or Entity Authentication · ✓ EVIDENCE GENERATED
Safeguard: Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
Evidence (execution_artifact): Agent verified each user's identity against user_credentials service before recording access as authorized. Credential verification performed under TEE attestation. Results logged in audit_trail.json record type VERIFY.

§164.312(e)(1) · Transmission Security · ✓ EVIDENCE GENERATED
Safeguard: Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.
Evidence (execution_artifact): All 7 PHI access events confirmed over TLS 1.3. Channel encryption verified for each access event and logged in audit_trail.json. No plaintext ePHI transmission detected. TLS downgrade blocked by agent policy.

Status legend:
✓ EVIDENCE GENERATED · Artifact produced in this specific execution run
◎ MAPPED · Control addressed by platform configuration or Trust Pack policy
◑ DOCUMENTED · Control documented in policy
Section 3 — Cryptographic Audit Trail (§164.312(b))

Every PHI access event, policy check, and audit record write is logged here. SHA-256 hashes of inputs and outputs are computed within the TEE at time of recording — they cannot be retroactively modified. No PHI values are stored in this trail; only record IDs and cryptographic hashes.

07:02:14.804
READ · ehr_access_log · date=2026-04-10 · scope=phi_access_events
Credential: svc-phi-audit · Permission: granted · Scope: ehr_access_log.read · Records returned: 7
input_hash: c9d3f7a1b4e6c8d0f2a4b6d8e0f2a4b6d8e0f2a4 · output_hash: 5e7b9d2f4a6c8e0b2d4f6a8c0e2b4d6f8a0c2e4b
TEE ✓ AUD-91001
07:02:16.341
VERIFY · user:r.chen · PHI Record: EHR-PT-29847 · Policy: clinical_care
Credential verified: role=physician · Policy match: clinical_care (treatment) · TLS 1.3 confirmed · Authorization: GRANTED
output_hash: 8a0c4e2f6b8d0a2c4e6f8b0d2e4f6a8b0d2e4f6a · record_hash: d2f4a6c8e0b2d4f6a8c0e2b4d6f8a0c2e4b6d8e0
TEE ✓ AUD-91002
07:02:16.784
VERIFY · user:b.okafor · PHI Record: EHR-PT-29847 · Policy: care_team_access
Credential verified: role=nursing · Policy match: care_team_access (treatment) · TLS 1.3 confirmed · Authorization: GRANTED
output_hash: 2e4f8a0c6e2b4d6f8a0c2e4b6d8e0f2a4b6d8e0f · record_hash: f8a0c2e4b6d8e0f2a4b6d8e0f2a4b6d8e0f2a4b6
TEE ✓ AUD-91003
07:02:17.209
VERIFY · user:a.rodriguez · PHI Record: EHR-PT-34210 · Policy: minimum_necessary
Credential verified: role=billing · Policy match: minimum_necessary (payment) · TLS 1.3 confirmed · Clinical notes access: BLOCKED (outside billing scope) · Authorization: GRANTED (billing fields only)
output_hash: 6b0d4f8a2c6e0b4d8f2a6c0d4e8f2a6b0d4e8f2a · record_hash: a4c8d2f6e0b4c8d2f6e0b4c8d2f6e0b4c8d2f6e0
TEE ✓ AUD-91004
07:02:18.491
WRITE · hipaa_audit_log/phi_access_review_20260410
Credential: svc-phi-audit · Permission: granted · Scope: hipaa_audit_log.write · §164.312(b) record · events=7 · unauthorized=0 · tls_confirmed=7
output_hash: e0f4a8b2c6d0e4f8a2c6d0e4f8a2c6d0e4f8a2c6 · record_hash: c6d0e4f8a2c6d0e4f8a2c6d0e4f8a2c6d0e4f8a2
TEE ✓ AUD-91008
TEE Attestation Summary
Compute Node: TZ-EC-4c8f1d · us-east-1
Attestation Method: HMAC-SHA256 platform attestation
Records Attested: 7 / 7 (100%)
Unauthorized Access Events: 0
ePHI Encrypted In-Transit: 100% (TLS 1.3, 7/7 events)
Execution Hash: tz_tee_v1:011482:c9d3f7a1:2026-04-11T07:02:14.617Z
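The trail above rests on two claims: record hashes are computed inside the TEE and bound by an HMAC-SHA256 platform attestation, so a record edited after the fact no longer verifies. The Python below is an added example (not ThetaZero's code) of how a reviewer holding the platform key would check that, including the case where the editor also recomputes the SHA-256 hash; because HMAC is symmetric, verification needs the same key the TEE used. Field names, the canonical encoding, the demo key and the sample records are constructed assumptions, not the product's documented audit_trail.json format.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample records shaped like the Section 3 VERIFY entries. Field
# names, the canonical encoding and the tag construction are assumptions made
# for this example, not ThetaZero's documented audit_trail.json format.
SAMPLE_RECORDS = [
    {"attestation_id": "AUD-91002", "type": "VERIFY", "user": "r.chen",
     "phi_record": "EHR-PT-29847", "policy": "clinical_care",
     "tls": "1.3", "authorization": "GRANTED"},
    {"attestation_id": "AUD-91003", "type": "VERIFY", "user": "b.okafor",
     "phi_record": "EHR-PT-29847", "policy": "care_team_access",
     "tls": "1.3", "authorization": "GRANTED"},
]
DEMO_KEY = b"constructed-demo-key-not-a-real-tee-secret"  # stands in for the platform key

def canonical(record: dict) -> bytes:
    """Deterministic JSON encoding so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal_record(record: dict, key: bytes) -> dict:
    """Hash the record, then bind the hash to the platform key with HMAC-SHA256."""
    record_hash = hashlib.sha256(canonical(record)).hexdigest()
    tag = hmac.new(key, record_hash.encode(), hashlib.sha256).hexdigest()
    return {"record": record, "record_hash": record_hash, "tee_tag": tag}

def verify_trail(sealed: list, key: bytes) -> list:
    """Return attestation IDs whose content no longer matches hash or tag."""
    failed = []
    for entry in sealed:
        want_hash = hashlib.sha256(canonical(entry["record"])).hexdigest()
        want_tag = hmac.new(key, want_hash.encode(), hashlib.sha256).hexdigest()
        # An edited field breaks record_hash; an edit with a recomputed hash still
        # fails because the HMAC tag cannot be reproduced without the key.
        if want_hash != entry["record_hash"] or not hmac.compare_digest(want_tag, entry["tee_tag"]):
            failed.append(entry["record"]["attestation_id"])
    return failed

def tamper_demo(key: bytes = DEMO_KEY) -> tuple:
    """Seal the sample trail, then simulate a retroactive edit of one record."""
    sealed = [seal_record(r, key) for r in SAMPLE_RECORDS]
    clean = verify_trail(sealed, key)
    edited = copy.deepcopy(sealed)
    edited[1]["record"]["authorization"] = "DENIED"  # after-the-fact change
    edited[1]["record_hash"] = hashlib.sha256(canonical(edited[1]["record"])).hexdigest()
    return clean, verify_trail(edited, key)
```

Running `tamper_demo()` returns an empty list for the untouched trail and `['AUD-91003']` for the edited one, even though the edited record's SHA-256 hash was recomputed to match.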
manifest.json — Integrity Checksums
execution_logs.json · sha256: 8f2a6c0d4e8f2a6b0d4e8f2a6c0d4e8f2a6b0d4e… · 8,917 bytes
hipaa_control_mapping.json · sha256: 0d4e8f2a6c0d4e8f2a6b0d4e8f2a6c0d4e8f2a6b… · 3,844 bytes
phi_access_summary.json · sha256: 2a6b0d4e8f2a6c0d4e8f2a6b0d4e8f2a6c0d4e8f… · 5,201 bytes
audit_trail.json · sha256: 4e8f2a6b0d4e8f2a6c0d4e8f2a6b0d4e8f2a6c0d… · 14,332 bytes
tee_attestation.json · sha256: 6c0d4e8f2a6b0d4e8f2a6c0d4e8f2a6b0d4e8f2a… · 4,612 bytes
README.txt · sha256: 8a6b0d4e8f2a6c0d4e8f2a6b0d4e8f2a6c0d4e8f… · 1,491 bytes
6 HIPAA safeguards addressed · 100% ePHI encrypted in-transit · 0 unauthorized access events · BAA-relevant artifacts included · Generated automatically per execution

See How This Maps to Your Workflows

A 1-hour Governance Review shows exactly which of your AI agent workflows that touch PHI would produce this evidence package — and what gaps exist today.

$4,900 fixed fee · Deliverables you own · No vendor lock-in