nxthreat

Compliance artifact

HIPAA Security Rule mapping.

Control-by-control coverage for the 2025 proposed amendments as they apply to AI agents handling PHI, from nxthreat, a Tampa Dynamics product.

HHS OCR published proposed Security Rule modifications on January 6, 2025. The proposal raises expectations for technology asset inventories, risk analysis, encryption, MFA, vulnerability management, and documentation. AI systems that create, receive, maintain, or transmit ePHI belong in that scope.

A BAA names obligations between parties. It does not prove what an agent did at runtime. Existing EHR audit logs, SIEM events, and endpoint controls rarely capture tool schema integrity, indirect prompt injection, FHIR-aware scope, and signed agent-level decisions in one artifact.

The mapping table

Control: §164.312(a)(1) Access Control
AI-specific requirement: AI systems that touch ePHI need unique access boundaries, not borrowed user tokens or shared service credentials.
nxthreat coverage (mapped control): Identity broker issues agent workload identity. Policy engine scopes every tool call to operation, FHIR resource, patient context, and purpose.

Control: §164.312(b) Audit Controls
AI-specific requirement: Covered entities need hardware, software, or procedures that record and examine activity in systems containing ePHI.
nxthreat coverage (mapped control): Append-only receipt ledger using S3 Object Lock and KMS signatures records agent ID, tenant, action, FHIR scope, decision, and timestamp. Evidence packs include a zero-dependency verifier CLI so the audit chain is verifiable without trusting nxthreat as a third party.
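The audit-controls row describes an append-only ledger of signed receipts that an independent verifier can check without trusting the vendor. The block below is an added illustration of that pattern, not nxthreat's code: each receipt commits to the previous receipt's digest, so editing, reordering, or removing one breaks the chain at a detectable point. It assumes HMAC-SHA256 with a shared key as a stand-in for the KMS signature (a production verifier would check an asymmetric signature against the published public key), and the receipts, key, agent and tenant names are constructed.

```python
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # prev link of the first receipt


def canonical_json(obj) -> bytes:
    """Deterministic serialization so digests depend on content, not formatting."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign(key: bytes, digest_hex: str) -> str:
    # HMAC-SHA256 stands in for a KMS signing call in this example (assumption).
    return hmac.new(key, digest_hex.encode("ascii"), hashlib.sha256).hexdigest()


class ReceiptLedger:
    """Append-only, hash-chained receipts. Each receipt commits to the previous digest."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._entries: list = []

    def append(self, *, agent_id, tenant, action, fhir_scope, decision, timestamp) -> dict:
        prev = self._entries[-1]["digest"] if self._entries else GENESIS
        body = {
            "seq": len(self._entries),
            "prev": prev,
            "agent_id": agent_id,
            "tenant": tenant,
            "action": action,
            "fhir_scope": fhir_scope,
            "decision": decision,
            "timestamp": timestamp,
        }
        digest = hashlib.sha256(canonical_json(body)).hexdigest()
        entry = {"body": body, "digest": digest, "sig": sign(self._key, digest)}
        self._entries.append(entry)
        return entry

    def export(self) -> str:
        """Evidence-pack form: plain JSON that an external verifier can consume."""
        return json.dumps(self._entries)


def verify_chain(exported: str, key: bytes) -> tuple:
    """Stand-alone verifier. Returns (ok, failing_seq, reason).

    Recomputes every digest and signature and walks the prev links, so a
    modified, reordered, or removed receipt is reported at the first entry
    where the chain no longer holds.
    """
    entries = json.loads(exported)
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = entry.get("body", {})
        if body.get("seq") != i:
            return False, i, "sequence gap or reorder"
        if body.get("prev") != prev:
            return False, i, "prev link does not match preceding digest"
        digest = hashlib.sha256(canonical_json(body)).hexdigest()
        if not hmac.compare_digest(digest, entry.get("digest", "")):
            return False, i, "body does not match recorded digest"
        if not hmac.compare_digest(sign(key, digest), entry.get("sig", "")):
            return False, i, "signature does not verify"
        prev = digest
    return True, None, "chain intact"


# Constructed sample key and receipts for a hypothetical tenant (not real data).
DEMO_KEY = b"demo-signing-key-not-for-production"


def build_demo_ledger() -> ReceiptLedger:
    ledger = ReceiptLedger(DEMO_KEY)
    ledger.append(agent_id="agent-intake-01", tenant="tenant-a", action="Patient.read",
                  fhir_scope="patient/Patient.read", decision="allow", timestamp="2025-03-01T10:00:00Z")
    ledger.append(agent_id="agent-intake-01", tenant="tenant-a", action="Observation.search",
                  fhir_scope="patient/Observation.read", decision="allow", timestamp="2025-03-01T10:00:02Z")
    ledger.append(agent_id="agent-intake-01", tenant="tenant-a", action="Patient.search",
                  fhir_scope="(none)", decision="deny", timestamp="2025-03-01T10:00:05Z")
    return ledger


def demo() -> dict:
    exported = build_demo_ledger().export()
    intact = verify_chain(exported, DEMO_KEY)
    # Scenario 1: a denied decision is rewritten to "allow" in the exported file.
    tampered = json.loads(exported)
    tampered[2]["body"]["decision"] = "allow"
    edited = verify_chain(json.dumps(tampered), DEMO_KEY)
    # Scenario 2: the middle receipt is dropped from the export.
    truncated = json.loads(exported)
    del truncated[1]
    removed = verify_chain(json.dumps(truncated), DEMO_KEY)
    return {"intact": intact, "edited": edited, "removed": removed}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} ok={result[0]} seq={result[1]} {result[2]}")
```

The verifier only needs the exported JSON and the verification key, which is the property the row calls out: a reviewer can confirm the chain on their own machine rather than trusting the system that produced it.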

Control: §164.312(c)(1) Integrity
AI-specific requirement: AI tool definitions and outputs must not be altered without detection when they influence ePHI access or modification.
nxthreat coverage (mapped control): Content-hash-pinned schema registry uses SHA-256 over canonical JSON; drift is detected and the request is rejected. Injection guard inspects tool outputs for indirect prompt injection before the agent acts on them.
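The integrity row names a concrete mechanism: SHA-256 over canonical JSON, pinned per tool, with drift rejected. The block below is an added example of that check, written for this page rather than taken from nxthreat. Canonicalization is the part worth seeing: a schema whose keys are reordered or re-indented must hash to the same pin, while any change to its content must not. The tool name and schemas are constructed.

```python
import hashlib
import hmac
import json


def canonical_json(obj) -> bytes:
    """Deterministic serialization: sorted keys, no insignificant whitespace, UTF-8.

    Two semantically identical schemas serialize to identical bytes, so the
    digest compares content rather than formatting.
    """
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def schema_digest(schema: dict) -> str:
    """SHA-256 hex digest over the canonical form of a tool schema."""
    return hashlib.sha256(canonical_json(schema)).hexdigest()


class SchemaRegistry:
    """Pins each tool name to the digest approved at onboarding time."""

    def __init__(self):
        self._pins = {}

    def pin(self, tool_name: str, schema: dict) -> str:
        digest = schema_digest(schema)
        self._pins[tool_name] = digest
        return digest

    def check(self, tool_name: str, presented_schema: dict) -> tuple:
        """Gate a tool call on the schema the server presents right now.

        Returns (admitted, reason). Unknown tools and drifted schemas are rejected.
        """
        pinned = self._pins.get(tool_name)
        if pinned is None:
            return False, "reject: tool is not pinned in the registry"
        observed = schema_digest(presented_schema)
        if not hmac.compare_digest(pinned, observed):
            return False, f"reject: schema drift (pinned {pinned[:12]}, observed {observed[:12]})"
        return True, "admit: schema matches pin"


# Constructed sample: the schema approved at onboarding for a hypothetical tool.
APPROVED_SCHEMA = {
    "name": "get_patient_observations",
    "description": "Return lab observations for one patient id.",
    "inputSchema": {
        "type": "object",
        "properties": {"patient_id": {"type": "string"}},
        "required": ["patient_id"],
    },
}

# Same content, different key order: must hash identically (no false drift).
REORDERED_SCHEMA = {
    "inputSchema": {
        "required": ["patient_id"],
        "properties": {"patient_id": {"type": "string"}},
        "type": "object",
    },
    "description": "Return lab observations for one patient id.",
    "name": "get_patient_observations",
}

# Constructed drift: the description text changed after the pin was taken.
DRIFTED_SCHEMA = dict(APPROVED_SCHEMA, description="Return lab observations for one patient id (v2).")


def demo() -> dict:
    registry = SchemaRegistry()
    registry.pin("get_patient_observations", APPROVED_SCHEMA)
    return {
        "reordered": registry.check("get_patient_observations", REORDERED_SCHEMA),
        "drifted": registry.check("get_patient_observations", DRIFTED_SCHEMA),
        "unknown": registry.check("delete_records", APPROVED_SCHEMA),
    }


if __name__ == "__main__":
    for name, (admitted, reason) in demo().items():
        print(f"{name:10s} admitted={admitted} {reason}")
```

The pin should be taken from the schema a reviewer actually approved, and the check should run on every call against the schema the tool server presents at that moment, since the point of the control is catching a definition that changed between approval and use.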

Control: §164.312(e)(1) Transmission Security
AI-specific requirement: ePHI moving between agents, tools, and FHIR endpoints needs protected transport and tamper-evident records.
nxthreat coverage (mapped control): nxthreat sits in the runtime path, enforces TLS-only upstream and downstream connections, and records each transmission decision in signed receipts.

Control: §164.308(a)(1)(ii)(A) Risk Analysis
AI-specific requirement: Risk analysis must include AI systems that create, receive, maintain, or transmit ePHI, including tool chains and data flows.
nxthreat coverage (mapped control): Evidence packs expose agent inventory, FHIR resources touched, tool calls, rejected requests, and policy decisions for risk reviews.

Control: Encryption at rest
AI-specific requirement: The proposed Security Rule baseline makes encryption of ePHI at rest a default expectation unless an exception is documented.
nxthreat coverage (mapped control): Receipt ledger stores evidence in encrypted object storage with tenant-scoped keys and retention controls aligned to the customer's evidence policy.

Control: Encryption in transit
AI-specific requirement: AI agents and MCP servers must not move ePHI over cleartext links or unauthenticated channels.
nxthreat coverage (mapped control): Runtime proxy requires encrypted transport for client, MCP, FHIR, webhook, and ledger connections. Rejected transport attempts produce receipts.

Control: Multi-factor authentication
AI-specific requirement: Human access to administrative systems that affect ePHI requires strong authentication and auditable administrative actions.
nxthreat coverage (mapped control): nxthreat does not replace the customer IdP. It relies on the customer's SSO/MFA controls for administrator access and binds agent credentials to approved administrators.

Control: Network segmentation
AI-specific requirement: AI runtime components that can reach ePHI should be isolated from general application traffic and public tool surfaces.
nxthreat coverage (mapped control): Deployment pattern places nxthreat between agent clients and PHI-bearing systems, allowing MCP and FHIR access to be segmented behind the proxy.

Control: BAA scope
AI-specific requirement: Vendors that create, receive, maintain, or transmit PHI need clear business associate obligations and documented handling boundaries.
nxthreat coverage (mapped control): nxthreat is designed for deployment under a Business Associate Agreement. BAA language is handled during design-partner contracting, with broader template availability expected alongside Phase 2 commercial launch. AWS is currently the sole product subprocessor; per-tenant key isolation details are available on request.

Control: Minimum-necessary
AI-specific requirement: AI agents should receive only the PHI needed for the specific task, not broad role-level access.
nxthreat coverage (mapped control): FHIR-aware policy enforces resource, operation, encounter, and patient-list predicates per call. The receipt records the exact admitted scope.
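The access-control row and the minimum-necessary row describe the same enforcement point from two angles: every tool call is scoped to operation, FHIR resource, patient context, encounter, and purpose, and the receipt records exactly the scope that was admitted. The block below is an added example of such a per-call policy evaluation, written for this page and not taken from nxthreat. The policy fields, the task, and the agent, patient, and encounter identifiers are all constructed; the point it shows is that a task-scoped grant rejects calls for other patients, unscoped population queries, and operations the task never needed, while the allow path returns the narrow scope a receipt would record.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ToolCall:
    agent_id: str
    operation: str                  # read | search | create | update
    resource: str                   # FHIR resource type, e.g. "Observation"
    purpose: str                    # e.g. "treatment"
    patient_id: Optional[str] = None
    encounter_id: Optional[str] = None


@dataclass(frozen=True)
class TaskPolicy:
    """Scope an agent receives for one task, rather than a role-wide grant."""
    agent_id: str
    operations: frozenset
    resources: frozenset
    purposes: frozenset
    patient_list: frozenset                 # the only patients this task may touch
    encounters: frozenset = frozenset()     # empty means no encounter restriction


def evaluate(policy: TaskPolicy, call: ToolCall) -> dict:
    """Return the decision and, on allow, the exact admitted scope for the receipt."""
    denials = []
    if call.agent_id != policy.agent_id:
        denials.append("agent identity does not match policy binding")
    if call.operation not in policy.operations:
        denials.append(f"operation {call.operation} not granted")
    if call.resource not in policy.resources:
        denials.append(f"resource {call.resource} not granted")
    if call.purpose not in policy.purposes:
        denials.append(f"purpose {call.purpose} not granted")
    if call.patient_id is None:
        # Minimum necessary: a task-scoped agent never gets population-wide queries.
        denials.append("patient context required; population-wide queries are not admitted")
    elif call.patient_id not in policy.patient_list:
        denials.append(f"patient {call.patient_id} outside task patient list")
    if policy.encounters and call.encounter_id not in policy.encounters:
        denials.append("encounter outside task scope")
    if denials:
        return {"decision": "deny", "reasons": denials, "admitted_scope": None}
    return {
        "decision": "allow",
        "reasons": [],
        # The receipt records exactly this scope, not the role's full grant.
        "admitted_scope": {
            "agent_id": call.agent_id,
            "operation": call.operation,
            "resource": call.resource,
            "patient_id": call.patient_id,
            "encounter_id": call.encounter_id,
            "purpose": call.purpose,
        },
    }


# Constructed sample policy for a hypothetical discharge-summary task.
DISCHARGE_TASK = TaskPolicy(
    agent_id="agent-discharge-07",
    operations=frozenset({"read", "search"}),
    resources=frozenset({"Patient", "Encounter", "Observation", "MedicationRequest"}),
    purposes=frozenset({"treatment"}),
    patient_list=frozenset({"pat-1001"}),
    encounters=frozenset({"enc-5550"}),
)


def demo() -> dict:
    in_scope = ToolCall("agent-discharge-07", "read", "Observation", "treatment", "pat-1001", "enc-5550")
    other_patient = ToolCall("agent-discharge-07", "read", "Observation", "treatment", "pat-2002", "enc-5550")
    unscoped_search = ToolCall("agent-discharge-07", "search", "Patient", "treatment")
    write_attempt = ToolCall("agent-discharge-07", "update", "MedicationRequest", "treatment", "pat-1001", "enc-5550")
    return {
        "in_scope": evaluate(DISCHARGE_TASK, in_scope),
        "other_patient": evaluate(DISCHARGE_TASK, other_patient),
        "unscoped_search": evaluate(DISCHARGE_TASK, unscoped_search),
        "write_attempt": evaluate(DISCHARGE_TASK, write_attempt),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result['decision']:5s} {'; '.join(result['reasons'])}")
```

Every denial reason is returned rather than only the first, so the receipt for a rejected call can show a reviewer each predicate the call failed.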

Control: §164.312(d) Person or Entity Authentication
AI-specific requirement: Systems must verify that the person or entity requesting ePHI is who it claims to be. Agent identity needs the same discipline.
nxthreat coverage (mapped control): Identity broker gives each agent a workload identity and rejects calls from unknown agents, stale credentials, or mismatched tool bindings.

What nxthreat does not cover

nxthreat is not a complete HIPAA program. It does not cover physical safeguards, workforce training, contingency planning, sanction policies, or every administrative safeguard. It is the runtime layer for AI agents, one piece of a complete compliance picture.

Download as PDF

Generate a tenant-branded copy of this mapping for an internal compliance review. HubSpot captures the request server-side. The PDF route renders from the same source data as this page.

Book a 30-minute compliance walkthrough.

Bring the controls your compliance officer cares about. We will map them to runtime evidence.
