Skip to main content

MCP Server with LangGraph home page

Support
GitHub
GitHub

GitHub
Community
CHANGELOG

GDPR Compliance

GDPR Compliance
Data Protection Principles
Data Subject Rights
Privacy by Design & Default
Data Protection Impact Assessment (DPIA)
Data Processing Agreement (DPA) Template

HIPAA Compliance

HIPAA Compliance
HIPAA Technical Safeguards
Business Associate Agreement (BAA) Template
HIPAA Compliance Checklist
HIPAA Deployment Architecture
HIPAA Breach Response & FAQs

SOC 2 Compliance

SOC 2 Compliance
SOC 2 Trust Service Criteria
SOC 2 Evidence Collection & Audit
SOC 2 Readiness Checklist

HIPAA Compliance Checklist
Pre-Deployment Checklist
Next Steps

HIPAA Compliance

HIPAA Compliance Checklist

Comprehensive checklist for verifying HIPAA compliance across all requirements

HIPAA Compliance Checklist

Pre-Deployment Checklist

1

Risk Assessment

Complete Security Risk Assessment

Identify all systems that store, process, or transmit ePHI
Document potential threats and vulnerabilities
Assess likelihood and impact of threats
Document existing security measures
Identify gaps and create remediation plan
Assign risk scores to each identified risk
Obtain executive approval for risk acceptance

Documentation: Store in docs/compliance/risk-assessment-YYYY.pdf

2

Technical Safeguards

Implement Required Technical Controls

Enable JWT authentication with MFA
Configure OpenFGA for fine-grained authorization
Enable comprehensive audit logging (7-year retention)
Implement encryption in transit (TLS 1.3)
Enable encryption at rest (database and application-level)
Configure automatic session timeouts (15 min max, 5 min idle)
Enable integrity controls (HMAC-SHA256 hashing)
Implement secure key management (Infisical/Vault)
Deploy network segmentation (Kubernetes NetworkPolicies)
Enable backup encryption and disaster recovery

Verification: Run make hipaa-compliance-check

3

Administrative Safeguards

Establish Policies and Procedures

Designate HIPAA Privacy Officer
Designate HIPAA Security Officer
Create workforce security policies
Implement workforce training program
Establish access authorization procedures
Create incident response plan
Develop breach notification procedures
Implement sanction policy for violations
Create business continuity plan
Establish vendor management procedures

Documentation: Store in docs/compliance/policies/

4

Business Associate Agreements

Obtain Required BAAs

Cloud provider (GCP/AWS/Azure)
LLM provider (Anthropic/Google)
Database provider (if using managed service)
Monitoring/observability provider (LangSmith)
Secret management provider (Infisical)
Any other vendors accessing PHI

Documentation: Store signed BAAs in secure location

5

Testing and Validation

Verify Compliance Controls

Penetration testing completed
Vulnerability scanning completed
Audit log review (sample transactions)
Access control testing (positive and negative cases)
Encryption verification (in transit and at rest)
Backup and recovery testing
Incident response drill
Disaster recovery drill

Documentation: Store test results in docs/compliance/testing/

6

Documentation Review

Prepare for Audit

Security Risk Assessment
Policies and Procedures Manual
BAAs (all vendors)
Workforce Training Records
System Configuration Documentation
Audit Log Samples
Incident Response Plan
Breach Notification Procedures
Disaster Recovery Plan
Penetration Test Results

Organization: Create compliance binder (physical or digital)

Next Steps

Technical Safeguards

Review technical requirements

Breach Response

Prepare incident response plan

Back to Overview

Return to HIPAA overview

Business Associate Agreement (BAA) Template HIPAA Deployment Architecture

⌘I