The HIPAA Security Rule's administrative, physical, and technical safeguards are seeded directly as control objectives. The Privacy Rule and Breach Notification Rule round out the privacy side.
NIST CSF 2.0 cross-mapping means a single Controls Maturity assessment establishes both HIPAA Security Rule posture and CSF posture simultaneously. No re-keying when the OCR audit notice arrives.
Business associates run through the standard TPRM workflow with HIPAA-specific question templates seeded. BAA tracking, sub-processor management, breach notification SLA tracking — all native.
The data discovery engine recognizes PHI categories — Health Insurance Information, Genetic, Biometric — and surfaces them with HIPAA classification automatically. The 241-attribute master schema includes the full PHI taxonomy out of the box.
The HIPAA breach notification timeline is tracked from incident detection through reportable assessment, OCR notification, and individual notification. The audit log captures every state transition and decision rationale.