US Regulations & Programs

IAM Maturity Assessment for HIPAA

The HIPAA Security Rule (45 CFR 164.312) requires covered entities and business associates in US healthcare to implement technical safeguards for electronic protected health information, including access control, audit controls, and person or entity authentication.

Maturity threshold
2.0 / 4.0
Mapped questions
8
IAM domains
6
Assessment scope
All scopes
Identity Expectations

What HIPAA Expects from Identity Programs

The identity-relevant themes below reflect the AXIS capabilities mapped to HIPAA citations in the question bank. They paraphrase where identity fits, not the legal text itself.

  • Access governance over systems holding health information: lifecycle management, access requests, and access reviews
  • Protection of privileged access to health data and authentication of workforce users
  • Identity threat detection and audit visibility into who accessed what
  • Defined ownership of identity data and visibility into access-to-data paths
Question Mapping

AXIS Questions Mapped to HIPAA

8 of the 37 questions in the AXIS bank carry HIPAA citations, including 5 domino controls (foundational capabilities that cap the overall score when weak).

AXIS assessment questions mapped to HIPAA, with domain, capability, and framework references
QuestionDomainCapabilityHIPAA references
IGA-01
Domino
IGALifecycle Management (Joiner / Mover / Leaver)HIPAA 164.312(a)(1) (access control)
IGA-02IGAAccess Requests & ApprovalsHIPAA Minimum Necessary
IGA-03IGAAccess Reviews & RecertificationHIPAA 164.312(a)(1) (access review)
PAM-01
Domino
PAMAdmin Credential ProtectionHIPAA 164.312 (audit controls); HIPAA 164.312(a)(1) (privileged access to PHI)
AUTH-01
Domino
Auth/SSOAdaptive MFAHIPAA 164.312(d) (authentication)
SEC-01
Domino
SecurityIdentity Threat Detection & Response (ITDR)HIPAA 164.312(b) (audit controls)
GOV-01
Domino
GovernanceIdentity Data OwnershipHIPAA 164.312(a)(1) (access governance)
CIAM-DATA-01CIAM × DataCustomer Access-to-Data Visibility & Impact ControlHIPAA Breach Notification Rule
Scoring Model

How AXIS Scores HIPAA Alignment

A threshold model: each mapped control either meets the HIPAA maturity bar or it does not, and the alignment percentage is the share that does.

Threshold: 2.0 of 4.0

Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For HIPAA, a mapped control counts as passing when its answered maturity level reaches 2.0: documented and repeatable. The alignment percentage is the share of mapped controls at or above that bar.

Citations live on individual answer options, so the exact set of controls counted for HIPAA in a given assessment reflects the answers selected. The table above lists every question whose answer options carry HIPAA citations.

80%+

Aligned

60-79%

At Risk

<60%

Non-Compliant

Scope and Industry Awareness

HIPAA appears in every assessment scope: workforce, customer identity (CIAM), and full.

It is shown when the assessed organization operates in: Healthcare. Other industries see only the frameworks relevant to them.

Indicative Alignment, Not Certification

This page describes how the AXIS assessment maps its question bank to HIPAA Security Rule. Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how HIPAA applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.

See Where You Stand Against HIPAA

Run the AXIS assessment and get your maturity score, HIPAA alignment, and a prioritized roadmap in one pass. No signup required to start.