IAM Maturity Assessment for HIPAA
The HIPAA Security Rule (45 CFR 164.312) requires covered entities and business associates in US healthcare to implement technical safeguards for electronic protected health information, including access control, audit controls, and person or entity authentication.
- Maturity threshold
- 2.0 / 4.0
- Mapped questions
- 8
- IAM domains
- 6
- Assessment scope
- All scopes
What HIPAA Expects from Identity Programs
The identity-relevant themes below reflect the AXIS capabilities mapped to HIPAA citations in the question bank. They paraphrase where identity fits, not the legal text itself.
- Access governance over systems holding health information: lifecycle management, access requests, and access reviews
- Protection of privileged access to health data and authentication of workforce users
- Identity threat detection and audit visibility into who accessed what
- Defined ownership of identity data and visibility into access-to-data paths
AXIS Questions Mapped to HIPAA
8 of the 37 questions in the AXIS bank carry HIPAA citations, including 5 domino controls (foundational capabilities that cap the overall score when weak).
| Question | Domain | Capability | HIPAA references |
|---|---|---|---|
| IGA-01 Domino | IGA | Lifecycle Management (Joiner / Mover / Leaver) | HIPAA 164.312(a)(1) (access control) |
| IGA-02 | IGA | Access Requests & Approvals | HIPAA Minimum Necessary |
| IGA-03 | IGA | Access Reviews & Recertification | HIPAA 164.312(a)(1) (access review) |
| PAM-01 Domino | PAM | Admin Credential Protection | HIPAA 164.312 (audit controls); HIPAA 164.312(a)(1) (privileged access to PHI) |
| AUTH-01 Domino | Auth/SSO | Adaptive MFA | HIPAA 164.312(d) (authentication) |
| SEC-01 Domino | Security | Identity Threat Detection & Response (ITDR) | HIPAA 164.312(b) (audit controls) |
| GOV-01 Domino | Governance | Identity Data Ownership | HIPAA 164.312(a)(1) (access governance) |
| CIAM-DATA-01 | CIAM × Data | Customer Access-to-Data Visibility & Impact Control | HIPAA Breach Notification Rule |
How AXIS Scores HIPAA Alignment
A threshold model: each mapped control either meets the HIPAA maturity bar or it does not, and the alignment percentage is the share that does.
Threshold: 2.0 of 4.0
Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For HIPAA, a mapped control counts as passing when its answered maturity level reaches 2.0: documented and repeatable. The alignment percentage is the share of mapped controls at or above that bar.
Citations live on individual answer options, so the exact set of controls counted for HIPAA in a given assessment reflects the answers selected. The table above lists every question whose answer options carry HIPAA citations.
80%+
Aligned
60-79%
At Risk
<60%
Non-Compliant
Scope and Industry Awareness
HIPAA appears in every assessment scope: workforce, customer identity (CIAM), and full.
It is shown when the assessed organization operates in: Healthcare. Other industries see only the frameworks relevant to them.
Indicative Alignment, Not Certification
This page describes how the AXIS assessment maps its question bank to HIPAA Security Rule. Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how HIPAA applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.
See Where You Stand Against HIPAA
Run the AXIS assessment and get your maturity score, HIPAA alignment, and a prioritized roadmap in one pass. No signup required to start.