Nsasoft US LLC today shipped NSAuditor AI Enterprise Edition v0.9.0 to npm — the HIPAA framework cycle. HIPAA Security Rule §164.312 Technical Safeguards now ships as the second supported compliance framework alongside SOC 2, addressing the long-standing “planned” gap on the public roadmap for healthcare-vertical customers.
What ships in the cycle
The core deliverable is data/compliance/hipaa.json with 175 mappings across 10 §164.312 sub-criteria — 7 covered, 3 partial, plus 45 explicit out-of-scope specs (the entire §164.308 Administrative Safeguards + §164.310 Physical Safeguards) with named architectural-limit reasons.
The covered surface includes Access Control via IAM/RBAC findings on AWS, Azure, and GCP plus network-perimeter findings; Unique User Identification via SNMP/FTP/Telnet detection; Encryption/Decryption via S3/RDS/DynamoDB/SQS/SNS/ElastiCache + KMS rotation/policy + Key Vault purge protection; Audit Controls via CloudTrail multi-region/data-events/log-file-validation + S3 access logging + RDS pgAudit + GuardDuty enablement; Person/Entity Authentication via MFA + Secrets Manager rotation + IAM-mediated DB auth; and Transmission Security via TLS deprecated-protocol/weak-cipher/weak-KEX detection + RDS SSL enforcement + SQS/SNS SecureTransport + SES TlsPolicy.
§164.312(c)(1) Integrity ransomware-defense substrate
HHS-OCR has highlighted ransomware-resilient ePHI backups in its 2024 enforcement actions. NSAuditor AI EE’s aws-backup-auditor plugin provides Logically Air-Gapped Backup Vault cross-verification: a four-verifier composite attestation (KMS policy isolation + KMS Grants isolation + multi-region key sanity + VPC-endpoint network isolation) that evidences whether ePHI backups would survive a full source-account compromise. A composite PASS is the strongest substrate evidence available on the AWS layer for this requirement.
HHS Required vs Addressable discipline
HIPAA Security Rule specifications carry one of two HHS-defined classifications. Required (R) specifications MUST be implemented. Addressable (A) specifications MUST be assessed; if reasonable and appropriate, implement; if not, document why AND implement an equivalent alternative. Misrepresenting an Addressable specification as “must implement” or treating Required as Addressable is overclaiming, and auditors test for this discipline. NSAuditor surfaces the classification per control via schema-additive fields (requiredOrAddressable, standardOrSpec, and HHS rule text verbatim) on every rendered compliance report.
Per-framework SLA-citation map
The renderer gains a per-framework citation helper. SOC 2 reports cite AICPA Trust Services Criteria (CC7.1 SLA cadence; CC1.4/CC8.1 governance; CC6.2/CC6.3 identity). HIPAA reports cite §164.312 sub-criteria (§164.312(b) SLA cadence; §164.312(d) Person or Entity Authentication for identity). HIPAA reports no longer leak SOC 2 CC IDs — closes the auditor-detectable cross-framework citation defect.
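To make the two preceding points concrete (the Required/Addressable classification fields on rendered controls, and a citation helper that is keyed per framework so a HIPAA report can never carry SOC 2 CC identifiers), here is an added example in JavaScript. It is not NSAuditor's code: the field names requiredOrAddressable and standardOrSpec are taken from the release notes above, but the rest of the record shape (id, topic, ruleText, status, rationale, alternative), the citation strings and the sample mappings are assumptions constructed for illustration, and the rule text is abridged rather than verbatim.

```javascript
// Added example (not NSAuditor's own code): a per-framework citation helper with a
// cross-framework leak check, plus an HHS Required/Addressable validator.
// requiredOrAddressable and standardOrSpec are field names from the release notes;
// the remaining record shape is an assumed illustration, not the real hipaa.json schema.

// Citation tables keyed by framework, then by report topic. There is deliberately no
// shared fallback table, so a HIPAA report cannot silently inherit a SOC 2 CC id.
const CITATIONS = {
  soc2: {
    slaCadence: 'AICPA TSC CC7.1',
    governance: 'AICPA TSC CC1.4 / CC8.1',
    identity: 'AICPA TSC CC6.2 / CC6.3',
  },
  hipaa: {
    slaCadence: '45 CFR §164.312(b) Audit Controls',
    identity: '45 CFR §164.312(d) Person or Entity Authentication',
  },
};

function citationFor(framework, topic) {
  const table = CITATIONS[framework];
  if (!table) throw new Error(`unknown framework: ${framework}`);
  const cite = table[topic];
  // Fail loudly rather than borrow another framework's citation.
  if (!cite) throw new Error(`${framework} has no citation for topic "${topic}"`);
  return cite;
}

// Identifier patterns that belong to the OTHER framework; a rendered report for the
// keyed framework must not contain any of them.
const FOREIGN_ID_PATTERNS = {
  hipaa: /\bCC\d\.\d\b/g,                 // SOC 2 Common Criteria ids
  soc2: /§164\.3\d\d(?:\([a-z0-9]+\))*/g, // HIPAA Security Rule cites
};

function findForeignCitations(framework, reportText) {
  const pattern = FOREIGN_ID_PATTERNS[framework];
  if (!pattern) throw new Error(`unknown framework: ${framework}`);
  return Array.from(new Set(reportText.match(pattern) || []));
}

// HHS discipline: R specs must be implemented; A specs must be assessed and, when not
// implemented as written, need a documented reason AND an equivalent alternative.
// Returns a list of problems; an empty list means the mapping is clean.
function validateClassification(mapping) {
  const problems = [];
  const ra = mapping.requiredOrAddressable;
  if (ra !== 'R' && ra !== 'A') {
    return [`${mapping.id}: requiredOrAddressable must be "R" or "A", got "${ra}"`];
  }
  if (ra === 'R' && mapping.status !== 'implemented') {
    problems.push(`${mapping.id}: Required spec must be implemented, status is "${mapping.status}"`);
  }
  if (ra === 'A' && mapping.status === 'alternative') {
    if (!mapping.rationale) problems.push(`${mapping.id}: Addressable alternative lacks a documented rationale`);
    if (!mapping.alternative) problems.push(`${mapping.id}: Addressable alternative lacks an equivalent measure`);
  }
  if (ra === 'A' && !['implemented', 'alternative'].includes(mapping.status)) {
    problems.push(`${mapping.id}: Addressable spec must be assessed, status is "${mapping.status}"`);
  }
  return problems;
}

// Render one control line. The R/A label is carried exactly as classified, never
// collapsed into "must implement"; the citation comes only from this framework's table.
function renderControl(framework, mapping) {
  const label = mapping.requiredOrAddressable === 'R' ? 'Required' : 'Addressable';
  const cite = mapping.topic ? ` | evidence cited to ${citationFor(framework, mapping.topic)}` : '';
  return `${mapping.standardOrSpec} §${mapping.id} [${label}]: ${mapping.ruleText}${cite}`;
}

function renderReport(framework, mappings) {
  return mappings.map((m) => renderControl(framework, m)).join('\n');
}

// Lint a report: classification discipline plus no foreign-framework citations.
function lintReport(framework, mappings) {
  const problems = mappings.flatMap((m) => validateClassification(m));
  const foreign = findForeignCitations(framework, renderReport(framework, mappings));
  return { problems, foreign, ok: problems.length === 0 && foreign.length === 0 };
}

// Constructed sample mappings (rule text abridged, not the verbatim HHS text).
const SAMPLE_HIPAA = [
  { id: '164.312(b)', standardOrSpec: 'Standard', requiredOrAddressable: 'R', topic: 'slaCadence',
    status: 'implemented', ruleText: 'Record and examine activity in systems that contain or use ePHI.' },
  { id: '164.312(d)', standardOrSpec: 'Standard', requiredOrAddressable: 'R', topic: 'identity',
    status: 'implemented', ruleText: 'Verify that a person or entity seeking access to ePHI is the one claimed.' },
  { id: '164.312(a)(2)(iv)', standardOrSpec: 'Implementation specification', requiredOrAddressable: 'A',
    status: 'alternative', rationale: 'Legacy imaging appliance cannot encrypt at rest.',
    alternative: 'Isolated VLAN plus encrypted backups of the appliance volume.',
    ruleText: 'Implement a mechanism to encrypt and decrypt ePHI.' },
];

// A constructed mapping that overclaims: an Addressable spec marked "alternative"
// with neither the documented reason nor the equivalent measure.
const BAD_MAPPING = { id: '164.312(c)(2)', standardOrSpec: 'Implementation specification',
  requiredOrAddressable: 'A', status: 'alternative', ruleText: 'Authenticate ePHI integrity.' };

const result = lintReport('hipaa', SAMPLE_HIPAA);
console.log(renderReport('hipaa', SAMPLE_HIPAA));
console.log(result.ok ? 'HIPAA report clean' : JSON.stringify(result, null, 2));
```

The design point is the absence of a fallback: a topic the HIPAA table does not know (such as governance, which only the SOC 2 map defines) throws instead of rendering a CC id, and the leak check catches any CC id that reaches the rendered text by another route.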
Dual-framework one-scan workflow
The engine was already framework-agnostic, so no engine or CLI changes were required in 0.9.0. A single scan with --compliance soc2,hipaa produces separate per-framework artifacts (scan_compliance_soc2.{md,html,json} AND scan_compliance_hipaa.{md,html,json}) from the same findings — auditors get two evidence packs from one execution. The CLI’s --compliance flag has accepted CSV since EE 0.3.0.
Zero BAA architecture
The same Zero Data Exfiltration architecture that makes NSAuditor AI EE Zero-BAA for SOC 2 applies to HIPAA: ePHI never leaves customer infrastructure. No Business Associate Agreement is needed under §160.103 because Nsasoft is not a Business Associate — this is a self-hosted scanner, not a SaaS service. Customer credentials, scan results, and ePHI all remain in customer-managed compute.
NSAuditor pairs with HIPAA-focused GRC platforms (Drata HIPAA, Vanta HIPAA, Compliancy Group, Tugboat Logic) on §164.308 + §164.310 surfaces those platforms specialize in — without BAA scope creep on the §164.312 technical evidence layer. Complement, not replacement.
Quality gates
The cycle adds 85 net new HIPAA-specific tests across three new test suites (inheritance-contract anchor-drift defense, engine-end-to-end mapping fixtures, renderer citation correctness). Full regression sits at 5,890/5,890 tests across 928 suites — a 69-session 100% green streak preserved. A two-agent parallel reviewer pass at end of cycle (HIPAA Security Officer + senior code reviewer perspectives) found zero R-CRITICAL findings; six reviewer folds were applied same-session.
Install
npm install -g nsauditor-ai@0.1.69 @nsasoft/nsauditor-ai-ee@0.9.0
npm install nsauditor-ai-agent-skill@0.1.36
The new HIPAA coverage matrix is at nsauditor.com/ai/docs/hipaa/. The SOC 2 coverage matrix is at nsauditor.com/ai/docs/soc2/. Enterprise tier pricing and feature overview at nsauditor.com/ai/enterprise/.