A compliance module for healthcare organizations mapping HIPAA Security Rule requirements to Delinea PAM controls — grounded in the HHS 405(d) HICP framework and the 2024–2026 Security Rule modifications.
Regulatory Basis: 45 CFR §164.300–.318
Framework: HHS 405(d) / HICP
Rule Status: 2024 NPRM → 2026 Final
Modules: 4 Safeguards + Checklist
⚡ 2024 Security Rule Update — What Changed
HHS OCR's December 2024 NPRM eliminates the "required vs. addressable" distinction — all 18 safeguards become mandatory. New requirements include MFA for all ePHI systems, biannual vulnerability scans, annual penetration testing, and mandatory ePHI restoration within 72 hours of a breach. The HHS 405(d) HICP framework — which already recommended many of these controls — now directly aligns with binding HIPAA requirements, making PAM solutions like Delinea a compliance necessity rather than a best practice.
18 mandatory safeguards: all required under the 2026 final rule
4 Delinea-mapped controls: covered in this module
72h ePHI recovery SLA: post-breach restoration target
6-month risk assessment cycle: biannual requirement
§164.312(a)(2)(i) Unique User Identification: Eliminate shared admin accounts. Every privileged session must be attributable to a named individual.
§164.312(a)(2)(iii) Automatic Logoff: Session timeout controls that terminate idle sessions and prevent unauthorized re-use of privileged credentials.
§164.312(b) Audit Controls: Immutable, tamper-proof audit logs of all access to ePHI systems — the forensic backbone of breach response.
§164.312(a)(1) Access Control via PAM: Role-based access to PHI systems using Privileged Access Management — least privilege, JIT, and workflow approvals.
HHS 405(d) HICP Alignment
HICP Practice 3: Access Management → MFA & RBAC
HICP Practice 2: Endpoint Protection → Session controls
HICP Practice 8: Incident Response → Audit trail integrity
HICP Practice 10: Cybersecurity Policies → PAM governance
Delinea Product Coverage
Secret Server — Vault & credential management
Privilege Manager — Endpoint least-privilege
Connection Manager — Session recording & proxy
DevOps Secrets Vault — CI/CD & automation secrets
HIPAA Security Rule Timeline
1996: HIPAA enacted. National standards for healthcare data privacy established.
2003: Security Rule finalized. Administrative, physical, and technical safeguards codified. "Required vs. Addressable" distinction introduced.
2015: Cybersecurity Act §405(d). HHS mandated to develop HICP — the voluntary healthcare cybersecurity framework that prefigured today's HIPAA updates.
ℹ️ HIPAA Requirement: Covered entities must assign a unique name and/or number to identify and track user identity. Under the 2024 NPRM, elimination of shared credentials for privileged accounts becomes explicitly required — no longer merely recommended.
The Problem: Shared Admin Accounts
Multiple staff share a single "sysadmin" or "administrator" credential
Impossible to attribute specific actions to individual users in audit logs
Password rotation forces coordinated downtime across teams
Departing employees retain access until passwords are manually changed
Violates both the HIPAA minimum necessary standard and 405(d) HICP Practice 3
The Delinea Solution: Secret Server
Vault stores privileged credentials — users never see the password
Each checkout is uniquely attributed: user, time, system, duration
Automatic password rotation after every checkout (check-in/check-out)
Just-In-Time (JIT) provisioning — accounts created on-demand, expire automatically
Break-glass accounts with dual-approval workflows and full session recording
Requirement → Delinea Control Mapping (Administrative Safeguard)
§164.312(a)(2)(i) Assign unique identifier to each user ⟶ Secret Server: Per-user account checkout with attribution logging
§164.308(a)(3)(ii)(C) Terminate access for departed workforce members ⟶ Secret Server: AD/LDAP sync + automatic account disablement on HR trigger
§164.308(a)(4)(ii)(B) Minimum necessary access — least privilege
2024 NPRM — MFA Mandate: MFA required for all ePHI system access ⟶ Secret Server + MFA: Step-up authentication for privileged credential checkout
⚠️ OCR Enforcement Note: OCR has cited shared credential use in multiple HIPAA settlements. In the 2023 Banner Health settlement ($1.25M), investigators found that terminated employee credentials remained active in privileged systems. Delinea's automated de-provisioning directly addresses this audit finding.
🧠 Knowledge Check — Module 1
Under HIPAA and the 2024 NPRM, which of the following BEST describes the requirement for privileged account credentials in a covered entity?
Automatic Logoff
Technical Safeguard · 45 CFR §164.312(a)(2)(iii)
ℹ️ HIPAA Requirement: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. This prevents unauthorized users from accessing ePHI via an unattended, authenticated workstation or session — a top vector for insider threat and opportunistic access.
Scope of the Requirement
Applies to all workstations and applications that access ePHI
Under the 2024 NPRM, timeout thresholds must be documented and risk-assessed
Privileged sessions (RDP, SSH, database consoles) carry the highest risk if left idle
HICP Practice 2 (Endpoint Protection) specifically calls for session lockout controls
Screen lock ≠ session termination — PAM-level logoff is distinct from OS screen savers
Delinea Session Controls: Connection Manager
Configurable idle timeout per secret, per role, or per system classification
Session proxy architecture: Delinea intermediates all RDP/SSH — timeout enforced at the broker, not the endpoint
Session recording preserved even when the live session is terminated
Re-authentication required after timeout (MFA step-up for high-value targets)
Concurrent session limits prevent credential re-use across multiple open windows
Requirement → Delinea Control Mapping (Technical Safeguard)
§164.312(a)(2)(iii) Automatic logoff after inactivity period ⟶ Connection Manager: Configurable idle timeout per session type/secret policy
§164.312(d) Unique user identification on re-authentication ⟶ Secret Server + MFA: MFA step-up challenge on session resume
Connection Manager: Session proxy prevents direct endpoint exposure; sessions recorded for forensic review
§164.312(e)(2)(ii) Encryption of ePHI in transit ⟶ Connection Manager: TLS-encrypted session tunnels for all RDP/SSH proxied connections
Recommended Timeout Thresholds by System Classification
System Type | Rec. Timeout | Delinea Policy
EHR / Clinical Workstation | 5 min | Per-secret idle timeout + MFA re-auth
Database Admin Console | 10 min | Session recording + auto-terminate on idle
Server RDP / SSH | 15 min | Connection Manager proxy termination
Break-Glass / Emergency Access | 5 min / alert | Real-time alert + forced timeout + full recording
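To show how the thresholds above and the concurrent-session limit translate into a check that can be run against session data, here is an added example that is not Delinea code or configuration: it applies the page's per-classification idle timeouts to a constructed session log and flags sessions that should already have been terminated, plus users holding more live sessions on one secret than policy allows. The record layout, field names and the one-session-per-secret limit are assumptions.

```python
from datetime import datetime, timezone

# Recommended idle thresholds (minutes) per system classification, as on the page.
IDLE_TIMEOUT_MIN = {"ehr": 5, "db_console": 10, "server_rdp_ssh": 15, "break_glass": 5}
CONCURRENT_LIMIT = 1  # assumed policy: one live session per user per secret

# Constructed sample session records; "ended" is None while a session is live.
SESSIONS = [
    {"id": "s1", "user": "rn.smith", "secret": "ehr-admin", "class": "ehr",
     "last_activity": "2026-01-10T14:00:00Z", "ended": None},
    {"id": "s2", "user": "dba.jones", "secret": "db-prod", "class": "db_console",
     "last_activity": "2026-01-10T14:15:00Z", "ended": None},
    {"id": "s3", "user": "it.lee", "secret": "srv-rdp", "class": "server_rdp_ssh",
     "last_activity": "2026-01-10T13:50:00Z", "ended": "2026-01-10T14:05:00Z"},
    {"id": "s4", "user": "it.lee", "secret": "srv-rdp", "class": "server_rdp_ssh",
     "last_activity": "2026-01-10T14:18:00Z", "ended": None},
    {"id": "s5", "user": "it.lee", "secret": "srv-rdp", "class": "server_rdp_ssh",
     "last_activity": "2026-01-10T14:19:00Z", "ended": None},
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def idle_violations(sessions, now):
    """Live sessions idle past their classification's threshold: (id, class, idle_min, limit)."""
    now_dt = _ts(now)
    found = []
    for s in sessions:
        if s["ended"] is not None:
            continue  # closed sessions cannot be idle
        idle_min = (now_dt - _ts(s["last_activity"])).total_seconds() / 60
        limit = IDLE_TIMEOUT_MIN[s["class"]]
        if idle_min > limit:
            found.append((s["id"], s["class"], round(idle_min), limit))
    return found

def concurrent_violations(sessions):
    """(user, secret, live_count) where live sessions exceed CONCURRENT_LIMIT."""
    counts = {}
    for s in sessions:
        if s["ended"] is None:
            key = (s["user"], s["secret"])
            counts[key] = counts.get(key, 0) + 1
    return sorted((u, sec, n) for (u, sec), n in counts.items() if n > CONCURRENT_LIMIT)

if __name__ == "__main__":
    now = "2026-01-10T14:20:00Z"
    print("idle:", idle_violations(SESSIONS, now))          # s1: 20 min idle on a 5 min EHR policy
    print("concurrent:", concurrent_violations(SESSIONS))  # it.lee holds two live srv-rdp sessions
```

Session s1 is the unattended EHR workstation from the Module 2 knowledge check; the proxy-side timeout should have closed it 15 minutes earlier.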
🧠 Knowledge Check — Module 2
A nurse leaves an EHR workstation unattended for 20 minutes without logging out. The HIPAA Automatic Logoff requirement is meant to address this scenario. Which Delinea feature MOST directly fulfills this HIPAA control?
ℹ️ HIPAA Requirement: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. The 2024 NPRM strengthens this by requiring audit logs be tamper-proof, retained for a defined period, and reviewable within a specific timeframe post-incident.
Why "Immutable" Matters
Logs that can be edited by admins are legally unreliable in breach investigations
OCR investigations hinge on demonstrating what happened, when, and by whom
Ransomware actors routinely delete or encrypt logs as part of their attack chain
HICP Practice 8 (Incident Response) requires preserved, trusted forensic evidence
Under 2024 NPRM: logs must be protected from unauthorized modification or deletion
Delinea Audit Architecture: Connection Manager
Session recordings stored in a separate, cryptographically signed vault
Every session log includes: user identity, time, target system, commands, keystrokes
Video-equivalent session replay for RDP sessions — admissible as forensic evidence
SIEM integration (Splunk, QRadar, Sentinel) for real-time log forwarding
Retention policies configurable per system class — minimum 6 years for HIPAA covered entities
Requirement → Delinea Control Mapping (Audit Controls)
§164.312(b) Record and examine activity in ePHI systems ⟶ Connection Manager: Full keystroke/video session recording for all proxied sessions
§164.308(a)(1)(ii)(D) Information system activity review ⟶ Secret Server: Centralized audit trail dashboard — search by user, system, time, action
2024 NPRM — Tamper-proof logs: Protect logs from unauthorized modification ⟶ Vault + SIEM: Cryptographically signed logs forwarded to immutable SIEM store
Connection Manager: Session recordings isolated in separate vault inaccessible to compromised admin accounts
✅ Delinea + 72-Hour Recovery SLA: The 2024 NPRM requires restoration of ePHI within 72 hours post-breach. Delinea's audit logs provide the forensic timeline necessary to scope the breach accurately — knowing exactly which systems were accessed, by which credential, and when, reduces recovery time by eliminating guesswork in the incident scope.
Audit Log Minimum Data Fields — HIPAA Evidence Standard
TIMESTAMP: UTC timestamp of session start, each action, session end — millisecond precision
ACTION: Commands executed, files accessed, queries run, data exported or modified
TARGET SYSTEM: Hostname, IP, system classification (ePHI-containing or not)
INTEGRITY HASH: Cryptographic hash confirming log record has not been altered post-write
RETENTION: Minimum 6 years for HIPAA; Delinea policy enforces retention and alerts on premature deletion
🧠 Knowledge Check — Module 3
During an OCR breach investigation, the investigator requests all audit logs for privileged access to the hospital's database server for a 90-day window. The hospital's DBA claims the logs show no unusual activity. What Delinea capability ensures these logs can be trusted as forensic evidence?
Access Control to PHI Systems via PAM
Technical Safeguard — Access Control · 45 CFR §164.312(a)(1)
ℹ️ HIPAA Requirement: Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights. Under HICP Practice 3, this maps directly to role-based access control (RBAC) and multi-factor authentication — both now mandatory under the 2024 NPRM.
RBAC Requirements for ePHI Systems
Access tied to job function — a billing analyst has no need for server shell access
Minimum necessary standard: grant only permissions required to perform the specific task
Access must be reviewed periodically — 2024 NPRM suggests 6-month certification cycle
Privileged access should be time-limited — JIT provisioning, not standing access
Separation of duties: the person who can approve access shouldn't also manage the vault
Delinea PAM Architecture: Secret Server
Secret folders organized by role, team, and system classification
Secret Server: Break-glass workflow with dual approval, auto-alert, and mandatory post-use review
§164.308(a)(4)(ii)(B) Access establishment and modification ⟶ Secret Server + AD: SCIM/AD-sync provisioning with automated role assignment based on HR attributes
2024 NPRM — MFA for all ePHI access: Multi-factor authentication mandatory ⟶ Secret Server MFA: TOTP/FIDO2 step-up required for secret checkout on classified systems
2024 NPRM — Periodic access review: Certify access every 6 months ⟶ Secret Server Reports: Automated access certification reports exportable for audit evidence packages
⚠️ The 405(d) Connection: HICP Practice 3 (Access Management) directly maps to this module. HHS designed HICP to bridge the gap between abstract HIPAA language and concrete technical controls. The 2024 NPRM essentially codifies HICP Practice 3 — organizations already following 405(d) guidance with a PAM solution like Delinea are well-positioned to demonstrate compliance.
Sample Role → Secret Access Matrix
Role | EHR Admin | DB Server | Network | Break-Glass
Clinical RN | Read | — | — | —
IT System Admin | Approval Req. | Approval Req. | Full | —
DBA | — | Full + Recorded | — | —
Security Officer | Approve Only | Approve Only | Approve Only | Dual Approval
🧠 Knowledge Check — Module 4
A hospital's IT team wants to implement HIPAA-compliant access control to its EHR database server using Delinea. Which approach BEST aligns with both HIPAA §164.312(a)(1) and the 2024 NPRM's minimum necessary and MFA requirements?
HIPAA Evidence Checklist
Use this checklist to document compliance evidence for each HIPAA Security Rule safeguard mapped to Delinea controls. Check each item as evidence is collected, policies are documented, or controls are verified.
Administrative Safeguards — Unique User Identification
[ADMIN] Shared account inventory completed
All shared/generic admin accounts identified across ePHI systems (EHR, databases, servers, network devices). Documented in risk register.
[ADMIN] Delinea Secret Server deployed and configured for privileged accounts
All identified shared accounts migrated to Secret Server vault. Individual user checkout configured. Password rotation policy active.
[ADMIN] AD/LDAP synchronization configured for automated de-provisioning
Delinea connected to Active Directory. Workflow tested: HR offboarding triggers account disable in Secret Server within 4 hours.
[ADMIN] MFA enforced for all privileged credential checkout
TOTP or FIDO2 MFA required for Secret Server login and high-sensitivity secret checkout. Bypass exceptions documented and approved by CISO.
[ADMIN] Workforce training on unique account usage completed
All IT staff and privileged users trained on the prohibition of shared credentials and the process for requesting access via Delinea.
Technical Safeguards — Automatic Logoff
[TECH] Session timeout policy documented and approved
Written policy defines idle timeout thresholds by system classification. Approved by Security Officer and Privacy Officer. Reviewed annually.
[TECH] Delinea Connection Manager configured with idle timeout per secret policy
EHR sessions: 5 min. Database consoles: 10 min. Server RDP/SSH: 15 min. Break-glass: 5 min + real-time alert. All tested and documented.
[TECH] MFA re-authentication on session resume confirmed
After idle timeout, user must re-authenticate with MFA before session can be resumed. Tested and documented in control testing log.
[TECH] Concurrent session limits enforced
Maximum concurrent sessions per user per secret configured in Secret Server. Alert triggered if anomalous concurrent session activity detected.
Audit Controls — Immutable Logging
[AUDIT] Session recording enabled for all ePHI-adjacent privileged sessions
All RDP, SSH, and database sessions proxied through Delinea Connection Manager with video/keystroke recording enabled. Coverage documented per system inventory.
[AUDIT] Log integrity — cryptographic signing configured
Delinea audit logs cryptographically signed on write. Hash validation procedure documented. SIEM integration active for immutable off-vault copy.
[AUDIT] Log retention policy set to minimum 6 years
Retention policy configured in Secret Server and SIEM. Automated alert on premature deletion attempt. Storage capacity reviewed quarterly.
[AUDIT] Information system activity review — monthly log review procedure
Security team conducts monthly review of anomalous access patterns via Secret Server reports. Review documented in audit log. Escalation path defined.
[AUDIT] Incident response plan includes step-by-step procedure for pulling Delinea session recordings as forensic evidence within the 72-hour OCR-required notification window.
Access Control — Role-Based Access to PHI Systems via PAM
[ACCESS] Role-based secret folder structure implemented in Secret Server
Folders organized by role and system classification. Access rights mapped to job functions. Reviewed and approved by Security Officer.
[ACCESS] Access request and approval workflow active
Workflow-based access requests configured in Secret Server for sensitive ePHI systems. Dual-approval for break-glass accounts. Ticket trail generated per request.
[ACCESS] JIT provisioning enabled for high-risk ePHI system access
Zero standing access configured for database servers and EHR admin consoles. Accounts provisioned on-demand and deprovisioned on session close. JIT policy documented.
[ACCESS] Semi-annual access certification completed
All privileged access rights reviewed by managers every 6 months. Delinea access certification report generated, attested, and filed as HIPAA audit evidence.
[ACCESS] Privilege Manager deployed — local admin removal on clinical endpoints
Delinea Privilege Manager removes local admin rights from clinical workstations. Policy-based elevation for approved applications only. Exceptions logged.
[ACCESS] HHS 405(d) HICP Practice 3 self-assessment completed
Organization has completed the HICP self-assessment tool for Access Management (Practice 3). Gaps documented. Delinea deployment mapped as remediation evidence.