HIPAA Security Rule Guide: Requirements, Risk Assessment & Compliance Checklist
The HIPAA Security Rule is the federal standard governing how covered entities and business associates protect electronic Protected Health Information (ePHI). This comprehensive guide covers every aspect of HIPAA security compliance — from the three safeguard categories and the mandatory security risk assessment process to cloud security requirements, network architecture, and a complete compliance checklist. Petronella Technology Group, Inc. has delivered HIPAA security solutions for healthcare organizations since 2002, combining AI-powered risk assessment with 23+ years of regulatory expertise.
OCR Audit-Ready Documentation
Risk analysis reports, policies, and evidence packages that satisfy the HHS Office for Civil Rights during investigations, audits, and breach reviews.
AI-Powered Risk Assessment
Machine learning-enhanced threat identification and vulnerability analysis that goes beyond checkbox compliance to find real security gaps in your ePHI environment.
Cloud & Hybrid Security
HIPAA-compliant architecture design for AWS, Azure, and Google Cloud environments with proper BAAs, encryption, and access controls for cloud-hosted ePHI.
Continuous Compliance
Ongoing monitoring, quarterly vulnerability scans, annual risk analysis updates, and managed security services that keep your organization compliant year-round.
1. What Is the HIPAA Security Rule?
The HIPAA Security Rule, codified at 45 CFR Part 164, Subpart C, is the federal regulation that establishes a national floor of protection for electronic Protected Health Information (ePHI). Originally published by the U.S. Department of Health and Human Services (HHS) in 2003 and enforced since April 2005, the Security Rule mandates that every organization handling ePHI implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of that information. Unlike many cybersecurity frameworks that are voluntary or industry-specific, the HIPAA Security Rule carries the full force of federal law, with civil monetary penalties reaching $2.13 million per violation category per calendar year and criminal penalties extending to imprisonment.
The Security Rule was designed to be technology-neutral and scalable. It does not prescribe specific technologies or products. Instead, it defines security objectives and allows organizations to determine the most appropriate means of meeting those objectives based on their size, complexity, capabilities, technical infrastructure, and the cost of implementing particular security measures. This flexibility is both a strength and a challenge — it prevents the regulation from becoming obsolete as technology evolves, but it also requires organizations to exercise informed judgment about what constitutes reasonable and appropriate security for their specific environment.
At its core, the Security Rule protects three properties of ePHI. Confidentiality ensures that ePHI is not made available or disclosed to unauthorized persons. Integrity ensures that ePHI has not been altered or destroyed in an unauthorized manner. Availability ensures that ePHI is accessible and usable on demand by authorized persons. Every standard and implementation specification in the Security Rule exists to protect one or more of these three properties. When conducting a HIPAA security risk assessment, each identified threat is evaluated against the potential impact on confidentiality, integrity, and availability.
The regulatory landscape around HIPAA security has intensified significantly since the HITECH Act of 2009, which strengthened enforcement provisions, made business associates directly liable under the Security Rule, and introduced the Breach Notification Rule. At the end of December 2024, HHS issued a Notice of Proposed Rulemaking (published in the Federal Register in January 2025) that would eliminate the distinction between required and addressable implementation specifications, mandate encryption of ePHI at rest and in transit, require vulnerability scanning every six months and penetration testing annually, and require multi-factor authentication. These proposed changes are still moving through the rulemaking process, so the current rule remains the enforceable text; but they signal the direction of enforcement and represent the standard of care that HIPAA security consultants should already be advising clients to meet.
Understanding the HIPAA Security Rule is not merely a compliance exercise; it is a business imperative. According to IBM's Cost of a Data Breach Report, healthcare has had the highest average breach cost of any industry for more than a decade, with the average healthcare breach reaching $10.93 million in the 2023 edition (the thirteenth consecutive year healthcare topped the ranking). Organizations that treat security compliance as a genuine risk management function rather than a paperwork obligation are demonstrably better positioned to prevent breaches, limit their impact, and defend enforcement actions when incidents do occur. Petronella Technology Group, Inc. approaches HIPAA security from this dual perspective: we build programs that genuinely protect patient data while producing the documentation and evidence that regulators require.
2. Who Does the HIPAA Security Rule Apply To?
The HIPAA Security Rule applies to two categories of organizations: covered entities and business associates. Understanding which category your organization falls into — and whether you might qualify as both — is the essential first step in any HIPAA security compliance program.
Covered entities are organizations that directly create, receive, maintain, or transmit ePHI in the course of performing HIPAA-defined functions. There are three types of covered entities:
- Healthcare providers — physicians, dentists, chiropractors, hospitals, nursing homes, clinics, pharmacies, and any other provider that transmits health information electronically in connection with a HIPAA-covered transaction (such as submitting claims electronically). A solo practitioner who submits electronic claims is a covered entity subject to the full Security Rule.
- Health plans — health insurance companies, HMOs, employer-sponsored group health plans (with more than 50 participants or administered by a third party), Medicare, Medicaid, Medicare supplement insurers, and long-term care insurers. Self-insured employer health plans, even those administered internally, are covered entities if they have 50 or more participants.
- Healthcare clearinghouses — entities that process nonstandard health information received from another entity into a standard format, or vice versa. Clearinghouses typically sit between providers and payers, translating electronic claims into standard HIPAA transaction formats.
Business associates are persons or organizations that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve access to ePHI. Since the HITECH Act, business associates are directly subject to the HIPAA Security Rule and face the same penalties as covered entities for non-compliance. Common examples include:
- IT service providers and managed service providers (MSPs) that access ePHI systems
- Cloud service providers hosting ePHI (AWS, Azure, Google Cloud, SaaS EHR vendors)
- Medical billing companies and claims processing services
- Electronic health record (EHR) vendors
- Shredding, data destruction, and document storage companies
- Attorneys, accountants, and consultants with ePHI access
- Health information exchanges (HIEs)
- Patient scheduling, telehealth, and messaging platform providers
A critical and often misunderstood aspect of the Security Rule's applicability is the subcontractor chain. If a business associate engages a subcontractor that will have access to ePHI, that subcontractor is itself a business associate and must comply with the Security Rule. This chain extends indefinitely — a cloud provider's infrastructure subcontractor who could access ePHI is also subject to HIPAA. Each link in the chain requires a Business Associate Agreement (BAA) and must independently comply with applicable Security Rule provisions.
The question "does the HIPAA Security Rule apply to my organization?" is answered by a single criterion: does your organization create, receive, maintain, or transmit ePHI in connection with covered functions or services to a covered entity? If yes, the Security Rule applies. There is no size exemption — a solo-provider practice with one desktop computer and a two-person medical billing company are subject to the same regulatory standards as a hospital system. The scale and complexity of their required security measures will differ, but the obligation to implement reasonable and appropriate safeguards is identical.
3. The Three HIPAA Security Safeguards: Administrative, Physical, Technical
The HIPAA Security Rule organizes its requirements into three categories of safeguards, plus organizational requirements and documentation standards. Within each category, individual implementation specifications are classified as either required (must be implemented) or addressable (must be assessed and either implemented, implemented with an equivalent alternative, or documented as not reasonable and appropriate, with the rationale recorded). The frequently repeated point bears emphasizing: addressable does not mean optional. OCR has imposed millions of dollars in penalties on organizations that treated addressable specifications as discretionary. In the lists that follow, the label in parentheses describes the implementation specifications under each standard; the standards themselves are all required.
Administrative Safeguards (45 CFR 164.308)
Administrative safeguards are the policies, procedures, and organizational actions that manage the selection, development, implementation, and maintenance of security measures. They represent approximately half of the Security Rule's requirements and form the governance backbone of your HIPAA security program. Key administrative safeguards include:
- Security Management Process (Required) — The foundational standard requiring a risk analysis, risk management plan, sanction policy for workforce violations, and information system activity review. The risk analysis under this standard is the single most cited deficiency in OCR enforcement actions.
- Assigned Security Responsibility (Required) — A designated HIPAA Security Officer responsible for developing and implementing security policies and procedures. This can be an existing employee or a virtual security officer from an outside firm.
- Workforce Security (Addressable) — Authorization and supervision procedures, workforce clearance procedures, and termination procedures ensuring that access to ePHI is properly provisioned and promptly revoked.
- Information Access Management (Required/Addressable) — Policies for authorizing access to ePHI, including role-based access controls based on the minimum necessary standard.
- Security Awareness and Training (Addressable) — Security reminders, protection from malicious software, login monitoring, and password management training for all workforce members.
- Security Incident Procedures (Required) — Procedures to identify, report, and respond to suspected or known security incidents.
- Contingency Planning (Required/Addressable) — Data backup plans, disaster recovery plans, emergency mode operations plans, testing and revision procedures, and applications and data criticality analysis.
- Evaluation (Required) — Periodic technical and nontechnical evaluations establishing the extent to which security policies and procedures meet Security Rule requirements.
- Business Associate Contracts (Required) — Written agreements with business associates that establish permitted uses and disclosures and require appropriate safeguards for ePHI.
Physical Safeguards (45 CFR 164.310)
Physical safeguards protect the physical infrastructure, buildings, equipment, and media that house and interact with ePHI. In the modern healthcare environment where data resides in cloud environments, on mobile devices, and across distributed networks, physical safeguards extend well beyond traditional server room locks.
- Facility Access Controls (Addressable) — Contingency operations procedures, facility security plans, access control and validation procedures, and maintenance records for physical access systems. Server rooms, network closets, and areas with workstations accessing ePHI require documented access restrictions.
- Workstation Use (Required) — Policies specifying the proper functions to be performed and the manner in which they are to be performed on workstations accessing ePHI, including screen positioning, location restrictions, and authorized uses.
- Workstation Security (Required) — Physical safeguards for all workstations that access ePHI, restricting access to authorized users only. This includes laptops, tablets, and mobile devices used to access ePHI.
- Device and Media Controls (Required/Addressable) — Disposal procedures, media re-use procedures, accountability tracking, and data backup and storage procedures governing hardware and electronic media containing ePHI throughout their lifecycle.
Technical Safeguards (45 CFR 164.312)
Technical safeguards are the technology and related policies that protect ePHI and control access to it. These are the controls that IT teams and HIPAA security consultants spend the most time implementing and monitoring.
- Access Control (Required/Addressable) — Unique user identification (no shared accounts), emergency access procedures, automatic logoff, and encryption and decryption of ePHI. Unique user IDs and emergency access are required; automatic logoff and encryption are addressable.
- Audit Controls (Required) — Hardware, software, and procedural mechanisms that record and examine activity in information systems containing ePHI. This means centralized logging, log review, and the ability to detect unauthorized access patterns.
- Integrity Controls (Addressable) — Policies and procedures to protect ePHI from improper alteration or destruction, including electronic mechanisms to corroborate that ePHI has not been altered or destroyed.
- Person or Entity Authentication (Required) — Procedures to verify that a person or entity seeking access to ePHI is who they claim to be. Multi-factor authentication (MFA), while not explicitly named in the original rule, has become the de facto standard and is included in the 2024 proposed rule update as a requirement.
- Transmission Security (Addressable) — Integrity controls and encryption for ePHI transmitted over electronic communications networks. TLS 1.2+ for web traffic, encrypted email, VPN for remote access, and encrypted file transfers are standard implementations.
The interplay between these three safeguard categories is critical. Technical controls without supporting administrative policies create security gaps that OCR will identify. Physical safeguards without documented procedures cannot demonstrate compliance during an audit. A genuinely secure HIPAA environment integrates all three categories into a unified security program where administrative governance directs technical implementation and physical protections, and continuous evaluation ensures all three categories remain effective. For a deeper dive into specific regulatory requirements, see our HIPAA Security Rules breakdown.
4. HIPAA Security Risk Assessment: A Step-by-Step Guide
The HIPAA security risk assessment (also called a security risk analysis or SRA) is the single most important requirement in the entire Security Rule. Codified at 45 CFR 164.308(a)(1)(ii)(A), it requires covered entities and business associates to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate." It is the most frequently cited deficiency in OCR enforcement actions, settlement agreements, and corrective action plans. An organization without a current, thorough risk assessment is, by definition, not HIPAA compliant.
The following step-by-step methodology aligns with NIST SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments) and NIST SP 800-66 Rev. 2 (Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide, the HHS-recommended implementation guide):
Step 1: Define the Scope and Inventory ePHI Assets
Identify every system, application, database, device, and location where ePHI is created, received, maintained, or transmitted. This includes EHR/EMR systems, practice management software, billing systems, email servers, cloud storage, backup systems, fax servers, patient portals, telehealth platforms, mobile devices, removable media, and paper-to-digital conversion points. Map data flows showing how ePHI moves between systems, to business associates, and to external entities. This inventory is the foundation of everything that follows — if you miss a system, you miss the risks associated with it.
Step 2: Identify Threats and Vulnerabilities
For each ePHI asset, identify potential threats — natural threats (floods, fires, power outages), human threats (hackers, disgruntled employees, social engineering, ransomware), and environmental threats (HVAC failure, water damage, power surges). Then identify vulnerabilities in current controls that could be exploited by each threat. Vulnerabilities are discovered through technical scanning (vulnerability scanners, penetration testing), configuration review, policy review, process evaluation, and staff interviews. Every threat-vulnerability pair that could result in unauthorized access, alteration, or loss of ePHI is a risk scenario that must be assessed.
Step 3: Assess Current Security Controls
Document the administrative, physical, and technical safeguards currently in place for each ePHI system. Evaluate whether each control is properly implemented, configured correctly, operationally effective, and regularly maintained. A firewall that exists but has default rules, an encryption solution that is deployed but not enforced, or a backup system that runs but has never been tested for successful restoration all represent controls that exist on paper but fail in practice. This is where many organizations discover that their perceived security posture differs significantly from reality.
Step 4: Determine Likelihood and Impact
For each threat-vulnerability pair, assess the likelihood of the threat exploiting the vulnerability given current controls (typically rated as high, medium, or low) and the impact to the organization if the exploitation occurs (considering regulatory penalties, breach notification costs, legal liability, reputational damage, operational disruption, and patient harm). Likelihood considers threat motivation and capability, vulnerability severity, and the effectiveness of current controls. Impact considers the volume and sensitivity of ePHI affected, regulatory consequences, and business disruption.
Step 5: Calculate Risk Levels and Prioritize
Combine likelihood and impact assessments to determine an overall risk level for each scenario. This produces a risk register — a prioritized list of risks that drives your risk management plan. High risks demand immediate attention and resource allocation. Medium risks require planned remediation within a defined timeframe. Low risks may be accepted with documentation or addressed as resources allow. The risk register becomes a living document, updated as threats evolve, controls change, and the ePHI environment expands.
Step 6: Develop and Implement Risk Management Plan
For each identified risk, document specific security measures that will reduce the risk to a reasonable and appropriate level. Measures include implementing new technical controls, strengthening or reconfiguring existing controls, developing or updating policies and procedures, conducting targeted training, modifying workflows, or accepting residual risk with documented business justification. Every risk treatment decision must be documented with the rationale, responsible party, target completion date, and evidence of implementation. The risk management plan is the second document OCR requests in any investigation — right after the risk analysis itself.
Step 7: Document Everything and Review Annually
The risk assessment must be thoroughly documented. OCR expects to see the methodology used, the scope of the assessment, the threat and vulnerability identification process, the risk determination rationale, and the resulting risk management plan. The current Security Rule does not fix a review interval: OCR's Guidance on Risk Analysis describes risk analysis as an ongoing process, the Promoting Interoperability program already requires an annual SRA, and the 2024 proposed rule would mandate review and update at least every 12 months. The defensible standard is therefore at least annually and whenever significant changes occur in the ePHI environment (new systems, new locations, organizational changes, security incidents, or regulatory updates). A risk assessment that is three years old provides no compliance protection.
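The seven steps above can be carried as a small risk register rather than a spreadsheet. The following is an added example, not code from the original page or from Petronella; it applies the qualitative likelihood-by-impact matrix of NIST SP 800-30 (Steps 4 and 5), carries each risk's planned treatment and residual level (Step 6), assigns remediation windows, and flags a register that is due for its annual refresh (Step 7). The assets, threats, SLA windows and dates in it are constructed for illustration, and the 30/90-day windows are an assumed internal policy, not a Security Rule requirement.

```python
"""Risk register for a HIPAA security risk analysis (NIST SP 800-30 qualitative scoring).

Added example: the asset names, threats, SLA windows and dates below are constructed,
not taken from any real assessment or from the Security Rule.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

LEVELS = {"low": 1, "medium": 2, "high": 3}
# Remediation windows by risk level (assumed policy values); None = accept with documentation
SLA_DAYS = {"high": 30, "medium": 90, "low": None}


def risk_level(likelihood: str, impact: str) -> str:
    """Step 5: combine likelihood and impact with a 3x3 qualitative matrix."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:      # high x medium, medium x high, high x high
        return "high"
    if score >= 3:      # low x high, medium x medium, high x low
        return "medium"
    return "low"


@dataclass
class Risk:
    asset: str                                  # Step 1: ePHI asset from the inventory
    threat: str                                 # Step 2: threat
    vulnerability: str                          # Step 2: weakness the threat exploits
    likelihood: str                             # Step 4, given current controls (Step 3)
    impact: str
    treatment: Optional[str] = None             # Step 6: planned measure
    residual_likelihood: Optional[str] = None   # expected likelihood after treatment

    @property
    def inherent(self) -> str:
        return risk_level(self.likelihood, self.impact)

    @property
    def residual(self) -> str:
        # Treatment lowers likelihood; impact (volume/sensitivity of ePHI) is unchanged
        return risk_level(self.residual_likelihood or self.likelihood, self.impact)


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest inherent risk first; ties broken by impact (patient harm before convenience)."""
    return sorted(register, key=lambda r: (LEVELS[r.inherent], LEVELS[r.impact]), reverse=True)


def due_date(risk: Risk, plan_start: date) -> Optional[date]:
    """Target completion date for the risk management plan entry (None = accepted risk)."""
    days = SLA_DAYS[risk.inherent]
    return plan_start + timedelta(days=days) if days else None


def needs_review(assessed_on: date, today: date, significant_change: bool = False) -> bool:
    """Step 7: refresh at least annually and after any significant environmental change."""
    return significant_change or (today - assessed_on).days > 365


# Constructed sample register
REGISTER = [
    Risk("EHR database server", "ransomware", "VPN appliance missing vendor patch",
         "high", "high", "patch and enforce MFA on VPN", "low"),
    Risk("Clinician laptops", "theft or loss", "no full-disk encryption",
         "medium", "high", "deploy full-disk encryption with escrowed keys", "low"),
    Risk("Nightly backups", "ransomware / data loss", "restoration never tested",
         "medium", "high", "quarterly restore test with sign-off", "low"),
    Risk("Guest Wi-Fi", "unauthorized network access", "guest VLAN routes to clinical VLAN",
         "medium", "medium", "block inter-VLAN routing at the firewall", "low"),
    Risk("Waiting-room kiosk", "shoulder surfing", "screen faces the lobby",
         "low", "low"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.inherent:6} -> residual {r.residual:6}  {r.asset}: {r.threat} via {r.vulnerability}")
```

Note that the laptop and backup entries score high even though their likelihood is only medium, because the impact of losing or failing to restore an entire ePHI store is high; and that an encrypted laptop still carries medium residual risk, which is why the residual column (not the inherent one) is what the risk management plan tracks to closure.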
Petronella Technology Group, Inc. uses AI-enhanced tools alongside expert human judgment to conduct HIPAA security risk assessments that go beyond checkbox compliance. Our automated asset discovery identifies ePHI systems that manual inventories miss. Our threat intelligence integrates real-time healthcare sector threat data. And our reporting produces risk assessments that satisfy OCR scrutiny while giving leadership actionable intelligence about their actual security posture. For more on how generative AI is reshaping healthcare compliance, see our analysis of scaling HIPAA-compliant GenAI from pilot to production.
Need a HIPAA Security Risk Assessment?
Our AI-powered methodology identifies threats that manual assessments miss. Get OCR audit-ready documentation from HIPAA security consultants with 23+ years of experience.
5. HIPAA Security Rule vs. Privacy Rule: Key Differences
The HIPAA Security Rule and Privacy Rule are distinct but complementary regulations that together form the foundation of PHI protection. Understanding how they differ — and how they overlap — is essential for building a compliance program that satisfies both.
| Dimension | HIPAA Security Rule | HIPAA Privacy Rule |
|---|---|---|
| Scope of PHI | Electronic PHI (ePHI) only | All PHI: electronic, paper, and oral |
| Primary Focus | Safeguards for ePHI confidentiality, integrity, and availability | Patient rights and rules for use and disclosure of PHI |
| Designated Officer | HIPAA Security Officer | HIPAA Privacy Officer |
| Key Requirement | Security Risk Assessment (SRA) | Notice of Privacy Practices (NPP) |
| Applicability | Covered entities and business associates | Covered entities directly; business associates through BAAs and, since HITECH, direct liability for certain provisions |
| Control Categories | Administrative, Physical, Technical safeguards | Administrative requirements, patient rights, use/disclosure rules |
| Specification Types | Required and Addressable | Required only (no addressable concept) |
| Technology Specificity | Technology-neutral; outcome-based | Not technology-focused |
| Effective Date | April 2005 | April 2003 |
| CFR Citation | 45 CFR Part 164, Subpart C | 45 CFR Part 164, Subpart E |
The most important practical distinction is scope: the Privacy Rule governs all PHI regardless of format, while the Security Rule applies exclusively to ePHI. A paper medical chart left open on a reception desk is a Privacy Rule violation but not a Security Rule issue. Conversely, a misconfigured firewall that exposes an EHR database to the internet is primarily a Security Rule concern. In practice, the vast majority of PHI in modern healthcare exists electronically, which means the Security Rule's requirements drive the bulk of technical compliance investment. Petronella Technology Group, Inc. addresses both rules through our comprehensive HIPAA compliance services, ensuring that your organization's Privacy and Security programs are aligned and mutually reinforcing.
6. HIPAA Network Security Requirements
While the HIPAA Security Rule does not prescribe specific network technologies, its technical safeguard requirements — particularly access control, audit controls, integrity, and transmission security — translate into concrete network security requirements that every organization handling ePHI must address. The 2024 proposed rule update makes several of these requirements more explicit, reflecting the evolved threat landscape and modern network architectures.
The following HIPAA network security requirements represent the standard of care that healthcare organizations and their HIPAA security consultants should implement:
Network Segmentation and Access Control
ePHI systems should be isolated on dedicated network segments separated from general-purpose networks by firewalls or next-generation firewalls with explicit allow-list rules. Network access control (NAC) prevents unauthorized devices from connecting to ePHI network segments. VLANs separate clinical, administrative, guest, and IoT/medical device traffic. Zero-trust network architecture, where every access request is verified regardless of source location, is rapidly becoming the standard for healthcare environments. The 2024 proposed rule explicitly requires network segmentation as a security measure.
Encryption in Transit and at Rest
All ePHI in transit must be encrypted using TLS 1.2 or higher for web traffic, IPsec or WireGuard VPN for site-to-site and remote access connections, encrypted email (TLS-enforced SMTP, S/MIME, or encrypted messaging platforms), and SFTP or SCP for file transfers. ePHI at rest must be encrypted using AES-256 or equivalent on all storage systems, including databases, file servers, backup media, and endpoint drives. Full-disk encryption on all endpoints (laptops, desktops, mobile devices) is essential. Lost or stolen unencrypted devices were for years the leading source of reported large breaches, and although hacking and IT incidents now dominate the OCR breach portal, a lost device is still a reportable breach unless the data on it was encrypted. For details on encryption requirements, see our guide on whether HTTPS alone is HIPAA compliant.
Intrusion Detection and Prevention
Network-based intrusion detection/prevention systems (IDS/IPS) monitor ePHI network segments for malicious traffic, exploit attempts, and lateral movement. Endpoint detection and response (EDR) provides visibility into endpoint-level threats. Security information and event management (SIEM) aggregates logs from network devices, servers, applications, and endpoints, correlating events to detect sophisticated attacks that individual systems would miss. The current rule already requires information system activity review at 45 CFR 164.308(a)(1)(ii)(D): procedures to regularly review records of system activity such as audit logs, access reports, and security incident tracking reports. A SIEM fed by the EHR's audit trail is the standard way to satisfy that specification at scale; a log that is collected but never reviewed does not.
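What an information system activity review actually looks for is easier to see in code than in a policy sentence. The block below is an added example, not code from the original page or from Petronella, and it serves both the Audit Controls standard in Section 3 and the SIEM discussion above: it runs four review rules over a constructed EHR access log. The log format, user names, MRNs, source addresses and assignment roster are all invented for the illustration (a real EHR's audit export will differ), and the after-hours threshold and the ten-minute window for the shared-credential rule are assumed policy values.

```python
"""Information system activity review over EHR audit log lines.

Added example. The log format, users, MRNs and roster below are constructed;
a real EHR audit export will use its own schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) src=(?P<src>\S+)$"
)

Finding = Tuple[str, str, str]   # (rule, user, detail)


def parse(line: str) -> Optional[dict]:
    """Parse one constructed audit line; lines that do not match are skipped, not trusted."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def review(lines: List[str], roster: Dict[str, Set[str]],
           after_hours_threshold: int = 3,
           window: timedelta = timedelta(minutes=10)) -> List[Finding]:
    """roster maps each user to the patients they are assigned to (minimum necessary)."""
    events = [r for r in map(parse, lines) if r]
    findings: List[Finding] = []
    by_user: Dict[str, list] = defaultdict(list)

    for e in events:
        by_user[e["user"]].append(e)
        if e["action"] == "EMERGENCY_ACCESS":
            # Rule 1: break-the-glass access is permitted but always reviewed
            findings.append(("emergency-access", e["user"], e["patient"]))
        elif e["patient"] not in roster.get(e["user"], set()):
            # Rule 2: record viewed outside the user's assignment (snooping / minimum necessary)
            findings.append(("unassigned-access", e["user"], e["patient"]))

    for user, evs in by_user.items():
        evs.sort(key=lambda r: r["ts"])
        # Rule 3: one account active from two source addresses within the window
        # suggests a shared credential, which defeats unique user identification
        for a, b in zip(evs, evs[1:]):
            if a["src"] != b["src"] and b["ts"] - a["ts"] <= window:
                findings.append(("shared-account", user, f'{a["src"]},{b["src"]}'))
                break
        # Rule 4: bulk record access between 22:00 and 06:00
        night = {e["patient"] for e in evs if e["ts"].hour >= 22 or e["ts"].hour < 6}
        if len(night) >= after_hours_threshold:
            findings.append(("after-hours-bulk", user, str(len(night))))
    return findings


# Constructed sample log and roster
SAMPLE_LOG = """\
2024-05-14T09:02:11Z user=jdoe action=VIEW patient=MRN-10442 src=10.20.3.55
2024-05-14T09:05:40Z user=jdoe action=VIEW patient=MRN-10443 src=10.20.3.55
2024-05-14T09:07:02Z user=jdoe action=VIEW patient=MRN-20991 src=10.20.3.55
2024-05-14T23:10:15Z user=rsmith action=VIEW patient=MRN-30001 src=10.20.7.12
2024-05-14T23:12:48Z user=rsmith action=VIEW patient=MRN-30002 src=10.20.7.12
2024-05-14T23:15:03Z user=rsmith action=VIEW patient=MRN-30003 src=10.20.7.12
2024-05-14T23:16:30Z user=rsmith action=VIEW patient=MRN-30004 src=10.20.9.200
2024-05-15T03:40:00Z user=oncall1 action=EMERGENCY_ACCESS patient=MRN-40010 src=10.20.5.9
"""

ROSTER = {
    "jdoe": {"MRN-10442", "MRN-10443"},
    "rsmith": {"MRN-30001", "MRN-30002", "MRN-30003", "MRN-30004"},
    "oncall1": set(),
}

if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG.splitlines(), ROSTER):
        print(f"{rule:18} {user:8} {detail}")
```

Each finding is a review item, not a verdict: the unassigned view may be a legitimate consult, and the night-shift volume may be a real night shift. The point of the audit control is that someone with the roster and the schedule looks, and that the looking is itself recorded.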
Vulnerability Management
Regular vulnerability scanning (at least quarterly, biweekly recommended) identifies known vulnerabilities in network devices, servers, applications, and endpoints. Penetration testing (at least annually) validates that controls are effective against real-world attack techniques. Patch management processes ensure critical vulnerabilities are remediated within defined timeframes — 14 days for critical severity, 30 days for high, 90 days for medium. The 2024 proposed rule specifies vulnerability scanning every six months and annual penetration testing as minimum frequencies.
Wireless Network Security
Clinical wireless networks carrying ePHI require WPA3 Enterprise (or WPA2 Enterprise minimum) with RADIUS authentication, certificate-based device authentication, and encryption. Guest wireless networks must be completely isolated from ePHI networks with no routing between segments. Wireless intrusion detection identifies rogue access points that could provide unauthorized network access. Regular wireless assessments verify that segmentation and encryption remain effective.
Remote Access Security
With telehealth, remote work, and distributed care delivery now standard in healthcare, remote access to ePHI systems requires VPN with multi-factor authentication, endpoint compliance checking (device encryption, up-to-date patches, active endpoint protection), session timeout and re-authentication policies, and logging of all remote access sessions. The HIPAA network security requirements for remote access became significantly more important during and after the pandemic, and OCR has signaled increased enforcement attention to remote access controls.
7. HIPAA Cloud Security: Compliance in AWS, Azure, and Google Cloud
Cloud computing has transformed healthcare IT, and most healthcare organizations now store or process some ePHI in cloud environments. In its 2016 guidance on HIPAA and cloud computing, HHS confirmed that cloud service providers (CSPs) that create, receive, maintain, or transmit ePHI are business associates subject to the HIPAA Security Rule, regardless of whether they actually view the ePHI, and even when the data they hold is encrypted and they lack the key. This means that HIPAA cloud security is a shared responsibility between the healthcare organization and the CSP.
The shared responsibility model means the CSP secures the cloud infrastructure (physical data centers, network, hypervisor) while the customer secures everything deployed within the cloud (data, access controls, application configuration, encryption keys). A signed Business Associate Agreement with the CSP is mandatory but does not transfer security responsibility — it allocates it. Organizations that assume their CSP "handles HIPAA compliance" are setting themselves up for enforcement exposure.
Amazon Web Services (AWS)
AWS offers a HIPAA BAA covering 160+ services including EC2, S3, RDS, Lambda, and ECS. Key HIPAA configurations: enable S3 default encryption and block public access, use AWS KMS for encryption key management, enable CloudTrail and CloudWatch logging, configure VPC with private subnets for ePHI workloads, implement IAM policies with least-privilege access, and use AWS Config rules for continuous compliance monitoring. AWS publishes a HIPAA whitepaper and compliance workbook.
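The AWS configurations listed above are the kind of checks an AWS Config rule or a pre-deployment gate evaluates. The block below is an added example, not AWS or Petronella code: it scores a bucket holding ePHI against five of those settings (SSE-KMS default encryption with a customer-managed key, all four Block Public Access flags, versioning, server access logging, and a bucket policy that denies non-TLS requests) and shows a weak configuration beside a hardened one. The two configurations are constructed; each top-level key mirrors the shape of the S3 API response named in the comment beside it, with the bucket policy already parsed from JSON, and the bucket names and KMS key ARN are placeholders.

```python
"""Baseline checks for an S3 bucket holding ePHI.

Added example, not AWS or Petronella code. The two configurations below are
constructed merges of S3 API responses; bucket names and the KMS key ARN are
placeholders.
"""
from typing import Dict, List

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def denies_insecure_transport(policy: Dict) -> bool:
    """True if some statement denies requests whose aws:SecureTransport condition is false."""
    for stmt in policy.get("Statement", []):
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        flag = str(bool_cond.get("aws:SecureTransport", "")).lower()
        if stmt.get("Effect") == "Deny" and flag == "false":
            return True
    return False


def evaluate_bucket(cfg: Dict) -> List[str]:
    """Return the failed checks; an empty list means the bucket passes the baseline."""
    failures: List[str] = []
    # get_bucket_encryption: require SSE-KMS with a customer-managed key (encryption at rest)
    rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    sse = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    if sse.get("SSEAlgorithm") != "aws:kms" or not sse.get("KMSMasterKeyID"):
        failures.append("encryption-at-rest: default SSE-KMS with a customer-managed key is not set")
    # get_public_access_block: all four flags must be on (network isolation)
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(flag) is True for flag in PAB_FLAGS):
        failures.append("public-exposure: Block Public Access is not fully enabled")
    # get_bucket_versioning: versioning preserves prior versions against unauthorized change (integrity)
    if cfg.get("Versioning", {}).get("Status") != "Enabled":
        failures.append("integrity: versioning is not enabled")
    # get_bucket_logging: access logs feed the information system activity review (audit controls)
    if not cfg.get("LoggingEnabled", {}).get("TargetBucket"):
        failures.append("audit-controls: server access logging is not configured")
    # get_bucket_policy: reject plaintext HTTP (transmission security)
    if not denies_insecure_transport(cfg.get("Policy", {})):
        failures.append("transmission-security: bucket policy does not deny non-TLS requests")
    return failures


WEAK = {
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},   # SSE-S3, no CMK
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "Versioning": {"Status": "Suspended"},
    "Policy": {"Version": "2012-10-17", "Statement": []},
}

HARDENED = {
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
         "BucketKeyEnabled": True}]},
    "PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS},
    "Versioning": {"Status": "Enabled"},
    "LoggingEnabled": {"TargetBucket": "ephi-access-logs-example", "TargetPrefix": "ephi-archive/"},
    "Policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::ephi-archive-example", "arn:aws:s3:::ephi-archive-example/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, evaluate_bucket(cfg) or ["pass"])
```

The weak bucket is not "unencrypted": SSE-S3 encrypts every object with AES-256. It fails because the key is AWS-owned, so the customer has no key policy to audit, no CloudTrail record of key use, and no way to revoke access by disabling a key, which is the reason the text above recommends KMS. Feeding real buckets to the checker means calling the five S3 API operations named in the comments and merging their responses into the same shape.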
Microsoft Azure
Azure offers a HIPAA BAA as part of the Microsoft Product Terms (formerly the Online Services Terms) covering Azure, Microsoft 365, and Dynamics 365. Key configurations: use Azure Policy for compliance enforcement (including the built-in HIPAA HITRUST regulatory compliance initiative), enable Microsoft Defender for Cloud (formerly Azure Defender) for threat detection, configure Azure Key Vault for encryption key management, use Azure Private Link to eliminate public internet exposure for ePHI services, implement Conditional Access policies with MFA, and deploy Microsoft Sentinel (formerly Azure Sentinel) as the SIEM for centralized security monitoring.
Google Cloud Platform (GCP)
GCP offers a HIPAA BAA covering 100+ services including Compute Engine, Cloud Storage, BigQuery, and Cloud Healthcare API. Key configurations: enable VPC Service Controls to restrict data exfiltration, use Customer-Managed Encryption Keys (CMEK), enable Cloud Audit Logging for all ePHI services, configure Identity-Aware Proxy for application access, implement Organization Policy constraints, and use Security Command Center for vulnerability and threat detection. GCP's Cloud Healthcare API provides FHIR, HL7v2, and DICOM support with built-in HIPAA controls.
Regardless of which cloud provider you choose, HIPAA cloud security fundamentals remain consistent: execute a BAA before any ePHI enters the cloud, encrypt ePHI at rest and in transit with customer-managed keys, implement identity and access management with MFA and least-privilege principles, enable comprehensive audit logging for all ePHI access and modifications, configure network isolation to prevent public exposure, establish backup and disaster recovery procedures with tested restoration, and maintain continuous monitoring for threats and compliance drift. Petronella Technology Group, Inc. designs and implements HIPAA-compliant cloud architectures across all three major providers, ensuring that your cloud deployment meets both Security Rule requirements and cloud security best practices. For organizations exploring AI workloads in cloud environments, see our guide to confidential AI with BYOK and TEEs for HIPAA-ready enterprise deployments.
8. HIPAA Security Officer Responsibilities
The HIPAA Security Rule at 45 CFR 164.308(a)(2) requires every covered entity and business associate to designate a HIPAA Security Officer who is responsible for the development and implementation of the organization's security policies and procedures. This is a required standard — there is no addressable alternative and no exemption for small organizations. The Security Officer can be an existing employee (who adds HIPAA security to their responsibilities), a dedicated hire, or an outsourced virtual Chief Information Security Officer (vCISO) from a qualified firm.
The HIPAA Security Officer's core responsibilities include:
- Risk Management Program — Leading the security risk assessment process, maintaining the risk register, overseeing risk treatment plans, and ensuring the risk management program is reviewed and updated at least annually.
- Policy and Procedure Development — Creating, implementing, maintaining, and enforcing security policies and procedures that address all applicable Security Rule standards. Policies must be reviewed periodically and updated in response to environmental changes, regulatory updates, or security incidents.
- Security Awareness Training — Developing and overseeing the workforce security awareness training program, including onboarding training for new hires, annual refresher training, phishing simulation campaigns, and specialized training for high-risk roles (IT staff, administrators with privileged access).
- Incident Management — Overseeing the security incident response program, including incident identification, investigation, containment, eradication, recovery, and post-incident analysis. The Security Officer coordinates with the Privacy Officer on potential breach determinations and notification obligations.
- Access Management Oversight — Ensuring that access to ePHI is granted based on the minimum necessary standard, regularly reviewed, and promptly revoked when no longer needed. This includes overseeing user provisioning, access reviews, and termination procedures.
- Business Associate Management — Participating in the evaluation of business associate security practices, reviewing BAAs, and maintaining an inventory of business associates with ePHI access.
- Compliance Monitoring — Conducting or overseeing periodic evaluations of the security program's effectiveness, reviewing audit logs and security reports, tracking remediation activities, and reporting on compliance status to organizational leadership.
- Contingency Planning — Ensuring that data backup, disaster recovery, and emergency mode operations plans are developed, documented, tested, and updated regularly.
For small and mid-sized healthcare organizations, the Security Officer role often falls to someone who already wears multiple hats — an office manager, IT director, or practice administrator. While this can work, the person must have sufficient authority, time, training, and organizational support to fulfill the role effectively. OCR does not accept "we assigned it to someone but never gave them time or resources" as a defense. Many organizations find that engaging Petronella Technology Group, Inc. as a virtual CISO provides dedicated HIPAA security expertise without the cost of a full-time hire, ensuring that the Security Officer function is performed by qualified professionals with deep regulatory and technical knowledge.
9. HIPAA Compliant Hosting: What to Look For
Selecting a HIPAA-compliant hosting provider is one of the most consequential infrastructure decisions a healthcare organization makes. The hosting provider will be a business associate under HIPAA, and any security failures in the hosting environment directly affect the organization's compliance posture. Here is what to evaluate:
Business Associate Agreement (BAA)
Non-negotiable. The hosting provider must sign a BAA before any ePHI is stored or processed in their environment. Review the BAA carefully — some providers include liability limitations, narrow definitions of "security incident," or carve-outs for certain services. The BAA should clearly define the provider's security obligations, breach notification responsibilities, and the permitted uses and disclosures of ePHI. If a hosting provider refuses to sign a BAA, they cannot be used for ePHI. Period.
Physical Security and Data Center Controls
Look for SOC 2 Type II or SOC 3 certification covering the data center facility. Physical controls should include biometric access controls, 24/7 video surveillance, man traps, visitor logs, and access audit trails. Environmental controls should include redundant HVAC, fire suppression, raised floors, and water detection. Verify that the provider's physical security is regularly audited by an independent third party and that you can review the audit reports.
Encryption, Access Controls, and Logging
The provider should offer encryption at rest (AES-256) for all storage, encryption in transit (TLS 1.2+) for all management and data interfaces, managed firewall services, intrusion detection, and comprehensive audit logging with configurable retention periods. Access to the hosting management plane should require MFA. Logs should include all administrative access, configuration changes, and data access events. Ask whether the provider supports customer-managed encryption keys (CMEK) for maximum control over ePHI encryption.
Backup, Disaster Recovery, and SLAs
HIPAA requires contingency planning including data backup and disaster recovery. Evaluate the provider's backup frequency, retention periods, geographic replication, and tested recovery time objectives (RTOs) and recovery point objectives (RPOs). The SLA should include uptime guarantees (99.95% or higher for healthcare), defined incident response timeframes, breach notification timelines, and penalties for SLA violations. Ensure backups are encrypted and stored in a geographically separate location from primary data.
Compliance Certifications and Third-Party Audits
Look for HITRUST CSF certification (the gold standard for healthcare hosting), SOC 2 Type II reports covering all five trust service criteria, and willingness to share audit reports with customers. Some providers also maintain ISO 27001 certification, FedRAMP authorization, or PCI DSS compliance that demonstrates mature security operations. Be cautious of providers who claim "HIPAA certification" — HHS does not certify organizations as HIPAA compliant. Any provider making this claim is either misinformed or misleading.
Petronella Technology Group, Inc. evaluates hosting providers on behalf of our healthcare clients, conducts security assessments of proposed hosting environments, and designs HIPAA-compliant hosting architectures that balance security requirements with performance and cost objectives. We help you navigate the BAA negotiation process and ensure that the hosting provider's security controls integrate with your broader HIPAA security program.
Evaluating HIPAA Hosting or Cloud Providers?
We assess hosting environments, review BAAs, and design HIPAA-compliant architectures across AWS, Azure, GCP, and dedicated infrastructure. Get expert guidance before you migrate ePHI.
10. HIPAA Security Compliance Checklist
Use this checklist to evaluate your organization's HIPAA Security Rule compliance posture. Each item maps to a specific Security Rule standard or implementation specification. Items marked with an asterisk (*) are addressed in the 2024 proposed rule updates with more prescriptive requirements.
Administrative Safeguards
- Comprehensive security risk assessment completed within the past 12 months*
- Documented risk management plan with assigned remediation owners and timelines*
- Designated HIPAA Security Officer with documented responsibilities
- Written security policies and procedures covering all Security Rule standards*
- Sanctions policy for workforce members who violate security policies
- Regular information system activity review (audit log review)*
- Workforce security authorization and clearance procedures
- Termination procedures including immediate ePHI access revocation
- Role-based access authorization based on the minimum necessary standard
- Security awareness training for all workforce members (annual minimum)*
- Phishing simulation testing program*
- Security incident response procedures with testing*
- Contingency plan: data backup, disaster recovery, emergency mode operations*
- Contingency plan testing at least annually*
- Periodic security evaluations (technical and nontechnical)*
- Business Associate Agreements with all vendors accessing ePHI*
- Business associate inventory maintained and reviewed*
Physical Safeguards
- Facility access controls with documented security plan
- Server room and network closet access restrictions
- Visitor management procedures for areas with ePHI access
- Workstation use policies specifying authorized functions and locations
- Workstation physical security (cable locks, privacy screens, screen positioning)
- Device and media disposal procedures with documented destruction
- Media re-use sanitization procedures (NIST 800-88 aligned)
- Hardware and media accountability tracking
- Data backup and offsite storage procedures
Technical Safeguards
- Unique user identification for all ePHI system users (no shared accounts)*
- Multi-factor authentication (MFA) for ePHI system access*
- Emergency access procedures for critical ePHI systems
- Automatic session timeout/logoff on all ePHI systems*
- Encryption of ePHI at rest (AES-256 on all storage)*
- Encryption of ePHI in transit (TLS 1.2+ minimum)*
- Comprehensive audit logging on all ePHI systems*
- Automated log review and alerting (SIEM)*
- Integrity controls preventing unauthorized ePHI modification
- Vulnerability scanning at least quarterly (biweekly recommended)*
- Penetration testing at least annually*
- Patch management within defined SLAs (14 days critical)*
- Network segmentation isolating ePHI systems*
- Intrusion detection/prevention systems on ePHI network segments
- Endpoint detection and response (EDR) on all endpoints
- Secure remote access with VPN and MFA
- Anti-malware on all systems accessing ePHI*
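Several of the technical safeguard items above (unique user identification, MFA on ePHI access, immediate revocation at termination, and audit logging with automated review) become concrete checks once audit events are screened by script rather than read by hand. The following is an added example, not code from the original page or from Petronella Technology Group, Inc.; the JSON event format, user names, business hours and bulk-export threshold are constructed assumptions, not any real EHR product's log format.

```python
"""Automated ePHI audit-log review against several Technical Safeguard items.

Added example, not code from the original page or from Petronella Technology
Group. The JSON field names, user names, thresholds and business hours are
constructed assumptions, not a real EHR product's log format.
"""
import json
from collections import Counter
from datetime import date, datetime, time

# Constructed sample events (one JSON object per line); not real ePHI access data.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:01Z", "user": "jdoe",      "mfa": true,  "action": "read",   "records": 3}
{"ts": "2024-03-04T09:30:44Z", "user": "frontdesk", "mfa": true,  "action": "read",   "records": 1}
{"ts": "2024-03-04T02:15:09Z", "user": "asmith",    "mfa": false, "action": "read",   "records": 1}
{"ts": "2024-03-04T23:40:00Z", "user": "rlee",      "mfa": true,  "action": "export", "records": 850}
{"ts": "2024-03-05T10:05:12Z", "user": "tgone",     "mfa": true,  "action": "read",   "records": 2}
"""

# Reference data an organization would maintain itself (constructed here).
SHARED_ACCOUNTS = {"frontdesk", "admin", "nurse"}   # checklist: no shared accounts
TERMINATED = {"tgone": date(2024, 3, 1)}           # checklist: revocation at termination
BULK_EXPORT_THRESHOLD = 500                        # records; tune to the environment
BUSINESS_HOURS = (time(7, 0), time(19, 0))         # clinic hours, adds context to exports


def parse_events(text):
    """Parse newline-delimited JSON events; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def review(events):
    """Return findings as (checklist_item, user, timestamp_iso, detail) tuples."""
    findings = []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        stamp = ts.isoformat()
        if user in SHARED_ACCOUNTS:
            findings.append(("unique-user-id", user, stamp,
                             "shared account used; actor cannot be attributed"))
        if not ev.get("mfa", False):
            findings.append(("mfa", user, stamp, "ePHI access without MFA"))
        term = TERMINATED.get(user)
        if term is not None and ts.date() > term:
            findings.append(("terminated-access", user, stamp,
                             f"access after termination on {term.isoformat()}"))
        if ev["action"] == "export" and ev["records"] >= BULK_EXPORT_THRESHOLD:
            in_hours = BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]
            when = "during business hours" if in_hours else "outside business hours"
            findings.append(("bulk-export", user, stamp,
                             f"{ev['records']} records exported {when}"))
    return findings


def review_log(text):
    """Convenience wrapper: raw log text in, findings out."""
    return review(parse_events(text))


def counts_by_item(findings):
    """Per-item summary, the figure a periodic activity review would report."""
    return dict(Counter(item for item, *_ in findings))


if __name__ == "__main__":
    for item, user, stamp, detail in review_log(SAMPLE_LOG):
        print(f"[{item}] {stamp} {user}: {detail}")
    print(counts_by_item(review_log(SAMPLE_LOG)))
```

Each finding names the checklist item it supports, so the same output doubles as evidence for the information system activity review item in the Administrative Safeguards list.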
Scoring yourself: If you cannot check off more than 75% of these items, your organization has material HIPAA Security Rule compliance gaps that represent both regulatory risk and genuine security vulnerabilities. Contact Petronella Technology Group, Inc. at 919-348-4912 for a professional gap assessment that identifies your specific deficiencies and provides a prioritized remediation roadmap.
11. How PTG Helps: AI-Powered HIPAA Security Services
Petronella Technology Group, Inc. has delivered HIPAA security solutions for healthcare organizations, business associates, and health plans since our founding in 2002. Our approach combines AI-enhanced assessment and monitoring tools with 23+ years of hands-on regulatory expertise, producing HIPAA security programs that protect patients and satisfy regulators. Based in Raleigh, North Carolina, we serve healthcare organizations throughout the Research Triangle and nationwide.
What Sets Our HIPAA Security Practice Apart
AI-Powered Risk Assessment
Our risk analysis methodology uses machine learning for automated ePHI asset discovery, threat intelligence correlation, and vulnerability prioritization. We identify risks that manual-only assessments miss, while our human experts validate findings and apply regulatory judgment that AI alone cannot provide.
Cybersecurity-First HIPAA Consultants
We are a cybersecurity company that does HIPAA compliance, not a compliance company that dabbles in security. Our HIPAA security consultants hold technical certifications and implement controls that genuinely protect ePHI — not just controls that check compliance boxes. Zero client breaches since 2002.
Complete Safeguard Implementation
We implement all three safeguard categories: administrative (policies, training, risk management), physical (facility access, device controls, media disposal), and technical (encryption, access controls, monitoring). Many firms focus only on technical controls, leaving organizations exposed on the administrative requirements OCR scrutinizes most heavily.
OCR Audit-Ready Documentation
Every deliverable we produce is designed to withstand OCR review during investigations, audits, and breach reviews. Our risk analysis reports, policy suites, and evidence packages follow NIST SP 800-66 methodology — the framework HHS itself recommends for HIPAA Security Rule implementation.
Multi-Framework Integration
HIPAA Security Rule controls overlap significantly with SOC 2, NIST 800-171, CMMC, and PCI DSS. We build unified security programs that satisfy multiple compliance frameworks simultaneously, reducing duplication and maximizing the return on your security investment.
Continuous Compliance Management
HIPAA compliance is not a point-in-time achievement. Our managed compliance services include ongoing security monitoring, quarterly vulnerability scanning, annual risk analysis updates, policy maintenance, and workforce training — keeping your organization continuously compliant between formal assessments.
Our HIPAA Security Service Portfolio
- HIPAA Security Risk Assessment — AI-enhanced SRA meeting OCR requirements with NIST SP 800-30/800-66 methodology
- Gap Assessment and Remediation — Evaluation against all Security Rule standards with prioritized remediation roadmap
- Security Rule Compliance Implementation — Full administrative, physical, and technical safeguard deployment
- HIPAA Security Policy Suite — Complete policy and procedure documentation covering all applicable standards
- Security Awareness Training — Role-based training with phishing simulation and compliance tracking
- Penetration Testing and Vulnerability Assessment — Technical evaluation of ePHI system security posture
- Cloud Security Architecture — HIPAA-compliant design for AWS, Azure, and GCP deployments
- Incident Response Planning — IR procedures with breach notification guidance aligned to the Breach Notification Rule
- Virtual CISO / Security Officer Services — Outsourced HIPAA Security Officer function with ongoing program management
- Managed Security and Compliance Monitoring — Continuous SIEM monitoring, vulnerability management, and compliance reporting
12. HIPAA Security Frequently Asked Questions
What is a HIPAA security risk assessment and how often is it required?
A HIPAA security risk assessment (SRA) is a comprehensive evaluation of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI in your organization. Required by 45 CFR 164.308(a)(1)(ii)(A), it is the foundational HIPAA Security Rule requirement. The regulation requires the risk assessment to be reviewed and updated "regularly" — OCR interprets this as at least annually and whenever significant changes occur in your environment such as new systems, new business associates, organizational changes, or security incidents. The 2024 proposed rule update would explicitly require annual updates.
What are the penalties for HIPAA Security Rule violations?
HIPAA penalties are tiered based on the level of culpability. Tier 1 (lack of knowledge): $137-$68,928 per violation, max $2,067,813/year. Tier 2 (reasonable cause): $1,379-$68,928 per violation, max $2,067,813/year. Tier 3 (willful neglect, corrected): $13,785-$68,928 per violation, max $2,067,813/year. Tier 4 (willful neglect, not corrected): $68,928 per violation, max $2,067,813/year. Criminal penalties range from $50,000 and one year imprisonment to $250,000 and ten years imprisonment. OCR also uses resolution agreements and corrective action plans that impose multi-year compliance obligations.
Does addressable mean optional in the HIPAA Security Rule?
No. "Addressable" absolutely does not mean optional. When a specification is addressable, the organization must assess whether it is a reasonable and appropriate safeguard given the organization's size, capabilities, and risk environment. If it is reasonable and appropriate, it must be implemented. If not, the organization must document why and implement an equivalent alternative measure. The assessment and documentation process is itself mandatory. OCR has imposed significant penalties on organizations that treated addressable specifications as optional. The 2024 proposed rule would eliminate the addressable distinction entirely, making all specifications required.
Is encryption required by the HIPAA Security Rule?
Under the current Security Rule, encryption is technically classified as addressable for both ePHI at rest (45 CFR 164.312(a)(2)(iv)) and ePHI in transit (45 CFR 164.312(e)(2)(ii)). However, given the current threat landscape, virtually no reasonable assessment can conclude that encryption is not appropriate. OCR has stated that encryption is expected in most circumstances, and unencrypted ePHI on lost or stolen devices is the most common basis for large breach investigations. The 2024 proposed rule would make encryption of ePHI at rest and in transit a required specification. Organizations should implement AES-256 encryption at rest and TLS 1.2+ for data in transit as a baseline.
How does the HIPAA Security Rule apply to cloud environments?
Cloud service providers that create, receive, maintain, or transmit ePHI are business associates subject to the HIPAA Security Rule. A signed Business Associate Agreement is required before any ePHI enters the cloud. HIPAA cloud security follows a shared responsibility model: the CSP secures the infrastructure while the customer secures data, configurations, access controls, and applications. AWS, Azure, and Google Cloud all offer HIPAA BAAs and publish HIPAA implementation guidance. Organizations must ensure encryption, access controls, audit logging, and network isolation are properly configured in the cloud environment. Simply signing a BAA does not make a cloud deployment HIPAA compliant.
What changes are coming in the 2024-2026 HIPAA Security Rule update?
HHS published a Notice of Proposed Rulemaking (NPRM) in late 2024 with significant Security Rule updates expected to be finalized in 2025-2026. Key proposed changes include: eliminating the required/addressable distinction (all specifications become required), mandating encryption of ePHI at rest and in transit, requiring multi-factor authentication, requiring vulnerability scanning every six months and penetration testing annually, mandating network segmentation, requiring 72-hour notification to covered entities by business associates following a breach, and requiring documented technology asset inventories with a network map updated at least annually. These proposals represent the most significant Security Rule changes since the original regulation, and healthcare organizations should begin aligning their security programs now.
How much does HIPAA security compliance cost?
HIPAA security compliance costs vary significantly based on organization size, current security maturity, and ePHI environment complexity. Small practices (1-10 providers) typically invest $8,000-$25,000 for initial risk assessment and remediation, plus $3,000-$8,000 annually for ongoing compliance. Mid-size organizations (50-200 employees) typically invest $25,000-$75,000 initially and $10,000-$30,000 annually. Large healthcare systems invest $100,000-$500,000+ for comprehensive programs. These costs should be evaluated against the average healthcare data breach cost of $10.93 million, OCR penalties reaching $2.13 million per violation category, and the reputational damage of a publicly reported breach. Contact Petronella Technology Group, Inc. for a custom estimate based on your organization's specific needs.
Do small medical practices need to comply with the HIPAA Security Rule?
Yes. There is no size exemption in the HIPAA Security Rule. A solo-provider practice that transmits electronic claims is a covered entity subject to the same regulatory standards as a hospital system. The scale and complexity of required safeguards will differ based on the organization's size, capabilities, and risk environment, but the obligation to conduct a risk assessment, implement reasonable safeguards, and document compliance is identical. In fact, OCR has specifically targeted small practices in enforcement actions to demonstrate that size does not excuse non-compliance. The Security Rule's flexibility provisions are designed to allow small organizations to implement appropriate controls without the same investment required of large enterprises, but they must still implement controls and document their compliance decisions.
Protect Your Patients. Satisfy Your Regulators. Secure Your Business.
The HIPAA Security Rule is not getting simpler — the 2024 proposed updates add significant new requirements. Petronella Technology Group, Inc. has protected healthcare organizations since 2002 with AI-powered HIPAA security solutions that deliver genuine protection and audit-ready documentation. Whether you need your first risk assessment, a compliance gap remediation, or a fully managed HIPAA security program, our team has the expertise to get you there.
23+ years in business • BBB A+ Rating since 2003 • 2,500+ organizations served • Zero client breaches
Related HIPAA & Healthcare Security Resources
Explore our healthcare security ecosystem for deeper dives into specific HIPAA topics and related compliance frameworks.
HIPAA Compliance Services
End-to-end HIPAA compliance covering both the Privacy Rule and Security Rule for healthcare organizations.
Security Rule Compliance
Focused Security Rule implementation services covering administrative, physical, and technical safeguards.
NIST 800-66 HIPAA Guide
HHS-recommended NIST methodology for implementing HIPAA Security Rule safeguards.
Healthcare Cybersecurity
Comprehensive cybersecurity services designed specifically for healthcare organizations and business associates.
Free Assessment
Get Your HIPAA Security Assessment
Find out where your organization is vulnerable — in 30 minutes, no obligation. Our team has protected 2,500+ healthcare organizations since 2002.
Ready to Secure Your ePHI?
Talk to our HIPAA security experts — 2,500+ organizations protected since 2002, zero client breaches. Get a free assessment with no obligation.
A+ BBB Rating • 23+ Years Experience • HIPAA Security Consultants