NIST SP 800-66 mapping
HIPAA Security Rule requirements mapped to SOP Studio controls — with file paths, migrations, and config references auditors can verify.
About this mapping
NIST Special Publication 800-66 Rev 2 (“Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule”) is the widely used reference for mapping the HIPAA Security Rule to technical controls. This page is a good-faith mapping of the HIPAA Security Rule requirements at 45 CFR §164.308 (Administrative Safeguards), §164.310 (Physical Safeguards), and §164.312 (Technical Safeguards) to the SOP Studio controls that implement them, with citations to source files, database migrations, and configuration in the running application.
This is not a NIST endorsement, an audit attestation, or a certification. We publish it so customers can use it as a starting point for their own risk analyses, Security Rule compliance work, and auditor Q&A. Covered entities and business associates remain responsible for completing their own risk assessments per §164.308(a)(1)(ii)(A).
Source: NIST SP 800-66 Rev 2 (PDF). Last reviewed: April 2026.
§164.308 Administrative Safeguards
Administrative Safeguards are largely a shared responsibility — the covered entity owns the policies, SOP Studio provides the infrastructure to enforce and evidence them. Rows below describe what SOP Studio implements.
| Requirement | SOP Studio implementation | Reference |
|---|---|---|
| §164.308(a)(3)(ii)(A) Authorization & Supervision | Role-based access control model with owner, admin, editor, viewer, staff, and reader roles. All SOP authoring, approval, and settings actions check role via a central permissions matrix. | src/lib/permissions.ts; src/lib/api-helpers.ts |
| §164.308(a)(3)(ii)(C) Termination Procedures | Admins can remove org members via team management. Removal revokes data access immediately, without waiting for session expiry, because every query is RLS-scoped to users.organization_id. | src/app/dashboard/team/page.tsx; supabase/migrations/ (users table RLS) |
| §164.308(a)(4) Information Access Management | Per-organization isolation via Postgres Row-Level Security on every customer table. Cross-org reads are rejected by the database itself on every query path, not by application-layer checks that a code bug could bypass. | supabase/migrations/011_db_hardening.sql; supabase/migrations/067_rls_and_extension_hardening.sql |
| §164.308(a)(5)(ii)(C) Log-in Monitoring | Supabase Auth records all login events. SSO-eligible domains are checked at login so federated users are steered to their IdP. Rate limiting on the auth endpoints throttles credential-stuffing attempts. | src/app/api/auth/sso-check/route.ts; src/lib/rate-limit.ts |
| §164.308(a)(7)(ii)(A) Data Backup Plan | Supabase Postgres automated daily backups with point-in-time recovery (PITR) on paid tiers. SOP Studio does not run its own database backup infrastructure. | Subprocessor: Supabase (see Trust page) |
| §164.308(a)(8) Evaluation | Review cadence tooling at the SOP level (review_interval_days, next_review_at) supports periodic technical and non-technical evaluation of documented controls. | src/app/dashboard/audit/page.tsx |
| §164.308(b)(1) Business Associate Contracts | Click-wrap Business Associate Agreement (BAA) flow for covered-entity customers; BAA signature events are recorded in the HIPAA audit log for durable proof. | src/lib/org/context.ts (logHipaaAction) |
§164.310 Physical Safeguards
SOP Studio is a cloud SaaS application. We do not operate physical datacenters. Physical Safeguards are inherited from our infrastructure subprocessors, each of which is covered by a SOC 2 Type II report.
| Requirement | SOP Studio implementation | Reference |
|---|---|---|
| §164.310(a)(1) Facility Access Controls | Provided by subprocessors. Application hosting is on Vercel; managed Postgres, storage, and authentication run on Supabase. Both operate in SOC 2 Type II-audited facilities. | Subprocessors: Vercel, Supabase |
| §164.310(c) Workstation Security | Customer responsibility — SOP Studio runs in the browser; customers control endpoint security, device management, and workstation policy for their workforce. | Customer-owned |
| §164.310(d)(1) Device and Media Controls | Storage media lifecycle (decommissioning, re-use, disposal) is handled by the managed infrastructure providers. SOP Studio does not handle physical media. | Subprocessors: Vercel, Supabase |
§164.312 Technical Safeguards
Technical Safeguards are where SOP Studio does most of its work. Every row below cites a specific file, migration, or configuration you can inspect.
| Requirement | SOP Studio implementation | Reference |
|---|---|---|
| §164.312(a)(1) Access Control | Central permissions matrix keyed by user role is enforced in every API helper; the client consults the same table to hide unavailable actions, but the server-side check is the enforcement point. Middleware gates authenticated vs. public paths. SSO/SAML is wired through Supabase for domain-federated login. | src/lib/permissions.ts; src/lib/api-helpers.ts (isAdmin, getAuthContext); src/middleware.ts |
| §164.312(a)(2)(i) Unique User Identification | Every user has a unique Supabase Auth UUID that flows through the users profile table and is written to actor_id on every audit log entry. | src/lib/supabase/server.ts; src/lib/org/context.ts |
| §164.312(a)(2)(iii) Automatic Logoff | Supabase Auth sessions expire and refresh-token rotation invalidates stale sessions. Middleware re-validates session presence on every protected request; expired sessions are redirected to the login page. | src/middleware.ts; src/lib/supabase/server.ts |
| §164.312(a)(2)(iv) Encryption and Decryption | All traffic is served over TLS 1.2 or higher; the Strict-Transport-Security header (with preload) stops browsers from retrying over plaintext HTTP. Supabase Postgres and Storage encrypt customer data at rest with AES-256 per the platform spec. | next.config.js (Strict-Transport-Security); Subprocessor: Supabase (at rest) |
| §164.312(b) Audit Controls | HIPAA-scoped action log via logHipaaAction captures PHI-adjacent reads, exports, BAA signature events, and org-context changes. Append-only audit_events table provides tamper-evident storage. Admins can export the log as JSON or CSV over an arbitrary date window for SIEM ingestion. | src/lib/org/context.ts (logHipaaAction); supabase/migrations/055_audit_events.sql; src/app/api/organizations/audit-log/export/route.ts |
| §164.312(c)(1) Integrity | Audit events are hash-chained: each row stores prev_hash (the previous row's row_hash) and row_hash, so an in-place edit to any row is detected when the chain is re-walked from the first row, at that row or the one after it. SOP acknowledgment records store content_hash (SHA-256 of the SOP version content at the time of acknowledgment) for tamper-evident attestations. | supabase/migrations/055_audit_events.sql |
| §164.312(d) Person or Entity Authentication | Supabase Auth (email + password, passwordless magic link, or SAML SSO for federated customers). Invite tokens are compared with constant-time equality to prevent timing oracles. | src/app/api/auth/check-invite/route.ts; src/app/api/auth/sso-check/route.ts |
| §164.312(e)(1) Transmission Security | TLS 1.2+ on every edge request; HSTS preload header set. Hardened Content Security Policy restricts script, style, connect, and frame sources. Upstash-backed token bucket rate limiting at the edge rejects abuse with 429 + Retry-After. | next.config.js (CSP, HSTS); src/lib/rate-limit.ts; src/middleware.ts |
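The constant-time invite-token check in the §164.312(d) row is easy to get subtly wrong, so here is an added example of the pattern. It is illustrative code written for this page, not the contents of src/app/api/auth/check-invite/route.ts; the function names, the base64url token format and the decision to persist only a SHA-256 of the token are assumptions. The naive comparison is included only for contrast.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Added example, not SOP Studio's code. Function names and storage layout are assumptions.

// Naive version for contrast: === returns as soon as the first differing byte is found,
// so response time leaks how much of the token the caller guessed correctly.
function naiveEquals(a: string, b: string): boolean {
  return a === b;
}

// Hash both sides to a fixed 32-byte digest and compare the digests. This sidesteps two
// pitfalls: crypto.timingSafeEqual throws when the buffers differ in length (a crash path
// and a length oracle), and the comparison cost no longer depends on the inputs.
function constantTimeEquals(a: string, b: string): boolean {
  const da = createHash("sha256").update(a, "utf8").digest();
  const db = createHash("sha256").update(b, "utf8").digest();
  return timingSafeEqual(da, db);
}

// Demonstrates the pitfall constantTimeEquals avoids: a raw timingSafeEqual on
// unequal-length inputs throws instead of returning false.
function rawTimingSafeEqualThrowsOnLengthMismatch(): boolean {
  try {
    timingSafeEqual(Buffer.from("a"), Buffer.from("abc"));
    return false;
  } catch {
    return true;
  }
}

// Issue: hand the raw token to the invitee once; persist only its SHA-256 so a read of
// the invites table does not yield usable tokens.
function issueInviteToken(): { token: string; token_hash: string } {
  const token = randomBytes(32).toString("base64url");
  const token_hash = createHash("sha256").update(token, "utf8").digest("hex");
  return { token, token_hash };
}

// Verify: hash what was presented and compare against the stored hash in constant time.
// Both sides are 64-character hex strings whatever the presented value looked like.
function verifyInviteToken(presented: string, stored_hash: string): boolean {
  const presentedHash = createHash("sha256").update(presented, "utf8").digest("hex");
  return constantTimeEquals(presentedHash, stored_hash);
}

// Usage with a constructed token (nothing here touches a database).
const issued = issueInviteToken();
console.log("valid token accepted:", verifyInviteToken(issued.token, issued.token_hash));
console.log("wrong token rejected:", verifyInviteToken(issued.token + "x", issued.token_hash));
console.log("naive compare still 'works', just leaks timing:", naiveEquals(issued.token, issued.token));
```

If the route must also reject expired or already-used invites, do those checks after the hash comparison rather than before, so that the early-return branches do not reintroduce a timing difference between "unknown token" and "known but stale token".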
What SOP Studio does not provide
Honest scope statement. The requirements below are not implemented by SOP Studio today — they are either the customer’s responsibility, delivered by a subprocessor, or on a labeled roadmap.
- §164.308(a)(1)(ii)(A) Risk Analysis & §164.308(a)(1)(ii)(B) Risk Management — Covered entities and business associates are responsible for conducting their own risk analyses. SOP Studio supports the operational side (documented procedures, evidence capture) but does not produce the risk analysis itself.
- §164.308(a)(5)(i) Security Awareness and Training — Customer responsibility. SOP Studio can host training SOPs and record workforce acknowledgments as evidence, but is not a training content provider.
- §164.308(a)(6) Security Incident Procedures — Customer-owned. SOP Studio provides the audit log and export tooling to support incident investigations, but does not run your incident response process.
- §164.308(a)(7)(ii)(B) Disaster Recovery Plan & §164.308(a)(7)(ii)(C) Emergency Mode Operation — Continuity of the SOP Studio application is provided by Vercel (edge hosting) and Supabase (managed Postgres with point-in-time recovery on paid tiers). Customer-side BCP/DR is the customer’s responsibility.
- §164.310 Physical Safeguards (all) — Inherited from Vercel and Supabase, both covered by SOC 2 Type II reports. SOP Studio does not operate datacenters.
- Multi-factor authentication enforcement — Supabase Auth supports MFA factors, but organization-wide enforcement of MFA in SOP Studio is on the roadmap and not live today. Customers using SSO can enforce MFA upstream at their IdP.
- §164.312(c)(2) Mechanism to Authenticate ePHI (integrity of stored data) — SOP Studio hash-chains the audit log and hashes acknowledged content, but does not checksum every stored row. Deeper integrity verification is planned.
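The hash chain referred to in the §164.312(c)(1) row and in the scope note above is worth seeing end to end, so here is an added worked example: it builds a small chain with prev_hash and row_hash columns, re-walks it, and shows what each kind of tampering looks like to the verifier. This is illustrative code written for this page, not the schema or triggers in supabase/migrations/055_audit_events.sql; the canonical encoding, the genesis value, the non-hash column names and the sample events are all assumptions.

```typescript
import { createHash } from "node:crypto";

// Added example, not SOP Studio's code. Only prev_hash and row_hash come from the page;
// every other column, the canonical form and the genesis constant are assumptions.
type AuditEvent = {
  id: number;
  actor_id: string;   // Supabase Auth UUID of the acting user
  action: string;     // e.g. "baa.signed", "sop.export"
  payload: string;    // JSON string with action details
  created_at: string; // ISO-8601 timestamp
  prev_hash: string;  // row_hash of the previous row, GENESIS for the first row
  row_hash: string;   // SHA-256 over canonical(row without row_hash)
};

const GENESIS = "0".repeat(64);

const sha256Hex = (s: string): string =>
  createHash("sha256").update(s, "utf8").digest("hex");

// The byte string row_hash commits to. Including prev_hash means each row's hash also
// commits to every row before it, which is what makes the structure a chain.
function canonical(e: Omit<AuditEvent, "row_hash">): string {
  return JSON.stringify([e.id, e.actor_id, e.action, e.payload, e.created_at, e.prev_hash]);
}

function withoutRowHash(e: AuditEvent): Omit<AuditEvent, "row_hash"> {
  const { row_hash: _ignored, ...rest } = e;
  return rest;
}

function appendEvent(
  chain: AuditEvent[],
  entry: Pick<AuditEvent, "actor_id" | "action" | "payload" | "created_at">,
): AuditEvent {
  const prev_hash = chain.length === 0 ? GENESIS : chain[chain.length - 1].row_hash;
  const partial = { id: chain.length + 1, ...entry, prev_hash };
  const row: AuditEvent = { ...partial, row_hash: sha256Hex(canonical(partial)) };
  chain.push(row);
  return row;
}

// Re-walk from genesis. Returns the index of the first row whose link or content hash
// fails, or -1 when the whole chain verifies. This is the check an export consumer or
// a scheduled job would run.
function firstBrokenIndex(chain: AuditEvent[]): number {
  let expectedPrev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const e = chain[i];
    if (e.prev_hash !== expectedPrev) return i;
    if (sha256Hex(canonical(withoutRowHash(e))) !== e.row_hash) return i;
    expectedPrev = e.row_hash;
  }
  return -1;
}

// content_hash as described for acknowledgment records: SHA-256 of the SOP version
// text at the moment the workforce member acknowledged it.
function contentHash(sopVersionContent: string): string {
  return sha256Hex(sopVersionContent);
}

// Constructed sample events (not real audit data).
function buildSampleChain(): AuditEvent[] {
  const chain: AuditEvent[] = [];
  const actor = "2f1c9d3e-0000-4000-8000-000000000001";
  appendEvent(chain, { actor_id: actor, action: "baa.signed", payload: "{}", created_at: "2026-04-01T09:00:00Z" });
  appendEvent(chain, { actor_id: actor, action: "sop.export", payload: '{"sop_id":42}', created_at: "2026-04-01T09:05:00Z" });
  appendEvent(chain, { actor_id: actor, action: "org.context_changed", payload: '{"to":"org_b"}', created_at: "2026-04-01T09:10:00Z" });
  return chain;
}

// Tampering 1: edit a row's payload in place. Its own row_hash no longer matches.
function tamperPayloadOnly(): number {
  const chain = buildSampleChain();
  chain[1].payload = '{"sop_id":43}';
  return firstBrokenIndex(chain); // 1
}

// Tampering 2: edit the payload and recompute that row's row_hash too. The edit is still
// caught one row later, because the next row's prev_hash commits to the old value.
function tamperAndRehash(): number {
  const chain = buildSampleChain();
  chain[1].payload = '{"sop_id":43}';
  chain[1].row_hash = sha256Hex(canonical(withoutRowHash(chain[1])));
  return firstBrokenIndex(chain); // 2
}

console.log("intact chain:", firstBrokenIndex(buildSampleChain()));   // -1
console.log("payload edited:", tamperPayloadOnly());                   // 1
console.log("payload edited and rehashed:", tamperAndRehash());        // 2
```

The second scenario shows the limit of the mechanism: an attacker with write access to the whole table can rewrite every row from the edit forward, and the re-walk will then pass. Detecting that requires anchoring a recent row_hash somewhere the table writer cannot reach (an exported log copy, a SIEM record, or a value written to a separate system), and comparing against it when verifying. The append-only constraint on audit_events narrows who can reach that position in the first place.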