Compliance Alignment Guide

TAC and HIPAA

How TAC maps to HIPAA Technical Safeguards for protecting electronic Protected Health Information.

Note: This guide describes how TAC’s technical capabilities align to HIPAA Technical Safeguard requirements under 45 CFR Part 164. HIPAA compliance requires a complete programme including administrative and physical safeguards. PortSys recommends working with qualified healthcare compliance advisors.

HIPAA Technical Safeguards

45 CFR § 164.312

TAC directly addresses all five Technical Safeguard standards in § 164.312: access control, audit controls, integrity, person or entity authentication, and transmission security.

Access Control Standard

Access Control (§ 164.312(a)(1))

Unique user identification: TAC identity federation connects to all major directory sources. Every user is uniquely identified and authenticated before any access to ePHI systems.
Emergency access procedure: Policy-based emergency access rules can be configured to allow break-glass access, with every such access fully audit logged.
Automatic logoff: Session timeout policies are enforced at the proxy layer; idle sessions are terminated once a configurable idle threshold is exceeded, so a session left open at an unattended workstation is closed regardless of whether the application itself supports a timeout.
Service accounts and AI agents: Non-human identities (service accounts, API clients, and AI agents accessing ePHI) are governed by the same identity, policy, and audit framework as human users. There is no separate identity silo for programmatic access.
Encryption and decryption: All traffic to ePHI applications is encrypted via TLS 1.2 or TLS 1.3 using FIPS 140-2 compliant cryptographic modules; no unencrypted access path exists. This covers ePHI passing through TAC. Encryption of ePHI stored within the application or its database is a control of that system and should be assessed separately.
Audit Logging

Audit Controls (§ 164.312(b))

Record and examine activity: Complete audit trail of every access to every ePHI application, recording user identity, device, location, time, and policy decision, for both human users and AI agents.
Forensic-grade logging: Every access event is logged with full attribution. Native real-time monitoring and alerting on access events, with optional SIEM export via syslog or API for downstream correlation and forensic analysis.
Data Integrity

Integrity (§ 164.312(c)(1))

Protect ePHI from improper alteration or destruction: The reverse proxy architecture ensures that only authenticated, policy-compliant users and agents can reach ePHI applications; unauthorised connections are blocked at the proxy layer before they reach the application. This complements, rather than replaces, integrity mechanisms within the ePHI application itself.
Electronic mechanisms to authenticate ePHI: Per-request policy evaluation with continuous session validation ensures that every transaction originates from a verified, authorised identity, so any change to ePHI is attributable to a specific authenticated principal.
Identity Verification

Person or Entity Authentication (§ 164.312(d))

Verify identity before granting access: MFA is enforced on all access to ePHI systems, including legacy EHR and clinical applications that cannot natively support modern authentication.
Seven or more MFA methods supported: Built-in MFA includes FIDO2 / WebAuthn, SafeLogin (proprietary), TOTP, push notifications, SMS, OTP, and hardware tokens. Third-party MFA integration is available with virtually any provider, including Duo, RSA, Swivel, and biometric solutions. All MFA methods are included in the base licence; no add-on purchase is required. Note that SMS and other one-time codes can be phished or relayed; FIDO2 / WebAuthn is the phishing-resistant option and should be preferred wherever the clinician's device supports it.
Encryption in Transit

Transmission Security (§ 164.312(e)(1))

Implement technical security measures for transmission: All traffic flows through a single port encrypted via TLS 1.2 or TLS 1.3 using FIPS 140-2 compliant cryptographic modules. No unencrypted transmission path to ePHI applications exists.
Encryption of ePHI in transit: Traffic is encrypted on every hop: TLS between the user's device and TAC, and a separate TLS session between TAC and the ePHI application. As with any reverse proxy that evaluates policy on each request, TLS is terminated at TAC and re-established to the back end, so no clear-text ePHI traverses any network segment. All cryptography uses FIPS 140-2 compliant modules.
Why TAC for Healthcare

Unique Advantages

Three capabilities that make TAC especially effective in healthcare environments.

Legacy EHR Security

Most healthcare organisations rely on legacy EHR systems that cannot support SAML, OIDC, or FIDO2. TAC injects MFA, device posture, and continuous validation via reverse proxy — without changing the application or its code.

Single-Tenant Isolation

Every TAC deployment is a dedicated, isolated Secure Virtual Appliance. Patient data from your organisation never co-mingles with another healthcare organisation’s environment.

Continuous Validation

Unlike point-in-time authentication, TAC evaluates device posture on every request. A clinician’s device that falls out of compliance mid-session loses access immediately — protecting ePHI at all times.
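The following is an added illustrative model of the per-request evaluation described above, together with the automatic logoff and audit trail described under Access Control and Audit Controls. It is not TAC's code: the names (PolicyEngine, Session, DevicePosture, run_scenario), the posture attributes, and the clinician session data are all constructed for this example. It shows why a decision made once at login is not enough: the same session is allowed, then denied the moment its device posture drifts, then allowed again once posture is restored, and finally logged off for idleness, with one attributable audit record written per request.

```python
"""Per-request policy evaluation at an identity-aware reverse proxy.

Added illustrative model, not TAC's code: it shows the behaviour this
page describes (idle-session logoff at the proxy, device posture
re-checked on every request, one audit record per access decision).
All names (PolicyEngine, Session, DevicePosture, run_scenario) and the
sample session data are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class DevicePosture:
    """Constructed posture attributes; a real agent reports many more."""
    disk_encrypted: bool
    edr_running: bool
    os_patched: bool

    def compliant(self) -> bool:
        return self.disk_encrypted and self.edr_running and self.os_patched


@dataclass
class Session:
    user: str
    device_id: str
    mfa_verified: bool
    last_activity: datetime
    entitlements: Set[str] = field(default_factory=set)  # apps this user may reach


@dataclass
class Decision:
    allowed: bool
    reason: str


class PolicyEngine:
    """Holds proxy sessions and decides each request on current state."""

    def __init__(self, idle_timeout: timedelta):
        self.idle_timeout = idle_timeout
        self.sessions: Dict[str, Session] = {}
        self.audit_log: List[dict] = []

    def login(self, session_id: str, user: str, device_id: str,
              mfa_verified: bool, entitlements: Set[str], now: datetime) -> None:
        self.sessions[session_id] = Session(user, device_id, mfa_verified, now, set(entitlements))

    def authorize(self, session_id: str, app: str,
                  posture: Optional[DevicePosture], now: datetime) -> Decision:
        """Re-evaluate policy on every request; the login decision is never reused."""
        session = self.sessions.get(session_id)
        actor = session.user if session else "unknown"
        device = session.device_id if session else "unknown"
        if session is None:
            decision = Decision(False, "no session")
        elif now - session.last_activity > self.idle_timeout:
            del self.sessions[session_id]            # automatic logoff at the proxy
            decision = Decision(False, "idle timeout")
        elif not session.mfa_verified:
            decision = Decision(False, "mfa required")
        elif posture is None or not posture.compliant():
            decision = Decision(False, "device not compliant")  # mid-session loss of access
        elif app not in session.entitlements:
            decision = Decision(False, "not entitled to app")
        else:
            session.last_activity = now
            decision = Decision(True, "allow")
        # One attributable record per request, suitable for syslog/SIEM export.
        self.audit_log.append({
            "time": now.isoformat(), "user": actor, "device": device,
            "app": app, "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision


def run_scenario() -> List[str]:
    """Clinician session whose device drifts out of compliance mid-session."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    engine = PolicyEngine(idle_timeout=timedelta(minutes=15))
    engine.login("s1", "dr.jones", "laptop-42", True, {"ehr"}, t0)
    good = DevicePosture(True, True, True)
    edr_stopped = DevicePosture(True, False, True)   # EDR agent killed mid-session
    return [
        engine.authorize("s1", "ehr", good, t0 + timedelta(minutes=1)).reason,
        engine.authorize("s1", "ehr", edr_stopped, t0 + timedelta(minutes=2)).reason,
        engine.authorize("s1", "ehr", good, t0 + timedelta(minutes=3)).reason,
        engine.authorize("s1", "billing", good, t0 + timedelta(minutes=4)).reason,
        engine.authorize("s1", "ehr", good, t0 + timedelta(minutes=30)).reason,
        engine.authorize("s1", "ehr", good, t0 + timedelta(minutes=31)).reason,
    ]


if __name__ == "__main__":
    for reason in run_scenario():
        print(reason)
```

The idle clock only advances on allowed requests, so a stream of denied requests from a non-compliant device does not keep the session alive; a real deployment would also enforce an absolute session lifetime and require re-authentication rather than silently resuming after posture is restored, neither of which this page specifies.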

Questions About HIPAA Compliance?

Our team includes healthcare compliance specialists who can walk through your specific environment and ePHI system inventory.
