
HIPAA Security Risk Assessment

Organization: Nquiry (operated by JE Vectors LLC)
Assessment Date: 2026-02-04
Assessment Version: 1.0
Next Review Date: 2027-02-04


1. Executive Summary

This document provides a comprehensive HIPAA Security Risk Assessment for the Nquiry application platform. The assessment evaluates administrative, physical, and technical safeguards required under the HIPAA Security Rule (45 CFR Part 164).

Overall Risk Level: MODERATE
Compliance Status: In Progress (targeting Q2 2026 launch)

Key Findings

| Category | Finding | Risk | Status |
|---|---|---|---|
| Technical Safeguards | Strong encryption, access controls | LOW | Implemented |
| Administrative Safeguards | Policies need formalization | MEDIUM | In Progress |
| Physical Safeguards | AWS manages physical security | LOW | Compliant via BAA |
| Audit Controls | Comprehensive logging implemented | LOW | Implemented |
| PHI Detection | Bedrock Guardrails configured | LOW | Implemented |

2. Scope

2.1 Systems in Scope

| System | Description | PHI Exposure |
|---|---|---|
| Nquiry Web Application | Next.js application on AWS Amplify | Potential - user-uploaded evidence |
| Amazon RDS PostgreSQL | Primary database | Potential - investigation data |
| Amazon S3 | Evidence file storage | Potential - uploaded documents |
| Amazon Cognito | Authentication service | Minimal - user credentials |
| AWS Bedrock | AI analysis engine | Potential - processes investigation text |

2.2 Data Types

| Data Category | HIPAA Classification | Storage Location |
|---|---|---|
| User accounts | Not PHI | RDS, Cognito |
| Investigation metadata | Potentially PHI | RDS |
| Evidence documents | Potentially PHI | S3 |
| AI analysis output | Potentially PHI | RDS |
| Audit logs | Potentially PHI | RDS |

2.3 Exclusions

  • Marketing website (nquiry.ai landing page)
  • Development/test environments with synthetic data
  • Internal documentation systems

3. Risk Assessment Methodology

3.1 Risk Calculation

Risk Score = Likelihood × Impact, with each factor rated 1-3 as follows and the product mapped to a risk level.

| Likelihood | Description |
|---|---|
| High (3) | Expected to occur multiple times per year |
| Medium (2) | May occur once per year |
| Low (1) | Unlikely to occur |

| Impact | Description |
|---|---|
| High (3) | Breach affecting >500 individuals, regulatory action |
| Medium (2) | Breach affecting <500 individuals, reputational damage |
| Low (1) | Minimal impact, quickly contained |

| Risk Score | Risk Level |
|---|---|
| 7-9 | HIGH |
| 4-6 | MEDIUM |
| 1-3 | LOW |
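The scoring in 3.1 is simple enough to encode directly, which makes it easy to keep a risk register consistent with the stated methodology as rows are added. The example below is added here and is not part of the assessment or of Nquiry's tooling; the register rows it checks are constructed samples. It recomputes each row's level from its likelihood and impact, and flags two cases a reviewer should resolve explicitly rather than leave implicit: a recorded level that differs from the computed band, and a rating such as "N/A" that the methodology does not define and therefore cannot be scored.

```python
"""Risk scoring per Section 3.1: score = likelihood x impact, banded to LOW/MEDIUM/HIGH.
Added example, not part of the assessment; the sample register rows are constructed."""

LIKELIHOOD = {"High": 3, "Medium": 2, "Low": 1}
IMPACT = {"High": 3, "Medium": 2, "Low": 1}

# Score bands exactly as the assessment states them (inclusive ranges)
BANDS = [(7, 9, "HIGH"), (4, 6, "MEDIUM"), (1, 3, "LOW")]


def risk_score(likelihood: str, impact: str) -> int:
    """Return likelihood x impact. A rating the methodology does not define
    (for example 'N/A') raises, so an unscorable row is surfaced, not silently scored."""
    try:
        return LIKELIHOOD[likelihood] * IMPACT[impact]
    except KeyError as exc:
        raise ValueError(f"rating not defined by the methodology: {exc.args[0]!r}") from exc


def risk_level(score: int) -> str:
    """Map a 1-9 score to the band from the Risk Score table."""
    for low, high, level in BANDS:
        if low <= score <= high:
            return level
    raise ValueError(f"score {score} is outside 1-9")


def check_register(rows: list[dict]) -> list[tuple[str, str, str]]:
    """Recompute every row's level and return (id, kind, detail) findings for rows
    whose recorded level disagrees with the methodology or cannot be scored."""
    findings = []
    for row in rows:
        try:
            expected = risk_level(risk_score(row["likelihood"], row["impact"]))
        except ValueError as exc:
            findings.append((row["id"], "unscorable", str(exc)))
            continue
        if expected != row["level"]:
            findings.append((row["id"], "mismatch", f"recorded {row['level']}, computed {expected}"))
    return findings


# Constructed sample rows (not the assessment's own register)
SAMPLE_ROWS = [
    {"id": "X-001", "likelihood": "Medium", "impact": "Medium", "level": "MEDIUM"},
    {"id": "X-002", "likelihood": "Low", "impact": "High", "level": "MEDIUM"},  # recorded above computed band
    {"id": "X-003", "likelihood": "N/A", "impact": "High", "level": "HIGH"},    # rating not in the methodology
]

if __name__ == "__main__":
    for finding in check_register(SAMPLE_ROWS):
        print(*finding)
```

Rows like X-002 are not necessarily wrong: a team may deliberately record a level above the computed band. The point of the check is that such overrides are recorded as conscious decisions (with a justification in the register) rather than appearing as arithmetic slips at the next annual review.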

4. Administrative Safeguards (§164.308)

4.1 Security Management Process

| Requirement | Implementation | Risk | Mitigation |
|---|---|---|---|
| Risk analysis | This document | LOW | Annual review scheduled |
| Risk management | Security remediation plan | LOW | Continuous monitoring |
| Sanction policy | Employee handbook (draft) | MEDIUM | Formalize policy |
| Information system activity review | Audit logging + CloudWatch | LOW | Implemented |

4.2 Assigned Security Responsibility

| Requirement | Implementation | Risk |
|---|---|---|
| Security official designation | [To be assigned] | MEDIUM |

Action Required: Formally designate a HIPAA Security Officer before production launch.

4.3 Workforce Security

| Requirement | Implementation | Risk |
|---|---|---|
| Authorization procedures | Role-based access (owner/admin/member/viewer) | LOW |
| Workforce clearance | Background checks for employees | LOW |
| Termination procedures | AWS IAM access revocation process | LOW |

4.4 Information Access Management

| Requirement | Implementation | Risk |
|---|---|---|
| Access authorization | Organization-based permissions | LOW |
| Access establishment/modification | Self-service with admin approval | LOW |

4.5 Security Awareness and Training

| Requirement | Implementation | Risk | Mitigation |
|---|---|---|---|
| Security reminders | Planned quarterly emails | MEDIUM | Implement before launch |
| Protection from malware | AWS Shield, WAF | LOW | Implemented |
| Log-in monitoring | Failed attempt tracking | LOW | Implemented |
| Password management | NIST-compliant policy | LOW | Implemented |

4.6 Security Incident Procedures

| Requirement | Implementation | Risk |
|---|---|---|
| Response and reporting | Incident response plan drafted | LOW |

4.7 Contingency Plan

| Requirement | Implementation | Risk |
|---|---|---|
| Data backup | RDS automated backups (7-day retention) | LOW |
| Disaster recovery | Multi-AZ deployment planned | LOW |
| Emergency mode operation | AWS region failover capability | LOW |
| Testing and revision | Annual DR test planned | MEDIUM |
| Applications and data criticality | Documented in this assessment | LOW |

4.8 Evaluation

| Requirement | Implementation | Risk |
|---|---|---|
| Periodic evaluation | Annual security assessment | LOW |

4.9 Business Associate Contracts

| Requirement | Implementation | Risk | Mitigation |
|---|---|---|---|
| Written contract/agreement | AWS BAA | MEDIUM | Sign before production |

Action Required: Execute AWS Business Associate Agreement before processing any PHI.


5. Physical Safeguards (§164.310)

All physical infrastructure is managed by AWS under their BAA. AWS maintains:

| Requirement | AWS Implementation |
|---|---|
| Facility access controls | Biometric access, 24/7 security |
| Workstation use | N/A - cloud infrastructure |
| Workstation security | N/A - cloud infrastructure |
| Device and media controls | Secure media destruction |

Risk Level: LOW (inherited from AWS)


6. Technical Safeguards (§164.312)

6.1 Access Control

| Requirement | Implementation | Risk |
|---|---|---|
| Unique user identification | Cognito user IDs | LOW |
| Emergency access procedure | Admin override capability | LOW |
| Automatic logoff | 24-hour session timeout | LOW |
| Encryption and decryption | AES-256 at rest, TLS 1.3 in transit | LOW |

6.2 Audit Controls

| Requirement | Implementation | Risk |
|---|---|---|
| Audit logging | Comprehensive audit trail (lib/audit) | LOW |
| Log retention | 7 years (configurable) | LOW |
| Log integrity | Append-only, timestamped | LOW |

6.3 Integrity

| Requirement | Implementation | Risk |
|---|---|---|
| Mechanism to authenticate ePHI | Database constraints, validation | LOW |

6.4 Person or Entity Authentication

| Requirement | Implementation | Risk |
|---|---|---|
| MFA | WebAuthn + TOTP (FedRAMP compliant) | LOW |

6.5 Transmission Security

| Requirement | Implementation | Risk |
|---|---|---|
| Integrity controls | TLS 1.3, HTTPS only | LOW |
| Encryption | TLS 1.3 for all connections | LOW |

7. PHI-Specific Safeguards

7.1 Bedrock Guardrails

AWS Bedrock Guardrails are configured to detect and block PHI/PII in AI interactions:

| PHI Type | Detection | Action |
|---|---|---|
| Names | Regex + ML | Block |
| SSN | Pattern matching | Block |
| Medical record numbers | Custom regex | Block |
| Health plan IDs | Custom regex | Block |
| Dates (DOB) | Pattern matching | Block |
| Contact information | ML detection | Block |
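The table above maps to a Bedrock guardrail's sensitive-information policy: managed PII entity types for names, SSNs and contact details, and custom regexes for the identifiers Bedrock has no built-in type for. The example below is added here and is not Nquiry's own guardrail configuration. It builds the `create_guardrail` request for boto3's `bedrock` client, and runs the same custom patterns locally as a pre-screen so that a misconfigured or unavailable guardrail does not silently let PHI through. The guardrail name, the regex patterns for medical record numbers, health plan IDs and dates of birth, and the sample prompt are all assumed or constructed for illustration; real patterns depend on the issuing systems and need tuning before deployment.

```python
"""Bedrock guardrail sensitive-information policy mirroring Section 7.1.
Added example, not Nquiry's configuration. Regex patterns are placeholders."""
import re

# Managed Bedrock PII entity types, blocked on detection (names, SSN, contact information)
MANAGED_PII = ["NAME", "US_SOCIAL_SECURITY_NUMBER", "EMAIL", "PHONE", "ADDRESS"]

# Custom regexes for identifiers without a managed type (placeholder patterns, assumed)
CUSTOM_REGEXES = {
    "medical_record_number": r"\bMRN[-:\s]?\d{6,10}\b",
    "health_plan_id": r"\b[A-Z]{3}\d{9}\b",
    "date_of_birth": r"\b(?:DOB|Date of Birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b",
}


def build_guardrail_request(name: str) -> dict:
    """Return the keyword arguments for boto3 bedrock.create_guardrail()."""
    return {
        "name": name,
        "description": "Block PHI/PII in AI prompts and responses",
        "sensitiveInformationPolicyConfig": {
            "piiEntitiesConfig": [{"type": t, "action": "BLOCK"} for t in MANAGED_PII],
            "regexesConfig": [
                {"name": key, "description": f"Custom PHI pattern: {key}",
                 "pattern": pattern, "action": "BLOCK"}
                for key, pattern in CUSTOM_REGEXES.items()
            ],
        },
        "blockedInputMessaging": "Input blocked: it appears to contain protected health information.",
        "blockedOutputsMessaging": "Response blocked: it appears to contain protected health information.",
    }


def prescreen(text: str) -> list[str]:
    """Apply the custom patterns locally before a prompt leaves the application.
    Returns the names of the patterns that matched, never the matched text, so the
    result itself can be written to the audit log without copying PHI into it."""
    return [key for key, pattern in CUSTOM_REGEXES.items()
            if re.search(pattern, text, re.IGNORECASE)]


def create_guardrail(name: str, region: str = "us-east-1") -> str:
    """Create the guardrail and return its ID (needs AWS credentials; not run offline)."""
    import boto3  # imported here so the rest of the module runs without boto3 installed
    client = boto3.client("bedrock", region_name=region)
    return client.create_guardrail(**build_guardrail_request(name))["guardrailId"]


if __name__ == "__main__":
    # Constructed sample prompt; no real patient data
    sample = "Summarise the complaint filed by patient MRN-00123456, DOB: 03/14/1980."
    print(prescreen(sample))  # -> ['medical_record_number', 'date_of_birth']
```

The local pre-screen is defence in depth, not a replacement for the guardrail: the managed ML detectors for names and contact details only run on the Bedrock side, so a prompt that passes `prescreen()` is still subject to the guardrail's own checks, and a pre-screen hit should be logged (by pattern name) as a security event.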

7.2 Data Minimization

  • Users control what data they upload
  • AI analysis processes only selected evidence
  • No PHI required for core application functions

8. Risk Register

| ID | Risk Description | Likelihood | Impact | Risk Level | Mitigation | Owner | Status |
|---|---|---|---|---|---|---|---|
| R-001 | Unauthorized access to PHI | Low | High | MEDIUM | MFA, RLS, audit logging | Security | Mitigated |
| R-002 | PHI in AI prompts | Medium | Medium | MEDIUM | Bedrock Guardrails | Dev | Mitigated |
| R-003 | Data breach via SQL injection | Low | High | MEDIUM | Parameterized queries, RLS | Dev | Mitigated |
| R-004 | Insider threat | Low | High | MEDIUM | Role-based access, audit logs | Security | Mitigated |
| R-005 | AWS service disruption | Low | Medium | LOW | Multi-AZ, backups | Ops | Mitigated |
| R-006 | Unpatched vulnerabilities | Medium | Medium | MEDIUM | Automated scanning, updates | Dev | Ongoing |
| R-007 | Inadequate logging | Low | Medium | LOW | Comprehensive audit system | Dev | Mitigated |
| R-008 | BAA not executed | N/A | High | HIGH | Execute AWS BAA | Legal | Open |

9. Action Items

Pre-Launch (Required)

| Item | Owner | Due Date | Status |
|---|---|---|---|
| Sign AWS BAA | Joe | Before production | Open |
| Verify Bedrock HIPAA eligibility | Joe | Before production | Open |
| Designate Security Officer | Joe | Before production | Open |
| Formalize security policies | Claude/Joe | Before production | In Progress |
| Complete security training | Joe | Before production | Open |

Post-Launch (Recommended)

| Item | Owner | Due Date | Status |
|---|---|---|---|
| Annual risk assessment review | Security Officer | 2027-02-04 | Scheduled |
| Penetration test | External vendor | Q2 2026 | Planned |
| DR test | Ops | Q3 2026 | Planned |

10. Approval

| Role | Name | Date | Signature |
|---|---|---|---|
| Security Officer | ________ | ________ | ________ |
| CEO/Owner | ________ | ________ | ________ |

Appendix A: References

  • HIPAA Security Rule: 45 CFR Part 164
  • NIST SP 800-66: Implementing the HIPAA Security Rule
  • AWS HIPAA Compliance: https://aws.amazon.com/compliance/hipaa-compliance/
  • Nquiry Security Remediation Plan: docs/admin/security/remediation-plan.md
  • Nquiry Asset Inventory: docs/admin/security/asset-inventory.md

Document History

| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-02-04 | Claude (AI) | Initial assessment |