ARCS / HIPAA Security Rule Crosswalk

This crosswalk is informative and is not part of the normative ARCS control text. It identifies bounded points at which ARCS relates to the HIPAA Security Rule within the narrower domain of interaction-record governance. No claim of equivalence, substitution, or regulatory compliance sufficiency is made. ARCS is not a substitute for HIPAA compliance analysis.

Overview

The HIPAA Security Rule (45 CFR Part 164, Subpart C) establishes national standards to protect electronic protected health information (ePHI), requiring administrative, physical, and technical safeguards.

ARCS is a separate lifecycle-governance standard for the records AI systems create. Where AI systems process or generate records containing ePHI, the Security Rule and ARCS address related but distinct governance questions.

Interpretive status

This instrument is an informative crosswalk. It does not restate HIPAA requirements, does not modify ARCS control text, and does not establish a claim of regulatory compliance.

Framework scope

This crosswalk addresses only the HIPAA Security Rule. It does not map the Privacy Rule, Breach Notification Rule, or Enforcement Rule. It focuses on safeguard areas where AI systems create interaction records that contain, reference, or derive from ePHI.

ARCS relevance

The Security Rule addresses how ePHI is protected. ARCS addresses what happens to the records AI systems create in those protected environments: custody assignment, retention classification, deletion posture, preservation status, and verification of lifecycle claims.

Selected mappings

Table A maps selected HIPAA Security Rule safeguard themes to ARCS control families. The mapping is directional and explanatory. It is intended to aid governance interpretation, not to claim regulatory compliance or safeguard equivalence.

Table A. Selected HIPAA Security Rule safeguards mapped to ARCS control families

| Security Rule safeguard | CFR reference | ARCS families | Crosswalk note |
|---|---|---|---|
| Access controls (Technical) | § 164.312(a) | ARCS-CUS, ARCS-OPB, ARCS-PUB | The Security Rule requires technical access controls for systems containing ePHI. ARCS governs how access boundaries map across record custody surfaces, operator boundaries, and publish-boundary events for interaction records that may contain or reference protected health information. |
| Audit controls (Technical) | § 164.312(b) | ARCS-LIF, ARCS-VER, ARCS-TAX | The Security Rule requires audit controls for systems containing ePHI. ARCS governs the lifecycle, classification, and verification of audit artifacts as governed record classes, including retention tier, deletion posture, and whether audit trail claims are verifiable. |
| Integrity controls (Technical) | § 164.312(c) | ARCS-VER, ARCS-LIF | The Security Rule requires mechanisms to protect ePHI from improper alteration or destruction. ARCS governs verification of lifecycle state claims and deletion integrity for interaction records containing protected health information. |
| Transmission security (Technical) | § 164.312(e) | ARCS-PUB, ARCS-CUS, ARCS-OPB | The Security Rule requires transmission security for ePHI sent over electronic networks. ARCS governs publish-boundary controls and custody chain documentation when interaction records cross organizational or vendor boundaries. |
| Information system activity review (Administrative) | § 164.308(a)(1)(ii)(D) | ARCS-VER, ARCS-LIF, ARCS-TAX | The Security Rule requires regular review of information system activity records. ARCS governs the classification, retention, and verifiability of system activity records generated by AI systems processing or referencing ePHI. |
| Security incident procedures (Administrative) | § 164.308(a)(6) | ARCS-PV, ARCS-CUS, ARCS-VER | The Security Rule requires procedures for identifying, responding to, and mitigating security incidents. ARCS governs preservation of incident-related records, custody documentation for evidentiary purposes, and verification of record state during and after incident response. |
| Contingency plan (Administrative) | § 164.308(a)(7) | ARCS-PV, ARCS-CUS, ARCS-LIF | The Security Rule requires contingency plans including data backup, disaster recovery, and emergency mode operation. ARCS governs preservation, custody, and lifecycle treatment of interaction records during contingency events, including hold communication across distributed surfaces. |
| Business associate contracts (Administrative) | § 164.308(b) | ARCS-CUS, ARCS-OPB, ARCS-VER | The Security Rule requires contracts ensuring business associates safeguard ePHI. ARCS governs custody chain mapping, operator-boundary documentation, and governance declaration verification across business associate relationships where AI interaction records are involved. |
| Device and media controls (Physical) | § 164.310(d) | ARCS-LIF, ARCS-CUS, ARCS-NCR | The Security Rule requires policies for receipt, removal, and disposal of hardware and electronic media containing ePHI. ARCS governs the lifecycle of interaction records on those media, including deletion verifiability, non-creation claims, and custody assignment. |
| Documentation and retention (Administrative) | § 164.316 | ARCS-LIF, ARCS-TAX, ARCS-VER | The Security Rule requires that policies, procedures, and actions be documented and retained for six years. ARCS governs the lifecycle classification, custody, and verification of documentation artifacts generated by AI systems operating in HIPAA-covered environments. |

Outside scope

ARCS governs several record-lifecycle domains that fall outside the HIPAA Security Rule's stated scope:

Non-creation claim verification

ARCS-NCR (NCR-01 to NCR-06)

The HIPAA Security Rule does not address claims that interaction records are neither created nor retained. ARCS requires architectural verification of non-creation claims for AI systems operating in covered environments.

Agent tool-use and downstream record surfaces

ARCS-AGT (AGT-01 to AGT-13)

The Security Rule does not separately govern the record-lifecycle consequences of AI agent tool use in healthcare settings. ARCS requires runtime component enumeration and addresses authorization-gap custody.

Delegation and memory persistence

ARCS-DEL (DEL-01 to DEL-12)

The Security Rule does not govern cross-session memory persistence or delegation-chain record creation. ARCS classifies persistent memory artifacts as governed record classes subject to lifecycle and preservation rules.

Publish-boundary governance for AI outputs

ARCS-PUB (PUB-01 to PUB-06)

The Security Rule addresses transmission security but does not govern the full lifecycle of records that cross publication, export, or disclosure boundaries. ARCS governs post-export lifecycle consequences and derivative retention exposure.