Audit the technical safeguards that protect electronic Protected Health Information on your Cisco Meraki infrastructure. Access controls, encryption, logging, and transmission security — mapped to 45 CFR Part 164.
Start Free Today
The HIPAA Security Rule (45 CFR Part 164, Subpart C) establishes national standards for protecting electronic Protected Health Information (ePHI). It applies to every covered entity and business associate that creates, receives, maintains, or transmits ePHI — including hospitals, clinics, insurers, and their IT service providers.
The Security Rule is organised into three categories of safeguards: administrative (policies and procedures), physical (facility and device access), and technical (system and network controls). MerakiGuard focuses on the technical safeguards that can be validated through your Meraki network configuration.
The 2026 proposed rule changes are eliminating the distinction between "required" and "addressable" implementation specifications — making all 73 specifications mandatory. Organisations that previously deferred addressable controls now need to implement them.
Each scan maps your live Meraki configuration to HIPAA Security Rule technical safeguards. Checks run against ePHI-scoped networks — you choose which networks handle patient data.
Validates default-deny firewall posture, restricted traffic rules, and VLAN segmentation to isolate ePHI systems from general network traffic. Maps to 164.312(a)(1).
Checks for unique admin accounts (no shared credentials), MFA enforcement, least-privilege role assignments, and idle session timeouts. Maps to 164.312(a)(2) and 164.312(d).
Verifies syslog servers are configured for centralised security event logging. HIPAA requires recording and examining activity in systems containing ePHI, with 6-year retention. Maps to 164.312(b).
Checks that Advanced Malware Protection (AMP) and Intrusion Detection/Prevention (IDS/IPS) are enabled on boundary devices to protect ePHI from improper alteration. Maps to 164.312(c)(1).
Validates WPA2/WPA3 encryption on all wireless networks, detects open SSIDs, and checks site-to-site VPN configuration for encrypted ePHI transmission between locations. Maps to 164.312(e)(1).
Checks VLAN configuration to ensure clinical, guest, and administrative traffic are isolated. Proper segmentation prevents lateral movement and limits the blast radius of a breach. Maps to 164.312(a)(1).
Validates firmware currency across all devices, content filtering on boundary appliances, and scan frequency for quarterly periodic evaluation. Maps to 164.308.
Checks for Meraki MV camera presence in areas containing ePHI systems. Physical security monitoring is part of the facility access controls required under 164.310(a).
If your Meraki network touches patient data in any way, HIPAA applies. Non-compliance is not a theoretical risk — it comes with real enforcement and real penalties.
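The technical-safeguard checks described above (default-deny firewall, admin MFA, syslog, AMP and IDS/IPS, wireless encryption), as an added offline example that is not MerakiGuard's code: each check emits a finding tagged with the 45 CFR 164.312 paragraph it maps to. The snapshot data is constructed, and the field names (`authMode`, `wpaEncryptionMode`, `twoFactorAuthEnabled`, `mode`, the trailing L3 "Default rule") are an assumption about the shape of Meraki Dashboard API responses.

```python
# Added example: offline HIPAA 164.312 checks over a constructed Meraki config snapshot.

SNAPSHOT = {  # constructed sample data for one ePHI-scoped network (field names assumed)
    "ssids": [
        {"name": "Clinical", "enabled": True, "authMode": "8021x-radius",
         "wpaEncryptionMode": "WPA3 only"},
        {"name": "Guest", "enabled": True, "authMode": "open"},
        {"name": "Legacy", "enabled": True, "authMode": "psk",
         "wpaEncryptionMode": "WPA1 and WPA2"},
    ],
    "syslogServers": {"servers": []},
    "malware": {"mode": "disabled"},
    "intrusion": {"mode": "detection"},
    "l3FirewallRules": {"rules": [
        {"comment": "Default rule", "policy": "allow", "srcCidr": "Any", "destCidr": "Any"}]},
    "admins": [
        {"email": "it@clinic.example", "orgAccess": "full", "twoFactorAuthEnabled": False},
        {"email": "audit@clinic.example", "orgAccess": "read-only", "twoFactorAuthEnabled": True},
    ],
}

def audit(snap):
    """Return (citation, detail) findings; an empty list means every check passed."""
    findings = []
    # 164.312(e)(1) transmission security: no open or WPA1-capable SSIDs on ePHI networks
    for s in snap["ssids"]:
        if not s.get("enabled"):
            continue
        if s.get("authMode") == "open":
            findings.append(("164.312(e)(1)", f"SSID '{s['name']}' is open (no encryption)"))
        elif "WPA1" in s.get("wpaEncryptionMode", ""):
            findings.append(("164.312(e)(1)", f"SSID '{s['name']}' still permits WPA1"))
    # 164.312(b) audit controls: at least one syslog destination must be configured
    if not snap["syslogServers"]["servers"]:
        findings.append(("164.312(b)", "no syslog server configured"))
    # 164.312(c)(1) integrity: AMP enabled and IDS/IPS in prevention mode
    if snap["malware"]["mode"] != "enabled":
        findings.append(("164.312(c)(1)", "Advanced Malware Protection disabled"))
    if snap["intrusion"]["mode"] != "prevention":
        findings.append(("164.312(c)(1)", f"IDS/IPS mode is '{snap['intrusion']['mode']}'"))
    # 164.312(a)(1) access control: the last L3 rule must be an explicit any/any deny
    last = snap["l3FirewallRules"]["rules"][-1]
    if last["policy"] != "deny" or (last["srcCidr"], last["destCidr"]) != ("Any", "Any"):
        findings.append(("164.312(a)(1)", "L3 firewall ends in allow-any, not default deny"))
    # 164.312(d) person authentication: every dashboard admin must have MFA enabled
    for a in snap["admins"]:
        if not a.get("twoFactorAuthEnabled"):
            findings.append(("164.312(d)", f"admin {a['email']} has no MFA"))
    return findings
```

Running `audit(SNAPSHOT)` on the constructed snapshot yields seven findings; replacing the snapshot with a real export of the same shape turns this into a first-pass evidence generator for the safeguards above.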
Multi-site healthcare organisations with Meraki infrastructure spanning clinical, administrative, and guest networks. ePHI network scoping lets you focus checks where patient data flows.
Managed service providers responsible for clinic and hospital networks. Demonstrate HIPAA technical compliance to your healthcare clients with automated evidence and monthly reports.
Any organisation that handles ePHI on behalf of a covered entity. IT vendors, cloud providers, billing services, and consultants with network access to healthcare data.
HIPAA enforcement has real financial and operational consequences. The Office for Civil Rights (OCR) investigates every reported breach affecting 500 or more individuals.
HIPAA penalties range from $141 to $2.13 million per violation category per year, depending on the level of negligence. Willful neglect with no corrective action triggers the highest tier.
A reportable breach triggers mandatory notification to every affected individual, HHS, and potentially the media. Average breach cost in healthcare is $10.9 million — the highest of any industry.
OCR settlements typically include multi-year corrective action plans with mandatory monitoring, staff training, and regular compliance reporting. These are operationally expensive and time-consuming.
Breaches affecting 500+ individuals are published on the HHS "Wall of Shame". Patient trust, once lost, is difficult to rebuild — and competitors are quick to capitalise on publicised incidents.
Connect your Meraki dashboard and see where your network stands against HIPAA technical safeguards. Scope to ePHI networks, get actionable findings, and generate auditor-ready reports.