Healthcare organizations building software that handles ePHI need HIPAA controls enforced where violations actually happen: in the code. MergeGuide maps the HIPAA Security Rule to code-level detection patterns that enforce at every development touchpoint.
Most healthcare software companies pursue both HIPAA and SOC 2. The Security Rule overlaps significantly with SOC 2's Trust Services Criteria (TSC), but imposes stricter requirements on certain controls.
This is where PolicyMerge shines: it resolves the conflicts automatically. HIPAA requires audit logging for all access to ePHI; SOC 2 requires access logging. PolicyMerge selects the stricter HIPAA requirement and applies it uniformly: one policy set, no gaps.
Code-only analysis: MergeGuide processes source code only — never patient data. Every analysis artifact contains code patterns and policy findings, not ePHI. Your patient data stays in your environment.
MergeGuide templates cover all applicable HIPAA Security Rule standards with code-level controls:
| Security Rule Standard | What MergeGuide Detects | Severity |
|---|---|---|
| §164.312(a)(2)(iv) | ePHI fields stored without encryption in database schemas and ORMs | Critical |
| §164.312(e)(2)(ii) | ePHI transmitted without TLS or over deprecated protocols (TLS 1.0/1.1) | Critical |
| §164.312(b) | Audit logging disabled or missing for ePHI access functions | High |
| §164.312(a)(1) | Hardcoded credentials granting ePHI access | Critical |
| §164.312(a)(1) | Missing session timeout in ePHI-handling applications | High |
| §164.312(c)(1) | ePHI written to unprotected log files or debug output | High |
| §164.312(d) | Authentication bypass patterns in healthcare API endpoints | Critical |
| §164.312(e)(1) | ePHI in query parameters (exposed in server logs and browser history) | High |
MergeGuide detects when code handles ePHI fields without appropriate encryption, wherever they appear: database schemas, API serializers, file writes, and log statements.
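To make the table concrete, here is a small added illustration of what a code-level check for two of those rows looks like: ePHI reaching log or debug output (§164.312(c)(1)) and ePHI placed in a URL query string (§164.312(e)(1)). This is example code written for this page, not MergeGuide's detection logic; the ePHI field list, the vulnerable and hardened snippets it scans, and the `scan_source` helper are all constructed for the illustration.

```python
"""Toy static checks for two HIPAA Security Rule patterns:
ePHI in log/debug output and ePHI in URL query parameters.
Illustrative only; not MergeGuide's own rules or engine."""
import re

# Constructed list of identifiers treated as ePHI for this example.
EPHI_FIELDS = {"ssn", "mrn", "date_of_birth", "diagnosis", "patient_name"}

RULE_LOG = "§164.312(c)(1): ePHI in log or debug output"
RULE_QUERY = "§164.312(e)(1): ePHI in URL query parameter"

# Calls whose arguments end up in log files or debug output.
LOG_CALL = re.compile(
    r"\b(?:logging|logger|log)\.(?:debug|info|warning|error|critical)\s*\(|\bprint\s*\("
)
# A query-string key: '?' or '&' followed by key=
QUERY_PARAM = re.compile(r"[?&]([A-Za-z_][A-Za-z0-9_]*)=")
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def scan_source(source: str):
    """Return (line_no, rule, field) findings for one source file."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        idents = {i.lower() for i in IDENT.findall(line)}
        # Any ePHI identifier used inside a logging/print call is a finding.
        if LOG_CALL.search(line):
            for field in sorted(idents & EPHI_FIELDS):
                findings.append((n, RULE_LOG, field))
        # Any ePHI identifier used as a query-string key is a finding.
        for key in QUERY_PARAM.findall(line):
            if key.lower() in EPHI_FIELDS:
                findings.append((n, RULE_QUERY, key.lower()))
    return findings


# Constructed "before" snippet: MRN in the URL and in the log line.
VULNERABLE = '''\
def fetch_record(mrn, base):
    url = f"{base}/records?mrn={mrn}"
    logger.info(f"fetching {url} for mrn {mrn}")
    return http.get(url)
'''

# Constructed "after" snippet: MRN moves to the request body,
# and the log line carries only a request id.
HARDENED = '''\
def fetch_record(mrn, base):
    url = f"{base}/records/lookup"
    logger.info("fetching record for request %s", request_id)
    return http.post(url, json={"mrn": mrn})
'''

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, scan_source(src) or "no findings")
```

The hardened version removes both findings because the MRN is never interpolated into a URL or a log message; that is the shape of fix the Security Rule rows above describe, regardless of which tool flags it.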
Every PR Gate policy evaluation on ePHI-handling code generates an immutable, timestamped evidence artifact mapped to the specific HIPAA Security Rule standard being enforced. Combined with your application audit logs, this gives HHS auditors a complete picture. Audit preparation is continuous, not a scramble when HHS arrives.
See how MergeGuide handles the intersection of HIPAA, SOC 2, and your custom ePHI handling requirements in a live demo.