NSAuditor AI EE 0.9.4: HIPAA Reports Now Surface HHS-OCR’s 2024 Enforcement Priorities
NSAuditor AI EE 0.9.4 adds an HHS-OCR Priority view to HIPAA reports, surfacing the remote-access and unpatched-infrastructure vectors behind a 264% rise in large ransomware breaches.
Nsasoft has released NSAuditor AI Enterprise Edition 0.9.4, a patch focused entirely on HIPAA evidence-defensibility depth. The update introduces a 2024 HHS-OCR Priority view directly inside HIPAA audit reports — surfacing the two attack vectors that the Office for Civil Rights has identified as driving a 264% rise in large ransomware breaches in the healthcare sector.
Why HHS-OCR Priorities Matter for HIPAA Compliance
The Department of Health and Human Services Office for Civil Rights (HHS-OCR) has been unambiguous in its 2024 enforcement guidance: remote-access credential risks and unpatched infrastructure are the dominant causes of large-scale healthcare breaches. Yet most HIPAA compliance tools continue to produce generic pass/fail scorecards that make no distinction between controls relevant to these enforcement priorities and those that are not.
When an OCR investigator arrives after a breach, they are not working through a uniform checklist — they are looking first at the controls most likely to have been exploited. A compliance report that does not reflect those priorities leaves healthcare organizations unable to demonstrate defensible posture on the controls that matter most.
What EE 0.9.4 Delivers
The 0.9.4 patch ships four targeted improvements to the audit-hipaa-risk-analysis-ocr skill:
HHS-OCR Priority View
HIPAA reports now include a dedicated Priority section that categorizes findings by the 2024 HHS-OCR enforcement focus areas: remote-access credential exposures and unpatched-infrastructure vulnerabilities. Each flagged finding is presented with the regulatory framing an OCR investigator would apply, making the report useful not just for internal remediation but as an evidence exhibit in an investigation or audit response.
Manual Procedure Evidence Schema on PARTIAL Controls
Three HIPAA controls previously marked PARTIAL — §164.312(c)(1) (integrity), §164.312(c)(2) (mechanism to authenticate electronic PHI), and §164.312(e)(2)(i) (encryption in transit) — now carry a manualProcedure evidence slot. Organizations can attach their documented compensating procedures directly to the finding, converting what appeared to be a gap into a defensible, evidence-backed posture. This aligns with how OCR actually evaluates PARTIAL controls: a reasonable and appropriate implementation supported by documented procedures is a legitimate compliance position.
Risk-Analysis Citation Slot for §164.308(a)(1)(ii)(A)
The Security Management Process risk-analysis requirement — §164.308(a)(1)(ii)(A) — is consistently the first control OCR examines in breach investigations. EE 0.9.4 adds a dedicated citation slot for this control, allowing organizations to link their formal risk analysis documentation directly to the scan finding. In an OCR inquiry, being able to produce a current, scan-corroborated risk analysis for this specific control is a significant evidentiary advantage.
Three New Citation Slots
Additional citation slots have been added for three evidence categories that repeatedly arise in OCR settlement discussions: retention (documentation retention policies supporting breach investigation timelines), integrity-substrate (underlying system controls supporting data integrity claims), and breach-signal (monitoring and detection evidence relevant to breach notification timelines under §164.400–414).
Coverage Remains Unchanged
HIPAA coverage in EE 0.9.4 is identical to 0.9.3: 7 safeguard categories, 3 PARTIAL controls, and 45 individual controls assessed. The patch adds no new controls and changes no existing pass/fail determinations — its value is in the depth and defensibility of the evidence the report can now capture and present.
SOC 2 coverage is also unchanged at 10 control families / 4 PARTIAL / 33 criteria.
Release Details
- Version: NSAuditor AI EE 0.9.4 / CE 0.1.70 / agent-skill 0.1.37
- Release date: 2026-05-22
- Type: EE-only patch (fourth consecutive non-trio release since 0.4.5)
- Plugins: 24 (27 CE + 24 EE; unchanged)
Installation
npm install -g nsauditor-ai@0.1.70 @nsasoft/nsauditor-ai-ee@0.9.4
Full HIPAA coverage documentation is available at nsauditor.com/ai/docs/hipaa/. Enterprise feature overview and release history at nsauditor.com/ai/enterprise/.
NSAuditor AI is a local-first, zero-data-exfiltration security scanner. All scan data remains on your infrastructure. EE features include cloud scanners (AWS, Azure, GCP), compliance engine (SOC 2, HIPAA, CIS, NIST, PCI DSS), Docker isolation, and air-gapped licensing support.



