Zero PHI Touchpoint. Full Audit Trail.
Workforce phishing training that proves your security-awareness program works, without adding one more system that has to touch a medical record to do it.
The constraint healthcare security teams actually have
HIPAA's Security Rule expects documented workforce security-awareness training (45 CFR §164.308(a)(5)) — but every additional vendor system you connect to run that training is one more system your privacy office has to review for PHI exposure. The easiest way to pass that review is to never be in scope for it in the first place.
PHI never enters the platform
PhishArmory's data model is employee directory information — name, work email, role — the same fields any training LMS already holds. There is no patient record, EHR integration, or clinical data path anywhere in this system, by construction, not by access control alone.
Reads are logged, not just writes
Per-employee results are visible only to Operator/Admin roles — and every time someone with access opens that detail view, the view itself is logged with user agent and IP. Exactly the kind of access-log evidence a HITRUST assessor or privacy officer asks for.
Administrative & Cryptographic Hardening
The admin console behind this employee-only data model is itself hardened: every operator account requires TOTP multi-factor authentication to sign in, and every stored credential — including those MFA secrets themselves — is protected under host-isolated envelope encryption, a per-secret data key wrapped by a master key that never leaves this host's environment. Baseline platform protections, not a per-engagement configuration.
What this maps to on your compliance calendar
Architectural controls, not certifications — this is the evidence our platform contributes to a program you already run.
| Framework | What we contribute |
|---|---|
| HIPAA Security Rule §164.308(a)(5) |
A timestamped record of every training campaign, per-employee result, and remediation action — the security-awareness-training evidence the administrative safeguards standard expects your program to produce. |
| HITRUST CSF | Role-gated access to sensitive results, with every read logged, maps directly to the access-control and audit-logging control references HITRUST assessors check against. |
| SOC 2 Type II (CC7.2) | The same append-only, tamper-resistant action log doubles as the system-monitoring evidence CC7.2 audits request, if your organization is also pursuing SOC 2. |