A HIPAA access review in Dock works like this. An agent pulls Epic audit logs and the ServiceNow access-request ticket for each user under review, drafts a finding row in Dock, and waits. The named privacy officer opens the row, reads the citations, and either approves or sends it back. Only an approved row is written through to Vanta as control evidence. Epic and ServiceNow stay the systems of record for the underlying events. Dock holds the interpretation, the reviewer name, and the timestamp that auditors actually ask for.
The architecture
Epic, ServiceNow, and Vanta stay the systems of record for the raw data: chart accesses, access-request tickets, and the control framework itself. Dock is the system of record for what the agent interprets from that data. Each Dock row carries a pointer back to the source record (epic_audit_event_id, servicenow_ticket_id, vanta_control_id), the agent identity that drafted it, the reviewer who approved it, and a timestamp. When the agent needs current state, for example to confirm a user's role has not changed since the draft, it re-fetches from Epic or ServiceNow through a fresh authenticated API read rather than from anything held in Dock. Dock does not cache PHI. It records decisions about PHI access. The finding text is the one field where that distinction depends on discipline: it should describe the access event (counts, scope, covering ticket), never chart contents, or the "no PHI in Dock" claim stops being true. Kept that way, the distinction is what makes the review surface defensible under audit.
The review table
| row_id | user | epic_audit_event_id | servicenow_ticket_id | finding | agent | reviewer | status |
|---|---|---|---|---|---|---|---|
| ar-3104 | j.okafor@stclare.org | EPC-AE-99214 | INC-44021 | 14 chart accesses outside assigned unit; ticket INC-44021 grants temporary float coverage. Within scope. | argus-compliance@dock | k.reyes (Privacy Officer) | approved |
| ar-3105 | m.chen@stclare.org | EPC-AE-99217 | (none) | 3 accesses to VIP record with no documented care relationship. No supporting ticket. | argus-compliance@dock | k.reyes (Privacy Officer) | flagged for investigation |
| ar-3106 | l.adebayo@stclare.org | EPC-AE-99221 | INC-44088 | Break-glass access; reason field cites code blue 4N at 02:14. Matches ServiceNow on-call roster. | argus-compliance@dock | k.reyes (Privacy Officer) | approved |
The workflow
The agent runs every Monday at 06:00. It queries Epic for the prior week's audit events flagged as out-of-unit, break-glass, or VIP-touching. For each event, it looks up the user in ServiceNow to see whether a covering ticket exists, then drafts a row with the finding and links back to both sources. Kira Reyes, the named privacy officer, opens her review queue in Dock. She reads each row, expands the citations, and approves or flags. Approved rows post to Vanta against control HIPAA-164.312(b) as audit-control evidence. Flagged rows open a ServiceNow investigation ticket and notify the user's manager. The agent never writes to Vanta without an approved reviewer signature on the row.
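The gate described in the architecture and workflow sections, as an added example (this is illustrative code, not Dock's own implementation): rows carry only pointers to Epic and ServiceNow records plus the agent identity, reviewer and timestamps; nothing reaches the Vanta sink unless the row is approved by a named reviewer; and a pending row older than 24 hours is marked for re-fetch, as the FAQ describes. The Epic events, ServiceNow tickets, Vanta sink and the SOC 2 control id are constructed, in-memory stand-ins for the authenticated API calls.

```python
"""Added example, not Dock's code: the draft -> review -> evidence gate.

Assumptions: Epic audit events, ServiceNow tickets and the Vanta evidence
sink are plain in-memory structures standing in for authenticated API
reads/writes. All sample data below is constructed for this example and
holds identifiers and flags only, never chart contents.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

AGENT = "argus-compliance@dock"       # agent identity recorded on every draft
STALE_AFTER = timedelta(hours=24)     # pending rows older than this are re-fetched

# Constructed Epic audit events already filtered to the three flagged kinds.
EPIC_EVENTS = [
    {"id": "EPC-AE-99214", "user": "j.okafor@stclare.org", "kind": "out_of_unit", "count": 14},
    {"id": "EPC-AE-99217", "user": "m.chen@stclare.org", "kind": "vip", "count": 3},
    {"id": "EPC-AE-99221", "user": "l.adebayo@stclare.org", "kind": "break_glass", "count": 1},
]
# Constructed ServiceNow tickets that might cover those accesses.
SNOW_TICKETS = [
    {"id": "INC-44021", "user": "j.okafor@stclare.org", "type": "float_coverage"},
    {"id": "INC-44088", "user": "l.adebayo@stclare.org", "type": "on_call"},
]


@dataclass
class Row:
    """One Dock review row: pointers, interpretation, and accountability fields."""
    row_id: str
    user: str
    epic_audit_event_id: str
    servicenow_ticket_id: Optional[str]
    finding: str
    agent: str
    drafted_at: datetime
    reviewer: Optional[str] = None
    status: str = "pending"            # pending | approved | flagged
    decided_at: Optional[datetime] = None


def covering_ticket(user: str, tickets: list) -> Optional[dict]:
    """Return the first ServiceNow ticket for this user, or None."""
    return next((t for t in tickets if t["user"] == user), None)


def draft_row(event: dict, tickets: list, now: datetime, seq: int) -> Row:
    """Agent step: interpret one Epic event against ServiceNow and draft a row.

    The finding describes the event (count, kind, ticket), not chart contents.
    """
    ticket = covering_ticket(event["user"], tickets)
    if ticket is None:
        finding = f"{event['count']} {event['kind']} access(es); no supporting ticket."
    else:
        finding = (f"{event['count']} {event['kind']} access(es); "
                   f"ticket {ticket['id']} ({ticket['type']}) covers them.")
    return Row(f"ar-{seq}", event["user"], event["id"],
               ticket["id"] if ticket else None, finding, AGENT, now)


def run_review(events: list, tickets: list, now: datetime) -> list:
    """The Monday job: one draft row per flagged event, awaiting a human."""
    return [draft_row(e, tickets, now, 3104 + i) for i, e in enumerate(events)]


def needs_refetch(row: Row, now: datetime) -> bool:
    """A pending row that sat longer than STALE_AFTER must be re-drafted from source."""
    return row.status == "pending" and now - row.drafted_at > STALE_AFTER


def decide(row: Row, reviewer: str, approve: bool, now: datetime) -> Row:
    """Human step: the named reviewer, not the agent, accepts accountability."""
    row.reviewer = reviewer
    row.status = "approved" if approve else "flagged"
    row.decided_at = now
    return row


def post_to_vanta(row: Row, control_ids: list, sink: list) -> bool:
    """Evidence gate: refuse anything that is not approved by a named reviewer.

    Returns True if evidence was written for every control id, False if refused.
    """
    if row.status != "approved" or not row.reviewer or row.decided_at is None:
        return False
    for cid in control_ids:
        sink.append({"control": cid, "row_id": row.row_id,
                     "epic_audit_event_id": row.epic_audit_event_id,
                     "servicenow_ticket_id": row.servicenow_ticket_id,
                     "agent": row.agent, "reviewer": row.reviewer,
                     "decided_at": row.decided_at.isoformat()})
    return True
```

The evidence record written to the sink repeats the row's pointers and accountability fields only; re-reading the underlying chart access still means going back to Epic with the event id.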
Why it matters
HIPAA 45 CFR 164.312(b) requires covered entities to "implement hardware, software, and/or procedural mechanisms that record and examine activity" in systems containing ePHI (Cornell LII, 45 CFR 164.312). The rule does not say a human must read every log line. It says activity must be examined and the examination must be documentable. Dock makes the examination a structured artifact instead of an inbox thread.
NIST SP 800-66 Revision 2 recommends that regulated entities document who reviewed what, when, and on what basis (NIST SP 800-66r2, Feb 2024). A Dock row with agent, reviewer, status, and decided_at columns is exactly that record, queryable and exportable.
The auditor question that ends most HIPAA assessments is "show me who approved this." A privacy officer's name on a row, captured through Dock's agent identity layer and replayable through the agent identity lifecycle, answers that question in one screen.
See the full picture under Dock for healthcare operations, and the adjacent controls work under Dock for compliance and Dock for security operations.
FAQ
Does Dock store PHI? No. Dock stores pointers to Epic audit events and ServiceNow tickets, plus the agent's finding and the reviewer's decision. Re-reading the chart access still requires a fresh authenticated call into Epic.
Who is on the hook if the agent miscategorizes an access? The named reviewer. The row records that Kira Reyes, not the agent, approved the finding. Agents draft; humans accept accountability.
How often does the agent re-fetch from Epic? On every draft, and again if a row sits in the queue more than 24 hours before review. Stale interpretations expire automatically.
Can this satisfy a SOC 2 control as well as HIPAA? Yes. The same approved row can post to Vanta against multiple control IDs. One review, two frameworks of evidence.