Improve HIPAA addressable and resilience evidence #1236

Open
Peter7896 wants to merge 1 commit into UnitOneAI:main from Peter7896:peter7896/hipaa-addressable-resilience

Conversation

@Peter7896

Summary

  • add HIPAA addressable-specification decision evidence so missing encryption is evaluated as Conditional Compliance only when risk rationale, equivalent alternatives, approval, and review evidence are documented
  • add destructive-malware backup resilience checks for immutable/offline copies, backup-admin separation, restore testing, and wiper scenario evidence
  • expand remote-work physical safeguard gates and add HITECH recognized security practice / safe-harbor evidence mapping
  • add BAA supply-chain visibility checks for right-to-audit/assurance, subcontractor disclosure, breach-notice SLA, return/destruction, and downstream flowdown tracking

Scope

This addresses #1106 and is intentionally complementary to #1089: it does not rework the BAA inventory flow, but adds granular evidence gates requested in the review.

Closes #1106

Validation

  • git diff --check (only existing Windows LF-to-CRLF warning)
  • verified markdown code fence count is even (8)
  • verified issue-specific markers for Conditional Compliance, destructive malware resilience, remote work safeguards, HITECH safe-harbor evidence, and right-to-audit supply-chain checks

Development

Successfully merging this pull request may close these issues.

[REVIEW] hipaa-review: add 2026 state-sponsored wiper threats and granular BAA evidence gates

1 participant