Where pentest sits under HIPAA
HIPAA's Security Rule does not name "penetration testing" as a discrete required control. It requires covered entities and business associates to conduct accurate and thorough risk assessments and to implement reasonable and appropriate safeguards. The Office for Civil Rights (OCR) — which enforces HIPAA — has consistently treated current third-party penetration testing as expected evidence of technical safeguard effectiveness during investigations.
For practical purposes, if you handle ePHI either as a covered entity or as a business associate, you should be running periodic penetration tests and producing reports that map to the technical safeguards. Covered-entity partners that engage you under a BAA increasingly require this evidence as part of vendor risk management.
Which technical safeguards pentest supports
| Safeguard (45 CFR §164.312) | What it requires | Pentest contribution |
|---|---|---|
| (a) Access control | Unique user identification, emergency access, automatic logoff, encryption/decryption | Authorization, role-matrix, multi-tenant isolation findings |
| (b) Audit controls | Hardware, software, and procedural mechanisms to record and examine activity | Audit-log completeness and integrity findings |
| (c) Integrity | Mechanisms to authenticate ePHI to ensure it has not been altered | Tamper-evidence, replay, and integrity-check findings |
| (d) Person/entity authentication | Verify identity of person/entity seeking access | Auth flow, MFA, account-recovery, SSO findings |
| (e) Transmission security | Guard against unauthorized access during transmission | TLS configuration, integrity-protection, end-to-end encryption findings |
Scoping the engagement around ePHI flows
The first hour of a HIPAA-aligned scoping call is usually about mapping ePHI flows — not the full application. Three flows almost always end up in scope:
Patient-facing surfaces
Patient portals, mobile apps, telehealth platforms, intake forms. Anywhere a patient interacts with their own record. These are tested as authenticated web/API surfaces with explicit attention to authorization and account-recovery flows.
Clinician-facing surfaces
EHR-adjacent applications, clinical tooling, billing systems. Role complexity is usually higher here (provider, nurse, scheduler, billing, support), and the pentest needs explicit role-matrix coverage.
Integration and EHR boundaries
FHIR APIs, HL7 interfaces, SMART on FHIR scopes, vendor-to-vendor data exchanges. These are the surfaces where ePHI moves between organizations and where access-control failures have outsized impact.
Out of scope but adjacent: backoffice tooling that touches ePHI through admin actions (refunds, support overrides, audit exports). These need testing but are often forgotten in scope statements.
Handling ePHI during testing
Three rules govern any HIPAA-scoped engagement:
- BAA in place before any sensitive material moves. The pentest vendor is a business associate when handling ePHI on behalf of a covered entity. A signed BAA is required.
- Default to synthetic ePHI in non-production. Production testing is allowed but requires explicit safe-testing rules, throttled activity, and documented retention windows for evidence.
- Encrypt evidence; document retention. Findings, screenshots, and request/response logs are encrypted in transit and at rest, retained only for the agreed window plus a brief post-engagement period for legal-hold reasons.
What the report should include
- Explicit ePHI scope statement. Which ePHI flows were in scope, which were not, and why.
- HIPAA Security Rule control mapping. Each finding tied to the specific technical safeguard or administrative safeguard it relates to.
- Methodology. Reference to NIST SP 800-115 or OWASP Testing Guide.
- Findings with severity, evidence, and remediation. Standard pentest deliverable shape.
- Retest evidence. Dated, with verification details for each closed finding.
- BAA reference. Note that the engagement was performed under a signed BAA.
If you are a business associate
Most pentest demand from covered-entity partners falls on business associates: SaaS vendors, billing platforms, telehealth providers, AI-feature companies that touch ePHI. Three things to anticipate:
- Annual cadence is the working assumption. Most BAAs and most covered-entity partners expect a current third-party pentest within the last twelve months.
- The report itself is part of vendor risk management. Covered-entity security teams read pentest reports as part of onboarding and renewal. The report needs to read well to that audience.
- Cross-walk to HITRUST CSF if you are pursuing HITRUST. HITRUST is increasingly the bar for healthcare partners. Reports that map to both HIPAA Security Rule and HITRUST CSF reduce duplicate work.
Practical tip: if a covered-entity partner is asking for a pentest report and you do not have a current one, the question to ask back is what their procurement team specifically reviews — explicit safeguard mapping is what most look for first, and including it in the report saves multiple rounds of follow-up.
Related articles
Preparing for your first pentest? Download the SMB Pentest Readiness Checklist →