HIPAA pentest

A payer or partner is asking for HIPAA pentest evidence. You need a report that holds up.

Technical safeguard testing scoped to your ePHI flows, mapped to the Administrative, Physical, and Technical safeguards under 45 CFR Part 164 — with a report that reflects what was tested and what was fixed.

What is at stake

Without current pentest evidence, your HIPAA risk analysis has a credibility problem.

OCR enforcement expects it

OCR enforcement actions treat penetration testing as expected technical evaluation under 164.308(a)(8). An absent or stale pentest is a gap examiners flag.

Payers and partners require it

Healthcare payers, health systems, and enterprise partners routinely ask for current pentest evidence before contracting.

The proposed rule raises the bar

The 2025 HHS NPRM proposes explicit penetration-testing language. Programs without a current test today face a harder path when the rule finalizes.

How we help — what we cover

Six Security Rule expectations your evidence file should answer.

We scope to the safeguards your evidence file needs to address and map each finding so your Privacy Officer and engineering team can both use the report without translation.

Security Rule — Technical Safeguards

45 CFR § 164.312 — access controls, audit controls, integrity, person/entity authentication, and transmission security. The direct technical subset most pentests evaluate.

Risk Analysis — 164.308(a)(1)(ii)(A)

Required analysis of risks and vulnerabilities to ePHI. A current pentest is the primary evidence that the risk analysis reflects real exposure, not theoretical risk.

Evaluation — 164.308(a)(8)

Periodic technical and nontechnical evaluation of safeguards. Penetration testing is the de facto technical evaluation evidence.

ePHI flow scoping

Findings scoped to systems that create, receive, maintain, or transmit ePHI, plus connected administrative systems.

Business Associate Agreements

Where ePHI flows through a Business Associate, the test scope accounts for the boundary established by the BAA.

Proposed Security Rule update

The 2025 HHS NPRM proposes explicit penetration-testing expectations. We scope conservatively against the proposed text so you are ready when (and if) it finalizes.

How an engagement works

Four phases, every HIPAA engagement.

  1. ePHI flow scoping

     We map your ePHI data-flow diagram, identify Business Associate boundaries, and confirm rules of engagement.

  2. Technical safeguard testing

     Manual testing of access controls, authentication, transmission security, and integrity controls across in-scope systems.

  3. Safeguard-mapped reporting

     Each finding tagged to the Administrative, Physical, or Technical safeguard sections of the Security Rule.

  4. Retest and reissue

     After fixes we retest and reissue; the version your auditor or payer sees reflects the post-fix state.

Payer review or OCR audit approaching?

A quick scoping call confirms your ePHI scope, BAA boundaries, and a start date.

Control mapping in the report

How findings tie to the Security Rule.

Every finding is tagged to the specific 45 CFR Part 164 safeguards it touches — Administrative, Physical, and Technical sections called out explicitly.

| Example finding | Mapped to |
|---|---|
| Broken access control to ePHI records | § 164.312(a)(1) Access Control; § 164.308(a)(4) Information Access Management |
| Cleartext ePHI in transit between services | § 164.312(e)(1) Transmission Security |
| ePHI access not audited | § 164.312(b) Audit Controls |
| No periodic technical evaluation in place | § 164.308(a)(8) Evaluation |
| Risk analysis missing for a new ePHI flow | § 164.308(a)(1)(ii)(A) Risk Analysis |
| Production access shared without unique IDs | § 164.312(a)(2)(i) Unique User Identification |

Each finding also carries severity, reproduction steps, evidence, and a paste-ready remediation — the safeguard reference for your Privacy Officer, the fix for your engineering team.

FAQ

HIPAA pentest — common questions

Is penetration testing explicitly required by HIPAA today?

The current Security Rule does not name "penetration testing" word-for-word, but 164.308(a)(1)(ii)(A) requires a risk analysis and 164.308(a)(8) requires periodic technical evaluation. OCR enforcement actions and the proposed 2025 Security Rule update treat pentests as expected technical evidence.

What is in scope on a HIPAA pentest?

Systems that create, receive, maintain, or transmit ePHI, plus connected administrative systems (identity providers, monitoring tools, backup systems). We confirm scope against your ePHI data-flow diagram on the scoping call.

How do you handle Business Associates?

Where ePHI flows through a Business Associate, we test the boundary your BAA establishes and avoid testing the BA's infrastructure without their explicit written authorization. The report calls out where coverage stops and why.

What if the proposed Security Rule update changes things?

We track the rulemaking and scope against the proposed text. Programs aligned to the proposed update today will be ready when it finalizes; those aligned only to the current text risk a gap once enforcement catches up.

Want a credible answer when a customer, auditor, or your board asks how secure you are?

A quick scoping call with the senior tester who would run your engagement. No slides, no pitch — we look at what you have, tell you what we would test first, and give you a fixed scope, price, and date.