Now accepting Q2 projects — limited slots available. Get started →
45 CFR § 164.312ePHI ProtectionTechnical Safeguards

Your Patient Portal Just Failed Its Security Rule Audit

If you're a healthcare CTO holding a 60-day remediation notice, you need penetration testing that maps to 45 CFR § 164.312 controls -- not generic security theater.

We test your healthcare applications against every technical safeguard in the HIPAA Security Rule -- then fix what we find.

Get Your HIPAA Pentest Scoped See Our Process
100%
Safeguard Coverage
All §164.312 controls tested
72hr
Initial Report
Critical findings delivered fast
0
ePHI Exposures
Our clients' target
$2M+
Avg. Breach Cost
What you're avoiding
What Is HIPAA Penetration Testing?

HIPAA penetration testing is a controlled, authorized attack simulation against systems that store, process, or transmit electronic protected health information (ePHI). It maps directly to the technical safeguard requirements in 45 CFR § 164.312 -- access controls, audit controls, integrity controls, authentication, and transmission security. The goal? Find exploitable vulnerabilities before an attacker or an OCR auditor does.

Your Current Site May Be a Liability

Common gaps we find in nearly every audit.

Your annual risk analysis checks a box
Risk: It doesn't simulate a real attack against ePHI systems. OCR findings of willful neglect can trigger penalties up to $2.13M per violation category per year -- and "we ran a scan" won't save you.
Generic vulnerability scans don't catch application-layer flaws in patient portals or EHR integrations
Risk: SQL injection or broken access control in a patient portal exposes entire ePHI databases. Those bugs won't show up in an automated report.
§164.312(a)(1) requires access controls, but when did you last test whether session tokens or RBAC actually hold under pressure? One privilege escalation bug lets any authenticated user pull any patient record they want.
Risk: A single privilege escalation bug lets any authenticated user access any patient record.
Audit logging exists on paper but hasn't been validated under adversarial conditions per §164.312(b)
Risk: When a breach happens and OCR asks what was accessed, by whom, and when -- you need an answer that holds up.
You've got TLS, so transmission security feels handled
Risk: But cipher suites and certificate chains rarely get tested. Downgrade attacks and misconfigured certificates can expose ePHI in transit without triggering a single alert.
Business associates handle ePHI through APIs you've probably never tested for authentication bypass per §164.312(d)
Risk: A BA's compromised credentials become your breach notification problem.

What Your Website Could Look Like

Custom-designed for your industry. No templates. No stock photos.

HIPAA penetration testing report with OCR-mappable findings
A real HIPAA pen-test cockpit -- Security Rule § 164.312 technical safeguards tested, OCR-mappable finding format, exploit chain reproduction steps, remediation deadlines

How We Build This Right

Every safeguard, built in from Day 1.

Access Control Testing -- §164.312(a)

We attempt to bypass unique user identification, emergency access procedures, automatic logoff, and encryption/decryption mechanisms. Every required and addressable implementation specification gets tested with real exploit techniques -- not theoretical ones.

Audit Control Validation -- §164.312(b)

We verify that your audit logs actually captured our attack activity, accurately and completely. If we can modify, delete, or evade audit trails, you've got a compliance gap that'll hurt when it matters most.

Integrity Control Testing -- §164.312(c)(1)

We go after ePHI integrity directly -- targeting database records, API responses, and file storage to see whether data can be altered without detection. Integrity mechanisms have to prove tamper-evidence when someone's actively trying to break them.

Person or Entity Authentication -- §164.312(d)

We attack authentication across the board: password policies, MFA implementations, session management, API key handling. Credential stuffing, brute force, token forgery -- all in scope.

Transmission Security -- §164.312(e)(1)

We pick apart TLS configurations, certificate pinning, cipher suite strength, and HSTS enforcement across every ePHI transmission path. Internal traffic between services gets tested too, not just what's exposed at the public edge.

Remediation Verification & Reporting

Every finding includes a CVSS score, the specific §164.312 provision it violates, step-by-step reproduction instructions, and a fix. We retest all critical and high findings after remediation at no extra charge.

What We Build

Purpose-built features for your industry.

OWASP Top 10 + HIPAA Mapping

Every vulnerability gets mapped to both OWASP categories and the specific 45 CFR § 164.312 implementation specification it violates -- so your documentation holds up to scrutiny.

Authenticated & Unauthenticated Testing

We test as four different personas: an external attacker, a low-privilege patient user, a clinical staff member, and an admin. RBAC gets validated at every tier, not just the top.

API & EHR Integration Testing

FHIR endpoints, HL7 interfaces, and third-party BA integrations get tested for injection, broken authentication, and excessive data exposure. These are common weak points that often go untouched.

Cloud Infrastructure Review

AWS, Azure, or GCP environments get assessed for S3 bucket exposure, IAM misconfigurations, and network segmentation failures around ePHI workloads.

Social Engineering Add-On

We also offer optional phishing and pretexting campaigns targeting staff with ePHI access. Technical safeguards only go so far -- the human layer needs testing too.

OCR-Ready Deliverables

Final reports are structured to directly support your HIPAA risk analysis documentation and show due diligence to OCR investigators. This isn't a generic PDF you'll struggle to explain.

Built on a Modern, Secure Stack

Burp Suite ProOWASP ZAPNessusMetasploitNext.jsSupabaseVercel

Our Development Process

From discovery to launch. Quality at every step.

01

Scoping & Rules of Engagement

Week 1

We start by identifying every system that touches ePHI, defining testing boundaries, signing a BAA, and setting up communication protocols for critical findings. No surprises mid-engagement.

02

Reconnaissance & Threat Modeling

Week 1-2

Then we map your attack surface the way an adversary would -- OSINT, DNS enumeration, technology fingerprinting, and an architecture review against each §164.312 control.

03

Active Exploitation

Week 2-3

From there, it's manual and tool-assisted testing across all in-scope targets. We chain vulnerabilities together the way a real attacker would. We're not running a scanner and handing you the output.

04

Reporting & Risk Prioritization

Week 3-4

You get a detailed technical report with an executive summary, §164.312 compliance mapping, CVSS-scored findings, proof-of-concept evidence, and prioritized remediation guidance.

05

Remediation Verification

Week 5-6

After your team addresses the critical and high findings, we retest to confirm they're actually fixed -- then issue an updated attestation letter.

Social Animal

Ready to discuss your your patient portal just failed its security rule audit project?

Get a free quote

HIPAA Penetration Testing from $8,000

Fixed-fee engagement. BAA included. Retest at no extra cost. See all packages →

Get Your Quote
Related Resources
solution
Your Patient Data Sits on Servers Built for Shopify. That's Your HIPAA Problem.
blog
Healthcare WordPress to Next.js + Payload CMS (HIPAA-Safe)
capability
Your React App Shouldn't Need JavaScript to Work
capability
Your Content Team is Writing Checks to a SaaS CMS. Stop.
capability
Your Content is Hostage to a CMS You Don't Control

Frequently Asked Questions

The Security Rule requires a risk analysis under §164.308(a)(1) and a technical evaluation under §164.308(a)(8). The phrase "penetration test" never appears in the regulation, but OCR guidance and NIST SP 800-66 make clear that simulated attacks against technical safeguards are the expected way to demonstrate compliance. Most auditors expect it, and the ones who don't will still want proof you've done something equivalent.
Yes — any engagement where we might encounter ePHI requires a BAA, and we execute one before testing begins. Our methodology is designed to minimize ePHI exposure. Wherever feasible, we validate that access is possible without actually exfiltrating real patient data.
A vulnerability scan runs automated tools to find known weaknesses. A penetration test goes further. We manually exploit vulnerabilities, chain them together, and show you real-world impact. Scanners miss logic flaws, broken access controls, and authentication bypasses — which happen to be exactly the issues that matter most for ePHI protection under §164.312.
At minimum, test annually and after any significant change to your ePHI environment — a new patient portal, cloud migration, major code release, or infrastructure overhaul. Had a breach or a close call? Test immediately. OCR expects your risk analysis to be ongoing, not something you did once in 2019.
We design rules of engagement specifically to prevent disruption. Denial-of-service testing stays out of scope unless you explicitly request it against a staging environment. High-risk tests get scheduled during maintenance windows, and we stay in constant contact with your team throughout. In 12+ years, we've never caused unplanned downtime.
You get an executive summary, a full technical report with every finding mapped to §164.312 provisions, CVSS scores, proof-of-concept screenshots, step-by-step reproduction instructions, and prioritized remediation guidance. Once you've remediated, we retest and issue an updated attestation letter you can actually hand to an OCR investigator.
More solutions

Explore related industries

Your Designer Ships in Framer. Your Developer Wants Next.js. We Build Both.

We are a Framer agency that also knows when Framer stops being the right tool. Design-led marketing sites in Framer. Code-grade builds in Next.js or Astro. Migration both directions when the moment comes.

Your Dev Shop Quoted 3 Months for an MVP. We Ship It in 9 Days with Claude Code.

We are a Claude Code agency, not an agency that 'uses AI'. Claude Code is our delivery vehicle -- subagents, hooks, skills, the full workflow -- backed by senior engineers who've shipped 5,000+ sites since 2014.

LLM SEO: AI Search Optimization Services

We build the code that makes ChatGPT, Perplexity, and Gemini cite you.
Need enterprise scale?

200+ employee company? Complex multi-tenant, auction, or multi-location requirement? We have a dedicated enterprise capability track.

View Enterprise Hub

Get Your HIPAA Pentest Scoped

We'll review your ePHI footprint and deliver a fixed-fee quote within 24 hours.

Or book a 30-minute call
Get in touch

Let's build
something together.

Whether it's a migration, a new build, or an SEO challenge — the Social Animal team would love to hear from you.

Get in touch →