pentest · compliance

HIPAA penetration testing for ePHI environments.

Technical security evaluation of your ePHI systems under §164.308(a)(8) of the HIPAA Security Rule. BAA executed before kickoff. Findings mapped to Security Rule citations. Deliverables your privacy officer and external auditor both accept.

01. the requirement

Where HIPAA requires technical testing.

HIPAA does not use the phrase "penetration test," but HHS enforcement and OCR guidance have made the expectation clear. Three provisions drive the requirement.

§164.308(a)(8) — Evaluation

Requires periodic technical and nontechnical evaluation of security safeguards, repeated whenever environmental or operational changes affect the security of ePHI. OCR interprets this to include technical testing — organizations that experienced breaches without conducting regular technical evaluations face the highest penalties.

§164.308(a)(1)(ii)(B) — Risk analysis

An accurate and thorough assessment of potential risks to ePHI confidentiality, integrity, and availability. Technical vulnerabilities in ePHI systems must be identified. Penetration testing is the standard method for finding vulnerabilities that risk assessments miss.

§164.312(a)(1) — Access controls

Technical policies and procedures that allow only authorized users to access ePHI. Testing that access controls actually work — not just that policies exist — satisfies this provision and provides documentary evidence of technical review.

OCR breach investigation pattern

In the majority of HHS resolution agreements following a breach, OCR cites failure to conduct adequate risk analysis and failure to implement evaluation procedures. Both point directly to the absence of regular technical testing. Post-breach remediation costs are orders of magnitude higher than prevention.

02. BAA and data handling

How we handle ePHI during testing.

We are a business associate when we touch systems that process ePHI. Here is how we manage that legally and operationally.

1. BAA executed before engagement start

We sign a Business Associate Agreement before any access to ePHI systems. We have a standard BAA template, or we sign yours. The BAA covers our obligations, data handling, breach notification timelines, and destruction of any PHI at engagement close.

2. Minimum necessary access

We request only the credentials and access required for the agreed scope. Test accounts with realistic privilege levels — not production admin accounts unless specifically needed and documented in the rules of engagement.

3. No PHI capture unless documented

We do not retain patient data encountered during testing. If PHI is incidentally accessed to demonstrate a finding, we document the access, notify you immediately, and delete the data from testing infrastructure. This is in the BAA and the engagement SOW.

4. Findings without PHI in the report

The final report demonstrates vulnerabilities using synthetic or redacted data. No patient records in the deliverable. Auditors, legal teams, and privacy officers can review the report without handling regulated data.

03. what we test

Typical ePHI system scope.

Scope follows your ePHI data flow. Any system that creates, receives, maintains, or transmits ePHI is in scope. Connected systems are typically in scope too.

Patient portal and EHR access layer

Authentication, session management, authorization between patient roles and clinician roles, data export controls. Usually the highest-risk surface from an external attacker's perspective.

API integrations — EHR, billing, lab

HL7 FHIR endpoints, billing system integrations, lab result pipelines. Third-party integrations frequently have weaker access controls than first-party surfaces. Often missed in vendor-led assessments.

Internal data access paths

Who can reach ePHI from inside the network? Database access controls, admin tooling, data warehouse permissions, logging coverage. Internal lateral movement to ePHI is the most common breach path.

Cloud storage and data pipelines

S3 / Blob / GCS buckets containing health records. ETL pipelines that touch PHI. Data lake permissions. IAM roles that can enumerate or export ePHI. Cloud misconfigurations are the leading cause of HIPAA breaches in SaaS health companies.
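The bucket-permission review described above can be scripted against the policy document rather than done by eye. The checker below is an added example and not the vendor's tooling: it walks an S3-style bucket policy and reports Allow statements that grant list or read actions to an anonymous principal or to an account outside an allow-list. The policy, bucket name, account IDs and VPC endpoint ID are constructed placeholders, and the severity labels are this example's own convention.

```python
"""Flag S3-style bucket-policy statements that let an untrusted principal
enumerate or read objects. Added example, not the vendor's tooling; the
policy document, bucket name and account IDs are constructed placeholders."""
import json

# Actions that let a caller list a bucket or pull objects out of it.
EXPOSING_ACTIONS = {"*", "s3:*", "s3:Get*", "s3:List*", "s3:GetObject", "s3:ListBucket"}


def _as_list(value):
    """Policy grammar allows a string or a list in most fields."""
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal field to a list of principal strings."""
    if principal == "*":
        return ["*"]
    out = []
    for value in principal.values():          # {"AWS": "..."} or {"AWS": [...]}
        out.extend(_as_list(value))
    return out


def _account_of(arn):
    """Extract the 12-digit account ID from an IAM ARN, else None."""
    parts = arn.split(":")
    return parts[4] if len(parts) == 6 and parts[0] == "arn" else None


def find_exposures(policy, trusted_accounts):
    """Return one finding per Allow statement that grants an exposing action
    to an anonymous principal or to an account outside trusted_accounts."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        risky = sorted(a for a in _as_list(stmt.get("Action", [])) if a in EXPOSING_ACTIONS)
        if not risky:
            continue
        conditioned = bool(stmt.get("Condition"))  # e.g. aws:SourceVpce narrows "*"
        for principal in _principals(stmt.get("Principal", {})):
            if principal == "*":
                findings.append({
                    "sid": stmt.get("Sid"), "principal": principal, "actions": risky,
                    "severity": "medium" if conditioned else "critical",
                    "reason": "anonymous principal" + (", limited by Condition" if conditioned else ""),
                })
            else:
                account = _account_of(principal)
                if account and account not in trusted_accounts:
                    findings.append({
                        "sid": stmt.get("Sid"), "principal": principal, "actions": risky,
                        "severity": "high",
                        "reason": f"cross-account grant to untrusted account {account}",
                    })
    return findings


# Constructed sample policy for a bucket holding exported health records.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "OwnerAdmin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-phi-exports/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-phi-exports/*"},
    {"Sid": "VpceList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-phi-exports",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
    {"Sid": "PartnerExport", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::999999999999:root"]},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-exports/*"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-phi-exports/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""")

TRUSTED_ACCOUNTS = {"111111111111"}  # the bucket owner's own account (placeholder)

if __name__ == "__main__":
    for f in find_exposures(SAMPLE_POLICY, TRUSTED_ACCOUNTS):
        print(f"[{f['severity']}] {f['sid']}: {f['reason']} ({', '.join(f['actions'])})")
```

Run as written, the script reports the anonymous GetObject grant as critical, the VPC-endpoint-conditioned ListBucket grant as medium, and the cross-account GetObject grant as high, while the owner's admin statement and the Deny statement produce no findings. A real review would also pull bucket ACLs, Block Public Access settings and the IAM policies of roles that can call s3:ListAllMyBuckets, which this policy-only check does not see.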

Audit logging validation

§164.312(b) requires audit controls that record and examine ePHI access activity. We verify that logging is present, covers the right events, and cannot be circumvented by an attacker who gains access.
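Checking that an audit trail covers the right events and carries the fields an investigator needs can be turned into a repeatable test. The following is an added example, not the vendor's tooling and not any EHR product's log format: it assumes a JSON-lines audit log, a set of event names that an ePHI system should emit (read, export, failed authentication, privilege change) and a minimum field set per record, all of which are constructed for this illustration. It reports which required events never appear and which records are malformed.

```python
"""Coverage and completeness check for an application audit log.
Added example with a constructed log format: event names, field names and
the sample lines below are assumptions, not taken from any real product."""
import json
from collections import Counter

# Event classes an ePHI system should record (assumed names for this example).
REQUIRED_EVENTS = {"ephi.read", "ephi.export", "auth.failure", "privilege.change"}
# Fields every record needs for an investigation: when, who, what, result.
REQUIRED_FIELDS = {"ts", "actor", "event", "outcome"}
# ePHI access events must also identify the record touched.
SUBJECT_EVENTS = {"ephi.read", "ephi.export"}


def parse_log(text):
    """Return (well-formed records, [(line_no, problem), ...])."""
    records, malformed = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            malformed.append((line_no, "not JSON"))
            continue
        missing = REQUIRED_FIELDS - rec.keys()
        if missing:
            malformed.append((line_no, f"missing {sorted(missing)}"))
            continue
        if rec["event"] in SUBJECT_EVENTS and not rec.get("record_id"):
            malformed.append((line_no, "ePHI access without record_id"))
            continue
        records.append(rec)
    return records, malformed


def coverage_report(text):
    """Summarise which required events were seen and which records failed."""
    records, malformed = parse_log(text)
    seen = Counter(r["event"] for r in records)
    return {
        "missing_events": sorted(REQUIRED_EVENTS - set(seen)),
        "event_counts": dict(seen),
        "malformed": malformed,
    }


# Constructed sample log: one clean read, an export with no record_id, a
# failed login, a read with no actor, a free-text line, another clean read.
SAMPLE_LOG = """\
{"ts": "2024-01-01T00:00:00Z", "actor": "drlee", "event": "ephi.read", "outcome": "success", "record_id": "P-1001"}
{"ts": "2024-01-01T00:00:01Z", "actor": "svc-etl", "event": "ephi.export", "outcome": "success"}
{"ts": "2024-01-01T00:00:02Z", "actor": "unknown", "event": "auth.failure", "outcome": "denied"}
{"ts": "2024-01-01T00:00:03Z", "event": "ephi.read", "outcome": "success", "record_id": "P-1002"}
Jan  1 00:00:05 portal: login ok
{"ts": "2024-01-01T00:00:06Z", "actor": "drlee", "event": "ephi.read", "outcome": "success", "record_id": "P-1003"}
"""

if __name__ == "__main__":
    report = coverage_report(SAMPLE_LOG)
    print("never logged:", report["missing_events"])
    print("counts:", report["event_counts"])
    for line_no, problem in report["malformed"]:
        print(f"line {line_no}: {problem}")
```

In an engagement the log text would come from the system under test after a scripted set of actions (a chart view, a bulk export, a bad password, a role change) so that the absence of an event is attributable to a logging gap rather than to nothing having happened. The example flags the bulk export here because its record lacks the identifier of what was exported, which is exactly the detail an investigation needs.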

Encryption in transit and at rest

§164.312(e)(2)(ii) addresses encryption of ePHI in transit. We review TLS configuration, certificate validity, and downgrade attack paths, along with at-rest encryption coverage and the access controls on key management.

04. faq

HIPAA pentest questions.

What comes up on every healthcare scoping call. See compliance gap analysis if you need a full HIPAA Security Rule review alongside the technical test.

Does HIPAA require a penetration test?

Not by name. But §164.308(a)(8) requires periodic technical evaluation of security safeguards. OCR consistently interprets this to include penetration testing. Every significant HIPAA resolution agreement from the past five years cites failure to conduct adequate technical evaluation as an aggravating factor.

Do you sign a BAA before the engagement?

Yes. We execute a BAA before any engagement that involves access to systems that create, receive, maintain, or transmit ePHI. We have a standard BAA template, or we sign yours. The BAA is non-negotiable for HIPAA engagements.

We're a business associate, not a covered entity. Does this apply to us?

Yes. Business associates have the same Security Rule obligations as covered entities under the HITECH Act. If you process ePHI on behalf of a covered entity, the §164.308(a)(8) evaluation requirement applies to you directly.

How often should we run a HIPAA pentest?

"Periodic" under §164.308(a)(8) is not defined as a specific interval. Most healthcare security programs run annually. OCR expects more frequent testing when material changes occur: new product features, new integrations, acquired systems, or after a near-miss security incident.

What do the findings look like for a HIPAA audience?

We map each finding to the relevant Security Rule provision (§164.308, §164.310, §164.312) alongside the standard CVSS severity rating. This gives your privacy officer, legal team, and external auditor a single document that answers both the technical question and the compliance question.

HIPAA pentest for your ePHI systems?

Scoping call covers your ePHI data flow, system boundary, BAA requirements, and audit timeline. 30 minutes. Free.