External HIPAA Observable Control Scanner

Scan Observable Controls

Enter your domain. Get an externally observable control score with evidence-backed findings. Controls that can only be verified from inside the organization (runtime controls) are clearly marked as requiring internal assessment rather than being scored.

What the scanner checks

Externally observable controls mapped to HIPAA Security Rule requirements (plus the Privacy Rule's notice requirement, §164.520). Every finding includes the evidence it rests on: the header value, page element or document that was observed. No evidence, no claim.

Transport Encryption

§164.312(e)(1)

Is an HSTS policy sent over HTTPS with a meaningful max-age? Does the server refuse TLS 1.0/1.1 and plaintext fallback? §164.312(e)(1) requires guarding ePHI against unauthorized access while in transit; the encryption specification itself is addressable (§164.312(e)(2)(ii)) and the rule names no protocol version, so TLS 1.2+ is the current industry baseline rather than a regulatory threshold.

Authentication Indicators

§164.312(d)

Are MFA indicators present on public login pages (a second-factor prompt, or a published MFA policy)? §164.312(d) requires verifying that a person or entity seeking access to ePHI is the one claimed; it does not name MFA, but MFA is the strongest externally visible sign that the standard is met.

Audit Controls

§164.312(b)

Are systems recording and examining access to ePHI? No HTTP header proves that audit logging exists, so this control cannot be scored from the outside. The scanner reports it as requiring internal assessment (review of logging configuration and log retention) instead of inferring a pass or fail.

Integrity Controls

§164.312(c)(1)

Are browser hardening headers (an enforcing Content-Security-Policy, X-Content-Type-Options: nosniff) configured? These reduce the risk of injected scripts and MIME-sniffing attacks tampering with what users see in the web front end. They are indicators, not proof of the ePHI integrity mechanisms §164.312(c)(1) actually calls for, which live in the application and data layer.
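
How the Transport Encryption, Integrity Controls and Audit Controls checks above can be made evidence-backed, as an added example. This is not the scanner's own code: it assumes the scanner has already followed the target's redirect chain and hands the final response headers to this module as a dict, together with the scheme the response came over. The HSTS parsing follows RFC 6797, X-Content-Type-Options is accepted only with its single defined value, a Report-Only CSP is not counted as enforcement, and the audit-controls item is marked internal rather than guessed. The sample header sets at the bottom are constructed, not captured from any real site.

```python
"""Evidence-backed header checks for externally observable HIPAA indicators.

Added example, not the scanner's own code. Assumes the caller supplies the
headers of the final response in the HTTPS redirect chain as a dict.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# One year in seconds: the floor for a meaningful HSTS policy and the minimum
# browsers require for preload-list eligibility.
HSTS_MIN_MAX_AGE = 31_536_000


@dataclass
class Finding:
    control: str   # e.g. "HSTS"
    citation: str  # HIPAA Security Rule citation the control is mapped to
    status: str    # "pass", "fail", or "internal" (not externally observable)
    evidence: str  # the exact header value, or its absence, that the verdict rests on


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: HTTP field names are not case-sensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse Strict-Transport-Security per RFC 6797: ';'-separated directives,
    case-insensitive names, max-age mandatory and a non-negative integer."""
    policy = HstsPolicy(max_age=None, include_subdomains=False, preload=False)
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            policy.max_age = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def check_hsts(headers: Dict[str, str], scheme: str = "https") -> Finding:
    cite = "§164.312(e)(1)"
    if scheme != "https":
        # RFC 6797 §8.1: browsers ignore HSTS received over plain HTTP, so it is not evidence.
        return Finding("HSTS", cite, "fail", f"response fetched over {scheme}; HSTS only counts over HTTPS")
    value = get_header(headers, "Strict-Transport-Security")
    if value is None:
        return Finding("HSTS", cite, "fail", "Strict-Transport-Security header absent")
    policy = parse_hsts(value)
    if policy.max_age is None:
        return Finding("HSTS", cite, "fail", f"Strict-Transport-Security: {value} (max-age missing or invalid)")
    if policy.max_age < HSTS_MIN_MAX_AGE:
        # max-age=0 tells browsers to forget the policy; short values expire between visits.
        return Finding("HSTS", cite, "fail", f"Strict-Transport-Security: {value} (max-age below one year)")
    return Finding("HSTS", cite, "pass", f"Strict-Transport-Security: {value}")


def check_nosniff(headers: Dict[str, str]) -> Finding:
    """X-Content-Type-Options has exactly one defined value; anything else is a no-op."""
    cite = "§164.312(c)(1)"
    value = get_header(headers, "X-Content-Type-Options")
    if value is None:
        return Finding("X-Content-Type-Options", cite, "fail", "X-Content-Type-Options header absent")
    if value.strip().lower() != "nosniff":
        return Finding("X-Content-Type-Options", cite, "fail", f"X-Content-Type-Options: {value} (not 'nosniff')")
    return Finding("X-Content-Type-Options", cite, "pass", f"X-Content-Type-Options: {value}")


def check_csp(headers: Dict[str, str]) -> Finding:
    """Only an enforcing Content-Security-Policy counts; Report-Only blocks nothing."""
    cite = "§164.312(c)(1)"
    value = get_header(headers, "Content-Security-Policy")
    if value is not None:
        return Finding("CSP", cite, "pass", f"Content-Security-Policy: {value}")
    report_only = get_header(headers, "Content-Security-Policy-Report-Only")
    if report_only is not None:
        return Finding("CSP", cite, "fail", f"Content-Security-Policy-Report-Only: {report_only} (not enforced)")
    return Finding("CSP", cite, "fail", "Content-Security-Policy header absent")


def check_audit_controls(headers: Dict[str, str]) -> Finding:
    """No HTTP header proves that access to ePHI is logged: no evidence, no claim."""
    return Finding("Audit Controls", "§164.312(b)", "internal",
                   "not externally observable; requires review of logging configuration")


def scan(headers: Dict[str, str], scheme: str = "https") -> List[Finding]:
    return [check_hsts(headers, scheme), check_nosniff(headers), check_csp(headers),
            check_audit_controls(headers)]


def score(findings: List[Finding]) -> float:
    """Share of externally observable checks that passed; 'internal' items are
    excluded rather than silently counted as either pass or fail."""
    scored = [f for f in findings if f.status != "internal"]
    return sum(f.status == "pass" for f in scored) / len(scored) if scored else 0.0


# Constructed sample responses for illustration (not captured from any real site).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",  # expires before the next visit
    "X-Content-Type-Options": "no-sniff",        # misspelled, so browsers ignore it
    "Content-Security-Policy-Report-Only": "default-src 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        findings = scan(hdrs)
        print(f"{label}: score {score(findings):.2f}")
        for f in findings:
            print(f"  [{f.status:8}] {f.control} {f.citation}: {f.evidence}")
```

Every Finding carries the literal header value it was judged on, so a report can show the evidence next to the verdict, and the "internal" status keeps an unobservable control from quietly dragging the score down or propping it up.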

Notice of Privacy Practices

§164.520

Is a Notice of Privacy Practices linked from the site and readable? A covered entity that maintains a website describing its customer services or benefits must prominently post its notice there (§164.520(c)(3)(i)). This is a Privacy Rule requirement rather than a Security Rule one, and it is one of the few HIPAA obligations that is genuinely verifiable from the outside.

Business Associate Agreements

§164.308(b)(1)

Are BAA references visible (for example a vendor page stating that a BAA is available or in place)? A business associate agreement is required with any vendor that creates, receives, maintains or transmits ePHI on the entity's behalf. The agreements themselves are rarely public, so a visible reference is an indicator, not proof that every data handler is covered.

Security Awareness Training

§164.308(a)(5)

Are references to a security awareness and training program present? §164.308(a)(5) requires such a program for all workforce members, including management. Public references are an indicator only; training completion records require internal assessment.

Contingency Plan

§164.308(a)(7)

Are disaster recovery/backup indicators present (a status page, published recovery objectives, backup statements)? The contingency plan standard requires a data backup plan, a disaster recovery plan and an emergency mode operation plan (§164.308(a)(7)(ii)(A) to (C)); ePHI must be recoverable and the plan must be tested.

Risk Analysis Evidence

§164.308(a)(1)

Are indicators of a security assessment program present (a security or trust page, published audit or certification statements)? An accurate and thorough risk analysis is a required implementation specification (§164.308(a)(1)(ii)(A)); whether one actually exists, and whether it is current, can only be confirmed internally.

HIPAA Security Rule Categories

Technical Safeguards

§164.312
  • Access Control
  • Audit Controls
  • Integrity
  • Authentication
  • Transmission Security

Administrative Safeguards

§164.308
  • Security Management
  • Workforce Security
  • Information Access
  • Security Awareness
  • Contingency Plan

Physical Safeguards

§164.310
  • Facility Access
  • Workstation Use
  • Workstation Security
  • Device & Media Controls

HIPAA Penalty Tiers (statutory amounts, per violation)

Tier 1: Did not know (and could not reasonably have known)    $100 - $50,000
Tier 2: Reasonable cause, not willful neglect                  $1,000 - $50,000
Tier 3: Willful neglect, corrected within 30 days              $10,000 - $50,000
Tier 4: Willful neglect, not corrected                         $50,000

Statutory maximum of $1.5M per calendar year for all violations of an identical provision. OCR adjusts these amounts for inflation each year, so the figures currently in force are higher. OCR enforcement is active.

Important: This scanner evaluates externally observable controls against HIPAA Security Rule standards and the Privacy Rule's notice requirement. Results are meaningful only for HIPAA-covered entities and business associates that handle protected health information (PHI). Runtime controls (encryption at rest, access and audit logs, workforce training completion, the risk analysis itself) cannot be seen from outside and require internal assessment; the scanner marks them as such rather than scoring them. This tool does not determine whether an organization is subject to HIPAA.