Every check maps to a specific HIPAA Security Rule section and its 2026 NPRM equivalent.
Transport Security: TLS configuration, HSTS enforcement, certificate validity, and encryption-in-transit verification across public and authenticated endpoints.
Privacy Disclosures: Notice of Privacy Practices presence, contact forms, data use statements, HIPAA badge visibility, and consent language assessment.
Security Headers: Content-Security-Policy, X-Frame-Options, CORS configuration, server version exposure, and clickjacking prevention.
Authentication Controls: MFA indicators, session timeout headers, rate-limiting evidence, login page security, and password policy signals.
Data Exposure: PHI leakage in URLs, exposed development files, third-party trackers without a BAA, open directory listings, and debug endpoints.
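As an added example, not the scanner's own code (the page shows none), the following Python evaluates a captured set of HTTP response headers against the Transport Security and Security Headers checks named above: HSTS max-age, Content-Security-Policy, clickjacking protection, server version disclosure and CORS. The header values are constructed samples; the one-year HSTS threshold, the check names, the PASS/WARN/FAIL statuses and the scoring convention are this example's own assumptions. It runs entirely offline on dictionaries, so it never contacts a live site.

```python
"""Passive response-header checks of the kind listed above (added example).

Operates on an already-captured header dictionary: no network access, no
authentication, nothing beyond what a HEAD request would have returned.
"""
import re
from typing import Dict, Optional, Tuple

HSTS_MIN_AGE = 31536000  # one year; threshold assumed by this example

# Constructed sample: headers as a weakly configured login page might send them.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Access-Control-Allow-Origin": "*",
}

# Constructed sample: the same page after hardening.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Server": "Apache",
}

Result = Tuple[str, str]  # (status, detail)


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _csp_directives(csp: str) -> Dict[str, str]:
    """Split a CSP value into {directive: source list}."""
    out: Dict[str, str] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            out[tokens[0].lower()] = " ".join(tokens[1:])
    return out


def check_hsts(headers: Dict[str, str]) -> Result:
    value = _get(headers, "Strict-Transport-Security")
    if value is None:
        return ("FAIL", "no HSTS header; browsers may still connect over plain HTTP")
    match = re.search(r"max-age=(\d+)", value, re.I)
    if not match:
        return ("FAIL", "HSTS header present but max-age missing")
    age = int(match.group(1))
    if age < HSTS_MIN_AGE:
        return ("WARN", f"max-age={age} is below one year")
    if "includesubdomains" not in value.lower():
        return ("WARN", "max-age adequate but includeSubDomains not set")
    return ("PASS", "HSTS enforced for at least one year including subdomains")


def check_csp(headers: Dict[str, str]) -> Result:
    value = _get(headers, "Content-Security-Policy")
    if value is None:
        return ("FAIL", "no Content-Security-Policy header")
    directives = _csp_directives(value)
    script = directives.get("script-src", directives.get("default-src", ""))
    if "'unsafe-inline'" in script or "'unsafe-eval'" in script:
        return ("WARN", "CSP allows inline or eval scripts, weakening XSS protection")
    return ("PASS", "CSP present without unsafe script sources")


def check_clickjacking(headers: Dict[str, str]) -> Result:
    xfo = (_get(headers, "X-Frame-Options") or "").strip().upper()
    csp = _csp_directives(_get(headers, "Content-Security-Policy") or "")
    if "frame-ancestors" in csp:
        return ("PASS", f"CSP frame-ancestors {csp['frame-ancestors']} restricts framing")
    if xfo in ("DENY", "SAMEORIGIN"):
        return ("PASS", f"X-Frame-Options {xfo} restricts framing")
    if xfo:
        return ("FAIL", f"X-Frame-Options {xfo!r} is not DENY/SAMEORIGIN; browsers ignore it")
    return ("FAIL", "no framing protection; page can be embedded by other sites")


def check_server_version(headers: Dict[str, str]) -> Result:
    value = _get(headers, "Server")
    if value is None:
        return ("PASS", "Server header not sent")
    if re.search(r"\d+\.\d+", value):  # a dotted number is treated as a version
        return ("WARN", f"Server header discloses version: {value}")
    return ("PASS", f"Server header present without version: {value}")


def check_cors(headers: Dict[str, str]) -> Result:
    acao = _get(headers, "Access-Control-Allow-Origin")
    creds = (_get(headers, "Access-Control-Allow-Credentials") or "").strip().lower()
    if acao is None:
        return ("PASS", "no CORS header; cross-origin reads blocked by default")
    if acao.strip() == "*":
        if creds == "true":
            return ("FAIL", "wildcard origin combined with Allow-Credentials: true")
        return ("WARN", "wildcard Access-Control-Allow-Origin on this endpoint")
    return ("PASS", f"CORS restricted to {acao}")


CHECKS = {
    "hsts": check_hsts,
    "csp": check_csp,
    "clickjacking": check_clickjacking,
    "server_version": check_server_version,
    "cors": check_cors,
}


def assess(headers: Dict[str, str]) -> Dict[str, Result]:
    """Run every check; returns {check_id: (status, detail)}."""
    return {name: fn(headers) for name, fn in CHECKS.items()}


def score(results: Dict[str, Result]) -> int:
    """Percent of checks passed; WARN earns half credit (this example's convention)."""
    credit = {"PASS": 1.0, "WARN": 0.5, "FAIL": 0.0}
    return round(100 * sum(credit[status] for status, _ in results.values()) / len(results))


if __name__ == "__main__":
    for label, hdrs in (("weak", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        results = assess(hdrs)
        print(f"--- {label}: score {score(results)}")
        for name, (status, detail) in results.items():
            print(f"{status:4} {name:15} {detail}")
```

The weak sample scores 40 (every check but clickjacking earns partial credit) and the hardened sample scores 100. Feeding the checks a header dictionary rather than a URL keeps the example offline and makes it easy to run against headers captured from your own staging environment.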
What was once optional is now required. Here is what changes under the proposed rule.
| Requirement | Current Rule | 2026 NPRM |
|---|---|---|
| Multi-Factor Authentication | Addressable | Required |
| Encryption at Rest | Addressable | Required |
| Vulnerability Scans | Not specified | Every 6 months |
| Penetration Tests | Not specified | Annual |
| Risk Analysis | General requirement | Explicit threat documentation |
| Compliance Audit | Implied | Every 12 months |
Compliance deadline: ~January 2027. Penalties: up to $1.5M per violation category per year.
We assess your compliance against both the current rule and the proposed 2026 changes.
Current Rule score: How you comply today against the 2013 Security Rule. Addressable specifications are scored with partial credit.
2026 NPRM score: How you will comply under the new rules. No partial credit — every safeguard is now mandatory.
Most healthcare organizations score 20-40 points lower on the 2026 NPRM track.
HIPAA sets the floor. Many states add stricter requirements for healthcare data protection.
Requires reasonable data security safeguards for any business handling private info of NY residents. Mandatory breach notification within 72 hours.
Confidentiality of Medical Information Act adds state-level PHI protections. CCPA grants patients additional data rights beyond HIPAA.
Stricter than HIPAA for electronic health records. Requires employee training, limits PHI sales, and mandates 60-day breach notice.
Biometric Information Privacy Act requires written consent before collecting fingerprints or facial recognition data. Private right of action.
Comprehensive data security regulations requiring written information security programs, encryption, and access controls.
Data privacy act with specific health data provisions. Requires opt-in consent for processing sensitive health information.
The HIPAA 2026 Notice of Proposed Rulemaking (NPRM) is a major update to the HIPAA Security Rule published by the U.S. Department of Health and Human Services. It eliminates the distinction between "Required" and "Addressable" implementation specifications, making nearly all safeguards mandatory. It also introduces new requirements for vulnerability scanning, penetration testing, and network segmentation.
The final rule is expected to be published in late 2025 or early 2026, with a compliance deadline approximately 180 days after publication — estimated around January 2027. Organizations should begin preparing now, as many requirements (MFA, encryption, vulnerability scanning) require significant implementation time.
Our scanner performs 51 passive checks across 5 categories: Transport Security (TLS, HSTS, certificates), Privacy Disclosures (NPP, consent forms), Security Headers (CSP, X-Frame-Options), Authentication Controls (MFA indicators, session management), and Data Exposure (PHI in URLs, third-party trackers). All checks are non-invasive HTTP requests — we never attempt to log in or access protected data.
Completely safe. Our scanner only makes standard HTTP GET and HEAD requests — the same requests any web browser makes when visiting your site. We never submit forms, attempt authentication, or interact with any functionality. The scan is equivalent to someone visiting your public website and login page.
Absolutely not. We scan only publicly accessible pages and HTTP response headers. We never access, store, or process any Protected Health Information (PHI). Our scanner cannot see any data behind authentication. No BAA is required to use this tool.
Under the current HIPAA Security Rule, "Required" specifications must be implemented exactly as described. "Addressable" specifications allow organizations to assess whether they are reasonable and appropriate — and implement alternatives if not. The 2026 NPRM eliminates this distinction, making virtually all specifications mandatory with no alternative implementations allowed.
Business Associates are equally subject to the HIPAA Security Rule and will be equally affected by the 2026 NPRM. If you handle, store, transmit, or process ePHI on behalf of a Covered Entity, you must comply with all Security Rule requirements. Our scanner assesses your web infrastructure regardless of entity type.
Remediation costs vary significantly based on your current compliance posture, infrastructure complexity, and the number of findings. Common fixes like enabling HSTS or adding security headers can be done in hours. Larger projects like implementing MFA or encryption at rest may take weeks. Our consultation provides a prioritized remediation plan with estimated effort and cost for each finding.
Yes. After your free scan, you can book a consultation where our team walks you through every finding and builds a prioritized remediation plan. We offer hands-on remediation services for healthcare organizations, including security header configuration, TLS hardening, MFA implementation, and ongoing compliance monitoring.
You immediately see your two scores (Current Rule and 2026 NPRM) along with your top 5 critical findings. To get the full detailed report with all 51 check results, remediation steps, and state-specific guidance, book a free consultation. There is no obligation — the consultation is free and we will walk you through the complete assessment.
51-point assessment. Two scores. 30 seconds. No login required.