US HIPAA Compliance
HIPAA's Security Rule requires covered entities and business associates to protect electronic health information.
Learn how ImmuniWeb helps you evaluate and test the applications that handle ePHI.
What Is the HIPAA Security Rule?
The HIPAA Security Rule requires administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of ePHI. At its core is a risk analysis: identifying risks and vulnerabilities to ePHI and implementing measures to reduce them to a reasonable level.
It applies to covered entities (health plans, health care clearinghouses and most health care providers) and to business associates and their subcontractors that handle ePHI on their behalf. The Privacy Rule and Breach Notification Rule sit alongside the Security Rule.
See how ImmuniWeb helps you evaluate and test the apps that handle ePHI - supporting your HIPAA risk analysis and security evaluation. Request a demo or run a free Community Edition test.
Who Must Comply with HIPAA?
HIPAA's Security Rule applies to:
- Covered entities - health plans, health care clearinghouses and most health care providers.
- Business associates that create, receive, maintain or transmit ePHI on behalf of a covered entity.
- Subcontractors of business associates that handle ePHI.
Any of these running web and mobile applications that handle ePHI must assess and test those applications.
Key HIPAA Requirements for Application Security
Several Security Rule provisions drive application-security work:
- 164.308(a)(1)(ii)(A) - Risk analysis: conduct an accurate and thorough assessment of risks and vulnerabilities to ePHI.
- 164.308(a)(8) - Evaluation: perform periodic technical and non-technical evaluation of how well security controls meet the Rule.
- 164.312 - Technical safeguards: access control, audit controls, integrity, and transmission security (including encryption) for ePHI.
HIPAA Security Requirements in Depth
Risk Analysis and Evaluation
The Security Rule's risk analysis and periodic evaluation requirements are met in practice through penetration testing and vulnerability scanning of the systems and applications that store or transmit ePHI. Risk-analysis failures are the most frequently cited issue in OCR enforcement, which makes demonstrable, regular testing especially valuable.
Technical Safeguards
Section 164.312 requires access control, audit controls, integrity protection and transmission security for ePHI. Testing web and mobile applications verifies that these safeguards actually hold against real-world attacks.
Proposed 2025 Security Rule Update
A Notice of Proposed Rulemaking (90 FR 800, published 6 January 2025) would significantly strengthen the Security Rule - including explicit requirements for vulnerability scanning at least every six months and penetration testing at least every 12 months, plus mandatory encryption, MFA and network segmentation. As of mid-2026 this remains proposed: OCR has not issued a final rule, and it could be finalized, modified, delayed or withdrawn. The current Security Rule remains in effect, but organizations that already perform regular testing are well positioned for the update.
Common Web & Mobile Application Risks to Address
Healthcare applications are a prime target for attackers. The vulnerabilities to test for map closely to the OWASP Top 10:
- Broken Access Control — users reaching data or actions they should not.
- Cryptographic Failures — weak or missing encryption exposing sensitive data.
- Injection — SQL, command or other injection via unvalidated input.
- Insecure Design — missing security controls by design, not just by bug.
- Security Misconfiguration — default, incomplete or unsafe configuration.
- Vulnerable & Outdated Components — unpatched libraries and frameworks.
- Identification & Authentication Failures — weak login, session or credential handling.
- Software & Data Integrity Failures — untrusted updates, insecure CI/CD pipelines.
- Security Logging & Monitoring Failures — attacks going undetected.
- Server-Side Request Forgery (SSRF) — the server tricked into making malicious requests.
For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, weak cryptography, and so on). Reliably finding these issues requires testing the running application, not just a documentation review.
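The following Python is an added illustration, not ImmuniWeb code and not from the original page, of what the Section 164.312 technical safeguards (access control, audit controls, integrity) look like inside an application, placed beside the Broken Access Control pattern from the OWASP list above. A "broken" record lookup returns any patient record to any logged-in user; the hardened lookup enforces object-level authorization (patient or treating clinician only, deny by default), writes an audit entry for every attempt, and an HMAC seal makes later tampering with a record detectable. The patient records, users, roles and the integrity key are all constructed for the example; in a real deployment the key would live in a KMS or HSM, and transmission security would be handled by TLS outside this code.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Assumption: in a real deployment this key lives in a KMS/HSM, never in source.
INTEGRITY_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed sample ePHI records (no real patient data).
RECORDS = {
    "p-1001": {"name": "Sample Patient A", "diagnosis": "demo-dx-1", "treating_clinician": "dr-ames"},
    "p-1002": {"name": "Sample Patient B", "diagnosis": "demo-dx-2", "treating_clinician": "dr-baez"},
}


@dataclass
class User:
    user_id: str
    role: str                          # "clinician", "patient" or "billing" (constructed roles)
    patient_id: Optional[str] = None   # set when a patient views their own record


@dataclass
class AuditLog:
    """Audit controls (164.312(b)): every access attempt, allowed or denied, is recorded."""
    entries: list = field(default_factory=list)

    def record(self, user: User, patient_id: str, action: str, outcome: str) -> None:
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user.user_id,
            "role": user.role,
            "patient": patient_id,
            "action": action,
            "outcome": outcome,
        })


def get_record_broken(user: User, patient_id: str) -> Optional[dict]:
    """Broken Access Control: being logged in is enough to read any patient by id."""
    return RECORDS.get(patient_id)


def is_authorized(user: User, patient_id: str) -> bool:
    """Access control (164.312(a)): only the patient or the treating clinician may read."""
    rec = RECORDS.get(patient_id)
    if rec is None:
        return False
    if user.role == "patient":
        return user.patient_id == patient_id
    if user.role == "clinician":
        return rec["treating_clinician"] == user.user_id
    return False  # deny by default for every other role


def get_record_hardened(user: User, patient_id: str, audit: AuditLog) -> Optional[dict]:
    """Hardened lookup: object-level authorization plus an audit entry for each attempt."""
    if not is_authorized(user, patient_id):
        audit.record(user, patient_id, "read", "denied")
        return None
    audit.record(user, patient_id, "read", "allowed")
    return RECORDS[patient_id]


def seal(record: dict) -> str:
    """Integrity (164.312(c)): HMAC-SHA256 over canonical JSON so tampering is detectable."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest()


def verify_seal(record: dict, tag: str) -> bool:
    """Constant-time comparison of the stored seal against a freshly computed one."""
    return hmac.compare_digest(seal(record), tag)


if __name__ == "__main__":
    audit = AuditLog()
    billing = User("u-billing", "billing")
    print("broken lookup by billing user:", get_record_broken(billing, "p-1001") is not None)
    print("hardened lookup by billing user:", get_record_hardened(billing, "p-1001", audit))
    print("last audit outcome:", audit.entries[-1]["outcome"])
```

The denied attempts are what a monitoring rule would watch for: a user producing many "denied" entries across different patient ids is the signature of someone enumerating record identifiers, which the broken lookup would have silently served.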
How to Approach HIPAA Application Security with ImmuniWeb
- Inventory ePHI systems. Map internet-facing apps and assets that handle ePHI with ImmuniWeb Discovery.
- Support your risk analysis by testing web apps with On-Demand and Neuron.
- Test mobile health apps with MobileSuite and Neuron Mobile.
- Remediate and retest with clear, zero-false-positive reports as evaluation evidence.
- Test continuously with Continuous - and be ready for the proposed scanning/pentest cadence.
- Monitor for exposure with Discovery, including dark-web monitoring for leaked health data.
How ImmuniWeb Helps You Achieve HIPAA Compliance
ImmuniWeb supports the HIPAA Security Rule's risk-analysis and evaluation requirements with testing that produces clear, audit-ready evidence.
| Requirement | What it requires | ImmuniWeb products |
|---|---|---|
| Risk analysis / evaluation | Assess and periodically evaluate risks to ePHI. | On-Demand, Neuron, Continuous |
| Technical safeguards | Verify access control, integrity and transmission security. | On-Demand, Neuron, MobileSuite, Neuron Mobile |
| Exposure | Detect exposed assets and leaked health data. | Discovery (ASM / Dark Web) |
ImmuniWeb On-Demand delivers manual web application penetration testing; MobileSuite covers mobile health apps; Neuron and Neuron Mobile provide automated scanning; Continuous embeds testing into CI/CD; and Discovery maps your attack surface and monitors the dark web for leaked ePHI.
HIPAA vs International Frameworks
If you already work to international standards, the same ImmuniWeb testing supports all of them:
| Framework | Application-security angle | How ImmuniWeb maps |
|---|---|---|
| HIPAA Security Rule | Risk analysis, evaluation, technical safeguards | Web/mobile pentest, scanning, ASM |
| HITRUST CSF | Prescriptive healthcare control set | Testing as control evidence |
| NIST SP 800-53 | Security & privacy controls | Application testing & monitoring |
| ISO/IEC 27001 | Annex A technical controls | Testing as control evidence |
Penetration Testing vs Security Scanning
Both are needed. Automated scanning (DAST) gives broad, frequent coverage and is ideal for continuous testing in CI/CD; manual penetration testing finds business-logic and complex vulnerabilities that scanners miss and produces the depth auditors and regulators expect. Combine continuous scanning with periodic manual penetration testing, and re-test after significant changes.
Compliance Checklist (Application Security)
- Inventory of internet-facing apps and assets handling ePHI
- Risk analysis covering application vulnerabilities
- Web applications tested against the OWASP Top 10
- Mobile health apps tested against the OWASP Mobile Top 10
- Periodic security evaluation evidenced (164.308(a)(8))
- Findings remediated and re-tested; documentation retained
- Readiness for proposed scanning/pentest cadence
Why HIPAA Compliance Matters
OCR can impose tiered civil monetary penalties for Security Rule violations, with significant annual caps, and serious cases can carry criminal penalties. A breach of ePHI also triggers breach-notification duties and reputational harm.
Healthcare is one of the most heavily targeted sectors for ransomware and data theft, and risk-analysis failures dominate OCR enforcement - so demonstrable, regular application testing is both a compliance and a risk-reduction priority.