HIPAA penetration testing

HIPAA pentest your OCR auditor accepts.

CREST-accredited researchers test PHI-handling systems, BAA-covered surfaces, and the technical safeguards required under 45 CFR 164.308 and 164.312. Two weeks to a report your auditor drops into the risk analysis file.


Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

Why this matters

Most HIPAA pentest reports do not match the safeguard standard.

  • Templated reports list CVE numbers, not PHI-exposure paths. OCR audits flag the gap as inadequate risk analysis.

  • BAA-covered surface boundaries blur when downstream subcontractors get tested separately. Findings stop at the seam.

  • Self-attested or scanner-only reports do not satisfy 164.308 risk analysis evidence. Auditors want independent testing.

Here is what we ship.

Why teams pick us

PHI-path findings, not CVE lists.

  • PHI-path tagged findings

    Each finding ships with the path from attacker to PHI, so your auditor's risk-analysis file accepts it directly.

  • 164.308 and 164.312 mapped

    Findings tagged to administrative and technical safeguards. BAA-covered scope respected.

  • Re-test for OCR defensibility

    Ship the fix; we verify it. The documented re-test sits in the risk-analysis file.

How it works

From PHI flow to report in two to three weeks.

  1. Scope to PHI flows

    Tell us PHI stores, BAA-covered downstream surfaces, and access boundaries. Confirmed before kickoff.

  2. Researchers test safeguards

    Access control, audit logging, transmission security, and PHI-exposure chains.

  3. Report your risk-analysis file accepts

    Findings tagged to 164.308 and 164.312. Auditor evidence ready.

Research ledger

Coordinated disclosures published by SL7 research.

The same researchers run your engagement.

Full advisories index

What founders say

Thank you for being our pentest partners. Our user base is safer because of y'all.
Vinay Hiremath

Co-founder, Loom

Common questions

What buyers ask before they sign.

Does this satisfy the HIPAA Security Rule risk analysis?
It supports it. Independent pentest evidence is a defensible input to your 164.308(a)(1) risk analysis.
Do you handle PHI test data?
We work with anonymised or synthetic PHI by default. Real PHI only under a BAA and on-prem if required.
Will you sign a BAA?
Yes. Our standard BAA is on the second call.
OCR audit defensibility?
Findings shaped for OCR review: severity, business impact, remediation, and re-test status.
Re-test included?
Yes. Criticals re-tested in the same engagement and re-test status documented in the file.

Ready to make the OCR risk analysis defensible?

20-minute scoping call with the lead HIPAA pentester. PHI flows, BAA scope, and the safeguards your auditor asks about.

CREST · CERT-In · SOC 2 · ISO 27001