HIPAA website security checklist — what Scorifya helps with
The HIPAA Security Rule (45 CFR Part 164, Subpart C) requires every covered entity and business associate that handles electronic protected health information (ePHI) to implement administrative, physical and technical safeguards; the technical safeguards are at §164.312. Most of those safeguards concern authenticated systems and internal infrastructure, but a meaningful subset applies to your public web surface: patient portals, marketing pages that link into ePHI flows, and any site that collects health information through forms. Scorifya covers the public-posture portion: encryption in transit, the response headers that limit what a browser can leak or alter, and dated scan output that can serve as one input to the activity review the Rule requires.
Scope
Scorifya scans the public surface of a hostname. It does not access ePHI, audit your access controls, evaluate your BAAs, or replace your HIPAA risk assessment. Use it as evidence for the technical-safeguard subset that applies to public web infrastructure.
Control mapping
Each control below references the framework requirement and lists the Scorifya scan checks that produce supporting evidence.
§164.312(e)(1) — Transmission Security (encryption in transit)
Implement technical security measures to guard against unauthorized access to ePHI being transmitted over an electronic communications network.
§164.312(e)(2)(ii) — Encryption (addressable)
Implement a mechanism to encrypt ePHI whenever deemed appropriate. Because this specification is addressable, you must either implement it or document why it is not reasonable and appropriate and put an equivalent alternative in place. For web traffic the expected mechanism is TLS; HHS's guidance on rendering PHI unusable points to NIST SP 800-52 for data in motion, which sets TLS 1.2 as the floor and recommends TLS 1.3.
§164.308(a)(1)(ii)(D) — Information system activity review
Implement procedures to regularly review records of information system activity. External scan output is one input.
§164.312(c)(1) — Integrity controls
Implement policies and procedures to protect ePHI from improper alteration or destruction. On the public web surface, Content-Security-Policy, X-Frame-Options (or the CSP frame-ancestors directive that supersedes it) and X-Content-Type-Options close the browser-side routes by which a page can be tampered with: injected script, clickjacking, and MIME-type confusion. They are supporting evidence for the integrity control, not the control itself.
§164.312(d) — Person or entity authentication
Verify that a person or entity seeking access to ePHI is the one claimed. In a web portal the session cookie carries that verified identity after login, so its attributes (Secure, HttpOnly, SameSite, and a __Host- prefix where the application allows it) are part of the technical implementation: a Set-Cookie header visible without them is evidence that the session can be stolen or replayed.
Scorifya checks:
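The following is an added example, not Scorifya's scanner code and not the check list the page refers to: it evaluates a captured HTTP response against the browser-side controls the mapping above cites (HSTS for transmission security, CSP, framing and nosniff for integrity, cookie attributes for authentication) and tags each finding with the control it supports. The thresholds are assumptions chosen for illustration: an HSTS max-age of at least one year, SameSite=None treated as unset, and a script-src that allows 'unsafe-inline', a wildcard, a bare scheme or data: treated as loose. The two responses at the bottom are constructed samples for a hypothetical patient portal, not captures from any real site.

```python
"""Evaluate a captured HTTP response against the browser-side controls in the
HIPAA mapping above (HSTS, CSP, framing, nosniff, cookie attributes). Added
example, not Scorifya's scanner code; sample responses below are constructed."""
from dataclasses import dataclass

ONE_YEAR = 31536000  # assumed HSTS max-age floor, in seconds

@dataclass
class Finding:
    control: str  # Security Rule citation this check supports
    check: str    # short identifier for the check
    passed: bool
    detail: str

def _first(headers, name):
    """First value of header `name` (matched case-insensitively), or ''."""
    return next((v for k, v in headers if k.lower() == name), "")

def _directives(csp):
    """Parse a CSP value into {directive: [sources]}, everything lower-cased."""
    out = {}
    for part in csp.split(";"):
        tokens = part.lower().split()
        if tokens:
            out[tokens[0]] = tokens[1:]
    return out

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, {attr: value}); attribute names are
    lower-cased and flag attributes such as Secure map to ''."""
    parts = [p.strip() for p in value.split(";")]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return parts[0].partition("=")[0].strip(), attrs

def check_transport(headers):
    """§164.312(e)(1): HSTS keeps the browser on TLS. The negotiated TLS version
    needs a live handshake and is not checked offline here."""
    hsts = _first(headers, "strict-transport-security")
    max_age = 0
    for token in hsts.split(";"):
        k, _, v = token.strip().partition("=")
        if k.lower() == "max-age" and v.strip().isdigit():
            max_age = int(v)
    return [Finding("§164.312(e)(1)", "hsts", max_age >= ONE_YEAR,
                    f"max-age={max_age}" if hsts else "header missing")]

def check_integrity(headers):
    """§164.312(c)(1): script sources, framing and MIME-sniffing controls."""
    csp = _directives(_first(headers, "content-security-policy"))
    script = csp.get("script-src", csp.get("default-src", []))
    loose = {"'unsafe-inline'", "*", "http:", "https:", "data:"} & set(script)
    out = [Finding("§164.312(c)(1)", "csp-script-src", bool(script) and not loose,
                   "script-src " + (" ".join(script) or "absent"))]
    xfo = _first(headers, "x-frame-options").strip().upper()
    if "frame-ancestors" in csp:  # CSP frame-ancestors supersedes X-Frame-Options
        framed, detail = True, "frame-ancestors " + " ".join(csp["frame-ancestors"])
    else:
        framed, detail = xfo in ("DENY", "SAMEORIGIN"), xfo or "no frame control"
    out.append(Finding("§164.312(c)(1)", "framing", framed, detail))
    xcto = _first(headers, "x-content-type-options").strip().lower()
    out.append(Finding("§164.312(c)(1)", "nosniff", xcto == "nosniff", xcto or "header missing"))
    return out

def check_session_cookies(headers):
    """§164.312(d): every cookie should carry Secure, HttpOnly and SameSite=Lax or
    Strict (SameSite=None counts as unset, since it permits cross-site sending)."""
    out = []
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            missing.append("samesite")
        out.append(Finding("§164.312(d)", f"cookie:{name}", not missing,
                           "missing " + ", ".join(missing) if missing else "attributes set"))
    return out

def evaluate(headers):
    """All findings for one response, given as a list of (name, value) tuples."""
    return check_transport(headers) + check_integrity(headers) + check_session_cookies(headers)

def failed_checks(headers):
    """Sorted identifiers of the checks that failed, as a one-line summary."""
    return sorted(f.check for f in evaluate(headers) if not f.passed)

# Constructed sample responses for a hypothetical patient portal (not real captures).
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PORTALSESSION=abc123; Path=/"),
    ("X-Frame-Options", "ALLOWALL"),
]
HARDENED_RESPONSE = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "__Host-PORTALSESSION=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
]
```

Feed `evaluate()` the header list from a real response (for example `list(resp.headers.items())` from an HTTP client you are authorized to point at the host) and keep the dated output alongside the scan record; `failed_checks(WEAK_RESPONSE)` names every control the weak response misses, while the hardened response returns an empty list.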
Important caveats
- HIPAA compliance requires a documented risk assessment, BAAs with all relevant business associates, and ongoing administrative and physical safeguards — none of which an external scanner can produce.
- Scorifya does not access, evaluate, or audit ePHI handling itself. If your patient portal authenticates users and serves ePHI behind login, the authenticated portion of that flow is outside the scope of an unauthenticated external scan and needs authenticated testing or code review of its own.
- Scan output is one piece of evidence; HIPAA compliance is determined by your privacy officer and security officer, not by any single tool.
Run a scan to produce evidence
Submit any URL you're authorized to test. The scan output (TLS posture, header coverage, DNS hygiene) is repeatable and dated. A single dated scan is point-in-time evidence that a control is in place; a series of scans across the review period is what supports operating effectiveness, which is the form of evidence auditors expect.