is a specialized auditing tool for the healthcare industry. Its goal is to provide a technical assessment of how well an application adheres to the HIPAA Security Rule, specifically focusing on the protection of Electronic Protected Health Information (ePHI).
When to Use
Architecture Reviews
Run during the design phase to ensure encryption and logging are planned.
Pre-Audit Self-Assessment
Use before a formal 3rd-party HIPAA audit to identify and fix low-hanging violations.
Infrastructure Changes
Run after modifying Terraform or Cloud scripts to ensure security groups or encryption haven't been compromised.
When NOT to Use
Real Patient Data
This tool should NOT be used on live databases containing PHI. It is for checking the
systems
that handle the data.
Legal Certification
Passing this audit does not mean you are "HIPAA Certified"; it means your technical configuration follows best practices.
Error Conditions and Edge Cases
Obfuscated Infrastructure
If cloud resources are created via manual console actions (ClickOps) instead of code, this tool cannot see them.
Custom Encryption
Proprietary or non-standard encryption methods may be flagged as warnings.
Security and Data-Handling Considerations
No PHI Access
The tool is designed to look at configurations, not data.
Local Analysis
Keep your infrastructure code local and run the scan within your trusted environment.