Deep HIPAA Security Rule audit — maps code to Administrative, Physical, and Technical safeguards for ePHI protection.
Paste your code below and results will stream in real time. Each finding includes severity ratings, line references, and fix suggestions. You can export the report as Markdown or JSON.
Your code is analyzed and discarded — it is not stored on our servers.
Workspace Prep Prompt
Paste this into your preferred code assistant (Claude, Cursor, etc.). It will structure your code into the ideal format for this audit — then paste the result here.
I'm preparing for a **HIPAA Security Rule** code-level assessment. Please help me collect the relevant files.

## HIPAA context (fill in)

- Entity type: [e.g. covered entity, business associate, subcontractor]
- ePHI types handled: [e.g. patient records, lab results, billing data, appointment schedules]
- Infrastructure: [e.g. AWS with BAA, GCP Healthcare API, Azure with HIPAA BAA]
- Current HIPAA status: [e.g. "first risk assessment", "post-breach remediation", "annual review"]
- Known concerns: [e.g. "not sure what counts as ePHI", "audit logs incomplete", "no emergency access procedure"]

## Files to gather

### 1. ePHI data handling

- Patient/health record models and database schemas
- API routes that read, write, or transmit ePHI
- Data serialization — what fields appear in API responses
- PHI de-identification or anonymization logic

### 2. Access control and encryption

- Authentication (login, session, MFA) and authorization (RBAC)
- Automatic logoff / session timeout configuration
- Encryption at rest (AES-256) and in transit (TLS config)
- Key management (generation, storage, rotation)

### 3. Audit controls and integrity

- Audit logging — who accessed what ePHI and when
- Log storage, retention, and tamper detection
- Data validation and integrity verification
- Backup and recovery procedures

Keep total under 30,000 characters.
Audit history is stored in your browser's localStorage as unencrypted text. Do not submit proprietary credentials or sensitive data.
Security
Identifies vulnerabilities, attack surfaces, and insecure patterns — the issues that cause breaches.
SQL Auditor
Finds injection risks, N+1 queries (database calls that multiply with data size), missing indexes, and transaction issues.
Privacy / GDPR
Checks code and data flows for PII exposure, consent gaps, and GDPR/CCPA compliance.
Dependency Security
Scans for CVEs, outdated packages, license risks, and supply-chain vulnerabilities.
Auth & Session Review
Deep-dives on authentication flows, JWT (JSON Web Token) and session handling, OAuth, and credential security.