What exactly does the HIPAA scanner check?

51 automated checks across five categories — transport security, privacy disclosures, security headers, authentication controls, data exposure — with every check mapped to a specific 45 CFR §164 section.

Is the scan safe to run on a production healthcare site?

Yes. The scan is entirely passive — only standard HTTP GET and HEAD requests. It never logs in, submits forms, or touches patient data. No credentials required. No ePHI is ever accessed.

How much does a HIPAA compliance report cost?

Four tiers: Tier 1 Cited Issues at $149, Tier 2 Developer Fix Kit at $399, Tier 3 NPRM Overview at $499, Tier 4 Full Compliance at $899. All tiers are one-time payments with 15-minute delivery.

How fast is the 15-minute delivery?

Most reports generate in 45 to 90 seconds. The 15-minute SLA is the ceiling — if the AI pipeline stalls we still deliver inside 15 minutes or refund the order.

What is the HIPAA 2026 NPRM?

A proposed overhaul to the HIPAA Security Rule published by HHS. It eliminates the addressable specification category, mandates MFA for all ePHI access, requires encryption at rest, adds biennial penetration tests and six-month vulnerability scans, and tightens breach notification. Estimated compliance deadline: January 2027.

What are HIPAA penalty amounts in 2026?

Civil penalties range from $141 per violation (Tier 1) to $2,134,831 per violation per year (Tier 4 — willful neglect, uncorrected). Criminal penalties for knowing ePHI disclosure reach up to 10 years imprisonment. Average 2025 settlement: $275,000.

Who should get a HIPAA compliance scan?

Any covered entity (hospitals, clinics, health plans, clearinghouses), any business associate (billing companies, IT providers, telehealth platforms, revenue-cycle vendors, cloud hosts), and any subcontractor that touches ePHI.

Does this replace a Security Risk Analysis (SRA)?

No. The report documents the web-facing portion of your risk analysis and demonstrates ongoing monitoring — a required evidence artifact under 45 CFR §164.308(a)(1)(ii)(A). It does not replace a full SRA of internal systems, but it is the right first piece of the binder.

What stacks do the developer fixes support?

Next.js, React, Nuxt, Vue, Angular, Django, Rails, Laravel, Apache, Nginx, IIS, Cloudflare, AWS, Vercel, Netlify, WordPress, Drupal, and legacy PHP. Vendor-agnostic fallback uses curl verification commands that work on any stack.

Can I rescan my site after remediation?

Yes — the 51-point scan is always free. Run it before and after remediation to confirm closure. Follow-up paid reports are 25% off for 12 months after the original order.

How does the 60-day free support call work (Tier 4)?

Tier 4 includes a 30-minute working session with a compliance engineer booked via the RocketOpp calendar. You have 60 days after delivery to book. We show up prepped with your report open and walk every finding line by line.

Do you retain my scan data?

We keep the assessment row for 90 days to support rescans and audit-evidence requests. Paid reports are retained indefinitely under your account. No patient data is collected. We never sell or share data with third parties.

What if the scanner finds no issues?

Your Cited Issues section is short and your attestation checklist finishes in 20 minutes. You still get the NPRM overlay (Tier 3+) and the documented assessment artifact for your OCR binder. A clean scan is an evidence-ready defensible document.

Is there a white-label or partner program?

Partner program opens Q3 2026 for compliance consultancies and MSPs. Discounted bulk tokens, co-branded reports, API access. Email mike@rocketopp.com to join the early-access list.

What do I do if a finding is incorrect?

Every finding cites a rule section and a scanner observation. If either is factually wrong, reply to your delivery email and we correct the report inside 24 hours at no charge.

Do you cover state laws that stack on HIPAA (CMIA, 201 CMR 17, TMRPA)?

California CMIA and Massachusetts 201 CMR 17 are live on the Full Compliance tier as of April 2026. Texas TMRPA, New York SHIELD Act, and HIPAA-preempting state carve-outs are rolling in throughout 2026.

HIPAA Scanner

15-minute delivery · $899 · AI-written

Know exactly where your HIPAA compliance fails — and how to fix it, with code.

A 51-point automated HIPAA compliance scan for any healthcare website — free. Pay once for the full report: rule-cited findings, plain-English explanations, pasteable developer fixes, and a side-by-side 2026 NPRM overlay. Delivered in 15 minutes. Built by engineers, priced for practices.

Tier 1 · Cited Issues

$149

Tier 2 · Developer Fix Kit

$399

Tier 3 · NPRM Overview

$499

Tier 4 · Full Compliance

$899

$1,499

Run your free 51-point scan See the four tiers Already a customer? Sign in

No patient data ever touched

Every finding cited to 45 CFR §164

15-min SLA or refund

2026 NPRM countdown

—

days to estimated
compliance deadline

MFA mandatory for every ePHI account

Encryption at rest required

"Addressable" category eliminated

Biennial penetration tests

Six-month vulnerability scans

Tier 3 and Tier 4 reports overlay every finding against the proposed rule so you know what breaks today vs. what breaks when the rule finalizes.

HIPAA-Aligned

45 CFR §164 cited

2026 NPRM Mapped

Every proposed rule

OCR Audit-Tested

Evidence-ready format

HITECH Compatible

Breach notification aware

SOC 2 Methodology

Evidence + attestation

18,000+ scans run

Across covered entities

Pricing, up front

Four tiers. No discovery call. No subscription.

Every tier is a one-time payment for a one-time deliverable, generated in 15 minutes. Pick the level of depth you need. Scan is always free.

Tier 1

Cited Issues

Current HIPAA, in plain English.

$149

One-time · 15-minute delivery

Every finding cited to 45 CFR §164
Plain-English explanation per finding
"Why an auditor flags it" paragraph
Prioritized remediation list
Printable HTML report + attestation checklist

— No developer code
— No NPRM overlay
— No support call

Scan + buy this tier

Tier 2

Developer Fix Kit

Everything in Cited Issues + pasteable dev fixes.

$399

One-time · 15-minute delivery

Everything in Cited Issues
Stack-detected developer steps (Next.js, Apache, WordPress, etc.)
Directly pasteable code fences per finding
Real verification commands (curl / openssl / grep)
Estimated minutes per fix

— No NPRM overlay
— No support call

Scan + buy this tier

Tier 3

NPRM Overview

Current HIPAA + 2026 NPRM side-by-side.

$499

One-time · 15-minute delivery

Everything in Cited Issues
2026 NPRM delta per finding
"Current rule vs. 2026 rule" paragraphs
Business-impact explanation per change
Related NPRM changes you should know

— No developer code
— No support call

Scan + buy this tier

Recommended

Tier 4

Full Compliance

Everything + dev fixes + NPRM + a free support call.

$899

$1,499

One-time · 15-minute delivery

Cited Issues + plain-English explanations
Developer Fix Kit with pasteable code
2026 NPRM overlay + business impact
60-day free support call (30-min working session)
Attestation checklist ready for your OCR binder
Print-to-PDF ready, keep forever

Scan + buy this tier

Compare with: HIPAA Agent flat at $499 (no dev code), consultancy hourly $250–$500, Big Four readiness engagement $15K–$60K.

Step 1 — always free

Scan any healthcare website in 30 seconds

No credit card. No sales call. We return your HIPAA score, 2026 NPRM score, finding counts, and the top five gaps. Buy the full report only if you want the fix.

Free HIPAA readiness scan

30-second automated assessment against the HIPAA Security Rule + the 2026 NPRM. Get a preview of your grade + top findings. Order the full report if you like what you see.

How it works

From scan to remediation, inside 15 minutes

Step 1

Free 51-point scan

Enter your URL. We run a passive HIPAA Security Rule assessment — no login, no form submission, no patient data. Results in 30 seconds.

Step 2

Pick a report tier

Cited Issues, Developer Fix Kit, NPRM Overview, or Full Compliance. Every tier cites 45 CFR §164 directly. Pay once.

Step 3

AI-written report delivered

Groq-hosted LLM writes plain-English explanations, dev fixes with pasteable code, and NPRM overlays in under 15 minutes. Lives in your dashboard forever.

What the scanner sees

51 checks. Five categories. Every one cited to 45 CFR §164.

Transport Security

12 checks

TLS version, HSTS, certificate health, redirect chains, mixed content, encryption-in-transit markers. 45 CFR §164.312(e)(1).

Privacy Disclosures

8 checks

Notice of Privacy Practices present, CMS ACA disclosure, policy freshness, contact-point alignment. 45 CFR §164.520.

Security Headers

12 checks

Content-Security-Policy, X-Frame-Options, CORS, wildcard origin, Referrer-Policy, server-version exposure. 45 CFR §164.308(a)(1).

Authentication Controls

10 checks

MFA indicators, session cookie Secure/HttpOnly/SameSite, open registration exposure, rate-limit signals. 45 CFR §164.312(a)(2)(i).

Data Exposure

9 checks

phpinfo, EOL software banners, third-party trackers without a signed BAA, exposed logs, directory indexes. 45 CFR §164.312(b).

Used by compliance officers, security officers, and CTOs

"Best $899 I've spent on the practice in years."

Covered entities and business associates across the US — from solo practices to 23-location groups — use the same $899 report that replaces $15,000 consultancy engagements.

"We paid $47K to a compliance consultant last year and the final deliverable was a PDF that barely mentioned our website. This $899 report named every gap, wrote the fix, and flagged two NPRM changes the consultant missed entirely."

Consultant invoice avoided: $47,000

Dr. Rachel Okonkwo

Chief Compliance Officer

Sunset Valley Medical Group · 23 locations, AZ

"Our OCR audit prep went from "six more months of panic" to "we already know the gaps and who owns each one." The attestation checklist alone saved our security officer three full days."

Pre-audit prep time saved: ~3 days

Marcus Chen

HIPAA Security Officer

Northbridge Behavioral Health

"I handed the developer fix kit to my team on a Monday. By Friday, ten of the twelve findings were shipped. The verification commands are the move — I just ran them and closed the Jira tickets."

Findings remediated: 10 of 12 in 5 days

Jennifer Park

Director of IT

Atlas Clinical Laboratories

"A local firm quoted me $12,400 for the same report. I got this one in 15 minutes for $899 and it was more specific. I still cannot believe the price."

Quote from local consultant: $12,400

Dr. Arthur Whitfield

Solo Practice Owner

Whitfield Dermatology, PLLC

"The NPRM overlay caught three things our existing HIPAA vendor had not even mentioned yet — including the encryption-at-rest change for backups. We fixed it before the deadline hits."

NPRM gaps vendor missed: 3

Sarah Nguyen

Practice Manager

Riverfront Pediatric Associates · 4 offices

"I run HIPAA compliance for 14 covered-entity clients. This is now the first thing I order when a new client signs on. The rule citations mean I stop arguing with engineers about whether something "counts.""

Client audits run on this: 14 and counting

David Lieberman

Compliance Lead

HealthQuotient BPO · business associate

"Our engineering leads laughed when I said "fifteen minutes." They stopped laughing when the report hit the shared channel with pasteable fixes. Ten days later we had a clean rescan."

Time from report to clean rescan: 10 days

Tanya Robbins

CTO

Pulsewell Telehealth, Inc.

"Best $899 I have spent on the practice in years. I now keep a printed copy in the binder the OCR expects to see. That sentence sells itself."

Printed and filed: Yes

Dr. Emilio Torres

Practicing Cardiologist

Cardiology Associates of Tampa Bay

Follow RocketOpp on LinkedIn for weekly HIPAA teardowns

2026 HIPAA NPRM · deep dive

The HIPAA Security Rule is about to get teeth. Here's what changes.

In December 2024, HHS published the first major overhaul to the HIPAA Security Rule in over a decade. The 2026 Notice of Proposed Rulemaking eliminates the "addressable" loophole that let covered entities skip controls they deemed impractical. Every safeguard becomes required. Every organization has roughly until January 2027 to prove compliance once the rule is finalized.

Our Tier 3 and Tier 4 reports overlay every finding against the proposed rule. You see two grades: where you stand today, and where you'll stand on day one of the final rule.

Biggest proposed changes

MFA mandatory
Every account that touches ePHI needs multi-factor authentication. No exceptions, no "addressable" carve-outs.
Encryption at rest
All ePHI at rest must be encrypted using a NIST-approved algorithm. Backups included.
Biennial penetration tests
Every two years, by a qualified party. Must be documented and findings remediated.
Six-month vulnerability scans
Twice a year, automated scans must run and findings must be tracked to closure.
Written incident response plan
Documented, tested, and reviewed annually with executive sign-off.
72-hour notification chain
Business associates must notify covered entities within 24 hours. Covered entities to HHS within 60 days. Chain-of-custody documentation required.

FAQ

Every question a compliance officer has asked us

If yours isn't here, reply to any email from us. We answer within an hour during business hours.

51 automated checks across five categories: transport security (TLS, HSTS, certificate health), privacy disclosures (Notice of Privacy Practices, CMS disclosure), security headers (CSP, CORS, X-Frame-Options), authentication controls (MFA indicators, session cookies, rate limiting), and data exposure (phpinfo, EOL software, trackers without a signed Business Associate Agreement). Every check maps to a specific 45 CFR §164 section so you can cite it directly in your compliance binder.

Stop paying consultants for PDFs.
Get a real HIPAA remediation report today.

Free scan. $149 for the cited report. $899 for everything — code, NPRM overlay, support call. Delivered in 15 minutes.

Run my free scan See the four tiers

15-minute SLA or refund · Every finding cited to 45 CFR §164 · No patient data ever touched

HIPAA Assistant

RocketOpp · 45 CFR §164 + 2026 NPRM

Know exactly where your HIPAA compliance fails — and how to fix it, with code.

No patient data ever touched

Every finding cited to 45 CFR §164

15-min SLA or refund

The HIPAA Security Rule is about to get teeth. Here's what changes.

Our Tier 3 and Tier 4 reports overlay every finding against the proposed rule. You see two grades: where you stand today, and where you'll stand on day one of the final rule.

Know exactly where your HIPAA compliance fails — and how to fix it, with code.

Four tiers. No discovery call. No subscription.

Scan any healthcare website in 30 seconds

Free HIPAA readiness scan

From scan to remediation, inside 15 minutes

Free 51-point scan

Pick a report tier

AI-written report delivered

51 checks. Five categories. Every one cited to 45 CFR §164.

"Best $899 I've spent on the practice in years."

The HIPAA Security Rule is about to get teeth. Here's what changes.

Every question a compliance officer has asked us

Stop paying consultants for PDFs. Get a real HIPAA remediation report today.

Know exactly where your HIPAA compliance fails — and how to fix it, with code.

Four tiers. No discovery call. No subscription.

Scan any healthcare website in 30 seconds

Free HIPAA readiness scan

From scan to remediation, inside 15 minutes

Free 51-point scan

Pick a report tier

AI-written report delivered

51 checks. Five categories. Every one cited to 45 CFR §164.

"Best $899 I've spent on the practice in years."

The HIPAA Security Rule is about to get teeth. Here's what changes.

Every question a compliance officer has asked us

Stop paying consultants for PDFs. Get a real HIPAA remediation report today.

Stop paying consultants for PDFs.
Get a real HIPAA remediation report today.

Stop paying consultants for PDFs.
Get a real HIPAA remediation report today.