Know exactly where your HIPAA compliance fails — and how to fix it, with code.
A 51-point automated HIPAA compliance scan for any healthcare website — free. Pay once for the full report: rule-cited findings, plain-English explanations, pasteable developer fixes, and a side-by-side 2026 NPRM overlay. Delivered in 15 minutes. Built by engineers, priced for practices.
Four tiers. No discovery call. No subscription.
Every tier is a one-time payment for a one-time deliverable, generated in 15 minutes. Pick the level of depth you need. Scan is always free.
Cited Issues
- Every finding cited to 45 CFR §164
- Plain-English explanation per finding
- "Why an auditor flags it" paragraph
- Prioritized remediation list
- Printable HTML report + attestation checklist
- Not included: developer code
- Not included: NPRM overlay
- Not included: support call
Developer Fix Kit
- Everything in Cited Issues
- Stack-detected developer steps (Next.js, Apache, WordPress, etc.)
- Directly pasteable code fences per finding
- Real verification commands (curl / openssl / grep)
- Estimated minutes per fix
- Not included: NPRM overlay
- Not included: support call
NPRM Overview
- Everything in Cited Issues
- 2026 NPRM delta per finding
- "Current rule vs. 2026 rule" paragraphs
- Business-impact explanation per change
- Related NPRM changes you should know
- Not included: developer code
- Not included: support call
Full Compliance
- Cited Issues + plain-English explanations
- Developer Fix Kit with pasteable code
- 2026 NPRM overlay + business impact
- 60-day free support call (30-min working session)
- Attestation checklist ready for your OCR binder
- Print-to-PDF ready, keep forever
Scan any healthcare website in 30 seconds
No credit card. No sales call. We return your HIPAA score, 2026 NPRM score, finding counts, and the top five gaps. Buy the full report only if you want the fix.
What is your main website?
Start here. We'll run a passive 51-point HIPAA compliance scan and draft your cited report in under 15 minutes.
From scan to remediation, inside 15 minutes
Free 51-point scan
Enter your URL. We run a passive HIPAA Security Rule assessment — no login, no form submission, no patient data. Results in 30 seconds.
Pick a report tier
Cited Issues, Developer Fix Kit, NPRM Overview, or Full Compliance. Every tier cites 45 CFR §164 directly. Pay once.
AI-written report delivered
Groq-hosted LLM writes plain-English explanations, dev fixes with pasteable code, and NPRM overlays in under 15 minutes. Lives in your dashboard forever.
51 checks. Five categories. Every one cited to 45 CFR §164.
TLS version, HSTS, certificate health, redirect chains, mixed content, encryption-in-transit markers. 45 CFR §164.312(e)(1).
Notice of Privacy Practices present, CMS ACA disclosure, policy freshness, contact-point alignment. 45 CFR §164.520.
Content-Security-Policy, X-Frame-Options, CORS, wildcard origin, Referrer-Policy, server-version exposure. 45 CFR §164.308(a)(1).
MFA indicators, session cookie Secure/HttpOnly/SameSite, open registration exposure, rate-limit signals. 45 CFR §164.312(a)(2)(i).
phpinfo, EOL software banners, third-party trackers without a signed BAA, exposed logs, directory indexes. 45 CFR §164.312(b).
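As an added illustration of how the header-hardening and session-cookie checks listed above can be expressed as code (this is example code, not the product's scanner; the check ids, priorities, and both sample response heads are constructed for it), the following Python reads a raw response head of the kind `curl -sI https://example.com/` prints, runs the checks with the 45 CFR section bound to each one up front, and returns findings sorted P0, P1, P2. TLS version and certificate health are out of scope here because they need the handshake (`openssl s_client`), not the headers.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not the product's code. Check ids, priorities and the two
# sample heads at the bottom are constructed for illustration.


@dataclass(frozen=True)
class Finding:
    check_id: str
    citation: str   # bound when the check is registered, never chosen at report time
    priority: str   # P0 > P1 > P2, the order the remediation list is sorted in
    detail: str


# Rule section per category, as cited in the list above.
CITATIONS = {
    "transport": "45 CFR §164.312(e)(1)",
    "headers": "45 CFR §164.308(a)(1)",
    "session": "45 CFR §164.312(a)(2)(i)",
}

ONE_YEAR = 31_536_000  # seconds; the conventional minimum HSTS max-age


def parse_response_head(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 response head into the status line and an ordered
    list of (lower-cased name, value). Repeated Set-Cookie headers are kept."""
    lines = raw.strip("\r\n").splitlines()
    status = lines[0].strip()
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head; anything after is body
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def first(headers: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Value of the first header called `name`, or None if absent."""
    for n, v in headers:
        if n == name:
            return v
    return None


def cookie_attributes(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, attributes). Flag attributes such as Secure map to
    an empty string; keys and values are lower-cased for comparison."""
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    return cookie_name, attrs


def run_checks(raw_head: str) -> List[Finding]:
    """Run transport, header-hardening and session-cookie checks over one
    response head; return findings sorted P0 -> P1 -> P2."""
    _, headers = parse_response_head(raw_head)
    findings: List[Finding] = []

    # Transport: HSTS present and long-lived.
    hsts = first(headers, "strict-transport-security")
    if hsts is None:
        findings.append(Finding("hsts-missing", CITATIONS["transport"], "P1",
                                "No Strict-Transport-Security header"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append(Finding("hsts-short", CITATIONS["transport"], "P2",
                                    f"HSTS max-age below one year: {hsts}"))

    # Header hardening: CSP, framing, CORS wildcard, referrer leakage, version banner.
    csp = first(headers, "content-security-policy")
    if csp is None:
        findings.append(Finding("csp-missing", CITATIONS["headers"], "P1",
                                "No Content-Security-Policy header"))
    if first(headers, "x-frame-options") is None and "frame-ancestors" not in (csp or ""):
        findings.append(Finding("framing-unrestricted", CITATIONS["headers"], "P2",
                                "Neither X-Frame-Options nor CSP frame-ancestors is set"))
    if first(headers, "access-control-allow-origin") == "*":
        findings.append(Finding("cors-wildcard", CITATIONS["headers"], "P1",
                                "Access-Control-Allow-Origin: * (any site may read responses)"))
    if first(headers, "referrer-policy") is None:
        findings.append(Finding("referrer-policy-missing", CITATIONS["headers"], "P2",
                                "No Referrer-Policy; page URLs may leak to third parties"))
    server = first(headers, "server")
    if server and re.search(r"\d+\.\d+", server):
        findings.append(Finding("server-version-exposed", CITATIONS["headers"], "P2",
                                f"Server header discloses a version: {server}"))

    # Session cookies: Secure, HttpOnly and a restrictive SameSite on each one.
    for set_cookie in (v for n, v in headers if n == "set-cookie"):
        name, attrs = cookie_attributes(set_cookie)
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if attrs.get("samesite") not in ("lax", "strict"):
            missing.append("samesite=lax|strict")
        if missing:
            findings.append(Finding("cookie-flags", CITATIONS["session"], "P1",
                                    f"Cookie {name!r} lacks {', '.join(missing)}"))

    order = {"P0": 0, "P1": 1, "P2": 2}
    return sorted(findings, key=lambda f: order[f.priority])  # stable sort keeps check order


# Constructed sample heads (not captured from any real site).
WEAK_HEAD = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=abc123; Path=/
Access-Control-Allow-Origin: *
"""

HARDENED_HEAD = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: session=opaque-token; Path=/; Secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    for head in (WEAK_HEAD, HARDENED_HEAD):
        found = run_checks(head)
        print(f"{len(found)} finding(s)")
        for f in found:
            print(f"  [{f.priority}] {f.check_id:<24} {f.citation}  {f.detail}")
```

Run as a script, the weak head yields seven findings (four P1, three P2) and the hardened head none. The design point worth copying is that the citation lives on the check, not in the report writer: whatever generates the plain-English explanation only ever sees a finding that already carries its rule section, so it has no opportunity to invent one.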
"Best $899 I've spent on the practice in years."
Covered entities and business associates across the US — from solo practices to 23-location groups — use the same $899 report that replaces $15,000 consultancy engagements.
"We paid $47K to a compliance consultant last year and the final deliverable was a PDF that barely mentioned our website. This $899 report named every gap, wrote the fix, and flagged two NPRM changes the consultant missed entirely."
"Our OCR audit prep went from 'six more months of panic' to 'we already know the gaps and who owns each one.' The attestation checklist alone saved our security officer three full days."
"I handed the developer fix kit to my team on a Monday. By Friday, ten of the twelve findings were shipped. The verification commands are the move — I just ran them and closed the Jira tickets."
"A local firm quoted me $12,400 for the same report. I got this one in 15 minutes for $899 and it was more specific. I still cannot believe the price."
"The NPRM overlay caught three things our existing HIPAA vendor had not even mentioned yet — including the encryption-at-rest change for backups. We fixed it before the deadline hits."
"I run HIPAA compliance for 14 covered-entity clients. This is now the first thing I order when a new client signs on. The rule citations mean I stop arguing with engineers about whether something 'counts.'"
"Our engineering leads laughed when I said 'fifteen minutes.' They stopped laughing when the report hit the shared channel with pasteable fixes. Ten days later we had a clean rescan."
"Best $899 I have spent on the practice in years. I now keep a printed copy in the binder the OCR expects to see. That sentence sells itself."
The HIPAA Security Rule is about to get teeth. Here's what changes.
In December 2024, HHS announced the first major overhaul of the HIPAA Security Rule in more than a decade, and the Notice of Proposed Rulemaking was published in the Federal Register in January 2025 (the "2026 NPRM" in our reports). The proposal removes the distinction between "required" and "addressable" implementation specifications, the loophole that let covered entities skip controls they deemed impractical: every safeguard becomes required. Once the rule is finalized, every covered entity and business associate has roughly until January 2027 to prove compliance.
Our Tier 3 and Tier 4 reports overlay every finding against the proposed rule. You see two grades: where you stand today, and where you'll stand on day one of the final rule.
- MFA mandatory: every account that touches ePHI needs multi-factor authentication. No exceptions, no "addressable" carve-outs.
- Encryption at rest: all ePHI at rest must be encrypted using a NIST-approved algorithm, backups included.
- Biennial penetration tests: every two years, by a qualified party. Must be documented and findings remediated.
- Six-month vulnerability scans: twice a year, automated scans must run and findings must be tracked to closure.
- Written incident response plan: documented, tested, and reviewed annually with executive sign-off.
- 72-hour notification chain: business associates must notify covered entities within 24 hours; covered entities notify HHS within 60 days. Chain-of-custody documentation required.
Every rule we score against, in one place.
Search the full HIPAA Security + Privacy + Breach Notification catalog, with the 2026 NPRM deltas flagged inline. The scoring algorithm is ours — the rules are yours to study.
HIPAA regulations, searchable.
The full catalog we cite in every report. The scoring algorithm that applies these to your site is our IP — the rules themselves are public.
| Rule | Title | Category | Today |
|---|---|---|---|
| §164.308(a)(1)(i) | Security Management Process | administrative | required |
| §164.308(a)(3) | Workforce Security | administrative | required |
| §164.308(a)(4) | Information Access Management | administrative | required |
| §164.308(a)(5) | Security Awareness & Training | administrative | addressable |
| §164.308(a)(7)(ii)(A) | Data Backup Plan | administrative | required |
| §164.308(a)(8) | Evaluation | administrative | required |
| §164.310(a)(1) | Facility Access Controls | physical | required |
| §164.310(d)(1) | Device & Media Controls | physical | required |
| §164.312(a)(1) | Access Control | technical | required |
| §164.312(a)(2)(iv) | Encryption & Decryption | technical | addressable |
| §164.312(b) | Audit Controls | technical | required |
| §164.312(c)(1) | Integrity | technical | required |
| §164.312(d) | Person or Entity Authentication | technical | required |
| §164.312(e)(1) | Transmission Security | technical | required |
| §164.312(e)(2)(ii) | Encryption (Transmission) | technical | addressable |
| §164.404 | Notification to Individuals (Breach) | breach notification | required |
| §164.408 | Notification to HHS (Breach) | breach notification | required |
| §164.410 | Notification by Business Associate | breach notification | required |
| §164.502 | Uses and Disclosures (Privacy Rule) | privacy | required |
| §164.520 | Notice of Privacy Practices | privacy | required |
Scoring weights + cross-check logic are proprietary. Every report in our Tier catalog cites back to this table.
This product is a case study of 0nCore tech
We built a working 63-check HIPAA scanner with AI-written reports, four-tier pricing, magic-link delivery, and 2026 NPRM overlay — in four weeks with one engineer. The orchestration layer is 0nMCP, the customer portal is 0nCore, and the AI generation pipeline is the same one we ship to enterprise customers.
63 tools, 60-second reports
Each HIPAA check is registered as an MCP tool with its 45 CFR rule section pre-bound. Claude translates findings to plain English — never invents citations. Result: zero rule-section hallucinations across 1,400+ reports.
Pipeline → Assembly Line → Radial Burst
Patent-pending orchestration shape: the scanner runs sequentially, the orchestrator fans out to 12 parallel workers per finding, then merges the results. AI generation across all 63 findings takes 8 to 12 seconds of wall-clock time.
Stripe + Resend + Supabase + Spectra Assure
Every external service is one config block in ~/.0n/connections/. Adding new providers (Slack alerts, GitHub issues, vulnerability feeds) is a single registry entry — not a new integration sprint.
+6 software supply chain checks
Spectra Assure (secure.software) Community API integration adds malware, CVE, embedded-secret, tampering, license-compliance, and SBOM checks, mapped to 45 CFR §164.308(a)(1)(ii)(A) (Risk Analysis) as evidence.
Executive 0–100 score across 5 domains
Tier 4 reports add a weighted 0-100 score: Authentication 30%, Encryption 20%, Web Privacy 20%, Integrity 20%, Resilience 10%. MFA factors are weighted FIDO2/WebAuthn = 1.0, TOTP = 0.7, SMS = 0.3 (SMS scores lowest because NIST SP 800-63B classes SMS one-time codes as a restricted authenticator). A total of 85 or above is graded COMPLIANT, and findings are auto-sorted into a P0, P1, P2 remediation roadmap.
If you can describe an outcome, 0nMCP can ship it
We built this in 4 weeks. With 0nMCP you can do the same — for any compliance, any vertical, any outcome. Stop building workflows. Start describing outcomes.
Build your own with 0nCore
How the engine works
Three technical deep dives + four 0nMCP fundamentals. Read the build log, the regulatory context, and the architecture.
How We Built a HIPAA Compliance Scanner in 4 Weeks Using 0nMCP
The full build log: 63 checks, four pricing tiers, $149-$899, magic-link delivery — and the architecture decisions that made it ship in a month.
HIPAA 2026 NPRM: 17 New Security Rule Requirements
Mandatory MFA, encryption at rest, immutable audit logs, 72-hour DR testing — every new requirement cited to 45 CFR with website-level remediation.
Inside the Engine: How 0nMCP Generates HIPAA Reports in 60 Seconds
Tool registration, citation locking, parallel Radial Burst generation, stack-aware fix routing, and three-tier provider failover.
What is MCP? The Model Context Protocol Explained
A primer on Model Context Protocol — the standard underlying everything in this product, from tool registration to provider routing.
How to Build an AI Employee Using MCP and Claude
Same orchestration patterns we used here, generalized: stand up an autonomous AI worker that runs scheduled tasks across your tooling.
Setting Up Automated CRM Workflows with 0nMCP in Under 15 Minutes
The same MCP tool-registration pattern that drives HIPAA report generation — applied to CRM workflow automation.
Every question a compliance officer has asked us
If yours isn't here, reply to any email from us. We answer within an hour during business hours.
Stop paying consultants for PDFs.
Get a real HIPAA remediation report today.
Free scan. $149 for the cited report. $899 for everything — code, NPRM overlay, support call. Delivered in 15 minutes.