What is the HIPAA Agent API?

The HIPAA Agent API is a compliance-as-a-service platform that lets developers run HIPAA compliance scans, retrieve grades, generate reports, and manage compliance artifacts programmatically. It supports REST, MCP (Model Context Protocol), JSON-RPC 2.0, and Google A2A protocols.

How much does the HIPAA Agent API cost?

HIPAA Agent offers a free developer tier with 500 credits and no credit card required. Consumer plans: Free HIPAA Agent Compliance Score™ ($0), HIPAA Audit & Attestation Report ($499 one-time), and Concierge HIPAA Compliance ($299/month billed annually, $3,588/year). API credits are consumed per tool call (25-500 credits depending on the tool).

What is the MCP Server?

The MCP (Model Context Protocol) Server exposes 36 HIPAA compliance tools that AI assistants like Claude, ChatGPT, and Cursor can call directly. It runs at POST /api/mcp using Streamable HTTP transport with per-tool credit billing.

How do I get an API key?

Sign up at hipaaagent.ai/developers to get a free API key instantly. The key format is ha_... and is passed via the X-API-Key header. No credit card required. You get 500 free credits — enough for 3 full scans or 20 tool calls.

What protocols does the API support?

HIPAA Agent supports four protocols: REST API (POST /api/a2a with 16 task types), MCP Server (POST /api/mcp with 36 tools), JSON-RPC 2.0 (26 batch-capable methods via POST /api/a2a), and Google A2A protocol for agent-to-agent task delegation.

HIPAA Agent

Display Settings

Developers & Enterprise

Integrate HIPAA Compliance
Into Your Workflow via API

Pull the HIPAA Agent Compliance Score™ for any US healthcare provider by NPI. Grade lookups, compliance scans, AI reports, policy generation, training programs, and more.

REST API, MCP Server, A2A Protocol. NPI is the universal key. Metered pricing.

View Pricing ↓View Docs

API & Enterprise Pricing

Three tracks. NPI is the universal key.

FREE

Free Tier

500 credits. No credit card. Get your key in 30 seconds.

Grade Lookup25 credits

Breach Check25 credits

Findings List25 credits

Threat Intel25 credits

Full Scan + Report150 credits

Need more? See our Startup Program

TRACK 1

Per-Check API

On-demand compliance data for insurance, legal, and agent integrations.

Grade Lookup$25/check

Breach Check$25/check

Findings Retrieval$25/check

Full Compliance Scan + Report$150/check

Security Risk Assessment$500/check

$5,000 annual minimum (credited against usage)

Request API Access

TRACK 2

MSP / Reseller

Manage HIPAA compliance for your client portfolio.

Standard1–24 practices

$179/practice/mo

Professional25–99 practices

$129/practice/mo

includes white-label

Enterprise100+ practices

$99/practice/mo

includes white-label + portfolio reports

SRA Batch Onboarding

1–24 practices$350/each

25–99 practices$250/each

100+ practices$150/each

Contact Sales

TRACK 3

Consumer Plans

Direct plans for individual healthcare practices.

Free HIPAA Agent Compliance Score™$0

83-tool scan, HIPAA Agent Compliance Score™, top 3 findings, free 30-minute consultation.

HIPAA Audit & Attestation Report$499 one-time

22-page signed report with attestation page, audit response readiness, SHA-256 integrity hash. Ready for OCR, insurers, and BAA partners.

Concierge HIPAA Compliance$299/mo billed annually

Everything — monthly scanning, 24 policies, staff training, BAA management, evidence packages, weekly intelligence, annual SRA, unlimited audit reports, GPT access. $3,588/year via PayPal invoice.

View Plans

Authentication

Get a free API key instantly above, or contact compliance@hipaaagent.ai for enterprise keys. Include your key in every request via the X-API-Key header. Keys are tied to your billing account.

Rate Limits

Standard: 60 requests/minute. Bulk tier: 600 requests/minute. Rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset) included in every response.

Code Examples

cURLGrade lookup

curl -X GET "https://hipaaagent.ai/v1/a2a/grade/1234567890" \
  -H "X-API-Key: your_api_key" \
  -H "Content-Type: application/json"

# Response
# "compliance_score" = HIPAA Agent Compliance Score™ (0-100)
# "grade" = HIPAA Agent Compliance Score™ letter grade (A-F)
{
  "npi": "1234567890",
  "practice_name": "Sacramento Family Dental",
  "compliance_score": 72,
  "grade": "C",
  "categories": {
    "email_security": { "score": 45, "weight": 35 },
    "application_security": { "score": 82, "weight": 13 },
    "privacy_compliance": { "score": 90, "weight": 10 }
  },
  "scan_date": "2026-02-28T09:14:34Z"
}

PythonScan dispatch + async polling

import requests

API_KEY = "your_api_key"
BASE = "https://hipaaagent.ai/v1/a2a"

# Dispatch a full compliance scan
resp = requests.post(
    f"{BASE}/scans/dispatch",
    headers={"X-API-Key": API_KEY},
    json={
        "npi": "1234567890",
        "scan_type": "full",
        "callback_url": "https://your-app.com/webhook"
    }
)

# 202 Accepted — async scan dispatched
data = resp.json()
# {
#   "status": "accepted",
#   "job_id": "job_7f3a9bc1d92e",
#   "poll_url": "/v1/a2a/jobs/job_7f3a9bc1d92e",
#   "estimated_duration_ms": 45000
# }

# Poll for completion
import time
while True:
    job = requests.get(
        f"{BASE}/../v1/a2a/jobs/{data['job_id']}",
        headers={"X-API-Key": API_KEY}
    ).json()
    if job["status"] == "completed":
        # grade = HIPAA Agent Compliance Score™ letter grade (A-F)
        print(f"Grade: {job['result']['grade']}")
        break
    time.sleep(5)

Webhooks: All async endpoints accept an optional callback_url. When the job completes, we POST the full result to your webhook endpoint.

Node.jsGrade lookup

const response = await fetch('https://hipaaagent.ai/v1/a2a/grade/1234567890', {
  headers: { 'X-API-Key': process.env.HIPAA_AGENT_API_KEY }
});
// compliance_score = HIPAA Agent Compliance Score™ (0-100)
// grade = HIPAA Agent Compliance Score™ letter grade (A-F)
const { grade, compliance_score, categories } = await response.json();
console.log(`Grade: ${grade} (${compliance_score}/100)`);

Internal Network Scanner

Deploy a local agent inside your network. 12-phase scan covers encryption, MFA, segmentation, asset inventory, and more. Results merge with your external scan for a unified compliance grade.

Deploy

Install the scanner on any machine inside the network.

Scan

12-phase internal scan: ports, encryption, MFA, segmentation, patches, backups, ePHI flow.

Results

Automatic upload to HIPAA Agent. Combined with external scan for unified compliance grade.

# Request a deploy token via API
curl -X POST "https://hipaaagent.ai/v1/a2a/network/deploy/YOUR_NPI" \
  -H "X-API-Key: your_api_key"

# Install and run the scanner
npx @hipaaagent/network-scanner --key DEPLOY_TOKEN

# Or install globally
npm install -g @hipaaagent/network-scanner
hipaa-scan register --api-key DEPLOY_TOKEN
hipaa-scan scan

May 2026 HIPAA Security Rule Coverage

Combined external + internal scanning verifies all 13 requirements.

Encryption at rest verification

§164.312(a)(2)(iv)

Multi-factor authentication

§164.312(d)

Network segmentation analysis

§164.312(a)(1)

Asset inventory & classification

§164.310(d)(1)

Patch management & EOL detection

§164.308(a)(5)(ii)(B)

Backup & 72-hour restore readiness

§164.308(a)(7)(ii)(A)

ePHI data flow mapping

§164.312(e)(1)

Vulnerability scanning (external)

§164.308(a)(8)

Security risk assessment

§164.308(a)(1)(ii)(A)

Policy documentation (24 policies)

§164.316(b)(1)

Staff training verification

§164.308(a)(5)(i)

BAA management & tracking

§164.308(b)(1)

Audit trail with SHA-256 hashing

§164.312(b)

Blockchain-anchored audit proof (Base L2)

§164.312(b)

Integration Protocols

REST API

Primary

Primary integration method. JSON request/response, API key authentication, metered billing. Full spec at /openapi-a2a.yaml. View →

MCP Server

AI Native

Model Context Protocol for Claude, ChatGPT, and custom AI assistants. Expose compliance tools natively.

A2A Protocol

Agent Economy

Google Agent-to-Agent protocol for direct machine-to-machine compliance task delegation.

Agent Card

Discovery

Discoverable at /.well-known/agent-card.json. Describes capabilities, pricing, and rate limits for agent discovery. See our agent card for machine-readable capability discovery. View →

Blockchain Verification

Trustless

Daily SHA-256 root hash of all audit events anchored on Base (Ethereum L2). Verify compliance records independently on Basescan — no trust required. View →

Engineering BlogMarch 9, 2026

HIPAA Agent is Now Agent-Ready: How AI Agents Can Automate Healthcare Compliance

HIPAA compliance fails because it demands sustained human attention across dozens of tasks. AI agents don't forget, don't miss deadlines, and don't get distracted. REST API, MCP Server, A2A Protocol — three integration paths for the agent economy.

Read the full post →

Built For

MSPs

Monitor 100+ clinics from one API. Trigger scans, pull grades, generate reports for your entire client base programmatically.

Insurance

Automate underwriting compliance checks. Pull compliance grades and breach history for any practice by NPI before binding a policy.

DSOs

Standardize compliance across locations. Run scans across every practice in your organization and track remediation centrally.

EHR Vendors

Embed compliance into onboarding. When a new practice joins your EHR, trigger a compliance scan and surface their grade inside your product.

Compliance Consultants

White-label compliance infrastructure. Run scans, generate policies, and deliver evidence packages under your brand for your entire client portfolio.

Legal & M&A

Due diligence automation. Pull compliance grades, breach history, and risk assessments for acquisition targets or litigation support.

JSON-RPC 2.0 Adapter

The A2A endpoint at POST /api/a2a accepts both REST and spec-compliant JSON-RPC 2.0 requests. Batch requests supported.

JSON-RPC 2.0Single request

curl -X POST "https://hipaaagent.ai/api/a2a" \
  -H "X-API-Key: your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "method": "hipaa.grade",
    "params": { "npi": "1234567890" },
    "id": 1
  }'

# Response
{
  "jsonrpc": "2.0",
  "result": {
    "npi": "1234567890",
    "grade": "C",
    "compliance_score": 72,
    "categories": { ... }
  },
  "id": 1
}

16 Named Methods

hipaa.scanhipaa.gradehipaa.findingshipaa.breachhipaa.srahipaa.policieshipaa.baahipaa.evidencehipaa.batchhipaa.reputationhipaa.validate_workflowhipaa.breach_probabilityhipaa.vendor_riskhipaa.get_controlshipaa.compliance_statehipaa.compliance_delta

Trust & Transparency

Publicly verifiable reputation stats backed by SHA-256 data integrity hashes. Every number comes from live database queries.

MACHINE-READABLE

Agent Reputation Dashboard

Total scans, practices served, findings detected, breaches tracked, documents generated, average response time, and uptime. Queryable via REST, MCP, or agent card. SHA-256 integrity hash for every data snapshot.

View Reputation →GET /api/reputation

Start Building

Get your free API key instantly. 500 credits, no credit card. Need enterprise volume? Contact sales.