REST API

HIPAA AgentAPI

Four endpoints. Full OpenAPI 3.1 spec. No authentication required. Build HIPAA compliance scanning and provider lookups into your product.


Endpoints

GET /api/reports/lite-scan

Lite Security Scan

Run a real-time 4-check security scan on any domain. Returns SSL status, email authentication (SPF/DMARC/DKIM), security headers, and an overall HIPAA Agent Compliance Score™.

Parameters

domain (string, required): The domain to scan (e.g., exampleclinic.com)

Response Example

{ "domain": "exampleclinic.com", "grade": "C", "ssl": { "valid": true, "issuer": "Let's Encrypt", "expires": "2026-06-15" }, "email_auth": { "spf": true, "dmarc": false, "dkim": false }, "headers": { "score": 3, "missing": ["Content-Security-Policy", "X-Frame-Options"] }, "scan_time_ms": 1847 }
GET /api/reports/summary

Report Summary

Get the full security posture summary for a scanned practice. Includes all findings with severity ratings, HIPAA regulation mappings, and remediation guidance.

Parameters

domain (string): Domain to look up
npi (string): NPI number to look up

Response Example

{ "practice": "Example Clinic", "grade": "C", "findings_count": 7, "critical": 1, "high": 2, "medium": 3, "low": 1, "findings": [ { "title": "Email Domain Can Be Spoofed", "severity": "CRITICAL", "hipaa_section": "164.308(a)(5)(ii)(B)", "remediation": "Implement DMARC with p=reject policy" } ] }
GET /api/npi/search

NPI Registry Search

Search the CMS NPPES NPI Registry by name, NPI number, specialty, state, or city. Returns provider details including credentials, practice address, and taxonomy.

Parameters

name (string): Provider or organization name
npi (string): 10-digit NPI number
state (string): Two-letter state code (e.g., CA)
specialty (string): Taxonomy description (e.g., Cardiology)

Response Example

{ "results": [ { "npi": "1234567890", "name": "Dr. Jane Smith, MD", "specialty": "Internal Medicine", "address": "123 Main St, Sacramento, CA 95814", "phone": "(916) 555-0100" } ], "total": 1 }
GET /api/checkout/links

Product Catalog

Get the full HIPAA Agent product catalog with pricing, descriptions, and direct Stripe checkout URLs. Use this to build purchase flows into your application.

Response Example

{ "products": { "monitor": { "name": "HIPAA Monitor", "price": "$99/month", "checkout_url": "https://buy.stripe.com/..." }, "sra": { "name": "Security Risk Assessment", "price": "$499", "checkout_url": "https://buy.stripe.com/..." }, "compliance_platform": { "name": "Compliance Platform", "price": "$299/month", "checkout_url": "https://buy.stripe.com/..." } } }

Code Examples

Copy and paste to get started in seconds.

curl

# Scan a domain
curl "https://hipaaagent.ai/api/reports/lite-scan?domain=exampleclinic.com"

# Search NPI Registry
curl "https://hipaaagent.ai/api/npi/search?name=Smith&state=CA&specialty=Cardiology"

# Get report summary
curl "https://hipaaagent.ai/api/reports/summary?domain=exampleclinic.com"

# Get product catalog
curl "https://hipaaagent.ai/api/checkout/links"

python

import requests

# Scan a domain
scan = requests.get("https://hipaaagent.ai/api/reports/lite-scan",
                    params={"domain": "exampleclinic.com"})
print(scan.json()["grade"])  # "C"

# Search NPI Registry
providers = requests.get("https://hipaaagent.ai/api/npi/search",
                         params={"name": "Smith", "state": "CA", "specialty": "Cardiology"})
for p in providers.json()["results"]:
    print(f"{p['name']} — {p['specialty']}")

javascript

// Scan a domain (run in a module or async context for top-level await)
const scan = await fetch(
  "https://hipaaagent.ai/api/reports/lite-scan?domain=exampleclinic.com"
);
// lite-scan returns grade, ssl, email_auth and headers; findings come from /api/reports/summary
const { grade, email_auth } = await scan.json();

// Search NPI Registry
const providers = await fetch(
  "https://hipaaagent.ai/api/npi/search?name=Smith&state=CA"
);
const { results } = await providers.json();

Frequently Asked Questions

Do I need an API key?

No. All endpoints are public and don't require authentication. Rate limits apply (60 requests/minute for scans, 120/minute for lookups) to prevent abuse.

What format does the API return?

All endpoints return JSON with appropriate HTTP status codes. CORS headers are included so you can call the API from browser-based applications.

Is there a rate limit?

Yes. Lite scans are limited to 60 requests per minute. NPI lookups are limited to 120 requests per minute. The checkout links endpoint is cached with a 24-hour TTL.
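Added example (not the project's own client): a small Python client that enforces the documented 60/min and 120/min limits locally with a sliding-window limiter, so an integration stays under the limit by design rather than relying on being throttled by the server. The HTTP transport and the clock are injectable so the limiter can be exercised with canned responses and without real waiting. Which of the four paths falls under the scan limit versus the lookup limit, and the `RuntimeError` on a non-200 status, are this example's assumptions.

```python
import json
import time
import urllib.parse
import urllib.request
from collections import deque
from typing import Callable

BASE_URL = "https://hipaaagent.ai"

# Documented limits: 60/min for scans, 120/min for lookups. Placing the two
# report endpoints under the scan limit and the other two under the lookup
# limit is this example's assumption.
LIMITS = {
    "/api/reports/lite-scan": 60,
    "/api/reports/summary": 60,
    "/api/npi/search": 120,
    "/api/checkout/links": 120,
}


class RateLimiter:
    """Sliding-window limiter: at most `per_minute` calls in any 60-second window."""

    def __init__(self, per_minute: int,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep):
        self.per_minute = per_minute
        self.clock = clock
        self.sleep = sleep
        self.calls: deque = deque()  # timestamps of calls still inside the window

    def _prune(self, now: float) -> None:
        while self.calls and now - self.calls[0] >= 60:
            self.calls.popleft()

    def wait(self) -> float:
        """Block until a call is permitted; returns the seconds slept (0 if none)."""
        now = self.clock()
        self._prune(now)
        waited = 0.0
        if len(self.calls) >= self.per_minute:
            waited = 60 - (now - self.calls[0])  # until the oldest call leaves the window
            self.sleep(waited)
            now = self.clock()
            self._prune(now)
        self.calls.append(now)
        return waited


def _default_send(url: str) -> tuple:
    """Real transport: GET the URL and return (status, body bytes)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, resp.read()


class HipaaAgentClient:
    def __init__(self, send=_default_send, clock=time.monotonic, sleep=time.sleep):
        self.send = send
        self.limiters = {p: RateLimiter(n, clock, sleep) for p, n in LIMITS.items()}

    def get(self, path: str, **params) -> dict:
        """Rate-limited GET; raises on unknown paths and on non-200 responses."""
        self.limiters[path].wait()  # KeyError for a path this client does not know
        url = BASE_URL + path
        if params:
            url += "?" + urllib.parse.urlencode(params)  # escapes user-supplied values
        status, body = self.send(url)
        if status != 200:
            raise RuntimeError(f"{path} returned HTTP {status}")
        return json.loads(body)


class FakeClock:
    """Deterministic clock so the limiter can be exercised without real waiting."""

    def __init__(self):
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def simulate(n_calls: int, per_minute: int, spacing: float = 0.0) -> float:
    """Issue n_calls `spacing` seconds apart; return total seconds the limiter slept."""
    clk = FakeClock()
    lim = RateLimiter(per_minute, clk.now, clk.sleep)
    total = 0.0
    for _ in range(n_calls):
        total += lim.wait()
        clk.t += spacing
    return total


if __name__ == "__main__":
    print(simulate(61, 60))        # 60.0: the 61st back-to-back scan waits a full window
    print(simulate(120, 60, 1.0))  # 0.0: one scan per second never hits the limit
```

A per-process limiter is only as good as the number of processes sharing it; a product that fans scans out across workers needs the same window enforced in shared state (a central queue or store), otherwise each worker independently believes it is under 60/min.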

Can I use this in a commercial product?

Yes. If you're an MSP, EHR vendor, or healthcare SaaS building compliance features, you can integrate the HIPAA Agent API. For high-volume commercial usage, schedule a call to discuss partnership pricing.

Is there a sandbox or test environment?

The API uses live data — there is no separate sandbox. The lite-scan endpoint runs real-time scans against actual domains, and the NPI endpoint queries the live CMS NPPES registry.

Start Building Today

No API key needed. Make your first request in under a minute.
