REST API

HIPAA Agent API

Four endpoints. Full OpenAPI 3.1 spec. No authentication required. Build HIPAA compliance scanning and provider lookups into your product.


Endpoints

POST /api/check/scan

Full Compliance Scan

Trigger a full 83-tool HIPAA compliance scan on a healthcare practice. Requires NPI, email, and domain. Returns a scan request ID for status polling.

Parameters

npi (string, required): 10-digit NPI number of the provider
email (string, required): Contact email for the practice
domain (string, required): The domain to scan (e.g., exampleclinic.com)

Response Example

{
  "id": "scan_abc123",
  "status": "pending",
  "npi": "1234567890",
  "domain": "exampleclinic.com",
  "created_at": "2026-04-22T12:00:00Z"
}
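Because this endpoint takes no credentials and starts a real scan against whatever domain it is handed, a client should validate all three parameters before the request leaves the building. The Python below is an added example, not code from HIPAA Agent: it checks the NPI with the CMS Luhn check digit (the Luhn formula run over the constant prefix 80840 followed by the 10 digits), restricts domain to a bare hostname so a URL, port or path cannot be smuggled into the scan target, and assembles the JSON body for POST /api/check/scan. The function names, the hostname rules and the sample values are this example's own choices.

```python
import re

# Constant prefix CMS prepends when computing the NPI check digit.
NPI_LUHN_PREFIX = "80840"


def npi_is_valid(npi: str) -> bool:
    """True if npi is exactly 10 digits and passes the CMS Luhn check.

    CMS computes the NPI check digit with the Luhn formula over
    "80840" + NPI, so a well-formed NPI makes that 15-digit string a
    valid Luhn number.
    """
    if not re.fullmatch(r"\d{10}", npi):
        return False
    digits = [int(c) for c in NPI_LUHN_PREFIX + npi]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with "-".
_HOSTNAME_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def domain_is_valid(domain: str) -> bool:
    """Accept only a bare hostname with at least two labels, e.g. exampleclinic.com.

    Schemes, paths, ports and userinfo are rejected so the caller cannot turn the
    scan target into an arbitrary URL; a trailing dot and upper case are tolerated.
    """
    d = domain.strip().lower().rstrip(".")
    if not d or len(d) > 253 or any(ch in d for ch in "/:@?#"):
        return False
    labels = d.split(".")
    return len(labels) >= 2 and all(_HOSTNAME_LABEL.match(lbl) for lbl in labels)


def build_scan_request(npi: str, email: str, domain: str) -> dict:
    """Validate the inputs and return the JSON body for POST /api/check/scan."""
    if not npi_is_valid(npi):
        raise ValueError("NPI must be 10 digits with a valid CMS check digit")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email.strip()):
        raise ValueError("email must look like user@host.tld")
    if not domain_is_valid(domain):
        raise ValueError("domain must be a bare hostname such as exampleclinic.com")
    return {
        "npi": npi,
        "email": email.strip(),
        "domain": domain.strip().lower().rstrip("."),
    }


if __name__ == "__main__":
    # 1234567893 is a constructed sample that carries a valid check digit.
    print(build_scan_request("1234567893", "dr@exampleclinic.com", "ExampleClinic.com"))
```

Note that the documentation's placeholder NPI 1234567890 does not carry a valid check digit (the Luhn sum over 808401234567890 is 67), so this validator rejects it; the constructed value 1234567893 passes. Running the check locally costs nothing and keeps malformed requests from ever reaching the scan endpoint.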
GET /api/reports/summary

Report Summary

Get the full security posture summary for a scanned practice. Includes all findings with severity ratings, HIPAA regulation mappings, and remediation guidance.

Parameters

domain (string): Domain to look up
npi (string): NPI number to look up

Response Example

{
  "practice": "Example Clinic",
  "grade": "C",
  "findings_count": 7,
  "critical": 1,
  "high": 2,
  "medium": 3,
  "low": 1,
  "findings": [
    {
      "title": "Email Domain Can Be Spoofed",
      "severity": "CRITICAL",
      "hipaa_section": "164.308(a)(5)(ii)(B)",
      "remediation": "Implement DMARC with p=reject policy"
    }
  ]
}
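A consumer of this summary usually wants two things the raw JSON does not give directly: the findings in severity order, and a sanity check that the roll-up counters (findings_count, critical, high, ...) agree with the findings actually returned, since a truncated or partially cached response would otherwise let "critical: 0" pass unnoticed. The Python below is an added example, not code from HIPAA Agent. It works on a constructed summary in the documented shape; the finding titles, the TLS item and its mapping to 164.312(e)(1) are sample data invented for the example, and the function names are its own.

```python
from collections import defaultdict

# Severity order used for triage; anything unexpected sorts last.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed sample in the documented /api/reports/summary shape (not a real scan).
SAMPLE_SUMMARY = {
    "practice": "Example Clinic",
    "grade": "C",
    "findings_count": 3,
    "critical": 1, "high": 1, "medium": 1, "low": 0,
    "findings": [
        {"title": "TLS 1.0 still enabled", "severity": "medium",
         "hipaa_section": "164.312(e)(1)",
         "remediation": "Disable TLS 1.0 and 1.1 on the patient portal"},
        {"title": "Email Domain Can Be Spoofed", "severity": "CRITICAL",
         "hipaa_section": "164.308(a)(5)(ii)(B)",
         "remediation": "Implement DMARC with p=reject policy"},
        {"title": "No SPF record published", "severity": "HIGH",
         "hipaa_section": "164.308(a)(5)(ii)(B)",
         "remediation": "Publish an SPF record listing authorised senders"},
    ],
}


def _sev(finding: dict) -> str:
    return str(finding.get("severity", "")).upper()


def check_counts(summary: dict) -> list:
    """Return inconsistencies between the roll-up counters and the findings present.

    An empty list means the summary is self-consistent. Anything else means the
    findings list is truncated or the counters are stale, and the per-severity
    numbers should not be trusted on their own.
    """
    findings = summary.get("findings", [])
    problems = []
    if summary.get("findings_count") != len(findings):
        problems.append(
            f"findings_count={summary.get('findings_count')} but {len(findings)} findings returned")
    for level in ("critical", "high", "medium", "low"):
        seen = sum(1 for f in findings if _sev(f) == level.upper())
        if summary.get(level, 0) != seen:
            problems.append(f"{level}={summary.get(level)} but {seen} such findings returned")
    return problems


def prioritize(summary: dict) -> list:
    """Findings ordered most severe first, then by title for a stable report."""
    return sorted(summary.get("findings", []),
                  key=lambda f: (SEVERITY_RANK.get(_sev(f), 99), f.get("title", "")))


def group_by_section(summary: dict) -> dict:
    """Map each cited HIPAA section to the remediations it needs, so one control
    (for example email authentication) is tracked once rather than per finding."""
    by_section = defaultdict(list)
    for f in prioritize(summary):
        by_section[f.get("hipaa_section", "unmapped")].append(f.get("remediation", ""))
    return dict(by_section)


def render_report(summary: dict) -> str:
    """Plain-text triage view: header, any count warnings, then findings by severity."""
    lines = [f"{summary.get('practice')} (grade {summary.get('grade')})"]
    lines += ["WARNING: " + p for p in check_counts(summary)]
    for f in prioritize(summary):
        lines.append(f"[{_sev(f):8}] {f.get('title')} -> "
                     f"{f.get('hipaa_section')}: {f.get('remediation')}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(SAMPLE_SUMMARY))
```

Severity strings are upper-cased before comparison because the documented example uses "CRITICAL" and nothing on the page promises the casing is stable; a consumer that compares case-sensitively would silently drop findings.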
GET /api/npi/search

NPI Registry Search

Search the CMS NPPES NPI Registry by name, NPI number, specialty, state, or city. Returns provider details including credentials, practice address, and taxonomy.

Parameters

name (string): Provider or organization name
npi (string): 10-digit NPI number
state (string): Two-letter state code (e.g., CA)
specialty (string): Taxonomy description (e.g., Cardiology)

Response Example

{
  "results": [
    {
      "npi": "1234567890",
      "name": "Dr. Jane Smith, MD",
      "specialty": "Internal Medicine",
      "address": "123 Main St, Sacramento, CA 95814",
      "phone": "(916) 555-0100"
    }
  ],
  "total": 1
}
GET /api/checkout/links

Product Catalog

Get the full HIPAA Agent product catalog with pricing, descriptions, and direct Stripe checkout URLs. Use this to build purchase flows into your application.

Response Example

{
  "products": {
    "free_check": {
      "name": "Free HIPAA Agent Compliance Score™",
      "price": "Free",
      "url": "https://hipaaagent.ai/check"
    },
    "audit_report": {
      "name": "Audit & Attestation Report",
      "price": "$499",
      "checkout_url": "https://buy.stripe.com/..."
    },
    "concierge": {
      "name": "Concierge",
      "price": "$299/month (billed annually)",
      "checkout_url": "https://buy.stripe.com/..."
    }
  }
}

Code Examples

Copy and paste to get started in seconds.

curl
# Scan a domain (full 83-tool scan)
curl -X POST "https://hipaaagent.ai/api/check/scan" \
  -H "Content-Type: application/json" \
  -d '{"npi": "1234567890", "email": "dr@exampleclinic.com", "domain": "exampleclinic.com"}'

# Search NPI Registry
curl "https://hipaaagent.ai/api/npi/search?name=Smith&state=CA&specialty=Cardiology"

# Get report summary
curl "https://hipaaagent.ai/api/reports/summary?domain=exampleclinic.com"

# Get product catalog
curl "https://hipaaagent.ai/api/checkout/links"
python
import requests

# Scan a domain (full 83-tool scan)
scan = requests.post(
    "https://hipaaagent.ai/api/check/scan",
    json={"npi": "1234567890", "email": "dr@exampleclinic.com", "domain": "exampleclinic.com"},
)
print(scan.json()["id"])  # "scan_abc123"

# Search NPI Registry
providers = requests.get(
    "https://hipaaagent.ai/api/npi/search",
    params={"name": "Smith", "state": "CA", "specialty": "Cardiology"},
)
for p in providers.json()["results"]:
    print(f"{p['name']} — {p['specialty']}")
javascript
// Scan a domain (full 83-tool scan)
const scan = await fetch("https://hipaaagent.ai/api/check/scan", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ npi: "1234567890", email: "dr@exampleclinic.com", domain: "exampleclinic.com" }),
});
const { id, status } = await scan.json();

// Search NPI Registry
const providers = await fetch("https://hipaaagent.ai/api/npi/search?name=Smith&state=CA");
const { results } = await providers.json();

Frequently Asked Questions

Do I need an API key?

No. All endpoints are public and don't require authentication. Rate limits apply (60 requests/minute for scans, 120/minute for lookups) to prevent abuse.

What format does the API return?

All endpoints return JSON with appropriate HTTP status codes. CORS headers are included so you can call the API from browser-based applications.

Is there a rate limit?

Yes. Scans are rate-limited to 3 per IP per hour. NPI lookups are limited to 120 requests per minute. The checkout links endpoint is cached with a 24-hour TTL.
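Rate limits of 3 scans per hour and 120 lookups per minute are easy to hit from a batch job or a busy EHR integration, and the documented snippets above retry nothing. The Python below is an added example, not code from HIPAA Agent: a small client that retries only on HTTP 429, honours a Retry-After header if the service sends one (the documentation lists no response headers, so that is an assumption) and otherwise backs off exponentially, with a hard cap on attempts so a throttled integration fails loudly rather than hammering the API. The transport is injected so the same code runs offline against a constructed fake; the live transport uses only the standard library.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://hipaaagent.ai"


class RateLimited(Exception):
    """Raised when the API still answers 429 after every allowed attempt."""


def urllib_transport(method: str, url: str, body=None):
    """Live transport: returns (status, headers, decoded JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"Accept": "application/json", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, dict(resp.headers), (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), None


def make_fake_transport(scripted):
    """Constructed offline transport: replays (status, headers, body) tuples in order
    and records every call so a test can inspect the URLs and bodies that were sent."""
    calls = []

    def transport(method, url, body=None):
        calls.append((method, url, body))
        return scripted.pop(0)

    transport.calls = calls
    return transport


def request_with_backoff(transport, method, path, params=None, body=None,
                         max_attempts=4, sleep=time.sleep):
    """Issue one API call, retrying on HTTP 429 only.

    Assumption: a numeric Retry-After header is honoured when present; otherwise
    the wait doubles from 1 s and is capped at 60 s. Any non-429 status, including
    other errors, is returned to the caller unchanged.
    """
    url = BASE_URL + path + ("?" + urllib.parse.urlencode(params) if params else "")
    delay = 1.0
    for attempt in range(1, max_attempts + 1):
        status, headers, payload = transport(method, url, body)
        if status != 429:
            return status, payload
        if attempt == max_attempts:
            raise RateLimited(f"{method} {path}: still rate limited after {attempt} attempts")
        retry_after = {k.lower(): v for k, v in headers.items()}.get("retry-after", "")
        wait = float(retry_after) if retry_after.strip().isdigit() else delay
        sleep(wait)
        delay = min(delay * 2, 60.0)


def search_providers(transport, **params):
    """GET /api/npi/search; returns the results list, or [] on any non-200 answer."""
    status, payload = request_with_backoff(transport, "GET", "/api/npi/search", params=params)
    return payload.get("results", []) if status == 200 and payload else []


def start_scan(transport, npi, email, domain):
    """POST /api/check/scan; returns the scan request id for later status polling."""
    status, payload = request_with_backoff(
        transport, "POST", "/api/check/scan",
        body={"npi": npi, "email": email, "domain": domain})
    if not (200 <= status < 300) or not payload or "id" not in payload:
        raise RuntimeError(f"scan not accepted (HTTP {status})")
    return payload["id"]


if __name__ == "__main__":
    # Offline demo: one 429 with Retry-After, then a normal answer.
    fake = make_fake_transport([
        (429, {"Retry-After": "2"}, None),
        (200, {}, {"results": [{"npi": "1234567890", "name": "Dr. Jane Smith, MD"}], "total": 1}),
    ])
    print(search_providers(fake, name="Smith", state="CA"))
```

Only 429 is retried on purpose: a 4xx from bad input or a 5xx from the service will not get better by repeating the same request, and retrying the scan endpoint blindly would burn the 3-per-hour budget on calls that were already rejected.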

Can I use this in a commercial product?

Yes. If you're an MSP, EHR vendor, or healthcare SaaS building compliance features, you can integrate the HIPAA Agent API. For high-volume commercial usage, schedule a call to discuss partnership pricing.

Is there a sandbox or test environment?

The API uses live data — there is no separate sandbox. The scan endpoint triggers a full 83-tool compliance scan against actual domains, and the NPI endpoint queries the live CMS NPPES registry.

Start Building Today

No API key needed. Make your first request in under a minute.
