HIPAA Agent
Compliance Score™
10 weighted categories. 73 checkpoints. One score. Full transparency into how your practice is graded and exactly how to improve.
Grade Scale
Excellent compliance posture. Minor improvements possible.
Good compliance. A few findings to address.
Moderate risk. Multiple compliance gaps identified.
Significant risk. Critical issues need immediate attention.
Severe compliance failure. Major vulnerabilities exposed.
10 Scoring Categories
Each category is weighted by its impact on HIPAA compliance risk.
Email Security
SPF, DKIM, and DMARC configuration. Email is the #1 attack vector in healthcare: missing or misconfigured email authentication lets anyone send mail that appears to come from your domain, enabling phishing, spoofing, and business email compromise.
Application Security
CMS vulnerabilities, known-vulnerable JavaScript libraries, missing subresource integrity, mixed content, and open redirect flaws. Covers the security posture of your web-facing applications.
Privacy & Compliance
Privacy policy presence, cookie consent mechanisms, form security, and HIPAA BAA status with your hosting provider. Measures visible compliance posture.
Network Security
Open ports across all resolved IPs, RDP exposure, SMB exposure, LDAP exposure, Exchange/OWA detection, and firewall presence. Tests your network perimeter.
Information Leakage
HTML comment exposure, directory listings, error disclosure, exposed backup files, sensitive paths, and robots.txt analysis. Checks for data your site accidentally reveals.
Breach History
Cross-references your practice against the HHS breach portal, Shodan InternetDB, and deep breach databases. Past breaches indicate systemic compliance gaps.
SSL/TLS
Certificate validity, chain completeness, supported TLS versions, cipher suite strength, and HSTS configuration. The foundation of encrypted communications.
DNS Health
DNSSEC deployment, CAA records, zone transfer protection, subdomain enumeration, and WHOIS privacy. DNS misconfigurations can expose your entire infrastructure.
Patching Cadence
Server software versions, known CVEs, banner exposure, and technology fingerprinting. Outdated software is a top exploitation vector in healthcare breaches.
Infrastructure
Hosting provider identification, CDN presence, WAF detection, cache control headers, and server configuration. Measures the security maturity of your hosting environment.
Cap Rules
Cap rules prevent inflated grades. A very low score in a high-weight category caps the overall grade, so a practice cannot earn an A overall while failing a critical compliance area.
Sample Scorecard
How a practice whose weighted total falls in the C range is scored across all 10 categories.
Note: Email Security scored 40, which trips the cap rule for a HIGH-weight category, so this practice is capped at grade D regardless of its total score.
How to Improve Your Score
Top 3 quick wins that move the needle the most.
Add a DMARC record
DMARC is the highest-impact single fix. A _dmarc TXT record tells receiving mail servers what to do with messages that fail SPF or DKIM alignment, and where to send reports. Without it, anyone can spoof your practice's email address; note that a record with p=none only monitors and still lets spoofed mail through, so the goal is p=quarantine and then p=reject.
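The checks below grade an SPF record and a DMARC record the way an email-authentication checkpoint would. This is an added example, not HIPAA Agent's own scoring code; the point values, the deductions and the sample records are this example's own assumptions, chosen to reflect the policy strength described above (an enforcing p=reject scores highest, p=none scores low, a DNS-lookup count over 10 or a +all mechanism scores near zero).

```python
import re
from typing import Optional

# Added example, not HIPAA Agent's code. The scores (100/80/30 for DMARC
# policies, 100/70/20/0 for SPF 'all' qualifiers) are assumptions chosen to
# mirror policy strength; the sample records at the bottom are constructed.

# SPF terms that cost a DNS lookup: RFC 7208 allows at most 10 of them.
SPF_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.I)


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: Optional[str]):
    """Return (score 0-100, findings) for a _dmarc TXT record; None means no record."""
    if record is None:
        return 0, ["no _dmarc record: receivers get no instruction and deliver spoofed mail"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return 0, ["record does not begin with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "reject":
        score = 100
    elif policy == "quarantine":
        score = 80
        findings.append("p=quarantine: move to p=reject once aggregate reports are clean")
    elif policy == "none":
        score = 30
        findings.append("p=none is monitor-only: mail that fails alignment is still delivered")
    else:
        return 0, ["missing or invalid p= tag"]
    if tags.get("pct", "100") != "100":
        score -= 20
        findings.append(f"pct={tags['pct']}: policy is applied to only part of the mail flow")
    if "rua" not in tags:
        score -= 10
        findings.append("no rua= address: aggregate reports are not being collected")
    return max(score, 0), findings


def grade_spf(record: Optional[str]):
    """Return (score 0-100, findings) for the domain's SPF TXT record."""
    if record is None:
        return 0, ["no SPF record"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, ["record does not begin with v=spf1"]
    findings = []
    lookups = sum(1 for t in terms[1:] if SPF_LOOKUP_TERM.match(t))
    all_term = next((t.lower() for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term == "-all":
        score = 100
    elif all_term == "~all":
        score = 70
        findings.append("~all (softfail): tighten to -all once every legitimate sender is listed")
    elif all_term == "?all":
        score = 20
        findings.append("?all (neutral) gives receivers no signal at all")
    elif all_term in ("+all", "all"):
        score = 0
        findings.append("+all authorises every host on the internet to send as this domain")
    else:
        score = 40
        findings.append("no 'all' mechanism: unlisted senders default to neutral")
    if lookups > 10:
        score = min(score, 30)
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return score, findings


if __name__ == "__main__":
    # Constructed sample records for a hypothetical practice domain.
    samples = {
        "enforcing DMARC": grade_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
        "monitor-only DMARC": grade_dmarc("v=DMARC1; p=none"),
        "strict SPF": grade_spf("v=spf1 include:_spf.example.net -all"),
        "open SPF": grade_spf("v=spf1 include:_spf.example.net +all"),
    }
    for name, (score, findings) in samples.items():
        print(f"{name}: {score}", *findings, sep="\n  ")
```

In a real check the record strings come from TXT lookups of the domain and of _dmarc.<domain>; the grading logic is the same whatever resolver supplies them.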
Enable HSTS
HTTP Strict Transport Security forces browsers to use HTTPS for every later request to your domain. One header addition prevents SSL stripping attacks and improves both your SSL/TLS and application security scores. The policy only takes effect after a browser has seen the header on an HTTPS response, so use a max-age of at least one year, add includeSubDomains, and submit the domain for preloading to cover the very first visit as well.
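A parser and grader for the Strict-Transport-Security header, as an added example rather than HIPAA Agent's own checkpoint code. The one-year threshold is the minimum the browser preload lists require; the deductions and the sample header values are this example's assumptions.

```python
from typing import Optional

# Added example, not HIPAA Agent's code. ONE_YEAR is the max-age the
# hstspreload.org rules require; the point deductions below are assumptions.
ONE_YEAR = 31536000


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value into a dict.

    Directive names are case-insensitive; values may be quoted.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def grade_hsts(header: Optional[str]):
    """Return (score 0-100, findings) for the HSTS header seen on an HTTPS response."""
    if header is None:
        return 0, ["no Strict-Transport-Security header: browsers will still follow http:// links"]
    d = parse_hsts(header)
    if "max-age" not in d or not d["max-age"].isdigit():
        return 0, ["max-age missing or non-numeric: browsers ignore the header"]
    max_age = int(d["max-age"])
    if max_age == 0:
        return 0, ["max-age=0 tells browsers to forget the policy"]
    score, findings = 100, []
    if max_age < ONE_YEAR:
        score -= 30
        findings.append(f"max-age={max_age} is under one year; preload lists require at least {ONE_YEAR}")
    if "includesubdomains" not in d:
        score -= 20
        findings.append("no includeSubDomains: subdomains such as a patient portal stay unprotected")
    if "preload" not in d:
        score -= 10
        findings.append("no preload directive: until the domain is preloaded, a user's first http:// visit can still be stripped")
    return score, findings


if __name__ == "__main__":
    # Constructed sample header values.
    for value in ("max-age=31536000; includeSubDomains; preload", "max-age=300", None):
        score, findings = grade_hsts(value)
        print(f"{value!r}: {score}", *findings, sep="\n  ")
```

The header to deploy is the first sample value; it is only meaningful on HTTPS responses, since browsers ignore HSTS received over plain HTTP.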
Add a privacy policy
A visible, linked privacy policy is both a HIPAA requirement and a trust signal. The agent checks for it via anchor tags, footer text, sitemap, and common URL paths.
Check Your Score
Enter your NPI at hipaaagent.ai. The agent scans 73 checkpoints, grades your practice across 10 categories, and delivers your report — free.