HIPAA compliance — what GateTest actually catches
Health Insurance Portability and Accountability Act
OCR enforcement attention has moved towards telehealth and AI-powered clinical SaaS. The 2024-25 wave of breach reports points back to two recurring code-level causes: swallowed errors that hid PHI exposures, and service-to-service calls that skip TLS certificate validation. Both are static-analysis findings.
The regime
Health Insurance Portability and Accountability Act — United States — applies to covered entities and business associates handling Protected Health Information (PHI). Compliance dates: Privacy Rule 2003, Security Rule 2005, HITECH amendments 2009.
Maximum penalty: Civil money penalties up to $2,067,813 for all violations of an identical provision in a calendar year (45 CFR § 102.3, 2023 inflation adjustment).
Authoritative source: https://www.hhs.gov/hipaa/index.html
Technical findings GateTest catches for HIPAA
Each item ties a specific code-level pattern to a clause or principle of HIPAA. These are the findings auditors sample.
- TLS validation disabled in production (rejectUnauthorized: false, NODE_TLS_REJECT_UNAUTHORIZED=0, Python verify=False) — 45 CFR § 164.312(e)(1) transmission security.
- Empty catch blocks on database / API paths that handle PHI — swallowing the error hides integrity failures and access errors that the audit controls of 45 CFR § 164.312(b) are meant to record.
- Hardcoded credentials granting access to PHI stores — § 164.312(a)(1) access control.
- PHI / patient identifiers logged via console.log, logger.info, or JSON.stringify(user) — § 164.312(b) audit-controls misuse.
- Cookies on PHI-handling endpoints missing httpOnly / Secure — without httpOnly an XSS payload can read the session cookie, without Secure it travels over cleartext HTTP; either turns XSS into session takeover, § 164.312(a)(2)(i).
- Stale long-lived credentials in repo — § 164.308(a)(5)(ii)(D) password management.
- Outdated dependencies with known CVEs in PHI-touching services — § 164.308(a)(8) periodic technical evaluation.
- Missing CSP / X-Frame-Options on patient-facing endpoints — § 164.312(c)(1) integrity controls.
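The patterns in the list above are narrow enough to be illustrated with a few regex rules. The following is an added example written for this page; it is not GateTest's scanner, and the rule names, the clause mapping and the three sample snippets it scans are the editor's own constructions. It shows each vulnerable pattern firing on a constructed Node snippet and a constructed Python snippet, and the same rules staying silent on a hardened version of the Node code.

```python
"""Regex-based checks for the HIPAA-mapped code patterns listed above.

Added illustration, not GateTest's engine. Rule ids, clause mapping and the
sample snippets are assumptions made for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    clause: str


# (rule id, pattern, clause). Patterns are deliberately narrow; a real scanner
# would work on an AST with taint tracking rather than on regexes.
RULES = [
    ("tls-verify-disabled",
     re.compile(r"rejectUnauthorized\s*:\s*false"
                r"|NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['\"]?0"
                r"|\bverify\s*=\s*False\b"),
     "45 CFR 164.312(e)(1)"),
    ("hardcoded-credential",           # name-like key assigned a quoted literal
     re.compile(r"(?i)(password|passwd|secret|api_?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
     "45 CFR 164.312(a)(1)"),
    ("phi-in-log",                     # log call whose arguments name a PHI-ish object
     re.compile(r"(?i)\b(console\.log|logger\.(?:info|debug|warn|error)|print)\s*\(.*"
                r"\b(patient|user|record|ssn|mrn|dob)\b"),
     "45 CFR 164.312(b)"),
    ("empty-catch",
     re.compile(r"catch\s*(?:\([^)]*\))?\s*\{\s*\}"      # JS: catch (e) {}
                r"|except\b[^\n:]*:\s*\n\s*pass\b"),      # Python: except ...: pass
     "45 CFR 164.312(b)"),
]
COOKIE_CALL = re.compile(r"res\.cookie\s*\(([^)]*)\)")   # Express res.cookie(name, value, opts)


def line_of(source: str, offset: int) -> int:
    return source.count("\n", 0, offset) + 1


def scan(source: str) -> list[Finding]:
    findings = []
    for rule, pattern, clause in RULES:
        for m in pattern.finditer(source):
            findings.append(Finding(rule, line_of(source, m.start()), clause))
    for m in COOKIE_CALL.finditer(source):
        opts = m.group(1).lower()
        if "httponly" not in opts or "secure" not in opts:
            findings.append(Finding("cookie-missing-flags", line_of(source, m.start()),
                                    "45 CFR 164.312(a)(2)(i)"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample: every pattern from the list above in one Node handler.
VULNERABLE_JS = """\
const https = require('https');
const agent = new https.Agent({ rejectUnauthorized: false });
const DB_PASSWORD = "hunter2hunter2";
async function getPatient(id) {
  try {
    const patient = await db.query('select * from patients where id=$1', [id]);
    console.log('loaded', JSON.stringify(patient));
    return patient;
  } catch (e) {}
}
app.get('/login', (req, res) => { res.cookie('session', token, { maxAge: 3600 }); });
"""

# Constructed sample: the Python flavour of the same mistakes.
VULNERABLE_PY = """\
import requests
API_KEY = "sk-test-0123456789"
def fetch(url):
    try:
        return requests.get(url, verify=False, headers={"X-Key": API_KEY}).json()
    except Exception:
        pass
"""

# Constructed sample: the hardened handler. Secrets from the environment,
# certificate validation left on, errors logged without PHI and re-raised,
# cookie flags set. The rules above produce no findings for it.
HARDENED_JS = """\
const https = require('https');
const agent = new https.Agent({ rejectUnauthorized: true });
const DB_PASSWORD = process.env.DB_PASSWORD;
async function getPatient(id, requestId) {
  try {
    const patient = await db.query('select * from patients where id=$1', [id]);
    logger.info('lookup ok', { requestId });
    return patient;
  } catch (e) {
    logger.error('lookup failed', { requestId, code: e.code });
    throw e;
  }
}
app.get('/login', (req, res) => {
  res.cookie('session', token, { httpOnly: true, secure: true, sameSite: 'strict' });
});
"""

if __name__ == "__main__":
    for name, src in [("vulnerable.js", VULNERABLE_JS), ("vulnerable.py", VULNERABLE_PY),
                      ("hardened.js", HARDENED_JS)]:
        for f in scan(src):
            print(f"{name}:{f.line}: {f.rule} ({f.clause})")
```

The hardened snippet is the point of the exercise: each finding maps to one local change (environment variable instead of a literal, `rejectUnauthorized: true`, a log line that carries a request id rather than the record, a catch that logs and re-throws, cookie options with both flags). A real scanner also has to cope with the ways these regexes miss, such as credentials built from concatenation or a `verify` flag passed through a variable.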
Out of scope — what you still need humans for
GateTest is a code scanner. HIPAA compliance is a programme, not a tool. These items will never be answerable from source code alone.
- Business Associate Agreements (BAAs) — contractual.
- Risk Analysis under § 164.308(a)(1)(ii)(A) — methodological / human.
- Workforce training, sanction policies, and access authorisation procedures.
- Physical safeguards (facility access, workstation security, device disposal).
- Breach notification (without unreasonable delay and no later than 60 calendar days after discovery, § 164.404) — procedural, not code-level.
How GateTest fits a compliance programme
GateTest is a code-quality and security scanner. It belongs in your CI pipeline, not in your auditor's office. We catch the technical findings auditors look for — secrets, missing rotation, disabled TLS validation, PHI in logs, dangerous dependencies — so the audit becomes a paperwork exercise instead of an emergency.
Try a $29 Quick scan on your repo
See the HIPAA-relevant findings on your own code in under 15 seconds. Free preview. Pay only if you ship the report.
Start a scan →