Honest framing. SiteSecurityScore is a web security scanner, not a HIPAA certification, audit, or legal service. It helps you find, fix, and evidence a specific slice of the HIPAA Security Rule technical safeguards. It does not cover administrative or physical safeguards, business associate agreements, risk analysis, or written policies, and it cannot make any app HIPAA compliant on its own.
The HIPAA Security Rule and your web surface
The HIPAA Security Rule sets standards for protecting electronic protected health information, known as ePHI, across three groups of safeguards. Administrative safeguards cover risk analysis, policies, and workforce training. Physical safeguards cover facilities, devices, and media. Technical safeguards cover the technology that protects ePHI and controls access to it. A web application that transmits or displays ePHI sits squarely inside the technical safeguards.
The transmission security standard at 45 CFR 164.312(e)(1) expects covered entities and business associates to guard against unauthorized access to ePHI that travels over a network. In practice that means encrypting ePHI in transit, which on the web means modern TLS, valid certificates, strong cipher suites, and Strict-Transport-Security so browsers never fall back to plain HTTP. The same standard speaks to integrity controls that keep ePHI from being improperly altered while it moves. Alongside transmission security, a secure web configuration reduces the attack surface that could expose ePHI through cross site scripting, clickjacking, weak cookies, or overly permissive cross origin sharing.
This is the layer SiteSecurityScore inspects. One free scan grades your TLS configuration, security headers, Content Security Policy, cookie attributes, DNS records, CORS, and security.txt, then hands you copy and paste fixes. That gives you concrete, dated evidence for the transmission security and secure web configuration parts of your technical safeguards. It does not touch access control inside the app, audit logging, encryption at rest, or anything outside the technical safeguards.
HIPAA safeguard to SiteSecurityScore mapping
The table below maps HIPAA Security Rule safeguards to what SiteSecurityScore actually checks. A green check means the scanner produces direct evidence for that area. An amber Partial means it helps but does not fully satisfy the safeguard. A red cross means the area is outside the scope of an external web scanner and you must address it elsewhere.
Technical safeguards SiteSecurityScore helps evidence
| Safeguard | SiteSecurityScore |
|---|---|
| Transmission security and encryption of ePHI in transit (TLS, HSTS, strong ciphers, valid certificates) per 164.312(e)(1) | ✓ |
| Secure web configuration protecting ePHI web apps (security headers, CSP, secure cookies, CORS, security.txt) | ✓ |
| Ongoing evaluation of technical safeguards through automated daily monitoring and email alerts | ✓ |
| Integrity controls for ePHI in transit (HSTS and TLS reduce tampering and downgrade risk, but full integrity validation lives in the app) | Partial |
Outside the scope of SiteSecurityScore
| Safeguard | SiteSecurityScore |
|---|---|
| Access control, unique user identification, automatic logoff, and authentication inside the application | ✗ |
| Audit controls and logging that record who accessed or modified ePHI | ✗ |
| Encryption of ePHI at rest inside databases, storage, and backups | ✗ |
| Administrative safeguards, risk analysis program, workforce training, and written policies | ✗ |
| Physical safeguards for facilities, devices, and media | ✗ |
| Business associate agreements (BAAs) and contractual obligations | ✗ |
This mapping is a technical aid, not a compliance determination. Confirm how each safeguard applies to your environment with your own risk analysis and qualified advisors.
How SiteSecurityScore helps your HIPAA technical safeguards evidence
Encryption of ePHI in transit
Verify TLS and SSL versions, cipher suites, and certificate validity on the endpoints that carry ePHI. Confirm HSTS forces HTTPS so traffic never drops to plain HTTP. This is direct evidence for the 164.312(e)(1) transmission security standard.
Secure web configuration
Check security headers like CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy that harden the web app presenting ePHI against XSS, clickjacking, and data leakage.
Session cookie integrity
Confirm session cookies carry Secure, HttpOnly, and SameSite attributes so ePHI sessions are not exposed over plain HTTP or to client side scripts. This supports integrity and session protection.
Dated PDF evidence
Export PDF reports with a letter grade and findings you can attach to your risk analysis and audit file. A dated report shows an assessor that the control was real on a specific day.
REST API for proof in CI
Call the REST API in your build pipeline so a release that weakens TLS or removes a security header is caught before it reaches a system handling ePHI. Evidence becomes continuous, not annual.
Letter grade and fixes
Every scan returns a letter grade plus copy and paste fixes for your web server, so closing a gap on the transmission security or web configuration safeguards is fast.
Ongoing evaluation of technical safeguards
HIPAA expects safeguards to be maintained, not set once. A certificate can expire, a header can be dropped in a deploy, or a cipher can drift out of date. A point in time scan will not catch that next week.
SiteSecurityScore runs automated daily scans of your TLS and SSL configuration, HTTP security headers, Content Security Policy, DNS records, and cookie security in a single pass. When a control that protects ePHI changes or a new issue appears, you get an email alert. The monitoring history becomes evidence that you evaluate your technical safeguards on an ongoing basis rather than once a year.
Automated daily scans
Every monitored site is rescanned daily across TLS, headers, CSP, DNS, and cookies that protect ePHI.
Email alerts on drift
Get notified when a certificate nears expiry, a security header is removed, or TLS weakens.
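To make the checks described under "Encryption of ePHI in transit", "Secure web configuration" and "Session cookie integrity" concrete, and to show the kind of drift detection the daily rescan section describes, here is an added Python example. It is not SiteSecurityScore's code and does not call its API. It evaluates a constructed HTTP response head plus a hand-supplied negotiated TLS protocol and certificate expiry date (the values a live scan would read from the connection after it is established), then diffs two snapshots to surface the findings a daily rescan would alert on. The required header set, the one-year HSTS threshold and the 30-day certificate warning are assumptions chosen for the example, not the scanner's grading rules.

```python
from __future__ import annotations

import re
from datetime import date

# Response headers a hardened ePHI web app is expected to send (the set the page lists).
REQUIRED_HEADERS = (
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)
ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for this example


def parse_response_head(raw: str) -> tuple[dict[str, str], list[str]]:
    """Split a raw HTTP response head into lower-cased headers plus every Set-Cookie line."""
    headers: dict[str, str] = {}
    cookies: list[str] = []
    for line in raw.split("\r\n")[1:]:  # element 0 is the status line
        if not line:
            break  # the blank line ends the head
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value)  # may repeat, so keep each one
        else:
            headers[name] = value
    return headers, cookies


def hsts_findings(headers: dict[str, str]) -> list[str]:
    """HSTS must be present with a max-age long enough that browsers stay on HTTPS."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["strict-transport-security missing"]
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if match is None:
        return ["strict-transport-security has no max-age"]
    if int(match.group(1)) < ONE_YEAR:
        return [f"strict-transport-security max-age {match.group(1)} is below one year"]
    return []


def header_findings(headers: dict[str, str]) -> list[str]:
    """Report each hardening header that the response does not send."""
    return [f"{name} missing" for name in REQUIRED_HEADERS if name not in headers]


def cookie_findings(cookies: list[str]) -> list[str]:
    """Every cookie needs Secure, HttpOnly and SameSite so an ePHI session is neither sent over plain HTTP nor readable by scripts."""
    findings = []
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        for required in ("secure", "httponly", "samesite"):
            if required not in attrs:
                findings.append(f"cookie {name} lacks {required}")
    return findings


def tls_findings(protocol: str, not_after: date, today: date, warn_days: int = 30) -> list[str]:
    """On a live connection `protocol` comes from ssl.SSLSocket.version() and `not_after` from the leaf certificate."""
    findings = []
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"legacy protocol {protocol} negotiated")
    days_left = (not_after - today).days
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left < warn_days:
        findings.append(f"certificate expires in {days_left} days")
    return findings


def evaluate(raw_head: str, protocol: str, not_after: date, today: date) -> list[str]:
    """One point-in-time snapshot: every finding across transport, headers and cookies, sorted for stable diffs."""
    headers, cookies = parse_response_head(raw_head)
    return sorted(
        hsts_findings(headers) + header_findings(headers) + cookie_findings(cookies)
        + tls_findings(protocol, not_after, today)
    )


def drift(previous: list[str], current: list[str]) -> list[str]:
    """Findings that are new since the last snapshot: what a daily rescan would alert on."""
    return sorted(set(current) - set(previous))


# Constructed sample response head for a correctly configured ePHI app (not a real capture).
GOOD_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=()\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
)
# The same app after a constructed deploy that dropped X-Frame-Options and the cookie's Secure flag.
DRIFTED_HEAD = GOOD_HEAD.replace("X-Frame-Options: DENY\r\n", "").replace("; Secure;", ";")

if __name__ == "__main__":
    yesterday = evaluate(GOOD_HEAD, "TLSv1.3", date(2025, 6, 1), date(2025, 1, 10))
    today = evaluate(DRIFTED_HEAD, "TLSv1.3", date(2025, 6, 1), date(2025, 1, 11))
    for finding in drift(yesterday, today):
        print("ALERT:", finding)
```

Each snapshot is a sorted list of findings, so storing one per day and diffing consecutive days gives exactly the "header removed" or "certificate nearing expiry" alert described above; an empty list for the current day is the dated evidence that the controls held.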
What SiteSecurityScore does not do for HIPAA
Being clear about the limits matters as much as the coverage. The following parts of HIPAA are outside what an external web scanner can see or evidence, and you must handle them through your own program, application controls, and advisors.
Access control and authentication
Unique user IDs, role based permissions, automatic logoff, and login security live inside your app and identity provider, not in an external scan.
Audit controls and logging
The records of who viewed or changed ePHI come from your application and infrastructure logs. SiteSecurityScore does not create or inspect them.
Encryption at rest
Protecting ePHI stored in databases, object storage, and backups is a server side concern that an external web scan cannot verify.
Administrative and physical safeguards
Risk analysis, written policies, workforce training, facility access, and device controls are program level and physical, not web configuration.
Business associate agreements
BAAs and the contractual flow of ePHI between parties are legal documents. SiteSecurityScore plays no role in them.
Compliance certification
There is no single official HIPAA certificate, and SiteSecurityScore does not issue attestations. It provides technical evidence only.
Evidence your transmission security safeguards
Run a free scan of any URL that handles ePHI and get a letter grade across TLS encryption, HSTS, security headers, CSP, and cookie security, with copy and paste fixes. No account required.
Frequently asked questions
Does SiteSecurityScore make my app HIPAA compliant?
No. SiteSecurityScore does not make any app HIPAA compliant and no scanning tool can. HIPAA compliance is a program that spans administrative safeguards, physical safeguards, technical safeguards, business associate agreements, risk analysis, and written policies. SiteSecurityScore helps with one slice of the technical safeguards, namely transmission security and secure web configuration for apps that handle electronic protected health information. It gives you evidence that ePHI is encrypted in transit and that your web surface is configured securely, which you can attach to your own risk analysis and audit file. The rest of the program is your responsibility and that of your covered entity or business associate.
Which HIPAA technical safeguards can SiteSecurityScore help evidence?
SiteSecurityScore is most useful for the transmission security standard at 45 CFR 164.312(e)(1), which expects covered entities and business associates to guard against unauthorized access to ePHI transmitted over a network and to encrypt ePHI in transit where appropriate. The scanner checks TLS and SSL configuration, certificate validity, HSTS, and security headers that protect the web application carrying ePHI. It also supports the ongoing evaluation of technical safeguards through daily monitoring. It does not address access control, authentication, audit logging, administrative safeguards, or physical safeguards.
How does SiteSecurityScore relate to encryption of ePHI in transit?
The HIPAA Security Rule expects ePHI moving across a network to be protected, and encryption in transit is the common way to meet that expectation. SiteSecurityScore inspects your TLS and SSL configuration, the protocol versions and cipher suites you accept, certificate validity, and whether Strict-Transport-Security (HSTS) forces browsers onto HTTPS. A clean scan gives you concrete evidence that the transport carrying ePHI is encrypted with modern settings. SiteSecurityScore does not encrypt data, manage keys, or assess encryption at rest inside your database.
Does SiteSecurityScore cover access control, authentication, or audit logging?
No. Access control, unique user identification, automatic logoff, and audit logging live inside your application and identity systems. SiteSecurityScore is an external configuration scanner that looks at TLS, security headers, CSP, cookies, DNS, CORS, and security.txt from the outside. It can confirm that session cookies carry Secure, HttpOnly, and SameSite attributes, which supports session integrity, but it does not test login flows, role based permissions, or the audit trails that record who viewed ePHI.
Can I use SiteSecurityScore reports as HIPAA audit evidence?
You can use SiteSecurityScore scans and PDF reports as supporting evidence for the specific technical safeguards they cover, such as encryption in transit and secure web configuration. Auditors and assessors often want proof that controls are real and maintained over time, and a dated PDF report plus a daily monitoring history shows both. Treat these reports as one input to your risk analysis and documentation, not as a certificate of compliance. SiteSecurityScore does not issue HIPAA attestations or certifications.
Is SiteSecurityScore legal advice or a HIPAA certification?
No. Nothing on this page or in any SiteSecurityScore report is legal advice, and SiteSecurityScore is not a HIPAA certification or accreditation body. HIPAA does not recognize a single official certification, and your obligations depend on your role as a covered entity or business associate, your business associate agreements, and your own risk analysis. Work with qualified counsel and a security or compliance professional to interpret the Security Rule for your situation. SiteSecurityScore is a technical tool that helps you find and fix web security gaps and gather evidence.