HIPAA Compliance Audit
Free HIPAA Compliance Audit (AWS, Azure & GCP) - HHS OCR Audit Protocol Aligned
A read-only HIPAA gap assessment of your cloud estate across AWS, Azure, and Google Cloud. Benchmarked against the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule - aligned with the HHS OCR Audit Protocol and HITRUST CSF. Covers IAM, audit logging, ePHI discovery (Macie, Purview, GCP DLP), encryption, network isolation, backups, and BAA coverage. No ePHI leaves your environment.
- Covers AWS, Azure, and Google Cloud - including HealthLake, Azure Health Data Services, and Cloud Healthcare API
- Aligned with the HHS OCR Audit Protocol and mapped to HITRUST CSF, NIST 800-66, and SOC 2 so the report drops into auditor evidence packs
- Senior compliance engineer verifies every finding - typical first audit surfaces 15-30 Security Rule gaps and 1-3 immediate ePHI exposures
- Read-only access only
- No ePHI leaves your environment
- Senior compliance-engineer verified
- Live findings walkthrough included
What We Audit Against the HIPAA Security Rule
Six areas covering every Technical, Administrative, and Physical Safeguard relevant to cloud workloads - aligned with the HHS OCR Audit Protocol and mapped to HITRUST CSF.
Access Control & Workforce Authorisation
Reviews IAM roles and policies, MFA enforcement, least-privilege scoping, credential rotation, break-glass access, and SSO / IdP integration against HIPAA §164.312(a) and §164.308(a)(3) - across AWS IAM / Identity Center, Azure Entra ID, and GCP IAM.
Audit Controls & Logging
Validates CloudTrail / CloudTrail Lake, Azure Activity Log, GCP Cloud Audit Logs, log retention and immutability, alerting, and SIEM integration (Security Hub, Microsoft Sentinel, Chronicle) per HIPAA §164.312(b) and §164.308(a)(1)(ii)(D).
Encryption, Integrity & ePHI Discovery
Checks encryption at rest (KMS / CMK, Azure Key Vault, GCP CMEK, customer-managed keys for RDS / Aurora / Cosmos DB / Cloud SQL), TLS enforcement, and ePHI discovery via Amazon Macie, Microsoft Purview, and GCP DLP - per HIPAA §164.312(c) and §164.312(e).
Network Security & Data Exfiltration
Evaluates VPC / VNet design, security group and NSG rules, PrivateLink / Private Endpoints / VPC Service Controls, Transit Gateway topology, WAF and egress controls, and DLP coverage - preventing unintended ePHI flows out of HIPAA-aligned accounts.
Backup, Immutability & Disaster Recovery
Assesses RDS / Aurora / Cosmos DB / Cloud SQL backups, S3 / Blob / GCS Object Lock, AWS Backup Vault Lock, Azure Backup soft delete, cross-region replication, retention and tamper-protection, plus RTO / RPO targets for every ePHI data store.
BAA Coverage, Risk Register & OCR Audit Mapping
Maps each finding to the HHS OCR Audit Protocol and HITRUST CSF, separates controls covered by your AWS / Azure / GCP BAA from those you must implement yourself, and produces a prioritised risk register with severity, likelihood, and remediation effort.
How It Works
Register & Grant Read-Only Access
We provide a ready-to-deploy IAM Role, App Registration, or Service Account with read-only permissions scoped to compliance-relevant APIs - no ability to read ePHI, modify config, or trigger any workflow. Step-by-step setup guides included.
Automated HIPAA Posture Scan
We run automated checks across IAM, audit logging, encryption, ePHI discovery, network isolation, and backup posture - leveraging AWS Audit Manager, Config, Security Hub, GuardDuty, Macie, Azure Defender for Cloud, Policy, Purview, GCP SCC, and DLP signals where you have them.
Senior Compliance Engineer Verification
A senior compliance engineer reviews every finding, removes false positives, models ePHI exposure for your architecture, and rewrites recommendations into prioritised, account-specific remediation steps mapped to the HHS OCR Audit Protocol and HITRUST CSF.
Receive Report & Live Debrief
Get your HIPAA Gap Report with pass / partial / fail per Security Rule control, BAA coverage matrix, prioritised remediation roadmap, and HHS OCR / HITRUST mapping - within 1-2 business days, plus a 45-minute live walkthrough.
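The posture scan and the pass / partial / fail scoring described in the steps above, as an added example that is not the service's own scanner: a handful of AWS metadata checks run over a constructed configuration snapshot (simplified boto3-style field names) and mapped to Security Rule citations. The resource names and snapshot values are constructed, and the HIPAA paragraph references for encryption and the data backup plan are standard citations added here, not taken from the page.

```python
"""Minimal HIPAA Security Rule posture checks over an AWS configuration
snapshot. Only configuration metadata is evaluated; no object or row
contents are ever touched (added example, not the audit service's code)."""

# Constructed snapshot, shaped like simplified boto3 describe_* responses.
SNAPSHOT = {
    "trails": [{"Name": "org-trail", "IsMultiRegionTrail": True,
                "LogFileValidationEnabled": False}],
    "rds": [{"DBInstanceIdentifier": "ehr-prod", "StorageEncrypted": True},
            {"DBInstanceIdentifier": "claims-stg", "StorageEncrypted": False}],
    "buckets": [{"Name": "phi-exports", "ObjectLockEnabled": True},
                {"Name": "phi-archive", "ObjectLockEnabled": False}],
    "backup_vaults": [{"BackupVaultName": "phi-vault", "Locked": False}],
}

# Severity assigned per control when a check does not pass (assumed values).
SEVERITY = {"164.312(b)": "high", "164.312(a)(2)(iv)": "critical",
            "164.308(a)(7)(ii)(A)": "high"}


def check_trails(trails):
    """164.312(b) audit controls: a trail should be multi-region and
    tamper-evident (log file validation). Meeting only one is 'partial'."""
    out = []
    for t in trails:
        score = int(t["IsMultiRegionTrail"]) + int(t["LogFileValidationEnabled"])
        out.append(("164.312(b)", t["Name"], ("fail", "partial", "pass")[score]))
    return out


def check_rds(instances):
    """164.312(a)(2)(iv) encryption: ePHI data stores encrypted at rest."""
    return [("164.312(a)(2)(iv)", d["DBInstanceIdentifier"],
             "pass" if d["StorageEncrypted"] else "fail") for d in instances]


def check_immutability(buckets, vaults):
    """164.308(a)(7)(ii)(A) data backup plan: exports and backup vaults must
    be tamper-protected (S3 Object Lock, AWS Backup Vault Lock)."""
    out = [("164.308(a)(7)(ii)(A)", b["Name"],
            "pass" if b["ObjectLockEnabled"] else "fail") for b in buckets]
    out += [("164.308(a)(7)(ii)(A)", v["BackupVaultName"],
             "pass" if v["Locked"] else "fail") for v in vaults]
    return out


def evaluate(snapshot):
    """Run every check; failures first, then partials, then passes."""
    findings = (check_trails(snapshot["trails"]) + check_rds(snapshot["rds"])
                + check_immutability(snapshot["buckets"], snapshot["backup_vaults"]))
    order = {"fail": 0, "partial": 1, "pass": 2}
    return sorted(findings, key=lambda f: (order[f[2]], f[0]))


def remediation_backlog(findings):
    """Non-passing findings only, each tagged with its control severity."""
    return [(c, r, s, SEVERITY[c]) for c, r, s in findings if s != "pass"]
```

Running `remediation_backlog(evaluate(SNAPSHOT))` on the constructed snapshot yields three failures and one partial, with the unlocked backup vault and the unencrypted staging database at the top of the backlog.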
What You Get
Your report will include the following deliverables.
Find the HIPAA gaps before HHS OCR or your auditor does.
Get a senior-engineer-verified HIPAA gap report with BAA coverage matrix, prioritised remediation backlog, and live debrief - read-only access only, no ePHI exposed, completely free.
How We Handle Your ePHI and Cloud Configuration
A HIPAA audit must never become a HIPAA incident. Here is exactly what we read - and what never leaves your environment.
Read-Only, Time-Limited Access
We use a read-only IAM Role (AWS), App Registration (Azure), or Service Account (GCP) scoped strictly to compliance-relevant configuration APIs and time-limited to the audit window. We can never read ePHI, modify resources, change IAM, or trigger any workflow.
No ePHI Read or Exfiltrated
The audit reads cloud configuration and metadata only - IAM policies, encryption settings, backup posture, network rules, log coverage. We never read database rows, object contents, FHIR resources, or any payload that could contain ePHI. A signed BAA and confidentiality NDA are available on request before access is granted.
Auto-Revoked & Destroyed After Audit
As soon as your gap report is delivered, every credential is revoked, the analysis sandbox is destroyed, and your configuration export is deleted. Only aggregate, anonymised findings are retained for QA - never account, resource, or workload identifiers.
Frequently Asked Questions
The most common questions we hear from teams running this assessment.
What access do you actually need? Will you ever see our patient data?
No. We use a read-only IAM Role (AWS), App Registration (Azure), or Service Account (GCP) scoped strictly to compliance-relevant configuration APIs - IAM, KMS, CloudTrail, Config, Security Hub, Macie findings, Azure Defender, GCP Security Command Center, and similar. The role explicitly cannot read S3 / Blob / GCS object contents, database rows, FHIR resources, or any payload that may contain ePHI. We work entirely from configuration metadata.
Do you align with the HHS OCR Audit Protocol and HITRUST CSF?
Yes. Every finding is mapped to the relevant control in the HHS OCR Audit Protocol and to HITRUST CSF (e1 and r2 where in scope), plus NIST 800-66 (the HIPAA Security Rule implementation guide) and SOC 2 CC controls. The report is designed so your compliance team or auditor can drop it directly into an evidence pack.
Do we need a signed BAA with our cloud provider before the audit?
We strongly recommend it. A signed BAA with AWS, Azure, or GCP is required before any ePHI is processed in the cloud at all - and the audit is most useful once you have one in place because the report includes a BAA coverage matrix showing which controls the cloud provider takes responsibility for under their BAA versus which you must implement yourself. If you do not yet have a BAA, we can still run the audit and the report will explicitly flag the BAA gap.
Which clouds and HIPAA-eligible services do you support?
AWS, Azure, and Google Cloud - including HIPAA-specific services such as Amazon HealthLake and HealthLake Imaging, Azure Health Data Services and DICOM Service, and the Google Cloud Healthcare API. The audit covers compute, storage, databases, networking, identity, logging, and backup posture across all three providers.
How is this different from running AWS Audit Manager, Azure Defender, or GCP Security Command Center ourselves?
Those tools produce raw findings. This audit interprets them. A senior compliance engineer triages every finding for actual ePHI exposure and OCR audit risk, removes false positives, and combines results from Audit Manager, Config, Security Hub, GuardDuty, Macie, Azure Policy, Defender for Cloud, Microsoft Purview, GCP Security Command Center, and DLP with a manual review of architecture, BAA coverage, and breach-notification readiness - producing a prioritised remediation plan rather than a 4,000-line raw finding list.
Can you also assess Privacy Rule and Breach Notification Rule readiness?
Yes. The technical audit focuses on the Security Rule, but the report also reviews configuration evidence relevant to the Privacy Rule (audit logs to support accounting of disclosures, access minimisation, retention) and the Breach Notification Rule (encryption safe harbour status per ePHI store, log immutability, SIEM detection coverage, and incident-response readiness). Policy and workforce-training elements remain your responsibility, but the report tells you exactly what additional evidence is required.
Will the audit affect production workloads?
No. The audit is fully read-only and runs against configuration APIs at a controlled rate. Nothing we do can modify resources, change IAM, restart workloads, or affect ePHI availability. You can run the audit during normal business hours with zero risk to delivery.
How long until we receive the report?
Typical turnaround is 1-2 business days from the moment read-only access is granted, plus a 45-minute live findings walkthrough at a time that suits your compliance and engineering leads. Larger multi-account or multi-cloud estates can take a little longer; we confirm the timeline as soon as we see the scope.