Developers and HIPAA

Scanning and Penetration Testing

Do entities need to run internal and external vulnerability scanning to be HIPAA compliant? Do entities have to run penetration tests to ensure compliance? Reading §164.312(e)(2)(i), it seems that 'security measures' could include these tests, but it does not specify a requirement for them.

Additionally, a risk analysis could identify that these services would help to reduce the risk, threats and vulnerabilities in in-scope systems, but I cannot find anywhere that these tests are mandatory.


Who are your customers? Business associates (operates on behalf of/provides service to a health care provider/health plan, e.g., an EHR vendor); health plans or health care providers

What is your organization? Attorney/other compliance consultant

2 votes (2 up votes, 0 down votes)
Question No. 45