Does HIPAA Require a Penetration Test?
If you run a medical or dental practice in Arizona and someone has asked whether HIPAA requires a penetration test, here is the honest answer: not by name. The HIPAA Security Rule never uses the words “penetration test.” What it does require is a risk analysis and a periodic evaluation of your security, and a penetration test is one of the most credible ways to handle that evaluation part. So the law does not list it as a checkbox, but in practice it is often how a practice proves its systems were actually tested, instead of just assumed to be fine.
That distinction matters, because it decides whether you are buying a test to satisfy a rule or buying one because it genuinely tells you something. Usually it is both.
So, does HIPAA require a penetration test?
No, not as a named requirement. Yes, in the sense that the rule expects you to evaluate your security, and a pentest is a strong way to do it.
The HIPAA Security Rule is a set of safeguards for electronic protected health information, the patient data your systems store and send. It is written to be flexible on purpose, because a ten-person dental office and a regional clinic group do not have the same setup. So instead of naming specific tools, it names outcomes you have to be able to show. Two of those outcomes are where testing comes in.
What HIPAA actually says
The two parts that matter here both live in the Security Rule’s administrative safeguards. Neither one says “penetration test,” but both point straight at the work a test does.
| What the HIPAA Security Rule says | What it means for your practice |
|---|---|
| Run a risk analysis: assess the risks to the confidentiality, integrity, and availability of your electronic health information (45 CFR 164.308(a)(1)(ii)(A)) | Know where patient data lives and what could realistically go wrong with it. This is broad, and bigger than any single test. |
| Run a periodic evaluation of your safeguards (45 CFR 164.308(a)(8)) | Actually check whether your protections work, not just that they exist on paper. This is where hands-on testing earns its keep. |
| The rule never names a “penetration test” | You get to choose how you evaluate. A pentest is one of the most credible ways, and not the only one. |
You can read both requirements in the official text from the HHS Security Rule overview and the federal regulation itself. The short version: HIPAA tells you to look honestly at your risks and to test whether your defenses hold. It leaves the “how” to you.
Where a penetration test fits in
A penetration test is authorized, scoped testing where a real person tries to get into your systems the way an attacker would, then writes up what they found and how to fix it. That maps almost word for word to the “evaluation” part of the rule: checking whether your safeguards actually work.
Federal guidance backs this up. NIST’s guide for implementing the HIPAA Security Rule, SP 800-66 Revision 2, points to testing techniques like penetration testing as a way to evaluate whether your controls do what you think they do. It is guidance, not law, but it is the same guidance auditors and assessors lean on.
One honest caveat, because it saves you money: a penetration test is not the whole risk analysis. The risk analysis is the wider exercise of mapping where your data is and what threatens it. The pentest is the hands-on proof that the technical controls hold up. You want both, and they are different jobs. Anyone who tells you a single scan satisfies all of HIPAA is overselling.
Why most practices get one anyway
Even though the rule does not name it, most practices we talk to end up getting a penetration test for one of a few plain reasons:
- Cyber insurance asks for it. This is the single most common trigger. The questionnaire asks whether you have had a penetration test, and a clean, dated report is the easiest way to answer yes. We wrote a whole piece on the cyber-insurance angle if that is what brought you here.
- A partner or client requires it. Hospitals, larger health systems, and business associates increasingly run vendor security reviews. If you handle their patient data, your contract or business associate agreement may ask for proof of testing.
- Something prompted a closer look. A new practice management system, a move to the cloud, a staff member who clicked the wrong link, or a recent audit. Any of these is a fair reason to check where you stand.
- You simply want to know. Plenty of owners get tested for peace of mind, full stop. Healthcare has been the most expensive industry for a data breach for well over a decade, according to IBM’s Cost of a Data Breach Report, and a test is a cheap way to find the gaps before someone else does.
What HIPAA does not require, so you don’t overspend
This is the part fear-based marketing skips. A few things worth saying plainly:
You do not need the largest, most expensive test on the menu to satisfy HIPAA. You need a test scoped to your actual environment. A small practice with a couple of servers and a cloud-based records system does not need the same engagement as a multi-site group.
Having systems reachable from the internet is not, by itself, a HIPAA problem. Your patient portal, your remote access, and your email are supposed to be reachable. The question a good test answers is whether they are patched, configured correctly, and behind multi-factor authentication, not whether they exist. We do not cry wolf about normal infrastructure.
And you do not have to test on some punishing schedule. The rule says “periodic” and “in response to environmental or operational changes,” which most practices read as once a year plus after any major change. That is a reasonable rhythm, not a monthly tax.
If cost is the thing you are weighing, our pricing is published openly: external testing starts at $4,000, and a retest of whatever you fix is included on every tier, not billed back as an upsell.
What a HIPAA-minded test looks like with us
Nothing exotic. For most practices it means external testing of what faces the internet, often paired with internal testing of what an attacker could reach once inside, both done with manual work and not just an automated scan. Automated tools catch the obvious things. A person finds the chain of small things that actually gets someone in.
You walk away with a plain-English report that maps to the evaluation HIPAA expects: what we tested, what we found, ranked by what actually matters, and a clear fix list your IT person or MSP can act on. If you already have an IT provider, that is fine. We are an independent second opinion, not here to replace anyone.
Not sure whether your practice needs the small version or something broader? Tell us a little about your setup and what is prompting the test, whether it is insurance, a client requirement, or just wanting to know, and we will come back with a fair, fixed quote. Request a quote.
FAQ
Is a vulnerability scan enough for HIPAA?
A scan helps, but it is not the same as a penetration test. A scan lists known weaknesses automatically. A pentest has a person confirm what is actually exploitable and how the pieces chain together. For the “evaluation” HIPAA expects, the hands-on test is far more convincing. See our scan vs pentest breakdown.
How often should a medical practice get a penetration test?
HIPAA does not set a number. It says test periodically and after significant changes. In practice, most practices do it once a year and again after any major change, like a new records system or a move to the cloud. Annual testing also lines up with what most cyber-insurance renewals expect.
Does HIPAA apply the same way to a small dental office?
Yes. The Security Rule applies regardless of size, so a solo dental practice has the same core obligations as a large clinic. What changes is scope, not whether the rule applies. A smaller environment simply means a smaller, less expensive test.
What does a HIPAA penetration test cost?
There is no special “HIPAA” price. The work is the same testing scoped to your environment. Our external testing starts at $4,000, with internal and broader options above that, and a retest of your fixed findings included on every tier. The final number depends on the size of your setup.
The honest bottom line
Does HIPAA require a penetration test? Not in those words. It requires you to understand your risks and to actually evaluate whether your security works, and a penetration test is one of the clearest, most defensible ways to do the second part. Add in cyber insurance and client requirements, and that is why most Arizona practices end up getting one even though the rule never names it.
If a test is on your radar, the fastest way to know what you need is a short scoping conversation. Request a quote and we will figure out the right scope with you.