HIPAA

Profile name: hipaa

Vulkro covers the technical-safeguards subset of the HIPAA Security Rule, Sec.164.312. Administrative and physical safeguards (Sec.164.308, Sec.164.310) are out of scope.

Run it

vulkro compliance . --profile hipaa

High-traffic mappings

Vulkro finding	HIPAA Security Rule
`BrokenAuthentication`	Sec.164.312(d) Person or Entity Authentication
`BrokenObjectLevelAuth`	Sec.164.312(a)(1) Access Control
`Hardcoded secret`	Sec.164.312(a)(2)(i) Unique User ID
`Weak crypto`	Sec.164.312(a)(2)(iv) Encryption and Decryption
`Insecure transmission`	Sec.164.312(e)(1) Transmission Security
`Insecure logging`	Sec.164.312(b) Audit Controls
`PHI exposure`	Sec.164.312(c)(1) Integrity

PHI detection

The privacy engine detects PHI-shaped fields in request and response shapes:

medical_record_number, mrn, patient_id
diagnosis, icd10, icd_code
prescription, rx
dob + name co-occurrence
Biometric IDs (fingerprint_hash, face_id)

Findings on these fields are tagged with HIPAA control citations even when the underlying issue is generic (e.g. "PII passed to logger"). The desktop console's Privacy tab surfaces these as a HIPAA-specific view.

Audit packaging

vulkro report . --profile hipaa -o hipaa-report.html

Single-page HTML, ready for a covered entity's risk-analysis file.

Compliance overview ->

Run it​

High-traffic mappings​

PHI detection​

Audit packaging​

Related​

Run it

High-traffic mappings

PHI detection

Audit packaging

Related