📊 Executive Summary
Findings Breakdown
💡 Recommendations
- Address 7 critical issue(s) immediately - these pose severe HIPAA compliance risks
- Resolve 13 high severity issue(s) as soon as possible
- Your compliance score is below acceptable levels. Consider a comprehensive security audit
📋 Findings Summary
27 findings grouped into 22 locations
— multiple controls flagged at the same file & line are shown together,
but each is counted individually. The chip counts below match the
Executive Summary.
+ 1 upcoming requirement (NPRM — proposed rule) — listed separately below, excluded from the counts above.
| Severity | Finding | File | HIPAA Ref |
|---|---|---|---|
| critical | Missing Multi-Factor Authentication for PHI Access | src/app/api/patients/route.ts:12 | 45 CFR §164.312(a)(2)(i) — Access Control (Required) |
| critical |
src/app/api/patients/route.ts:36 · 4 controls flagged at this location
|
||
| critical | Missing Multi-Factor Authentication for PHI Access | src/app/api/patients/route.ts:55 | 45 CFR §164.312(a)(2)(i) — Access Control (Required) |
| critical | ePHI Stored Without Encryption at Rest | src/app/dashboard/page.tsx:25 | 45 CFR §164.312(a)(2)(iv) — Encryption (Required) |
| critical | PHI stored in localStorage | src/app/dashboard/page.tsx:25 | 45 CFR §164.502 — Uses and Disclosures of PHI: General Rules; 45 CFR §164.514 — De-identification and Minimum Necessary |
| critical | PHI Data in Error Logs or Thrown Errors | src/app/dashboard/page.tsx:27 | 45 CFR §164.312(c) — Integrity Controls |
| critical |
src/app/dashboard/page.tsx:31 · 2 controls flagged at this location
|
||
| high | No audit logging framework detected | package.json:N/A | 45 CFR §164.312(b) — Audit Controls |
| high | PHI Data Access Without Role/Permission Verification | src/app/api/patients/route.ts:21 | 45 CFR §164.312(a)(1) — Access Control |
| high |
src/app/api/patients/route.ts:37 · 2 controls flagged at this location
|
||
| high | PHI Data Access Without Role/Permission Verification | src/app/api/patients/route.ts:62 | 45 CFR §164.312(a)(1) — Access Control |
| high | Unsanitized Error Details Sent to User | src/app/api/patients/route.ts:67 | 45 CFR §164.312(b) — Audit Controls |
| high | Encryption issue: Unencrypted HTTP URL | src/app/dashboard/page.tsx:20 | 45 CFR §164.312(e)(1) — Transmission Security |
| high | Missing Automatic Session Timeout | src/app/dashboard/page.tsx:35 | 45 CFR §164.312(a)(2)(iii) — Session Control (Required) |
| high | Missing Vulnerability Scanning Configuration | project-level:1 | 45 CFR §164.308(a)(8) — Evaluation (Required) |
| medium | Database Without Backup Configuration | src/app/api/patients/route.ts:10 | 45 CFR §164.308(a)(7)(ii)(A) — Data Backup Plan |
| medium | SELECT * on PHI Tables Violates Minimum Necessary Principle | src/app/api/patients/route.ts:22 | 45 CFR §164.502(b) — Minimum Necessary Requirement |
| medium | Patient address handling detected | src/app/api/patients/route.ts:51 | 45 CFR §164.502 — Uses and Disclosures of PHI: General Rules; 45 CFR §164.514 — De-identification and Minimum Necessary |
| medium | Data deletion without apparent logging | src/app/api/patients/route.ts:63 | 45 CFR §164.530(j) — Documentation |
| medium | PHI caching detected | src/app/dashboard/page.tsx:25 | 45 CFR §164.530(j) — Documentation |
| info | ePHI Technology Asset Inventory Generated | ASSET-INVENTORY:1 | 45 CFR §164.308(a)(1)(ii)(A) — Risk Analysis (Required) |
| info | ePHI Flow Map Generated | PHI-FLOW-MAP:1 | 45 CFR §164.308(a)(1)(ii)(A) — Risk Analysis (Required) |
🕓 Upcoming Requirements (NPRM — proposed rule, not yet in effect)
These reference the proposed 2026 HIPAA Security Rule (NPRM). They are not current obligations and are excluded from the severity counts above. They will apply if and when the rule is finalized — treat them as forward-looking guidance.
| Status | Requirement | File | HIPAA Ref |
|---|---|---|---|
| Proposed | Authentication Configuration Without MFA Enabled | src/app/api/patients/route.ts:10 | 45 CFR §164.312(d) — Person or Entity Authentication (NPRM — proposed rule) |
📜 Report Integrity
This report was generated by vlayer - an automated HIPAA compliance scanner. The SHA256 hash above can be used to verify the integrity of this document.