Sample report — generated by VLayer against a demo Next.js healthcare app. Download PDF · White-label this for your agency →
VL

HIPAA Compliance Audit Report

Northwind Health - June 2026
Prepared by Northwind Health
Report Generated
6/17/2026, 11:33:08 PM
Auditor
VLayer Automated Scan
Target Path
vlayer-demo-nextjs
Files Scanned
4

📊 Executive Summary

🎯
Compliance Score
0/100
Grade F - critical
⚠️
Total Issues
27
7 critical, 13 high
📁
Files Scanned
4
in 139ms
📉
Penalty Points
-155
from 27 findings
0 /100
F
CRITICAL

Findings Breakdown

Critical
7
High
13
Medium
5
Low
0

💡 Recommendations

  • Address 7 critical issue(s) immediately - these pose severe HIPAA compliance risks
  • Resolve 13 high severity issue(s) as soon as possible
  • Your compliance score is below acceptable levels. Consider a comprehensive security audit

📋 Findings Summary

27 findings grouped into 22 locations — multiple controls flagged at the same file & line are shown together, but each is counted individually. The chip counts below match the Executive Summary.
+ 1 upcoming requirement (NPRM — proposed rule) — listed separately below, excluded from the counts above.

Severity Finding File HIPAA Ref
critical Missing Multi-Factor Authentication for PHI Access src/app/api/patients/route.ts:12 45 CFR §164.312(a)(2)(i) — Access Control (Required)
critical
src/app/api/patients/route.ts:36 · 4 controls flagged at this location
  • critical PHI Data in Error Logs or Thrown Errors 45 CFR §164.312(c) — Integrity Controls
  • high Patient name in console output 45 CFR §164.502 — Uses and Disclosures of PHI: General Rules; 45 CFR §164.514 — De-identification and Minimum Necessary
  • high PHI data in console output 45 CFR §164.502 — Uses and Disclosures of PHI: General Rules; 45 CFR §164.514 — De-identification and Minimum Necessary
  • high PHI in template literal log 45 CFR §164.502 — Uses and Disclosures of PHI: General Rules; 45 CFR §164.514 — De-identification and Minimum Necessary
critical Missing Multi-Factor Authentication for PHI Access src/app/api/patients/route.ts:55 45 CFR §164.312(a)(2)(i) — Access Control (Required)
critical ePHI Stored Without Encryption at Rest src/app/dashboard/page.tsx:25 45 CFR §164.312(a)(2)(iv) — Encryption (Required)
critical PHI stored in localStorage src/app/dashboard/page.tsx:25 45 CFR §164.502 — Uses and Disclosures of PHI: General Rules; 45 CFR §164.514 — De-identification and Minimum Necessary
critical PHI Data in Error Logs or Thrown Errors src/app/dashboard/page.tsx:27 45 CFR §164.312(c) — Integrity Controls
critical
src/app/dashboard/page.tsx:31 · 2 controls flagged at this location
  • critical PHI Data in Error Logs or Thrown Errors 45 CFR §164.312(c) — Integrity Controls
  • high Patient name in console output 45 CFR §164.502 — Uses and Disclosures of PHI: General Rules; 45 CFR §164.514 — De-identification and Minimum Necessary
high No audit logging framework detected package.json:N/A 45 CFR §164.312(b) — Audit Controls
high PHI Data Access Without Role/Permission Verification src/app/api/patients/route.ts:21 45 CFR §164.312(a)(1) — Access Control
high
src/app/api/patients/route.ts:37 · 2 controls flagged at this location
  • high PHI data in console output 45 CFR §164.502 — Uses and Disclosures of PHI: General Rules; 45 CFR §164.514 — De-identification and Minimum Necessary
  • high PHI in template literal log 45 CFR §164.502 — Uses and Disclosures of PHI: General Rules; 45 CFR §164.514 — De-identification and Minimum Necessary
high PHI Data Access Without Role/Permission Verification src/app/api/patients/route.ts:62 45 CFR §164.312(a)(1) — Access Control
high Unsanitized Error Details Sent to User src/app/api/patients/route.ts:67 45 CFR §164.312(b) — Audit Controls
high Encryption issue: Unencrypted HTTP URL src/app/dashboard/page.tsx:20 45 CFR §164.312(e)(1) — Transmission Security
high Missing Automatic Session Timeout src/app/dashboard/page.tsx:35 45 CFR §164.312(a)(2)(iii) — Session Control (Required)
high Missing Vulnerability Scanning Configuration project-level:1 45 CFR §164.308(a)(8) — Evaluation (Required)
medium Database Without Backup Configuration src/app/api/patients/route.ts:10 45 CFR §164.308(a)(7)(ii)(A) — Data Backup Plan
medium SELECT * on PHI Tables Violates Minimum Necessary Principle src/app/api/patients/route.ts:22 45 CFR §164.502(b) — Minimum Necessary Requirement
medium Patient address handling detected src/app/api/patients/route.ts:51 45 CFR §164.502 — Uses and Disclosures of PHI: General Rules; 45 CFR §164.514 — De-identification and Minimum Necessary
medium Data deletion without apparent logging src/app/api/patients/route.ts:63 45 CFR §164.530(j) — Documentation
medium PHI caching detected src/app/dashboard/page.tsx:25 45 CFR §164.530(j) — Documentation
info ePHI Technology Asset Inventory Generated ASSET-INVENTORY:1 45 CFR §164.308(a)(1)(ii)(A) — Risk Analysis (Required)
info ePHI Flow Map Generated PHI-FLOW-MAP:1 45 CFR §164.308(a)(1)(ii)(A) — Risk Analysis (Required)

🕓 Upcoming Requirements (NPRM — proposed rule, not yet in effect)

These reference the proposed 2026 HIPAA Security Rule (NPRM). They are not current obligations and are excluded from the severity counts above. They will apply if and when the rule is finalized — treat them as forward-looking guidance.

Status Requirement File HIPAA Ref
Proposed Authentication Configuration Without MFA Enabled src/app/api/patients/route.ts:10 45 CFR §164.312(d) — Person or Entity Authentication (NPRM — proposed rule)

📜 Report Integrity

Digital Signature: SHA256 hash of this report
Computing...

This report was generated by vlayer - an automated HIPAA compliance scanner. The SHA256 hash above can be used to verify the integrity of this document.