We Open-Sourced a HIPAA Gap Auditor for AI Coding Tools
Jahanzaib Iqbal
Co-Founder
23 June 2026
8 min read

AI coding assistants write code fast. They don't check whether that code handles patient data correctly.
If you're building healthcare software, your AI assistant will generate API endpoints that log PHI in error messages, pass SSNs through URL parameters, skip audit trails, and miss the session timeout HIPAA requires. You catch these during code review — if you catch them at all.
We built a HIPAA gap auditor to find them earlier. It works in Claude Code, Cursor, GitHub Copilot, and Windsurf — a three-phase compliance assessment on your existing codebase: automated static scan, a guided interview to surface process gaps, and a merged scored report with a blunt verdict — Not Compliant, Partially Compliant, or Compliant. Free and open source.
At a glance:
- 12 audit categories
- ~90% technical catch rate
- 62% static analysis coverage
- 3 audit phases
ℹ️ What Is the HIPAA Gap Auditor?
A free, open-source HIPAA compliance assessment tool that runs inside AI coding editors — Claude Code, Cursor, GitHub Copilot, and Windsurf. It scans your codebase across 12 HIPAA categories, conducts a 30-to-45-minute guided compliance interview, and produces a scored report (0–100 per category) with a verdict and prioritised remediation roadmap. MIT-licensed. No dependencies beyond Python 3.10.
Key Takeaways
1. Most teams first hear about HIPAA gaps from a paid auditor. An automated pre-audit scan can surface around 75% of technical violations before you spend money on a compliance firm.
2. HIPAA's 18 PHI identifiers include things engineers routinely overlook — IP addresses, appointment dates, device serial numbers. The auditor checks all 18 in your logs, URLs, and test fixtures.
3. Static analysis only covers about 62% of HIPAA obligations. Phase 2 is a guided interview that surfaces the process gaps code scanning cannot detect: no risk analysis doc, no incident runbook, vendors without BAAs.
4. Twelve categories are each scored 0–100. The report surfaces must-fix items first, not a raw checklist, with a remediation roadmap split across Week 1, Sprint 1, and Manual tracks.
5. A Compliant verdict means your automated checks passed. It is not a legal certification. Always pair with a qualified third-party auditor before clinical go-live.
What Does the HIPAA Gap Auditor Check?
Twelve categories, each with rules cited to HHS, NIST 800-66, or OCR guidance.
- Encryption at rest — AES-256 on every database, backup, object store, and log volume.
- Encryption in transit — TLS 1.2+ and HSTS enforced; plaintext HTTP URLs and disabled TLS certificate verification are flagged.
- Access control — auth framework present, MFA, wildcard CORS, RBAC, least-privilege enforcement.
- Audit logging — who accessed which record, when, from where. Immutable storage. 6-year retention.
- PHI in logs — scans log statements for all 18 identifiers. Checks whether a PHI scrubber is present.
- PHI in URLs — flags SSNs, MRNs, dates of birth, or other identifiers in query strings or path parameters.
- Secrets management — hardcoded API keys, committed .env files, exposed tokens in source.
- Input validation — injection prevention, schema validation at system boundaries.
- Session management — idle timeout, automatic logoff after inactivity.
- Vendor BAA coverage — classifies your dependencies as BAA-signable, enterprise-only, or blocked. Google Analytics and Meta Pixel are blocked. Vercel, Sentry, and Datadog are enterprise-only.
- De-identification — checks dev and test fixtures for Safe Harbor identifiers. No real PHI in non-prod.
- Breach readiness — risk analysis document, incident runbook, DR plan, NPP, patient rights procedures.
How Does the Three-Phase HIPAA Audit Work?
Three phases. Each builds on the previous.
1. Phase 1 — Automated scan (~30 seconds). Runs across your source code, infrastructure files (Dockerfile, Terraform, YAML, .env), and dependency manifests. Prints severity-tagged findings and writes an HTML dashboard to your project root.
2. Phase 2 — Guided interview (~30–45 minutes, pausable). Your AI assistant asks 3–5 questions per turn in severity order. Covers administrative, physical, and process controls that static analysis cannot see. Skipped and unknown answers are accepted. Resumable across sessions.
3. Phase 3 — Merged report. Combines scan findings and interview answers into a single scored verdict. Walks through the top must-fix items and offers to generate tickets for each.
ℹ️ Realistic confidence numbers
Catch obvious technical mistakes before they ship: ~90%. Surface real gaps before a paid auditor finds them: ~75%. Replace a formal HIPAA audit: 0%.
How to Install
Claude Code
One command, one symlink:

```bash
git clone git@github.com:Global-Software-Consulting/hipaa-audit-skill.git ~/hipaa-audit-skill
bash ~/hipaa-audit-skill/install.sh
```

This creates a symlink at ~/.claude/skills/hipaa-audit. Restart Claude Code — the skill auto-loads. Then run:

```
/hipaa-audit /path/to/your/project
```

Or use any trigger phrase: "hipaa audit /path", "phi leak check on /path", "is /path hipaa compliant?", "baa audit on /path".
Cursor
Copy the adapter files into your project root:

```bash
cp -r ~/hipaa-audit-skill/.cursor /your/project/.cursor
```

Then in Cursor: run /hipaa-audit <path> from the command palette, or just ask for a HIPAA audit in chat — the rule loads automatically.
GitHub Copilot
Copy the prompt file into your project:

```bash
cp -r ~/hipaa-audit-skill/.github /your/project/.github
```

In Copilot Chat, run the hipaa-audit prompt from the prompt picker and provide your project path.
Windsurf
Copy the workflow file into your project:

```bash
cp -r ~/hipaa-audit-skill/.windsurf /your/project/.windsurf
```

Run /hipaa-audit from Windsurf's workflow menu and provide the project path when prompted.
💡 Any other AI tool
The repo includes AGENTS.md — a universal adapter file read automatically by any AI tool that supports the AGENTS.md convention. Copy it into your project root and it just works.
What Does the HIPAA Audit Report Look Like?
The HTML dashboard drops into your project root as hipaa-audit-report.html. It includes:
- Verdict badge (Not Compliant / Partially Compliant / Compliant) and an overall 0–100 score
- Per-category score bars — red for failing, amber for at-risk, green for passing
- Severity breakdown chart across Critical, High, Medium, and Low findings
- Vendor BAA risk table — blocked, enterprise-only, and signable vendors identified
- Filterable findings table by status, severity, and source (code scan vs. interview)
The Markdown report includes an executive summary, must-fix detail cards with rule citations, and a remediation roadmap split across three tracks: Week 1 for critical blockers, Sprint 1 for high-severity items, and Manual for policy and process work.
Where Does the HIPAA Audit Rule Set Come From?
GSoft builds software for healthcare clients across the UK, Netherlands, Australia, and North America. HIPAA compliance is a recurring part of delivery — not a one-time launch checkbox. We have worked on medication management platforms, patient data pipelines, EHR-integrated applications, and clinical tooling where a compliance gap has real consequences.
We built this tool to automate the pre-audit work: the checks that should happen before you engage a compliance firm, before your code review, before your launch. The same technical checks we run for healthcare clients, packaged as a Claude Code skill that runs in your terminal in under a minute.
The rule set lives in a human-readable rules.yaml file with citations on every rule. Adding a new rule, updating a vendor BAA status, or contributing an interview question follows a documented process in CONTRIBUTING.md. Community contributions keep it current as requirements evolve.
What Does the HIPAA Gap Auditor Not Cover?
⚠️ This is a gap assessment tool, not a certification
It cannot verify signed BAAs, review physical safeguards, validate training logs, audit runtime cloud configuration, or replace a formal risk assessment. Always pair with a qualified third-party auditor — HITRUST, SOC 2 + HIPAA — before clinical go-live.
False positives are expected. Regex catches namespace URLs like http://www.w3.org/2000/svg, route constants like PASSWORD: '/auth/forgot-password', and .env files already in .gitignore. Review each finding before acting on it. The vendor BAA list is a point-in-time snapshot — confirm current status on each vendor's HIPAA page before signing. Interview answers are self-reported; the tool cannot verify that a risk analysis document actually exists or is current.
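As an added illustration of the static category checks listed earlier (PHI in logs, PHI in URLs, encryption in transit, secrets, wildcard CORS) and of the two false-positive shapes just described, here is a minimal Python scan written for this article; it is not the project's scanner or its rules.yaml. The rule patterns, severity weights, verdict cut-offs and sample source lines are all constructed assumptions for illustration.

```python
import re

# Constructed rule table modelled on the page's categories (not the project's rules.yaml):
# (category, severity, pattern). Comments mark the two false-positive shapes named on the page.
RULES = [
    ("phi_in_logs", "CRITICAL",
     re.compile(r"\b(log|logger|console)\.\w+\(.*\b(ssn|mrn|dob|date_of_birth)\b", re.I)),
    ("phi_in_urls", "HIGH", re.compile(r"[?&/](ssn|mrn|dob)=", re.I)),
    # Namespace URLs such as http://www.w3.org/2000/svg are excluded by the lookahead.
    ("encryption_in_transit", "HIGH", re.compile(r"http://(?!www\.w3\.org/|localhost\b)[\w.-]+")),
    # The value must be 16+ token characters right after the quote, so a route constant such
    # as PASSWORD: '/auth/forgot-password' (slash first) does not fire.
    ("secrets", "CRITICAL",
     re.compile(r"(api[_-]?key|secret|token|password)\s*[:=]\s*['\"][A-Za-z0-9_-]{16,}['\"]", re.I)),
    ("access_control", "HIGH", re.compile(r"Access-Control-Allow-Origin.*\*")),
]
SEVERITY_WEIGHT = {"CRITICAL": 40, "HIGH": 20, "MEDIUM": 10, "LOW": 5}  # assumed weights
CATEGORIES = sorted({rule[0] for rule in RULES})

def scan(lines):
    """Return severity-tagged findings as (line_no, category, severity, source_text)."""
    findings = []
    for no, text in enumerate(lines, 1):
        for category, severity, pattern in RULES:
            if pattern.search(text):
                findings.append((no, category, severity, text.strip()))
    return findings

def score(findings):
    """Per-category 0-100: start at 100, subtract a weight per finding, floor at 0."""
    scores = dict.fromkeys(CATEGORIES, 100)
    for _, category, severity, _ in findings:
        scores[category] = max(0, scores[category] - SEVERITY_WEIGHT[severity])
    return scores

def verdict(findings, scores):
    """Assumed cut-offs for illustration; the page does not publish the tool's thresholds."""
    if not findings:
        return "Compliant"
    if any(f[2] == "CRITICAL" for f in findings) or min(scores.values()) < 50:
        return "Not Compliant"
    return "Partially Compliant"

# Constructed sample source lines: five true findings plus the two known false-positive shapes.
SAMPLE = """\
logger.info(f"lookup failed for ssn={patient.ssn}")
fetch(`/api/patients?mrn=${mrn}`)
BASE_URL = "http://api.internal.example/v1"
const xmlns = "http://www.w3.org/2000/svg";
const ROUTES = { PASSWORD: '/auth/forgot-password' };
STRIPE_API_KEY = "EXAMPLEKEY0000000000000000"
res.setHeader("Access-Control-Allow-Origin", "*");
""".splitlines()
```

Calling `scan(SAMPLE)` yields five findings (two Critical, three High); the namespace URL and the route constant produce none, and the Critical findings drive the verdict to Not Compliant.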
Frequently Asked Questions
Does using this tool make my application HIPAA compliant?
No. It catches technical gaps and surfaces process gaps through the guided interview. Full HIPAA compliance also requires organisational policies, physical safeguards, staff training, signed Business Associate Agreements, and a formal risk assessment — none of which a code tool can replace.
Which AI coding tools does it support?
Claude Code (via SKILL.md), Cursor (via .cursor/rules/ and .cursor/commands/), GitHub Copilot (via .github/prompts/), and Windsurf (via .windsurf/workflows/). Any tool that supports the AGENTS.md convention also works — copy AGENTS.md into your project root. All adapters drive the same Python scanner engine.
Which project types does it support?
Single web apps (React, Next.js, Vue, Svelte), mobile apps (React Native, Flutter), backends (Node, Python, Go, Java, Rails), and monorepos. For monorepos, run it at the root for a combined report or per-package path for separate reports.
Do I still need a compliance officer or legal counsel?
Yes. This is a pre-audit engineering tool, not legal advice. Formal risk assessments, BAA negotiation, and audit readiness require human compliance expertise. This tool reduces the number of technical findings that reach a paid auditor — it does not replace one.
Is the rule set up to date with the 2025 HIPAA Security Rule updates?
The rule set is maintained in rules.yaml with citations to current HHS and NIST guidance. The 2025 updates — mandatory network segmentation, vulnerability scanning every 6 months, penetration testing every 12 months, and 72-hour incident notification — are included. Open an issue on the repo if something is missing or outdated.
What is the best free HIPAA audit tool for developers?
The GSoft HIPAA Gap Auditor is one of the few fully free, open-source options that integrates directly into AI coding editors. Unlike commercial tools (Tugboat Logic, Drata, Vanta), it requires no subscription and runs against your actual source code rather than questionnaires. It covers 12 HIPAA categories via static analysis and a guided interview, and produces a scored remediation report. Install by cloning github.com/Global-Software-Consulting/hipaa-audit-skill.
How do I check if my healthcare app is HIPAA compliant?
Start with technical controls: run the HIPAA Gap Auditor against your codebase to catch PHI in logs, missing encryption, secrets in source, and weak session management. Then address process controls: a written risk analysis, Business Associate Agreements with every cloud vendor that touches patient data, an incident response runbook, and staff training records. Finally, engage a qualified third-party auditor or pursue HITRUST CSF certification before clinical go-live. The gap auditor covers the first step.
What is the difference between a HIPAA audit and HIPAA certification?
HIPAA has no official government certification program. The HHS Office for Civil Rights (OCR) enforces compliance through investigations and audits, not certificates. What healthcare organisations pursue instead is HITRUST CSF certification or a SOC 2 Type II report with HIPAA criteria — both produced by accredited third-party assessors. The GSoft HIPAA Gap Auditor is a pre-audit engineering tool: it finds technical gaps so your team can fix them before spending $20,000–$100,000 on a formal assessment.