Review healthcare code for potential HIPAA-related issues.
PHI detection, risk scoring, auto-remediation, and audit reports — for local review in your terminal, AI coding agent, or CI/CD pipeline. Informational only; not legal advice or compliance certification.
Why HipaaLint?
Healthcare and health-adjacent codebases can accidentally expose PHI, use insecure transport, or miss basic access-control and audit-logging safeguards. AI-assisted development can increase that risk if generated code is merged without focused review.
HipaaLint is a local static-analysis tool that scans your codebase against 266 rules across HIPAA, HITRUST CSF, and SOC 2 Health, produces a 0-100 risk-oriented score, and auto-fixes a limited set of simple violations in the CLI and editor integrations.
It is designed to help teams review code and prioritize remediation. It does not guarantee compliance, provide legal advice, or replace formal legal, privacy, security, or compliance review.
Quick Start
# Install
npm install -g @hipaalint/ai
# Scan your project
hipaalint scan .
# Get your compliance score
hipaalint score .
# Auto-fix simple violations
hipaalint scan . --fix --dry-run # preview first
hipaalint scan . --fix # apply fixes
# Generate a PDF audit report
hipaalint report . --format pdf
See It In Action
HipaaLint Web API & Playground
Integrate our powerful detection engine into your own web interfaces, or use our standalone interactive playground to audit compliance in real-time.
HipaaLint Terminal CLI
Scan your entire codebase, calculate your compliance score, and auto-fix violations directly from your terminal workflow.
1. Scan — Find violations instantly
hipaalint scan ./src
🛡️ HipaaLint AI — Scanning...
Path: ./src
Framework: hipaa
Sensitivity: balanced
📊 Results:
Files scanned: 128
Rules evaluated: 266
Duration: 869ms
🔴 Critical: 31
🟠 High: 1502
🟡 Medium: 199
🔵 Low: 0
🔴 HIPAA-ENC-001: Unencrypted HTTP Usage
📍 src/api/client.ts:15
📋 45 CFR §164.312(e)(1) — Transmission Security
💡 Use https:// for all data transmission. Configure TLS 1.2+ minimum.
🔴 HIPAA-ENC-004: Hardcoded Encryption Key
📍 src/config/secrets.ts:40
📋 45 CFR §164.312(a)(2)(iv) — Encryption and Decryption
💡 Use environment variables or a secrets manager.
Every finding includes the HIPAA citation, file location, and actionable remediation.
2. Score — Quantify your compliance posture
hipaalint score ./src
🛡️ HipaaLint Score
🔴 Overall: 3.7/100 (critical)
Domain Breakdown:
🟠 phi Protection: 0/100 (25% weight)
🟠 encryption: 0/100 (20% weight)
🟠 access Control: 0/100 (20% weight)
🟠 audit Logging: 0/100 (15% weight)
🟠 infrastructure: 0/100 (10% weight)
🟠 ai Governance: 37/100 (10% weight)
| Band | Score | Meaning |
|---|
| Strong | 90-100 | Meets baseline HIPAA technical safeguards |
| Needs Improvement | 70-89 | Minor gaps to address |
| At Risk | 40-69 | Significant compliance gaps |
| Critical | 0-39 | Immediate remediation required |
Critical violations automatically clamp the score — exposed PHI caps you at 69, no encryption caps at 59.
3. Fix — Auto-remediate simple violations
hipaalint scan ./src --fix --dry-run
🔧 Dry Run — 6 fix(es) would be applied:
✅ HIPAA-ENC-001 — src/api/tests/conftest.py:16
Upgraded http:// to https://
- return AsyncClient(transport=transport, base_url="http://test")
+ return AsyncClient(transport=transport, base_url="https://test")
✅ HIPAA-ENC-001 — src/api/tests/test_auth.py:15
Upgraded http:// to https://
- return AsyncClient(transport=transport, base_url="http://test")
+ return AsyncClient(transport=transport, base_url="https://test")
