$ pentest --compliance=hipaa
HIPAA Security Rule requires a risk analysis; a pen test is one accepted input to that risk analysis, not an independently mandated activity.
A HIPAA pen test for a healthcare covered-entity or business-associate runs $10,000 to $45,000 in 2026 from a healthcare-experienced vendor. The Security Rule (45 CFR 164.308) mandates a risk analysis, which pen test commonly feeds; the rule does not name pen test as a discrete requirement.
Last verified June 2026
$ drivers --price
- Covered-entity vs business-associate
Different scope shapes. BAs typically narrower.
- EHR / PHI system count
Number of systems storing or transmitting PHI.
- Cloud-hosted vs on-prem
AWS / Azure / GCP HIPAA-eligible services need provider-authorisation steps.
- Medical-device scope
If networked medical devices are in scope, specialist vendor required.
- Risk-analysis bundling
Some vendors bundle the broader risk analysis (the actual mandated activity) with the pen test.