en flag +1 214 306 68 37

HIPAA Compliance Software Testing

Roadmap, Best Practices, Cost Factors

ScienceSoft applies 18 years of experience in healthcare IT to offer expert HIPAA compliance software testing to healthcare providers, pharmaceutical companies, and medical device manufacturers.

HIPAA Compliance Software Testing - ScienceSoft
HIPAA Compliance Software Testing - ScienceSoft

HIPAA Compliance Software Testing: The Essence

HIPAA compliance software testing is a way to ensure that healthcare software complies with all the technical safeguards required by HIPAA and doesn’t pose any threats to ePHI privacy. From a simple web application or a mobile app to an advanced IoT system of connected medical devices – any healthcare software handling ePHI needs HIPAA compliance testing.

Medical software product companies (including SaMD and medical device manufacturers), healthcare providers, and pharmaceutical companies are the most common users of this service. HIPAA compliance testing is performed in the following cases:

  • When new healthcare software is to enter the market.
  • When the existing healthcare software is significantly modified, and the changes may affect its HIPAA compliance.
  • When official HIPAA requirements change.

Key steps: software documentation and requirements analysis, test planning and design, test execution and reporting.

Key team members: a test manager, test engineers, a HIPAA compliance consultant, a security test engineer, and a test automation engineer.

Our Approach to HIPAA Compliance Testing

The HIPAA Security Rule comprises three main safeguards:

  • Administrative (e.g., setting up a security management process and security incident procedures).
  • Physical (e.g., facility access control, workstation use, and device security).
  • Technical (e.g., implementing access control, introducing activity logs and audit controls).

Compliance with administrative and physical safeguards requires setting up organization’s internal processes. It rests upon healthcare providers and business associates, such as IT contractors, billing companies, accounting service providers, and others. If you need to make sure your organization meets HIPAA administrative and physical safeguards, check our HIPAA compliance risk assessment guide.

While testing your healthcare software, ScienceSoft checks its compliance with the following HIPAA technical safeguards:

Access control

  • Unique user identification (required). ScienceSoft checks whether all users are assigned a unique name and/or ID number. This is crucial for identifying and tracking user activities when a user is logged into the system.
  • Emergency access procedure (required). ScienceSoft checks the availability of documented instructions for obtaining access to necessary ePHI during an emergency situation. If the emergency access is granted via the software being tested for HIPAA compliance, ScienceSoft designs relevant test cases for each user role that requires emergency access to ePHI.
  • Automatic logoff (addressable). We make sure the app terminates the session after a specified period of inactivity. This is important to prevent unauthorized users from accessing ePHI on a workstation that is left unattended.
Learn more


ScienceSoft applies positive test cases to verify that the application grants access to authorized users (with passwords, PINs, smart cards, tokens, keys, or biometrics). Applying negative test cases (e.g., an empty ID/password field, an invalid ID or a password, an expired or a blocked account), test engineers make sure the app denies access to unauthorized users.

Learn more

Audit control

ScienceSoft ensures that activity logs record all the activities within the software with a special focus on attempts to access ePHI. Our test engineers also make sure that logs contain sufficient information on users’ activities when they access ePHI, i.e., the detailed description of changes made, information added. In addition, we test activity logs for different user roles attempting to access ePHI.

Learn more


ScienceSoft makes sure the software is equipped with integrity controls that check ePHI for human errors (e.g., accidental changes to ePHI). Other important purposes of integrity controls include ensuring the accuracy of data backups and verifying that ePHI is not altered or destroyed in unauthorized manner.

Learn more

Transmission security

  • Integrity controls (addressable). ScienceSoft’s test engineers compare ePHI sent and received to make sure that the information has not been altered during transmission. They also check if the necessary network communication protocols and data or message authentication codes are in place to prevent the data from being improperly modified during transmission.
  • Encryption (addressable). ScienceSoft employs relevant user scenarios based on the roles matrix and checks if data encryption and decryption work correctly at every transmission point.
Learn more

A Roadmap to HIPAA Compliance Software Testing

Although each IT compliance testing project will differ depending on software specifics, there is a general process that ScienceSoft usually follows. It comprises the four key steps:


Software documentation analysis

QA specialists examine the software-related documentation (software functional and non-functional requirements, recently deployed software features, already implemented security controls, etc.) to create a checklist of technical safeguards applicable to your software and outline a HIPAA compliance test plan.




Creating a roles matrix

QA specialists create a roles matrix to identify the existing user roles and the risk level associated with performing different operations (viewing, adding, deleting, and altering ePHI).




Test planning and test design

  • Defining the testing activities required to check software compliance with HIPAA technical safeguards (e.g., functional testing, vulnerability assessment, penetration testing, etc.).
  • Defining the testing team composition (number of test engineers, test automation engineers, security testers, etc.).
  • Creating relevant test cases and test scenarios.
  • Deciding on the test automation share.
  • Writing test automation scripts, selecting and configuring relevant test automation tools, if needed.
  • Preparing the necessary test data and test environment.

There are cases where healthcare software already in use needs to be tested for HIPAA compliance again after undergoing significant changes (say, you added new features or migrated a legacy solution to the cloud). For increased security, ScienceSoft uses mock test data instead of real ePHI when testing such software for HIPAA compliance.

Software Testing Director at ScienceSoft


Test execution and reporting

  • Running manual and automated tests according to the defined test scenarios.
  • Reporting on the discovered HIPAA compliance gaps.
  • Suggesting the necessary remediation measures.


Consider Professional HIPAA Compliance Testing Services

Setting up HIPAA compliance testing

Not sure where to start with HIPAA compliance testing? Our seasoned healthcare consultants and QA engineers will analyze your software, determine the applicable technical safeguards, and deliver a detailed HIPAA compliance testing plan. We will also prepare a tailored tool stack and help you optimize the testing costs.

Go for consulting

Outsourced HIPAA compliance testing

Take advantage of ScienceSoft’s turnkey offer to ensure prompt and professional HIPAA compliance testing of your software. Our QA and healthcare experts will take charge of the entire testing process — from planning and execution to remediation measures — to reliably protect your software against HIPAA compliance breaches.

Go for testing

Why Choose ScienceSoft for HIPAA Compliance Testing

  • 18 years in healthcare IT.
  • 34 years in software testing and 22 years in test automation.
  • ISO 13485-certified quality management system for medical device software and SaMD.
  • ISO 9001- and ISO 27001-certified processes to ensure world-class service quality and full security of the sensitive data entrusted to us.
  • A top HIPAA consulting company in 2022, according to Atlantic.net.
  • Experience in testing software compliant with HIPAA, HITECH, NCPDP standards, FDA and ONC requirements, IVDR, MACRA, MIPS, CEHRT, SAFER.
  • Expertise in healthcare standards (HL7, ICD-10, LOINC, CPT, XDS/XDS-I, FHIR, DICOM).
  • ScienceSoft is a 3-Year Champion in The Americas’ Fastest-Growing Companies Rating by the Financial Times.

HIPAA Compliance Software Testing: Success Stories by ScienceSoft

HIPAA Compliance Testing of a Patient Portal for a US Healthcare Service Provider

HIPAA Compliance Testing of a Patient Portal for a US Healthcare Service Provider

ScienceSoft performed a comprehensive quality assessment of a US healthcare service provider’s patient portal and conducted vulnerability scanning, malware detection, and penetration testing. After eliminating the defects found by ScienceSoft’s team, the Customer received a secure and HIPAA-compliant application.

HIPAA Compliance Testing for a Healthcare Technology and Research Company

HIPAA Compliance Testing for a Healthcare Technology and Research Company

ScienceSoft conducted penetration testing of Android and iOS mobile devices used by the employees of a healthcare technology and research company that operates in 90+ countries. Our team assessed data transmission and encryption protocols and explored the security of the devices’ OS versions. Relying on the comprehensive report on the found security vulnerabilities, the Customer improved the security of the devices and remained HIPAA-compliant.

Typical Roles on Our HIPAA Compliance Testing Teams

Test manager

  1. Defines the testing scope.
  2. Outlines the test plan and the team structure.
  3. Helps define a feasible share of test automation.
  1. Oversees the testing process and reports to the stakeholders.
  2. Makes sure the project KPIs are met.

HIPAA compliance consultant

  1. Defines the applicable HIPAA requirements.

Makes sure that the testing process is documented in accordance with HIPAA regulations.

Security test engineer

  1. Develops a threat model for the healthcare software.
  2. Performs security testing, reports on the discovered vulnerabilities, and recommends remediation actions.

Conducts retesting to make sure the remediation activities didn’t create any new vulnerabilities.

Test engineer

  1. Designs and maintains test cases needed to cover the necessary HIPAA requirements (e.g., functional testing for the authentication safeguard).
  1. Tests and reports on the defects found.
  2. Validates the fixed defects.

Test automation engineer

  1. Prepares test automation environment and test data.
  2. Writes test automation scripts.
  1. Performs automated testing and reports on the defects found.
  2. Validates the fixed defects.

Sourcing Models for HIPAA Compliance Testing

Tools ScienceSoft Employs in HIPAA Compliance Testing Projects

Factors Affecting the Costs of HIPAA Compliance Testing

  • Healthcare software type and complexity.
  • The number of user roles.
  • Applicable HIPAA technical safeguards.
  • The required testing types.
  • The share of test automation.
  • The number and complexity of test cases.
  • The chosen sourcing model (in-house, partial or full outsourcing).
  • The costs of security testing tools (if testing is performed in-house).

Learn How Much HIPAA Compliance Testing Will Cost You

ScienceSoft’s experts will assess the specifics of your particular case and provide you with a detailed cost estimate for your HIPAA testing project.

About ScienceSoft

About ScienceSoft

Headquartered in McKinney, TX, ScienceSoft is a software testing and QA consulting company that delivers testing services for healthcare IT industry since 2005. ISO 9001- and ISO 13485-certified, we perform high-quality testing of healthcare software, including medical device software and SaMD. Leveraging 20 years of experience in cybersecurity and ISO 27001-approved security processes, we guarantee full protection of the sensitive data entrusted to us. If you need to check your healthcare software for HIPAA compliance, contact our team of healthcare testing experts.