HIPAA TLS Audits
Transmission Security Evidence for Covered Entities
HIPAA’s transmission security rule (§164.312(e)) is an addressable specification, but OCR expects encryption that meets the NIST SP 800-52 standard in practice. Weak TLS isn’t a theoretical risk: a breach involving ePHI on a non-compliant transport loses the encryption safe harbor, triggering mandatory breach notification. SSLBoard gives you the TLS evidence to show your transmission layer meets the standard.
One scan covers the requirements that matter
Enter a domain and SSLBoard discovers every hostname and TLS endpoint across your infrastructure using Certificate Transparency logs and active server probing. Each finding maps to the §164.312(e) checklist:
- §164.312(e) via NIST SP 800-52, transmission security: Full TLS version and cipher suite analysis across every endpoint. TLS 1.0, TLS 1.1, SSL, weak ciphers, and outdated protocols are flagged, each one a potential safe harbor disqualifier if ePHI traverses the connection during a breach.
- §164.312(e), certificate integrity: Revoked certificates undermine the transmission security baseline. OCSP revocation status is checked across every endpoint and any certificate that should not be serving traffic is flagged.
- Certificate inventory for risk assessment: Full inventory of issuers, key strength, SAN coverage, and expiry dates across the domain. Shadow and forgotten subdomains discovered via Certificate Transparency logs. Unknown endpoints handling ePHI are a liability you can’t manage if you don’t know they exist.
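Added example, not SSLBoard's code: a small Python probe that pins one TLS version per handshake against an endpoint you operate, plus a mapper that turns the result, together with a revocation flag from a separate OCSP check, into findings against the checklist items above. The host name, result shape and sample values are constructed for illustration.

```python
import socket
import ssl

# Label -> ssl.TLSVersion. SSLv2/v3 are omitted: modern OpenSSL cannot negotiate them.
VERSIONS = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # not permitted by SP 800-52
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON")  # legacy suite markers


def probe_tls_versions(host, port=443, timeout=5.0):
    """Live probe: {label: negotiated cipher or None}, one handshake per version."""
    offered = {}
    for label, ver in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # transport test only; identity is checked elsewhere
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver  # pin a single version per attempt
            if ver < ssl.TLSVersion.TLSv1_2:
                ctx.set_ciphers("ALL:@SECLEVEL=0")  # let local OpenSSL offer legacy suites
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    offered[label] = tls.cipher()[0]
        except (ssl.SSLError, OSError, ValueError):
            offered[label] = None  # refused by the server (good) or unsupported locally
    return offered


def evaluate_endpoint(scan):
    """scan = {"host", "port", "protocols": {label: cipher|None}, "revoked": bool}
    (constructed shape). Returns (checklist item, finding) pairs; [] means clean."""
    where = f"{scan['host']}:{scan['port']}"
    findings = []
    for label, cipher in scan["protocols"].items():  # None means version refused
        if cipher and label in DEPRECATED:
            findings.append(("§164.312(e) / SP 800-52", f"{where} accepts {label}"))
        if cipher and any(m in cipher.upper() for m in WEAK_MARKERS):
            findings.append(("§164.312(e) / SP 800-52",
                             f"{where} negotiates weak suite {cipher} on {label}"))
    if scan.get("revoked"):  # OCSP status comes from a separate check
        findings.append(("§164.312(e) certificate integrity",
                         f"{where} serves a revoked certificate"))
    return findings


# Constructed sample result (not a real host): TLS 1.0 with 3DES left enabled.
SAMPLE = {"host": "ehr.example.test", "port": 443, "revoked": True,
          "protocols": {"TLSv1.0": "ECDHE-RSA-DES-CBC3-SHA", "TLSv1.1": None,
                        "TLSv1.2": "ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.3": "TLS_AES_256_GCM_SHA384"}}
```

For a live check, pass `probe_tls_versions(host)` as the `protocols` value together with the OCSP result, then feed the dict to `evaluate_endpoint`.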
Why this evidence holds up
When OCR investigates a breach, one of the first questions is whether ePHI in transit was encrypted and whether that encryption met the NIST standard. The evidence they want is exactly what this report produces: which TLS versions were active, which endpoints were reachable, which certificates were valid at the time.
CT logs are an append-only public record. If a CA issued a certificate for your domain, it’s in there, including the dev subdomain your team stood up two years ago and forgot about. Those unknown endpoints handling ePHI are the ones that show up in breach post-mortems.
The scan runs from outside your network with no agents or configuration changes. What it finds is what OCR would find.
From scan to evidence
- Enter the apex domain. SSLBoard finds every hostname and probes every TLS endpoint.
- The summary report shows your TLS score and a ranked list of every issue found. It’s free.
- Unlock the full report for host-level detail. Download CSV data or share a link with your compliance officer or auditor.
The full report covers certificate chains, issuer distribution, protocol versions, cipher suites, key strength, HSTS status, OCSP revocation, and adjacent-domain discovery, all mapped to specific hostnames and IP:port combinations.
Fits the compliance workflow
Share a link with your compliance officer, privacy counsel, or Business Associates who need to see it. No screenshots to take, no data to email around.
Hospital networks with hundreds of subdomains, telehealth platforms, EHR vendors: the scan handles them all the same way. Results are ready in seconds.
One email confirmation unlocks the full report. Share it with whoever is handling the audit or BAA review.
Info
Need to see what the report looks like for your domain? Run a free scan — the summary report is instant, and the full report unlocks after email confirmation.