How Often Does HIPAA Require Vulnerability Scans? Requirements and Best Practices
HIPAA Vulnerability Scanning Requirements
HIPAA does not prescribe a fixed, universal interval for vulnerability scans. Instead, the Security Rule requires an ongoing risk analysis and risk management process for systems that create, receive, maintain, or transmit Electronic Protected Health Information (ePHI). In practice, that means documenting a risk-based vulnerability scanning program, executing it consistently, and proving that findings are remediated within the timeframes your policy sets.
To meet the expectations placed on covered entities, and the parallel obligations of business associates under their BAAs, adopt clear, written policies that define scan frequency by asset criticality, exposure, and patient-safety impact. Most organizations set stricter cadences for internet-facing systems and for any platform that stores or processes ePHI, with separate rules for internal networks and specialty systems such as clinical devices.
What regulators expect in substance
- A documented, risk-based scanning policy tied to your enterprise Risk Assessments.
- Routine automated scanning of in-scope assets, plus rescans to verify Vulnerability Scan Remediation.
- Evidence that findings are triaged, assigned, remediated, and re-tested within defined timeframes.
- Coverage of third parties handling your ePHI, aligned with Business Associates Obligations in your BAAs.
- Security Safeguards Documentation showing how scanning supports your administrative, physical, and technical safeguards.
Common baseline cadences (risk-driven, not mandated)
- External, internet-facing systems: monthly to quarterly.
- Internal servers, workstations, and network devices: quarterly to semiannual.
- High-risk clinical applications handling ePHI: monthly or per-release, with prompt rescans after fixes.
These intervals are examples; your policy should justify any cadence based on asset risk, exposure, and the sensitivity of ePHI involved.
2025 HIPAA Security Rule Update
In January 2025, the U.S. Department of Health and Human Services (HHS) published a proposed rule that would significantly modernize the HIPAA Security Rule. The proposal moves from a largely risk-based posture to a more prescriptive model: among other measures, it would require automated vulnerability scanning at least every six months and penetration testing at least every twelve months, so penetration testing frequency would be explicitly called out for the first time. It also emphasizes encryption of ePHI at rest and in transit, stronger access controls such as multi-factor authentication, and more detailed Security Safeguards Documentation.
As of April 14, 2026, treat the proposed semiannual scanning baseline as a floor, not a ceiling, especially for systems that handle ePHI or face the public internet. The proposal is not binding until a final rule is published; confirm the final rule text and effective dates as you update policies, but begin aligning your program now to avoid rushed changes later.
What the update means for your schedule
- Set a minimum twice-yearly automated scan for all in-scope environments.
- Layer more frequent scans for externally exposed assets and critical ePHI systems.
- Perform at least annual penetration tests, plus tests after material architecture changes.
Triggers for Additional Scans
Beyond your routine cadence, run out-of-cycle scans when risk increases. Build these triggers into policy so your teams act quickly and consistently.
- Major system or application changes: new deployments, upgrades, or configuration overhauls.
- Significant security patches: vendor “patch Tuesday” bundles, emergency fixes, or firmware updates for clinical devices.
- New or actively exploited vulnerabilities that affect your stack.
- Security incidents or suspected compromise involving ePHI or key infrastructure.
- Onboarding of a new Business Associate with network connectivity or data exchange.
- Cloud posture changes: new VPCs/VNETs, security group rule changes, or exposed storage buckets.
- Network segmentation changes, new remote-access pathways, or identity-provider shifts (e.g., MFA rollout).
Define response timelines in policy—for example, trigger scans within 7–14 days of a major change, and sooner (24–72 hours) when a critical, widely exploited vulnerability emerges.
Scope of Vulnerability Scanning
Your scope should match where ePHI lives, moves, or could be exposed. Maintain an accurate asset inventory and data-flow maps so you can prove that scanning covers systems tied to ePHI.
Core in-scope areas
- Perimeter and externally facing services: patient portals, telehealth endpoints, VPN concentrators, email gateways.
- Internal infrastructure: servers (including EHR and imaging), workstations, hypervisors, domain controllers, and network gear.
- Applications: web apps (dynamic testing), APIs, and supporting databases; incorporate pre-release scans for major updates.
- Cloud services: IaaS, PaaS, and SaaS configurations (CSP-native and third-party assessments), container images, and serverless functions.
- Medical/IoMT devices: coordinate with biomedical engineering; use vendor-approved or passive techniques to avoid care disruption.
- Remote endpoints and telework gear with ePHI access.
- Third-party connections: Business Associates that transmit or host your ePHI.
Use authenticated scans wherever feasible to uncover configuration-level weaknesses. Reserve unauthenticated scans for perimeter discovery and safety-constrained devices.
Documentation and Record Retention
HIPAA requires you to retain required documentation for six years from creation or from the date last in effect, whichever is later. Build your Security Safeguards Documentation so auditors can follow the thread from policy to proof.
What to keep on file
- Policies and procedures: vulnerability management policy, roles and responsibilities, escalation paths, and Penetration Testing Frequency.
- Asset and scope artifacts: inventories, data-flow diagrams, and ePHI system lists with risk ratings.
- Scan evidence: raw reports, executive summaries, authenticated vs. unauthenticated status, and coverage metrics.
- Vulnerability Scan Remediation records: ticket IDs, owners, due dates, compensating controls, and formal exceptions with risk acceptance.
- Rescan proof: closure verification showing vulnerabilities are remediated or risk-reduced.
- Business Associate oversight: BAAs with security clauses, attestations, and (where permitted) third-party testing summaries.
Best Practices for Vulnerability Scanning
Build a risk-tuned cadence
- Tie frequency to Risk Assessments: higher risk, higher frequency.
- Prioritize systems that handle ePHI and any internet-facing service.
- Adopt continuous or monthly scans for the perimeter; quarterly for internal networks; increase cadence during major change windows.
Elevate scan quality and safety
- Prefer authenticated scans for depth; throttle or window scans to avoid clinical disruption.
- Coordinate with device owners; follow vendor guidance for medical equipment and safety-critical systems.
- Continuously monitor cloud configurations; scan container images before release.
Make remediation measurable
- Define SLAs by severity and exploitability (e.g., critical: 7 days; high: 30; medium: 60; low: 90) and track mean time to remediate.
- Weigh patient-safety and ePHI exposure when prioritizing fixes; document compensating controls where patching isn’t possible.
- Require rescans to confirm closure; avoid marking items “resolved” without verification.
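The SLA and rescan rules above are easy to state and easy to lose track of once findings live in a spreadsheet. The following Python example, added here and not part of the original page, shows one way to track them: it computes due dates from the example SLAs, refuses to count a finding as closed until a rescan confirms it, honours formal exceptions, ranks overdue items by ePHI exposure, and measures mean time to remediate against verified closure rather than the reported fix. The halved SLA for internet-facing ePHI systems, the priority weights, and the sample findings are assumptions made for illustration, not values from the page or any regulation.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

# Remediation SLAs in days by severity (the example values from the text).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    finding_id: str
    asset: str
    severity: str
    first_seen: date
    handles_ephi: bool = False               # asset stores or processes ePHI
    internet_facing: bool = False
    fixed_on: Optional[date] = None          # owner reports the fix applied
    rescan_clean_on: Optional[date] = None   # rescan no longer reports the finding
    exception_until: Optional[date] = None   # formal risk acceptance, if any


def sla_days(f: Finding) -> int:
    """Base SLA by severity; exposed ePHI systems get half the time (assumed policy)."""
    days = SLA_DAYS[f.severity]
    if f.internet_facing and f.handles_ephi:
        days = max(1, days // 2)
    return days


def due_date(f: Finding) -> date:
    return f.first_seen + timedelta(days=sla_days(f))


def status(f: Finding, today: date) -> str:
    """Closure requires rescan proof; a reported fix alone is only pending verification."""
    if f.rescan_clean_on is not None:
        return "closed"
    if f.fixed_on is not None:
        return "pending_verification"
    if f.exception_until is not None and today <= f.exception_until:
        return "excepted"
    return "overdue" if today > due_date(f) else "open"


def priority(f: Finding) -> int:
    """Higher is more urgent: severity plus ePHI and exposure weights (assumed weights)."""
    return SEVERITY_RANK[f.severity] * 10 + (5 if f.handles_ephi else 0) + (3 if f.internet_facing else 0)


def mean_time_to_remediate(findings) -> Optional[float]:
    """MTTR in days measured to verified closure, not to the reported fix."""
    durations = [(f.rescan_clean_on - f.first_seen).days for f in findings if f.rescan_clean_on]
    return mean(durations) if durations else None


def remediation_report(findings, today: date) -> dict:
    """Status counts, MTTR, and overdue findings ordered by priority for leadership reporting."""
    counts = {}
    for f in findings:
        s = status(f, today)
        counts[s] = counts.get(s, 0) + 1
    overdue = sorted((f for f in findings if status(f, today) == "overdue"),
                     key=priority, reverse=True)
    return {
        "counts": counts,
        "mttr_days": mean_time_to_remediate(findings),
        "overdue_ids": [f.finding_id for f in overdue],
    }


# Constructed sample findings, shaped like a triaged scanner export (not real data).
SAMPLE = [
    Finding("F-1", "patient-portal", "critical", date(2025, 3, 1), True, True),
    Finding("F-2", "ehr-db", "high", date(2025, 2, 1), True, False,
            fixed_on=date(2025, 2, 20), rescan_clean_on=date(2025, 2, 22)),
    Finding("F-3", "imaging-modality", "high", date(2025, 2, 10), True, False,
            exception_until=date(2025, 6, 30)),
    Finding("F-4", "vpn-concentrator", "medium", date(2025, 1, 1), False, True),
    Finding("F-5", "hr-file-server", "low", date(2025, 2, 15), False, False,
            fixed_on=date(2025, 3, 1)),
    Finding("F-6", "dc01", "critical", date(2025, 2, 1), False, False,
            fixed_on=date(2025, 2, 5), rescan_clean_on=date(2025, 2, 6)),
]
AS_OF = date(2025, 3, 10)  # reporting date used for the sample run

if __name__ == "__main__":
    print(remediation_report(SAMPLE, today=AS_OF))
```

Note that F-5 stays in pending_verification even though the owner reported a fix; it only moves to closed when a rescan date is recorded, which is the evidence an auditor will ask for. Exceptions expire, so F-3 will flip to overdue the day after its risk acceptance lapses unless it is renewed or fixed.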
Integrate with broader testing and governance
- Schedule at least annual penetration testing and after major architectural changes.
- Report coverage and trend metrics to leadership: risk by asset group, SLA performance, exception counts, and residual risk.
- Flow scan outputs into change management and emergency patch procedures.
- Hold Business Associates to equivalent standards through BAAs and vendor risk reviews.
Conclusion
HIPAA expects you to operate a documented, risk-driven scanning program and to prove that vulnerabilities tied to ePHI are remediated promptly. With the 2025 HIPAA Security Rule Update proposing automated scans at least every six months and annual penetration testing, treat semiannual scanning as the minimum and scale up for higher-risk systems. Clear policies, strong evidence, and disciplined remediation will keep you compliant and materially reduce breach risk.
FAQs
What is the HIPAA requirement for vulnerability scan frequency?
HIPAA historically has not set a single, fixed interval. You must define frequency in policy based on your Risk Assessments, data sensitivity, and exposure. The 2025 HIPAA Security Rule Update proposes a minimum of automated scans every six months and penetration testing every twelve months; many organizations already exceed those baselines for internet-facing or ePHI-heavy systems.
When should additional vulnerability scans be performed?
Run out-of-cycle scans after major system changes, emergency patches, or configuration overhauls; when high-severity or actively exploited vulnerabilities affect your stack; after a suspected incident; when onboarding or materially changing a Business Associate connection; and whenever cloud posture changes expose new attack surfaces.
How should vulnerability scan results be documented?
Keep raw reports, executive summaries, and coverage metrics; track each finding through Vulnerability Scan Remediation with owners, due dates, compensating controls, and rescans to verify closure. Retain policies, procedures, asset inventories, and Business Associate evidence as part of your Security Safeguards Documentation, and preserve required documentation for at least six years.