Most compliance products are sold by lawyers and built by enterprises. We built ours in four weeks with one engineer and an MCP server. Here is the build log.
The 4-Week Sprint
Week 1 — Audit. We listed every HIPAA Security Rule signal that an outside HTTP request can observe. That cut 45 CFR 164.300-318 down to 63 checks across three buckets: 28 public-URL checks, 28 dashboard-URL checks and 7 universal policy checks.
Week 2 — Scanner engine. ~770 lines of TypeScript. Pure HTTP GET/HEAD, no auth attempts, no scraping. Each check returns pass/fail/warning + cited rule section + remediation copy.
Week 3 — AI report generator. This is where 0nMCP earned its keep. Instead of writing 63 hand-tuned prompts, we registered each check as a tool definition and let Claude orchestrate the report from JSON output.
Week 4 — Stripe + magic-link delivery + four-tier pricing + the public landing page.
What 0nMCP Replaced
A traditional build of this product would have needed:
- A separate prompt-engineering layer (we used MCP tools)
- A queue worker (0nMCP routes inline)
- Stripe integration code (one MCP service call)
- Email delivery (Resend tool)
- Database persistence (Supabase tool)
- Vercel deploy hooks (catalog tool)
Every one of those concerns collapsed into one orchestration file. The scanner emits a JSON result, the orchestrator hands it to Claude with a system prompt, Claude calls back with cited findings, and the orchestrator persists the report and sends the email.
Architecture
```text
Customer URL pair
  → runHIPAAScan() → 63 checks emit pass/fail/warning
  → JSON result with severity tags
  → 0nMCP orchestrator hands it to Claude
  → Claude streams cited paragraphs back
  → Stripe webhook fires → magic-link email → /hipaa/reports/[id]
```
The scanner is at lib/hipaa/scanner.ts. The 2026 weighted scoring engine is at lib/hipaa/scoring-engine-2026.ts (executive roll-up across 5 domains: auth 30%, encryption 20%, web-privacy 20%, integrity 20%, resilience 10%).
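The roll-up described above, as an added example rather than the project's own lib/hipaa/scoring-engine-2026.ts. The domain weights are the ones the post states; the check-to-domain assignments, the credit given to a warning, and the sample results are assumptions made for illustration.

```typescript
// Added example: weighted executive roll-up across the five scoring domains.
// Illustrative code, not the project's scoring engine. Weights are from the
// post; the credit values and the check-to-domain mapping are assumptions.

type Status = "pass" | "fail" | "warning";
type Domain = "auth" | "encryption" | "web-privacy" | "integrity" | "resilience";

interface CheckResult {
  id: string;
  domain: Domain;
  status: Status;
}

// Weights in percent so the arithmetic stays exact in integers.
const DOMAIN_WEIGHTS: Record<Domain, number> = {
  auth: 30,
  encryption: 20,
  "web-privacy": 20,
  integrity: 20,
  resilience: 10,
};

// Assumed credit per outcome: a warning earns half a pass.
const STATUS_CREDIT: Record<Status, number> = { pass: 1, warning: 0.5, fail: 0 };

// Fraction of credit earned within one domain, or null when no check ran there.
function domainScore(results: CheckResult[], domain: Domain): number | null {
  const inDomain = results.filter((r) => r.domain === domain);
  if (inDomain.length === 0) return null; // no evidence is not a 100%
  const credit = inDomain.reduce((sum, r) => sum + STATUS_CREDIT[r.status], 0);
  return credit / inDomain.length;
}

// Executive score 0..100. Domains with no checks are dropped and the remaining
// weights re-normalised, so an unscanned domain neither pads nor punishes.
function executiveScore(results: CheckResult[]): number {
  let weighted = 0;
  let weightUsed = 0;
  for (const domain of Object.keys(DOMAIN_WEIGHTS) as Domain[]) {
    const score = domainScore(results, domain);
    if (score === null) continue;
    weighted += score * DOMAIN_WEIGHTS[domain];
    weightUsed += DOMAIN_WEIGHTS[domain];
  }
  return weightUsed === 0 ? 0 : Math.round((weighted / weightUsed) * 100);
}

// Constructed sample scan output (check ids are made up, not real customer data).
const SAMPLE_RESULTS: CheckResult[] = [
  { id: "mfa-on-dashboard", domain: "auth", status: "pass" },
  { id: "login-rate-limit", domain: "auth", status: "fail" },
  { id: "tls-min-1.2", domain: "encryption", status: "pass" },
  { id: "hsts-present", domain: "encryption", status: "pass" },
  { id: "no-third-party-trackers", domain: "web-privacy", status: "warning" },
  { id: "sri-on-scripts", domain: "integrity", status: "pass" },
  { id: "status-page-present", domain: "resilience", status: "fail" },
];

console.log(executiveScore(SAMPLE_RESULTS)); // 65
```

The re-normalisation matters for a scanner that only sees a public URL: if the dashboard URL is not supplied, the auth domain has no evidence, and silently scoring it as 100 would inflate the executive number by up to 30 points.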
The Hard Parts
1. Citation accuracy. Every finding must reference a specific 45 CFR section. We couldn't let Claude hallucinate — so each check pre-binds its rule section before it ever reaches the model. The model's job is to translate the violation into plain English, not invent the rule.
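The check shape described in Week 2 and the pre-binding described here, as an added example that is not the project's lib/hipaa/scanner.ts. The two checks, their binding to the Transmission Security standard at 45 CFR 164.312(e)(1), and the header map that stands in for a real HEAD response are the editor's illustrative assumptions.

```typescript
// Added example: each check carries its 45 CFR citation and remediation copy
// statically, so every finding already names its rule before a model sees it.
// Illustrative code, not the project's scanner. The rule bindings are an
// assumed reading of the Transmission Security standard; headers are constructed.

type Status = "pass" | "fail" | "warning";

interface Outcome {
  status: Status;
  evidence: string; // what the scanner actually observed
}

interface Check {
  id: string;
  rule: string;        // fixed citation; never chosen by the model
  remediation: string; // fixed copy; the model rephrases it, it does not author it
  run(headers: Record<string, string>): Outcome;
}

interface Finding extends Outcome {
  id: string;
  rule: string;
  remediation: string;
}

// Case-insensitive lookup: HTTP header names are not case-sensitive.
function header(headers: Record<string, string>, name: string): string | undefined {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

const ONE_YEAR_SECONDS = 31536000;

const hstsCheck: Check = {
  id: "hsts-present",
  rule: "45 CFR 164.312(e)(1)", // Transmission Security (assumed binding)
  remediation:
    "Send Strict-Transport-Security: max-age=31536000; includeSubDomains on every HTTPS response.",
  run(headers) {
    const value = header(headers, "strict-transport-security");
    if (value === undefined) return { status: "fail", evidence: "no Strict-Transport-Security header" };
    const match = /max-age=(\d+)/i.exec(value);
    const maxAge = match ? Number(match[1]) : 0;
    if (maxAge < ONE_YEAR_SECONDS) {
      return { status: "warning", evidence: `max-age=${maxAge} is below one year` };
    }
    return { status: "pass", evidence: value };
  },
};

const secureCookieCheck: Check = {
  id: "session-cookie-secure",
  rule: "45 CFR 164.312(e)(1)", // same standard: a session cookie must not travel in cleartext
  remediation: "Set the Secure attribute on every cookie issued over HTTPS.",
  run(headers) {
    const cookie = header(headers, "set-cookie");
    // Nothing to assess counts as pass here; a stricter scanner might use "warning".
    if (cookie === undefined) return { status: "pass", evidence: "no cookie issued on this response" };
    return /;\s*secure(\s*;|$)/i.test(cookie)
      ? { status: "pass", evidence: "Secure attribute present" }
      : { status: "fail", evidence: `cookie without Secure: ${cookie.split(";")[0]}` };
  },
};

// Every Finding leaves this function with its citation already filled in.
function runChecks(checks: Check[], headers: Record<string, string>): Finding[] {
  return checks.map((c) => ({ id: c.id, rule: c.rule, remediation: c.remediation, ...c.run(headers) }));
}

// Constructed response headers (not a real site).
const SAMPLE_HEADERS: Record<string, string> = {
  "Content-Type": "text/html",
  "Strict-Transport-Security": "max-age=300",
  "Set-Cookie": "session=abc123; Path=/; HttpOnly",
};

console.log(JSON.stringify(runChecks([hstsCheck, secureCookieCheck], SAMPLE_HEADERS), null, 2));
```

The JSON that runChecks emits is what the orchestrator hands to the model; because `rule` is a field on the check rather than something the prompt asks for, a wrong citation can only come from the check table, which is reviewable, not from generation.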
2. Stack-aware code fixes. Tier 2 ($399) ships pasteable developer code per finding — but the fix for "missing HSTS header" looks different on Apache vs Nginx vs Vercel. We detect the stack from response headers, then route Claude to the right code template. Vendor-agnostic curl verification is the fallback.
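The header-based stack detection and template routing described above, as an added example that is not the project's own router. The detection rules, the three HSTS snippets, and the constructed response headers are the editor's assumptions; the point it adds is the fallback path when the stack cannot be determined.

```typescript
// Added example: detect the serving stack from response headers, route to the
// matching HSTS fix, and always ship a stack-agnostic curl verification.
// Illustrative code, not the project's template router; detection rules and
// the sample headers are assumptions.

type Stack = "apache" | "nginx" | "vercel" | "unknown";

function lowerKeys(headers: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Server headers are self-reported and often stripped or rewritten by a CDN,
// so treat the result as a hint, not proof, and keep the fallback path.
function detectStack(headers: Record<string, string>): Stack {
  const h = lowerKeys(headers);
  const server = (h["server"] ?? "").toLowerCase();
  if (h["x-vercel-id"] !== undefined || server === "vercel") return "vercel";
  if (server.startsWith("nginx")) return "nginx";
  if (server.startsWith("apache")) return "apache";
  return "unknown";
}

const HSTS_VALUE = "max-age=31536000; includeSubDomains";

const HSTS_FIX: Record<Exclude<Stack, "unknown">, string> = {
  apache: [
    "# Apache vhost for the HTTPS site; requires mod_headers",
    `Header always set Strict-Transport-Security "${HSTS_VALUE}"`,
  ].join("\n"),
  nginx: [
    "# inside the TLS server { } block",
    `add_header Strict-Transport-Security "${HSTS_VALUE}" always;`,
  ].join("\n"),
  vercel: JSON.stringify(
    { headers: [{ source: "/(.*)", headers: [{ key: "Strict-Transport-Security", value: HSTS_VALUE }] }] },
    null,
    2,
  ),
};

interface Fix {
  stack: Stack;
  snippet: string | null; // null rather than a guessed config file
  verify: string;         // always present; works whatever the stack is
}

function hstsFixFor(targetUrl: string, headers: Record<string, string>): Fix {
  const stack = detectStack(headers);
  return {
    stack,
    snippet: stack === "unknown" ? null : HSTS_FIX[stack],
    verify: `curl -sI ${targetUrl} | grep -i '^strict-transport-security:'`,
  };
}

// Constructed responses for three deployments (not real sites).
const NGINX_HEADERS = { Server: "nginx/1.25.3", "Content-Type": "text/html" };
const VERCEL_HEADERS = { server: "Vercel", "x-vercel-id": "iad1::abcde-1700000000000-0123456789ab" };
const CDN_HEADERS = { "Content-Type": "text/html" }; // Server header stripped by a CDN

console.log(hstsFixFor("https://example.com", NGINX_HEADERS).snippet);
```

Returning `null` for an unknown stack is deliberate: a pasteable snippet for the wrong server is worse than none, and the curl line still lets the buyer confirm the fix once they have applied it by hand.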
3. The 2026 NPRM overlay. The proposed update to the Security Rule adds 17 new requirements (mandatory MFA, encryption at rest, network segmentation, etc.). Tier 3+ flags every finding that will become required if the rule is finalized as proposed, even if it is currently passing. That gives buyers an audit-ready posture ahead of the 2026 enforcement window.
4. Supply chain checks. We integrated Spectra Assure (secure.software) Community API to flag malware, CVEs, embedded secrets, tampering, license issues, and SBOM gaps in customer dependencies. That maps cleanly to HIPAA 164.308(a)(1)(ii)(A) Risk Analysis.
Pricing That Works
Four tiers, $149 to $899:
| Tier | Price | What you get |
|---|---|---|
| 1 | $149 | Cited issues + plain-English remediation list |
| 2 | $399 | + Stack-detected developer code fixes |
| 3 | $499 | + 2026 NPRM overlay |
| 4 | $899 | + 30-min compliance engineer walkthrough |
What 0nMCP Made Easy
0nMCP is the universal MCP orchestrator — 1,554 tools across 96 services. For this build we used: Stripe checkout/webhook, Resend for delivery, Supabase for persistence, Spectra Assure for supply chain. One connections directory (~/.0n/connections/), seven services wired.
If we had built this with traditional integrations, week 1 would have been spent on the Stripe integration alone. Instead, week 1 was scanner logic and we reached "it works" by Friday.
What's Next
- Tier 5 — full audit engagement with documented Risk Analysis
- Partner program for compliance consultancies and MSPs (Q3 2026)
- White-label reports for agencies
- API access for embedding scans into existing compliance workflows
The scanner is live at rocketopp.com/hipaa. Free scan in 60 seconds. Paid report in 15 minutes.