A patient portal cert expiry isn't just a downtime event — it's a HIPAA Breach Notification Rule trigger.
Under 45 CFR 164.402, PHI submitted over an expired cert is presumptively unsecured. The covered entity has 60 days to notify. OCR has assessed seven-figure penalties.
Healthcare agencies building patient portals, telehealth platforms, and FHIR API integrations for covered entities deal with cert expiry on the patient portal subdomain triggering the HIPAA Breach Notification Rule (45 CFR 164.402) when PHI is submitted over an unencrypted connection (the covered entity must perform a 4-factor risk assessment under §164.402(2) and may need to notify affected individuals within 60 days under §164.404), telehealth mid-session cert rotation invalidating SOAP-note attachments while audio/video continues via TLS session resumption (the chart entry ends up incomplete, potentially violating state medical board rules requiring contemporaneous documentation), and FHIR API endpoint cert expiry breaking EMR-to-app integrations (the EMR's mTLS client caches the failure for 24+ hours after renewal). Under the BAA, the agency inherits HIPAA-equivalent obligations. Merlonix monitors every HIPAA-attached subdomain so the cert-expiry exposure surfaces 30 days before the failure window opens.
No credit card for the trial. Cancel any time.
- Check cadence (Agency): 5 min
- SSL pre-expiry alert: 30 days
- Independent DNS resolvers: 3
- Vendors watched: 11
Where healthcare agencies get caught out
Three failure modes where SSL expiry creates HIPAA Breach Notification Rule exposure, contemporaneous-documentation gaps under state medical board rules, and EMR-side TLS-failure cache windows that block clinical workflow for 24+ hours after the cert is renewed.
Healthcare agencies operating patient portals, telehealth platforms, and FHIR API integrations for covered entities deal with cert expiry on the patient portal subdomain triggering the HIPAA Breach Notification Rule (45 CFR 164.402) when PHI is submitted over an unencrypted connection, telehealth mid-session cert rotation invalidating SOAP-note attachments while audio/video continues via TLS session resumption (the chart entry ends up incomplete, potentially violating state medical board rules requiring contemporaneous documentation), and FHIR API endpoint cert expiry breaking EMR-to-app integrations where the EMR's mTLS client caches the TLS failure for 24-48 hours after the cert is renewed.
Under 45 CFR 164.402, "unsecured PHI" is PHI not rendered unusable, unreadable, or indecipherable through encryption methods specified by HHS guidance (NIST SP 800-111 for data at rest, SP 800-52 for data in transit). PHI submitted through a patient portal whose cert has expired is presumptively unsecured — the connection falls back to plaintext HTTP if the user clicks through the browser warning, or the cert chain fails to validate against the user's root store. The covered entity must perform a 4-factor risk assessment under §164.402(2): nature/extent of PHI, who received it, whether actually viewed or acquired, and extent of mitigation. If the risk is not "low probability of compromise," the entity must notify affected individuals within 60 days under §164.404 and notify HHS under §164.408 (immediately for 500+ individuals, annually for smaller breaches). OCR has assessed seven-figure penalties: $5.5M against Memorial Healthcare System (2017), $4.3M against Cignet Health (2011). The agency operating the portal under a BAA inherits HIPAA-equivalent obligations under §164.504(e).
A healthcare agency operates a patient portal for a 12-location specialty clinic group. The cert on patientportal.specialtyclinic.com expires due to a Let's Encrypt renewal failure caused by a DNS provider change three months earlier (the DNS provider change moved nameservers but the agency's renewal automation was still hitting the old DNS API for cert validation). The cert expires on a Friday afternoon; the agency's on-call doesn't see the alert because the alerting was wired to the old DNS provider. By Monday morning, an estimated 340 patient sessions have submitted intake forms (containing PHI: DOB, SSN last 4, insurance ID, chief complaint, medication list) over the expired cert. The covered entity's privacy officer is alerted; outside HIPAA counsel is engaged; the 4-factor risk assessment under §164.402(2) concludes that probability of compromise is not low; the covered entity must notify
A healthcare agency operates a patient intake portal at patientportal.specialtyclinicgroup.com for a 12-location specialty clinic group (cardiology, endocrinology, rheumatology). The portal handles new-patient intake (PHI: DOB, full SSN, insurance ID, primary care provider contact, chief complaint, medication list, allergy list, family history), appointment scheduling, and pre-visit forms. The technical stack is a Node.js + Postgres deployment on a cloud platform with Let's Encrypt SSL via the platform's automated provisioning. Three months ago, the covered entity changed DNS providers as part of a cost-optimization project (moved from Route 53 to a budget DNS provider). The agency's LE renewal automation depends on a DNS-01 challenge that requires DNS provider API credentials; the credential was updated by the agency at the time of the migration but the renewal automation still hits a different (cached) DNS API endpoint during validation. The previous cert is still valid for 60 days; the renewal failure doesn't cause an event. Friday afternoon at 4 PM, the cert expires. The agency's alerting is configured against the previous DNS provider's status page (the migration didn't update the alerting endpoint). The agency on-call doesn't see the cert-expiry alert. Patients arrive Monday morning, hit the portal from mobile (most clinic patients are on mobile), and see the browser warning. Most click through (modern mobile browsers make this one-click) and complete intake. By 2 PM Monday, 340+ sessions have submitted PHI over the expired cert. A patient screenshots the warning and forwards to the clinic's front-desk staff; the front-desk staff escalates to the practice manager; the practice manager calls the clinic group's privacy officer. The privacy officer engages outside HIPAA counsel. 
Outside counsel performs the 4-factor risk assessment under §164.402(2): (1) nature/extent of PHI — high (full SSN, insurance ID, medical history); (2) who could have received it — unknown third parties via network interception during the unencrypted window; (3) whether actually viewed/acquired — cannot rule out; (4) mitigation — cert renewed but data may have been captured. Probability of compromise is not low. The covered entity must notify affected individuals within 60 days under §164.404 and notify HHS OCR via the breach reporting portal under §164.408 (340+ affected individuals is below the 500-individual threshold for immediate notice, but close enough to the line that the privacy officer reports immediately as a precaution rather than waiting for the annual filing). HHS OCR opens an investigation. The clinic group's engagement contract with the agency includes a HIPAA BAA per §164.504(e) and cybersecurity SLAs. The agency is named as a Business Associate; under §164.314(a)(2)(i)(C), the Business Associate has independent reporting obligations and is independently subject to OCR enforcement. The agency's E&O policy is triggered. Reputation exposure with the agency's healthcare-vertical client roster is significant; two clients ask for SOC 2 Type II audit reports before the next renewal cycle.
Telehealth platforms negotiate SSL at the start of a video call session. The provider opens the session, the patient joins, the platform negotiates a TLS connection for the WebRTC data channel and a separate TLS connection for the audio/video media stream. If the cert rotates mid-session (the platform's automated cert renewal during a maintenance window, or a forced rotation after a vulnerability disclosure), the audio/video stream may continue via TLS session resumption (RFC 5077) but the data channel for SOAP notes, file attachments (lab results, imaging reports), and electronic prescription transmission fails because session resumption doesn't cover the data channel. The provider records the encounter without the encrypted notes; the chart entry ends up incomplete. State medical board rules requiring contemporaneous documentation (CA Bus. & Prof. Code §2266, NY Education Law §6530(32), TX Med. Bd. Rule §165) may be violated. Some state medical boards interpret incomplete contemporaneous documentation as professional misconduct.
A healthcare agency operates a telehealth platform for a behavioral health practice with 50+ licensed therapists across three states. The platform's cert auto-renews during a Sunday-night maintenance window. Two therapists are conducting sessions at the time (after-hours intake calls for new patients). The audio/video continues via TLS session resumption; the data channel for SOAP notes fails. Both therapists complete the sessions and start documenting in the EMR; the SOAP notes from the in-session attachment uploader were never transmitted. The therapists believe the documentation was captured; the EMR shows the encounter shell but no SOAP note. Three weeks later, one of the patients is admitted to an ER and the admitting hospital requests records; the gap in documentation is surfaced.
A healthcare agency operates a telehealth platform for Talk-Path Behavioral Health, a 50-therapist behavioral health practice operating across California, Texas, and Florida. The platform supports video sessions with integrated SOAP-note documentation (the therapist types SOAP notes into the platform UI during the session; the notes are uploaded to the EMR through an HL7 v2 interface at session-end). The platform uses a custom domain (telehealth.talkpathbehavioral.com) with a 90-day Let's Encrypt cert. The platform's underlying cloud provider rotates the cert at 2 AM Sunday during a regular maintenance window. Two therapists are conducting sessions: a CA-licensed LMFT doing an intake call for a new patient (60-min session), and a TX-licensed LCSW doing an emergency follow-up after a patient's after-hours crisis (45-min session). Both sessions start at ~1:45 AM (late-night intake/crisis cadence is normal for behavioral health). The cert rotation fires at 2 AM, halfway through both sessions. The WebRTC audio/video connection continues via TLS session resumption (RFC 5077 ticket-based resumption is enabled on the platform). The therapists notice no interruption. The data channel for SOAP-note uploads requires a fresh TLS handshake on the next upload attempt because the SOAP-note client is a separate browser context (an iframe in the platform UI); the fresh handshake validates against the new cert chain but the in-flight upload that was happening at the moment of rotation fails silently. Both therapists were mid-upload when the rotation fired. The platform's upload retry logic doesn't cover this specific TLS edge case (the retry only fires on HTTP 5xx, not on TLS handshake errors). The session-end save fires; the platform records the encounter shell (provider ID, patient ID, start time, end time) but no SOAP note content because the upload that should have produced the content was lost. 
The therapists believe documentation is complete because the platform UI showed a "Session saved" toast at end-of-session (the toast was generated by the encounter-shell save, not the SOAP-note save). Three weeks later, one of the patients (the CA-licensed LMFT's new-patient intake) is admitted to an ER following a suicide attempt. The admitting ER requests records from Talk-Path. The Talk-Path operations team pulls the EMR record and discovers the intake-session SOAP note is missing — the encounter shell shows a 60-min session with a CA-licensed LMFT but no documentation of what was discussed, what suicide-risk assessment was performed, what safety plan was created. The CA Medical Board (which licenses LMFTs in addition to LCSWs and physicians) interprets CA Bus. & Prof. Code §2266 (medical records standards) and CA Code of Regs. tit. 16 §1810 (LMFT documentation standards) as requiring contemporaneous documentation. The missing SOAP note from the intake session is a documentation gap during a 60-minute encounter where suicide risk should have been assessed. The patient's family files a complaint with the CA Board of Behavioral Sciences. The Board opens an investigation. The therapist's license is reviewed; the practice's policies and procedures are reviewed; the platform agency is named in discovery. The agency's engagement contract with Talk-Path includes a BAA and a cybersecurity SLA; the agency's E&O policy is triggered. Total cost: licensure defense for the therapist, malpractice claim from the patient's family (settlement six figures), platform agency's legal fees defending the SLA claim, plus reputation exposure across the agency's behavioral-health-vertical client roster.
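The two defects in the scenario above (a retry path that only reacts to HTTP 5xx, and a "Session saved" toast driven by the encounter-shell save alone) can both be closed in the upload client. The Python below is an added example written for this page, not the platform's or the agency's own code: it treats TLS handshake failures and connection resets as retryable so that the next attempt performs a fresh handshake against the rotated chain, refuses to retry client errors, and gates the "complete" status on both acknowledgements. The `HttpStatusError` class, the `make_flaky_upload` stub, and the acknowledgement id are constructed for the example.

```python
import ssl
import time
from typing import Callable, List, Optional


class HttpStatusError(Exception):
    """Constructed for this example: the upload client raises this for non-2xx responses."""

    def __init__(self, status: int):
        super().__init__(f"HTTP {status}")
        self.status = status


def is_retryable(exc: BaseException) -> bool:
    """Retry on transport failures as well as server errors.

    A TLS handshake failure during a cert rotation (ssl.SSLError and its
    subclasses, connection resets, timeouts) is the case the page describes:
    the next attempt handshakes against the new chain and succeeds, so it
    must not be treated as a hard failure. 4xx responses are the caller's
    fault and are not retried."""
    if isinstance(exc, (ssl.SSLError, ConnectionError, TimeoutError)):
        return True
    if isinstance(exc, HttpStatusError):
        return 500 <= exc.status < 600
    return False


def upload_with_retry(upload: Callable[[], str], attempts: int = 4, base_delay: float = 0.0) -> str:
    """Call `upload` until it returns an acknowledgement, with exponential backoff.
    Non-retryable errors are re-raised at once; the last retryable error is
    re-raised when attempts are exhausted so the caller can surface it."""
    last: Optional[BaseException] = None
    for attempt in range(attempts):
        try:
            return upload()
        except Exception as exc:
            if not is_retryable(exc):
                raise
            last = exc
            time.sleep(base_delay * (2 ** attempt))
    assert last is not None
    raise last


def session_save_status(encounter_shell_ack: bool, soap_note_ack: bool) -> str:
    """What the end-of-session UI should report. 'complete' requires the SOAP-note
    acknowledgement too; the encounter shell alone is an incomplete chart entry."""
    if encounter_shell_ack and soap_note_ack:
        return "complete"
    if encounter_shell_ack:
        return "incomplete-note-missing"
    return "not-saved"


def make_flaky_upload(failures: List[BaseException]) -> Callable[[], str]:
    """Constructed stand-in for the real upload call: raises each exception in
    `failures` in turn, then returns a (placeholder) acknowledgement id."""
    queue = list(failures)

    def upload() -> str:
        if queue:
            raise queue.pop(0)
        return "note-ack-0001"

    return upload


def rotation_recovery_demo() -> str:
    """Two transport failures around a rotation (TLS EOF mid-handshake, then a
    reset) followed by success on the fresh handshake."""
    upload = make_flaky_upload([
        ssl.SSLEOFError("EOF occurred in violation of protocol"),
        ConnectionResetError("connection reset by peer"),
    ])
    return upload_with_retry(upload)


def client_error_demo() -> str:
    """A 4xx must propagate immediately instead of being retried."""
    try:
        upload_with_retry(make_flaky_upload([HttpStatusError(413)]))
    except HttpStatusError as exc:
        return f"raised-{exc.status}"
    return "unexpected-success"


if __name__ == "__main__":
    print(rotation_recovery_demo())
    print(client_error_demo())
    print(session_save_status(encounter_shell_ack=True, soap_note_ack=False))
```

In a real client the acknowledgement would be the EMR-side id of the stored note; the point is that the toast is computed from `session_save_status`, so a lost upload shows as "incomplete-note-missing" to the therapist while the session is still open, rather than three weeks later in a records request.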
Modern healthcare data exchange uses FHIR (Fast Healthcare Interoperability Resources) APIs. EMR systems (Epic, Cerner, Allscripts) integrate with third-party apps via FHIR endpoints using OAuth2 + mutual TLS (mTLS) for SMART-on-FHIR authentication. When the FHIR API endpoint cert expires, the EMR's HTTP client rejects the connection at the TLS layer — before any HTTP request goes through. The EMR caches the failure (Epic Bridges caches for 24 hours; Cerner Open Developer Experience caches for 48 hours) so even after the cert renews, integration may not resume until the EMR's cache clears. For provider organizations dependent on the third-party app (med reconciliation, prior authorization automation, eRx, care-coordination platforms), this is a clinical workflow outage. Pharmacies receiving eRx through the integration get blank prescriptions; insurance prior-auth queues stall.
A healthcare agency operates a prior-authorization automation platform that integrates with Epic Bridges via SMART-on-FHIR mTLS. The cert on the FHIR endpoint expires due to a 90-day Let's Encrypt renewal failure on a holiday weekend. Epic Bridges caches the TLS failure for 24 hours. The agency renews the cert in 4 hours when the on-call sees the alert. Epic Bridges continues rejecting connections for the remaining 20 hours of the cache window. Prior-authorization requests stall across 8 provider organizations (~200 providers, ~3,000 patients) during a Monday-morning clinical-load window. Several patients have surgery scheduled later in the week pending prior auth.
A healthcare agency operates Prior-Auth-Bridge, a prior-authorization automation platform that integrates directly with Epic Bridges via SMART-on-FHIR. The integration handles ~50,000 prior-auth requests per month across 8 provider organizations (orthopedic groups, oncology practices, surgical specialties). The FHIR endpoint is hosted at fhir.priorauthbridge.com with a 90-day Let's Encrypt cert. The cert renewal automation depends on a CAA record that permits Let's Encrypt; six weeks ago, one of the provider organizations (which manages its own DNS) tightened the CAA record on a parent domain that delegates to fhir.priorauthbridge.com as part of an unrelated DNS hardening project. The CAA tightening removed letsencrypt.org from the permitted CA list at the parent zone. Let's Encrypt's renewal validates CAA at the apex level following CAA inheritance rules (RFC 6844 §3); the renewal request hits the tightened CAA record and is rejected. The agency's renewal automation doesn't alert because the renewal API returns a generic 4xx that the automation interprets as "retry in 24 hours." The cert eventually expires on a Saturday morning (Memorial Day weekend). The agency's on-call coverage is reduced for the holiday weekend; the alert doesn't trigger paging until Monday morning. Epic Bridges' FHIR client encounters the TLS handshake failure starting Saturday morning. Epic Bridges caches the failure: every prior-auth request from any of the 8 provider organizations is rejected at the TLS layer before any HTTP request is generated. The 8 provider organizations encompass ~200 providers and ~3,000 prior-auth requests across the weekend (most low-volume, but some critical: pre-op imaging for Monday-morning surgery patients, oncology infusion auths for Tuesday-morning chemo). Monday morning at 7 AM, the agency on-call gets the alert when clinical-volume picks up. 
The on-call engineer investigates, finds the cert expiry, traces back to the CAA misconfiguration, contacts the provider organization that introduced the CAA tightening, gets the CAA record corrected, re-runs the cert provisioning. Cert is back live by 10 AM Monday. Epic Bridges caches the TLS failure for 24 hours after the last failure was recorded (per Epic's Open Developer documentation); the cache holds rejections until ~7 AM Tuesday. Throughout the 24-hour cache window after the cert is fixed, Epic Bridges continues to reject prior-auth requests at the TLS layer for any provider organization configured to use Prior-Auth-Bridge. The agency engineers cannot force-clear the cache (the cache is Epic-side, not exposed to API consumers). The 24-hour cache window encompasses Monday clinical operations across the 8 organizations. Provider workflow impact: surgery patients whose pre-op auths weren't completed have to be moved or have the surgery proceed without auth (then dispute the claim later). Oncology infusion patients have their Tuesday-morning chemo delayed pending auth. Pharmacies receiving eRx through downstream integrations get blank prescription objects. The agency's engagement contracts with the 8 organizations include BAAs and cybersecurity SLAs with uptime and integration-availability commitments. SLA credits are triggered; the agency's E&O policy is triggered. Reputation exposure with the agency's healthcare-vertical client roster is significant.
How it works
SSL and DNS monitoring for healthcare agencies across patient portals (HIPAA Breach Notification Rule exposure under 45 CFR 164.402), telehealth platform subdomains (state medical board contemporaneous-documentation exposure), and FHIR API endpoints (EMR-side mTLS failure cache exposure under Epic Bridges, Cerner Code, and Allscripts Developer Program).
Merlonix monitors SSL expiry and DNS integrity across every HIPAA-attached subdomain — patientportal.* (patient portal), telehealth.* (telehealth platform), fhir.* (FHIR API endpoint), intake.* (online intake), and the covered entity's primary domain — and catches cert expiry on regulated subdomains before patients can submit PHI over an unencrypted connection and trigger the §164.402 Breach Notification Rule, before a telehealth session can mid-session-rotate and lose a SOAP note creating a state-medical-board documentation gap, and before a FHIR endpoint cert expiry can be rejected by the EMR's mTLS client and cached for 24-48 hours after renewal. Each regulated subdomain gets independent monitoring because each one carries independent HIPAA-side and state-medical-board exposure that flows back to the agency under the BAA.
01
Add every HIPAA-attached subdomain — patientportal.*, telehealth.*, fhir.*, intake.*, plus the covered entity's primary domain — with DNS TXT verification that catches cert expiry on regulated infrastructure 30 days before any patient can submit PHI over an unencrypted connection
Verify ownership with a DNS TXT record on the apex domain. All subdomains under that apex — patientportal.* (patient portal), telehealth.* (telehealth platform), fhir.* (FHIR API endpoint), intake.* (online intake form), apex (covered entity marketing site) — are added without additional verification. Monitoring every HIPAA-attached subdomain catches cert expiry on the regulated subdomains 30 days before the failure window opens — well before any patient can submit PHI over an expired cert and trigger the §164.402 Breach Notification Rule, well before any telehealth session can mid-session-rotate and lose a SOAP note, and well before any FHIR endpoint can be rejected by Epic Bridges' 24-hour TLS failure cache. Under two minutes per covered entity.
02
CNAME and CAA monitoring across DNS provider migrations, parent-zone CAA tightening by other parties, and platform credential rotations — surfacing the CAA-inheritance failures that silently break Let's Encrypt renewal on FHIR API endpoints
Three independent DNS resolvers check every CNAME and CAA record on every monitoring interval, walking the CAA inheritance chain per RFC 6844 §3 from the apex up. When a parent-zone CAA record is tightened (often by an unrelated DNS hardening project at the covered entity, or by an upstream domain owner the agency doesn't control), the change is detected in the first check cycle — well before the FHIR endpoint's next 90-day cert renewal attempts to issue against the now-tightened CAA list and silently fails. Each failure mode has a different DNS dependency (patientportal.* depends on its own zone's CAA, fhir.* may depend on a parent zone's CAA via inheritance) and each is monitored separately.
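The CAA walk this step describes, and the renewal-automation flaw in the Prior-Auth-Bridge scenario above (a CAA rejection read as a generic "retry in 24 hours"), are both illustrated by the Python below. It is an added example for this page, not Merlonix's resolver or any ACME client's code. The CAA inheritance rule (walk from the leaf toward the apex; the first name with a CAA RRset governs) follows RFC 6844 §3 as the page cites it, and the `urn:ietf:params:acme:error:caa` problem type is the one RFC 8555 §6.7 defines. The zone contents in `CONSTRUCTED_CAA` are made up for the example and are not real DNS; `priorauthbridge.com` is used only because the page names it.

```python
import json
from typing import Callable, Dict, List, Optional, Tuple

CaaRecord = Tuple[str, str]            # (tag, value), e.g. ("issue", "letsencrypt.org")
Lookup = Callable[[str], List[CaaRecord]]

# Constructed zone data (NOT real DNS). The FHIR endpoint publishes no CAA of its own;
# the parent zone's CAA was "tightened" so letsencrypt.org is no longer listed.
CONSTRUCTED_CAA: Dict[str, List[CaaRecord]] = {
    "priorauthbridge.com": [("issue", "digicert.com")],
    "clinic-b.example": [("issue", "letsencrypt.org; validationmethods=dns-01"), ("issuewild", ";")],
}


def dict_lookup(name: str) -> List[CaaRecord]:
    """Stand-in resolver over the constructed data. Against live DNS the same
    (tag, value) pairs come from dnspython's dns.resolver.resolve(name, "CAA")."""
    return CONSTRUCTED_CAA.get(name, [])


def relevant_caa(name: str, lookup: Lookup = dict_lookup) -> Optional[Tuple[str, List[CaaRecord]]]:
    """Walk from the leaf toward the apex: the first name with a CAA RRset is the
    one that governs issuance for `name`. Returns (owner, records), or None when
    no ancestor publishes CAA (then any CA may issue)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        records = lookup(owner)
        if records:
            return owner, records
    return None


def ca_permitted(name: str, ca_domain: str, lookup: Lookup = dict_lookup) -> bool:
    """Would the CA identified by `ca_domain` be allowed to issue for a non-wildcard
    `name`? Only 'issue' tags apply to non-wildcard names ('issuewild' is ignored),
    and a value of ';' lists no CA at all."""
    found = relevant_caa(name, lookup)
    if found is None:
        return True
    _, records = found
    # The CA domain is the part before any ';'-separated parameters.
    issue_values = [value.split(";")[0].strip() for tag, value in records if tag == "issue"]
    if not issue_values:
        return True   # CAA present but no 'issue' tags: non-wildcard issuance is unrestricted
    return ca_domain in issue_values


# Error types an ACME client should page a human for, vs. ones worth retrying later.
PERMANENT_ACME_ERRORS = {
    "urn:ietf:params:acme:error:caa",                    # CAA forbids this CA
    "urn:ietf:params:acme:error:rejectedIdentifier",
    "urn:ietf:params:acme:error:unsupportedIdentifier",
}
TRANSIENT_ACME_ERRORS = {
    "urn:ietf:params:acme:error:connection",
    "urn:ietf:params:acme:error:rateLimited",
    "urn:ietf:params:acme:error:serverInternal",
    "urn:ietf:params:acme:error:badNonce",
}


def classify_acme_failure(problem_json: str) -> str:
    """Map an ACME problem document (RFC 7807 JSON, as found in a challenge's
    'error' field or an error response) to 'page-operator' or 'retry'.
    Unknown types are NOT silently retried, which is the mistake the scenario shows."""
    problem = json.loads(problem_json)
    err_type = problem.get("type", "")
    if err_type in TRANSIENT_ACME_ERRORS:
        return "retry"
    return "page-operator"


def caa_preflight(name: str, ca_domain: str = "letsencrypt.org", lookup: Lookup = dict_lookup) -> str:
    """One monitoring-cycle verdict: which record governs `name`, and whether the
    CA the renewal automation uses is still allowed to issue for it."""
    found = relevant_caa(name, lookup)
    owner = found[0] if found else "(no CAA in chain)"
    verdict = "permitted" if ca_permitted(name, ca_domain, lookup) else "BLOCKED"
    return f"{name}: governing CAA at {owner}; {ca_domain} {verdict}"


if __name__ == "__main__":
    print(caa_preflight("fhir.priorauthbridge.com"))
    print(caa_preflight("patientportal.clinic-b.example"))
    print(classify_acme_failure('{"type": "urn:ietf:params:acme:error:caa", "detail": "CAA record prevents issuance"}'))
```

Run on every check interval, `caa_preflight` flips from "permitted" to "BLOCKED" in the first cycle after the parent zone changes, which is weeks before the 90-day renewal would discover it; `classify_acme_failure` is the companion fix on the renewal side, so that even a missed DNS check cannot be turned into a silent 24-hour retry loop.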
03
SSL monitoring 30 days before expiry across patient portals, telehealth platform subdomains, FHIR API endpoints, and intake forms — independent per-subdomain checks because each one has independent HIPAA-side exposure
Full SSL chain validation on every HIPAA-attached subdomain — patientportal.*, telehealth.*, fhir.*, intake.*. Independent checks per-subdomain catch cert expiry 30 days before the failure window opens — enough time to renew the cert, validate the new cert serves correctly across mobile browsers (where most patient-portal traffic originates), and confirm the FHIR endpoint's new cert is accepted by the EMR's mTLS client before the previous cert expires. The 30-day lead time is also enough to coordinate a FHIR endpoint cert rotation with the EMR vendor (Epic, Cerner, Allscripts) to flush the EMR-side TLS failure cache proactively rather than reactively.
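An added example of the per-subdomain expiry check this step describes, written for this page rather than taken from Merlonix: it expands an apex into the regulated hostnames the page lists, connects to each with full chain and hostname validation against the local root store, and classifies the remaining lifetime against the 30-day lead time. The subdomain labels and the 30-day window come from the page; the function names, the output fields and the `example.com` placeholder apex are this example's own.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Subdomain labels from the page; the apex itself is monitored as well.
REGULATED_LABELS = ("patientportal", "telehealth", "fhir", "intake")
LEAD_DAYS = 30  # the page's pre-expiry alert window


def regulated_hostnames(apex: str) -> list:
    """Apex plus every HIPAA-attached subdomain label under it."""
    return [apex] + [f"{label}.{apex}" for label in REGULATED_LABELS]


def utc(year: int, month: int, day: int) -> datetime:
    """Aware UTC datetime, used for the 'now' argument in tests."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_not_after(not_after: str) -> datetime:
    """Parse the 'notAfter' string as returned by ssl.SSLSocket.getpeercert(),
    e.g. 'Jun  1 12:00:00 2025 GMT', into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def classify(not_after: str, now: Optional[datetime] = None, lead_days: int = LEAD_DAYS) -> Tuple[str, float]:
    """Return (state, days_left): 'expired', 'renew-now' (inside the lead window) or 'ok'."""
    now = now or datetime.now(timezone.utc)
    days_left = (parse_not_after(not_after) - now).total_seconds() / 86400
    if days_left <= 0:
        return "expired", days_left
    if days_left <= lead_days:
        return "renew-now", days_left
    return "ok", days_left


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check of one hostname (needs network). ssl.create_default_context()
    verifies the full chain against the local root store plus the hostname, so an
    already-expired or mis-chained cert surfaces as 'chain-invalid' with OpenSSL's
    reason; the day arithmetic applies to certs that still validate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "state": "chain-invalid", "detail": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"host": host, "state": "unreachable", "detail": str(exc)}
    state, days_left = classify(cert["notAfter"])
    return {"host": host, "state": state, "days_left": round(days_left, 1)}


def check_apex(apex: str) -> Dict[str, dict]:
    """Independent check per regulated hostname, keyed by hostname, so one
    subdomain's state never masks another's."""
    return {host: check_host(host) for host in regulated_hostnames(apex)}


if __name__ == "__main__":
    import json
    for result in check_apex("example.com").values():  # placeholder apex
        print(json.dumps(result))
```

Because the context verifies the chain, the live check exercises the same validation path a patient's browser does; the mobile-browser and EMR-client follow-ups the step mentions are separate checks against those clients' trust stores, which this example does not cover.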
04
Vendor status for Epic, Cerner, Allscripts, AthenaHealth, Let's Encrypt, plus the major telehealth backends (Doxy.me, Zoom Health, Twilio Video) to distinguish vendor-side incidents from per-tenant SSL configuration failures
Merlonix monitors the EMR vendors (Epic Open Developer Experience, Cerner Code, Allscripts Developer Program, AthenaHealth Marketplace) and major telehealth backend vendors alongside the covered entity's cert state — so when Epic has a Bridges platform-wide incident, you see the vendor event clearly rather than spending an hour investigating whether the FHIR endpoint's cert is the failure root cause or whether Epic-side mTLS is degraded for all consumers. The vendor status integration also helps with the EMR-side TLS failure cache: when Epic acknowledges a platform-wide cache flush window, that's relevant to whether the agency's FHIR endpoint can be considered re-integrated or still in the cache window.
What the numbers mean for healthcare agencies
Monitoring built for healthcare agencies where one client portfolio means a covered entity's patient portal (HIPAA Breach Notification Rule exposure), telehealth platform (state medical board contemporaneous-documentation exposure), FHIR API endpoint (EMR-side mTLS failure cache exposure), and intake form — each with independent regulatory implications when a cert silently expires and the agency's BAA inherits HIPAA-equivalent obligations.
Healthcare agencies operating patient-facing tech for covered entities need monitoring that recognizes each regulated subdomain has independent HIPAA-side and state-medical-board exposure — because a patient-portal cert expiry is silent (patients click through the browser warning on mobile and submit PHI; the §164.402 Breach Notification Rule clock starts at the moment of discovery), a telehealth mid-session cert rotation is silent (the audio/video continues via TLS session resumption while the SOAP-note upload fails; the chart entry ends up incomplete and the gap is discovered weeks or months later when the patient's records are requested by another provider), and a FHIR endpoint cert expiry is silent and self-extending (the EMR-side mTLS failure cache holds rejections for 24-48 hours after the cert is renewed, so the clinical workflow outage extends beyond the cert-expiry window).
< 10 min
Time from DNS change to alert — catches CAA-record tightening at parent zones (introduced by unrelated DNS hardening projects at the covered entity or upstream domain owner) that silently break Let's Encrypt renewal on FHIR API endpoints 60+ days before the next renewal cycle, plus DNS provider migrations and registrar nameserver changes that strip cert validation records
30 days
SSL expiry warning lead time — enough time to renew the cert, validate the new cert serves correctly across mobile browsers (most patient portal traffic), and proactively coordinate a FHIR endpoint cert rotation with Epic Bridges, Cerner Code, or Allscripts to flush the EMR-side TLS failure cache before the previous cert expires
11 vendors
Upstream services monitored — Epic Open Developer Experience, Cerner Code, Allscripts Developer Program, AthenaHealth Marketplace, Doxy.me, Zoom Health, Twilio Video, Let's Encrypt, and the cloud platforms the covered entity's infrastructure runs on. Distinguishes a vendor-side EMR or telehealth-backend incident from a per-covered-entity SSL configuration failure
200 assets
Maximum monitored domains on the Agency plan — covers a full healthcare-vertical portfolio: 25+ covered entities each with patientportal.*, telehealth.*, fhir.*, intake.*, and apex subdomains. Multi-state provider organizations with separate subdomains per region (patientportal.east.healthsystem.com, patientportal.west.healthsystem.com) are absorbed without per-domain fees
Pricing
Flat monthly fee. Every HIPAA-attached subdomain, every FHIR endpoint, every telehealth platform included.
No per-entity charges. No per-subdomain fees. Pick the tier that fits your healthcare-vertical portfolio and monitor every regulated subdomain (patientportal.*, telehealth.*, fhir.*, intake.*) under each covered entity's apex without billing surprises.
Starter
For solo developers or two-person agencies operating a single covered entity's patient portal, telehealth platform, and FHIR endpoint under one apex domain.
$29/month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For healthcare agencies managing 5-10 covered entity clients with separate patientportal.*, telehealth.*, fhir.*, and intake.* subdomains per organization, plus the entity's primary marketing domain.
$79/month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full healthcare-vertical client roster including multi-state provider organizations with separate subdomains per region, FHIR API integrations with Epic Bridges, Cerner Code, and Allscripts, plus telehealth platforms with high-volume after-hours session load.
$199/month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when patientportal.coveredentity.com is approaching cert expiry — 30 days before patients can click through the browser warning and trigger the §164.402 Breach Notification Rule clock.
Add your first covered entity subdomain in under two minutes. Patient portals, telehealth platform subdomains, FHIR API endpoints, and intake forms across every covered entity in your portfolio are monitored from the same dashboard. 14-day trial, no card required.