Completing the assessment
The question flow, the four answer states, how to rate a gap, how the risk score is computed, how saving works, and the Risk Register & heatmap.
1. The seven sections (108 questions)
Ward’s assessment covers 108 questions across the seven areas of the HIPAA Security Rule. The Assessment tab shows one section at a time; the Dashboard shows your progress in each.
| Section | Area | Covers |
|---|---|---|
| S1 | Security Management | Risk analysis, risk management, sanctions, activity review, the Security Official. |
| S2 | Policies & Documentation | Written policies, documentation retention, the asset inventory link. |
| S3 | Workforce & Training | Authorization, access management, termination, security-awareness training. |
| S4 | Technical Safeguards | Encryption (at rest & in transit), MFA, unique IDs, automatic logoff, audit logs, integrity. (23 questions — the largest section.) |
| S5 | Physical Safeguards | Facility access, workstation placement, device & media disposal/reuse. |
| S6 | Vendors & BAAs | Business associate agreements, BA verification, cyber-obligation clauses. |
| S7 | Contingency & Incident | Backups, restoration testing, incident response, breach handling. |
Of the 108 questions, 24 carry a “2026: now required” flag — these are the ones that drive the 2026 readiness meter. Every other question is marked Required.
2. Anatomy of a question
Each question card shows:
- The CFR citation — the exact regulation, e.g. 45 CFR 164.312(a)(2)(iv).
- A short title — e.g. “Encryption of ePHI at Rest.”
- A flag — either Required or 2026: now required.
- A safeguard badge — Administrative, Physical, or Technical.
- The question itself — a plain-language yes/no question.
- “What this means & what to do” — click to expand beginner-friendly guidance with concrete examples (e.g. “FileVault on Mac, BitLocker on Windows”).
3. The four answer states
For each question, click one of four buttons:
| Answer | Meaning | Effect |
|---|---|---|
| Yes — in place | The safeguard is fully implemented. | Counts as “in place.” No gap. Credits the readiness meter for any linked 2026 mandate. |
| Partially | Partly implemented or inconsistent. | Counts as a gap. Opens the risk-rating box. Linked mandate becomes “Partial.” |
| No / not yet | Not implemented. | Counts as a gap. Opens the risk-rating box. Linked mandate becomes a “Gap.” |
| N/A | The control genuinely does not apply to you. | Counts as “in place” for scoring (treated like resolved). Use sparingly and document why in the notes. |
Be honest. Marking everything “Yes” produces a high score but a worthless assessment. The point of an SRA is to find gaps so you can fix them before a breach — or before an auditor does. A realistic 60% with a clear POA&M is far more defensible than a hollow 100%.
4. Notes & rationale
Every question has a Notes / rationale box. Use it to record your “reasonable and appropriate” justification — why you answered the way you did, what evidence supports it, or why a control is N/A. These notes flow into your full SRA report and audit binder.
Privacy note: notes are free-text and are the one place you could type PHI. Like everything else, they stay only in your browser. They are never sent to the optional AI assistant or the optional cloud sync — see Security & privacy → The PHI boundary. Best practice: keep notes free of patient identifiers anyway.
5. Rating a gap (likelihood × impact)
When you answer Partially or No, a risk-rating box appears under the question. Fill in:
- Threat / vulnerability — pick from a catalog of 23 threats (human, technical, environmental). Ward star-marks (★) the threats most relevant to that specific question, so the likely ones float to the top.
- Likelihood — how likely is it to happen? Rare, Unlikely, Possible, Likely, or Frequent.
- Impact on patient data — how bad if it does? Limited, Moderate, Serious, Major, or Catastrophic.
You can also fill in a Remediation action, an Owner, and a Target date right here — these feed the POA&M and Risk Register.
6. How the Low / Moderate / High score is computed
Ward uses the same NIST-aligned method as the ONC SRA Tool. Each scale is 1–5, and the score is likelihood × impact (a number from 1 to 25):
| Likelihood | Value |
|---|---|
| Rare | 1 |
| Unlikely | 2 |
| Possible | 3 |
| Likely | 4 |
| Frequent | 5 |
| Impact | Value |
|---|---|
| Limited | 1 |
| Moderate | 2 |
| Serious | 3 |
| Major | 4 |
| Catastrophic | 5 |
The resulting score maps to a rating:
| Score | Rating |
|---|---|
| 1 – 5 | Low |
| 6 – 12 | Moderate |
| 13 – 25 | High |
Example: “Likely” (4) × “Major” (4) = 16 → High. “Possible” (3) × “Moderate” (2) = 6 → Moderate.
Note: HIPAA/NIST terminology uses “Moderate,” not “Medium.” A rating only appears once both likelihood and impact are chosen.
7. Filtering and searching
On the Assessment tab you can narrow the list by section, by answer status (e.g. show only unanswered, or only gaps), and by a search box that matches the question ID, title, or text. This is how you quickly return to “everything I still need to answer” or “every gap I’ve found.”
8. How saving works
There is no Save button. Ward writes your changes to the browser automatically:
- Button choices (answers, dropdowns) save immediately.
- Typed fields (notes, owner, dates) save a fraction of a second after you stop typing (a short “debounce”).
Each saved record also gets an integrity checksum so Ward can warn you if the data was altered outside the app — see Security & privacy → Integrity checksums. Because data is stored per-browser (see Where data lives), back up regularly with Export JSON.
9. The Risk Register & heatmap
The Risk Register tab pulls together every open gap:
- A likelihood × impact heatmap — a 5×5 grid (green/amber/red) showing how many of your rated risks fall in each cell.
- A ranked table — every gap sorted by risk score (highest first), with its threat, L×I score, rating, owner, and target date.
- Two exports: risk register (CSV) and POA&M (Markdown).
This register is your formal HIPAA risk-management record. Gaps you haven’t rated yet show as “unrated” — rate them on the Assessment tab to place them in the register and heatmap.
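The scoring rules from section 6 and the register and heatmap logic from section 9, carried through in one runnable example. This is illustrative code written for this page, not Ward's own source: the `Gap` record, the sample gaps and the function names are assumptions made here, while the scale values and rating bands are the ones the tables above state.

```python
"""Likelihood x impact scoring, Risk Register ranking and heatmap counts.

Example code for this help page; not Ward's implementation. Scale values and
rating bands follow the tables in section 6; everything else is assumed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Scales from section 6 (1-5 each).
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Frequent": 5}
IMPACT = {"Limited": 1, "Moderate": 2, "Serious": 3, "Major": 4, "Catastrophic": 5}


def risk_score(likelihood: str, impact: str) -> int:
    """Score = likelihood value x impact value, 1..25."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rating(score: int) -> str:
    """Map a 1..25 score to Low / Moderate / High (HIPAA/NIST wording)."""
    if score <= 5:
        return "Low"
    if score <= 12:
        return "Moderate"
    return "High"


@dataclass
class Gap:
    """One question answered Partially or No (assumed record shape)."""
    question_id: str
    answer: str                       # "Partially" or "No"
    threat: str = ""
    likelihood: Optional[str] = None  # None until the user rates the gap
    impact: Optional[str] = None
    owner: str = ""
    target_date: str = ""

    def score(self) -> Optional[int]:
        # A rating only exists once both likelihood and impact are chosen.
        if self.likelihood is None or self.impact is None:
            return None
        return risk_score(self.likelihood, self.impact)


def build_register(gaps: List[Gap]) -> Tuple[List[tuple], List[str]]:
    """Ranked table (highest score first) plus the ids of unrated gaps."""
    rated = [g for g in gaps if g.score() is not None]
    unrated = [g.question_id for g in gaps if g.score() is None]
    ranked = sorted(rated, key=lambda g: g.score(), reverse=True)
    rows = [
        (g.question_id, g.threat, g.score(), rating(g.score()), g.owner, g.target_date)
        for g in ranked
    ]
    return rows, unrated


def heatmap(gaps: List[Gap]) -> List[List[int]]:
    """5x5 grid of counts: rows = likelihood 1..5, columns = impact 1..5."""
    grid = [[0] * 5 for _ in range(5)]
    for g in gaps:
        if g.score() is None:
            continue  # unrated gaps are not placed on the heatmap
        grid[LIKELIHOOD[g.likelihood] - 1][IMPACT[g.impact] - 1] += 1
    return grid


def cell_color(likelihood_value: int, impact_value: int) -> str:
    """Green / amber / red for a heatmap cell, from that cell's own score."""
    return {"Low": "green", "Moderate": "amber", "High": "red"}[
        rating(likelihood_value * impact_value)
    ]


# Constructed sample gaps (not real assessment data).
SAMPLE_GAPS = [
    Gap("S4-Q3", "No", "Lost or stolen laptop", "Likely", "Major", "IT lead", "2026-09-30"),
    Gap("S3-Q2", "Partially", "Untrained staff", "Possible", "Moderate", "Office mgr", "2026-08-15"),
    Gap("S1-Q1", "No", "Flood", "Rare", "Limited"),
    Gap("S6-Q1", "Partially", "Vendor breach"),  # not yet rated
]

if __name__ == "__main__":
    rows, unrated = build_register(SAMPLE_GAPS)
    for row in rows:
        print(row)
    print("unrated:", unrated)
    for i, line in enumerate(heatmap(SAMPLE_GAPS), start=1):
        print(f"likelihood {i}: {line}")
```

Run as a script to see the ranked rows, the unrated ids and the heatmap counts for the constructed sample. Note that `rating` is applied to the product rather than to either axis alone, which is why a "Likely" likelihood with a "Limited" impact (4) still lands in Low, exactly as the band table implies.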
10. Tips for an accurate, defensible assessment
- Answer every question. The readiness meter is marked “provisional” until you do — OCR expects a thorough analysis.
- Use the notes field for evidence. “Verified BitLocker enabled on all 6 laptops, 2026-06-10” is far stronger than a bare “Yes.”
- Rate every gap. An unrated gap has no priority. Rating drives the register, heatmap, and POA&M order.
- Re-baseline at least annually, and after any material change (new EHR, new location, a security incident). Capture each baseline as a Snapshot for year-over-year evidence.