HIPAA Compliance Score
The HIPAA Compliance Score is a 0–100 number that summarizes your organization's HIPAA posture across four domains. It is available to organizations that have activated the HIPAA Basic or HIPAA Enhanced add-on and is visible in the compliance dashboard. The score updates when you take an action in any of the four domains or when the 24-hour cache expires.
What you'll learn
- How the compliance score is calculated
- What each of the four scoring domains covers
- How to take actions that improve your score
- Where to view the score in the platform
Scoring domains
The compliance score is made up of four domains, each worth up to 25 points:
| Domain | Max points | What it measures |
|---|---|---|
| BAA Status | 25 | Whether active BAAs are in place. Points are allocated as: 5 for having at least one BAA, up to 10 proportional to active BAA coverage rate, 5 for no BAAs expiring within 60 days, and 5 for having the platform BAA signed. |
| Training Compliance | 25 | Whether staff have completed HIPAA training. Up to 15 points are awarded proportionally based on completion rate, 5 points for no overdue renewals, and 5 bonus points for 100% completion. Available under HIPAA Enhanced only. |
| Risk Assessment | 25 | Whether a risk assessment has been completed within the past 12 months (10 points), the risk level is low or medium rather than high or critical (5 points), remediation is in progress or complete (up to 5 points), and the score is trending stable or improving (5 points). |
| Policy and Controls | 25 | Whether there are no open critical or high security incidents (up to 10 points, with deductions per unresolved incident), active user access hygiene with no accounts inactive for 90+ days (up to 8 points), and no unresolved open incidents overall (up to 7 points). |
Risk level thresholds
The overall score maps to a risk level as follows:
| Score range | Risk level |
|---|---|
| 90–100 | Low |
| 75–89 | Medium |
| 60–74 | High |
| 0–59 | Critical |
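The two tables above define the score well enough to model it end to end. The following is an added worked example, not the platform's own code: it scores a constructed HIPAA Enhanced tenant across the four domains and maps the total to a risk level. Where the page says only "up to N points" (BAA coverage, training completion, remediation progress, incident deductions, access hygiene), the exact split below is an assumption and is marked as such in the comments; the 25-point domain caps and the 90/75/60 thresholds are taken from the page.

```python
# Added example of the four-domain HIPAA Compliance Score. Splits marked
# "assumption" are not specified on the page and are illustrative only.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class BaaPosture:
    total: int                    # vendor BAAs on file
    active: int                   # of those, currently active
    expiring_within_60_days: int
    platform_baa_signed: bool

@dataclass
class TrainingPosture:
    staff: int
    completed: int
    overdue_renewals: int

@dataclass
class RiskPosture:
    last_assessment: Optional[date]
    risk_level: str               # "low" | "medium" | "high" | "critical"
    remediation: str              # "not_started" | "in_progress" | "complete"
    trend: str                    # "improving" | "stable" | "declining"

@dataclass
class ControlsPosture:
    open_critical_or_high: int    # unresolved critical/high security incidents
    open_incidents_total: int     # all unresolved incidents
    users: int
    inactive_90_days: int         # accounts with no activity for 90+ days

def score_baa(p: BaaPosture) -> int:
    """BAA Status: 5 (any BAA) + up to 10 (coverage) + 5 (none expiring <60d) + 5 (platform BAA)."""
    pts = 5 if p.platform_baa_signed else 0
    if p.total >= 1:
        pts += 5 + 10 * p.active // p.total  # assumption: floored proportional coverage
        pts += 5 if p.expiring_within_60_days == 0 else 0  # assumption: needs >=1 BAA to earn
    return pts

def score_training(p: TrainingPosture) -> int:
    """Training Compliance (HIPAA Enhanced only): up to 15 proportional + 5 no overdue + 5 at 100%."""
    if p.staff == 0:
        return 0  # assumption: no staff, no training points
    pts = 15 * p.completed // p.staff  # assumption: floored proportional
    pts += 5 if p.overdue_renewals == 0 else 0
    pts += 5 if p.completed == p.staff else 0
    return pts

def score_risk(p: RiskPosture, today: date) -> int:
    """Risk Assessment: 10 (within 12 months) + 5 (low/medium) + up to 5 (remediation) + 5 (trend)."""
    recent = p.last_assessment is not None and today - p.last_assessment <= timedelta(days=365)
    pts = 10 if recent else 0
    pts += 5 if p.risk_level in ("low", "medium") else 0
    pts += {"complete": 5, "in_progress": 3}.get(p.remediation, 0)  # assumption: 3 for in-progress
    pts += 5 if p.trend in ("stable", "improving") else 0
    return pts

def score_controls(p: ControlsPosture) -> int:
    """Policy and Controls: up to 10 (critical/high) + up to 8 (access hygiene) + up to 7 (all open)."""
    pts = max(0, 10 - 2 * p.open_critical_or_high)  # assumption: -2 per unresolved critical/high
    if p.users:
        pts += 8 * (p.users - p.inactive_90_days) // p.users  # assumption: proportional hygiene
    pts += max(0, 7 - p.open_incidents_total)  # assumption: -1 per unresolved incident
    return pts

def risk_level_for(score: int) -> str:
    """Threshold table from the page: 90-100 Low, 75-89 Medium, 60-74 High, 0-59 Critical."""
    for floor, level in ((90, "Low"), (75, "Medium"), (60, "High")):
        if score >= floor:
            return level
    return "Critical"

def compliance_score(baa, training, risk, controls, today: date) -> dict:
    """Sum the four 25-point domains into the 0-100 headline score and map it to a risk level."""
    domains = {"baa": score_baa(baa), "training": score_training(training),
               "risk": score_risk(risk, today), "controls": score_controls(controls)}
    total = sum(domains.values())
    return {**domains, "total": total, "risk_level": risk_level_for(total)}

def sample_posture(today: date = date(2024, 6, 1)) -> dict:
    """Constructed tenant posture (not real data): 3 of 4 BAAs active, one overdue trainee, etc."""
    return compliance_score(
        BaaPosture(total=4, active=3, expiring_within_60_days=0, platform_baa_signed=True),
        TrainingPosture(staff=20, completed=18, overdue_renewals=1),
        RiskPosture(last_assessment=today - timedelta(days=100), risk_level="medium",
                    remediation="in_progress", trend="stable"),
        ControlsPosture(open_critical_or_high=1, open_incidents_total=2, users=50, inactive_90_days=5),
        today,
    )
```

Running `sample_posture()` gives 22 + 13 + 23 + 20 = 78, which lands in the Medium band; the per-domain breakdown shows where the points were lost (one overdue renewal, one open critical/high incident, two open incidents overall), which is the same information the dashboard's improvement actions surface.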
Improvement actions
The compliance dashboard lists specific improvement actions for any domain where your score is incomplete. Examples include: adding a missing vendor BAA, signing the platform BAA, enrolling staff in HIPAA training, running an overdue risk assessment, resolving open security incidents, or reviewing user accounts inactive for 90 or more days.
Viewing the score
The compliance score is displayed as the headline metric on the HIPAA Compliance dashboard (Settings menu → HIPAA Compliance). The score is cached for 24 hours and can be recalculated on demand using the recalculate button (rate-limited to 10 requests per hour). Only users with the tenant_admin role can view and manage the compliance dashboard.