Polaris HIPAA Compliance Platform

Assessment Configuration

Answer these 6 questions to customize your HIPAA Security Risk Assessment. This determines which questions apply to your organization.

1. What type of HIPAA entity is your organization?

Covered Entity - Healthcare Provider (clinic, hospital, practice)

Covered Entity - Health Plan

Covered Entity - Clearinghouse

Business Associate (SaaS, vendor, service provider)

Business Associate Subcontractor

BAs have fundamentally different obligations than CEs. This is the primary branching point.

2. Does your organization have physical locations where workforce members access ePHI?

Yes - Multiple clinical/office sites

Yes - Single office/location

No - Fully remote/cloud-based

Cloud-only organizations skip most physical safeguards questions.

3. Does your organization develop or maintain software that processes ePHI?

Yes - We build the application

No - We use vendor software

Software developers receive enhanced technical depth questions (API security, encryption, SDLC).

4. How many workforce members access ePHI?

1-50 (Small Practice/Startup)

51-250 (Medium Organization)

251+ (Large Organization/Hospital)

A 5-person practice vs a 500-bed hospital have fundamentally different SRA needs.

5. Does your organization use cloud infrastructure for ePHI?

Yes - Public cloud (AWS/Azure/GCP)

No - On-premises only

Hybrid (both cloud and on-premises)

Cloud users inherit physical security from provider. On-prem owns everything.

6. What is your primary reason for this assessment?

Annual/periodic requirement

New product/market entry

Customer/partner requirement

OCR audit preparation

This affects output format and urgency, not question selection.