Concepts
Remediation catalog
A finding without a fix is just a complaint. Every finding code maps to a catalog entry with a plain-language explanation, step-by-step remediation, and references — so you (or your developer) know exactly what to change.
What each entry contains
The remediation catalog is version-controlled YAML, not a database table, so it evolves transparently alongside the signature catalog. Each finding code resolves to an entry shaped like this:
```yaml
tracking.pixel_on_intake:
  title: "Third-party tracking pixel on a patient-facing page"
  description: >
    A third-party advertising/analytics pixel was detected on a page
    classified as an intake or appointment page, where it may transmit
    information about a visitor seeking care.
  remediation_md: |
    1. Remove the pixel from intake, appointment, and portal pages.
    2. If analytics are required, use a server-side, BAA-covered
       configuration and strip identifiers and URL parameters that
       could reveal the reason for a visit.
    3. Re-scan to confirm the indicator is gone.
  references:
    - "HHS OCR — Use of Online Tracking Technologies by HIPAA Covered Entities"
```
Representative entries
| Finding code | Remediation summary |
|---|---|
| tracking.pixel_on_intake | Remove the pixel from patient-facing pages, or gate it behind consent and confirm there's no PHI in the data it sends. Prefer server-side, BAA-covered analytics. |
| forms.phi_form_over_http | Serve the form page over HTTPS and post to an HTTPS endpoint on a domain you control. Redirect HTTP to HTTPS site-wide. |
| headers.missing_hsts | Add a Strict-Transport-Security header with a sufficient max-age once you've confirmed HTTPS works everywhere. |
| privacy.no_third_party_disclosure | Update the privacy policy to disclose analytics/advertising use and third-party data sharing, with a last-updated date. |
In a report, each finding renders its catalog entry inline — you don’t look codes up by hand. The codes are stable, so you can build your own automation around them (for example, the CI gate in the telehealth recipe).
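As an added example (not the project's own code), the Python below shows what you can build on top of a catalog of this shape: resolving scan findings to their entries, rendering remediation inline the way the report does, a CI consistency check that flags signature codes with no remediation entry, and a CI gate keyed on the stable codes. The `CATALOG` dict (the parsed form of the YAML entry above), the `FINDINGS` list and the `(code, url)` report schema are constructed assumptions.

```python
# Constructed catalog: the parsed form of the YAML entry shown above, shaped
# as the page documents. In practice: yaml.safe_load(open("catalog.yaml")).
CATALOG = {
    "tracking.pixel_on_intake": {
        "title": "Third-party tracking pixel on a patient-facing page",
        "description": "A third-party pixel was detected on an intake or appointment page.",
        "remediation_md": "1. Remove the pixel from intake, appointment, and portal pages.\n"
                          "2. Re-scan to confirm the indicator is gone.",
        "references": ["HHS OCR - Use of Online Tracking Technologies by HIPAA Covered Entities"],
    },
}
REQUIRED_KEYS = ("title", "description", "remediation_md", "references")
# Constructed scan output as (finding code, page URL); the real report schema is assumed.
FINDINGS = [
    ("tracking.pixel_on_intake", "https://example.test/appointments"),
    ("forms.phi_form_over_http", "https://example.test/contact"),  # code with no entry yet
]

def validate_catalog(catalog, signature_codes):
    """CI consistency check: every entry has the documented keys, and every code
    the signature catalog can emit has a remediation entry. Returns problem strings."""
    problems = []
    for code, entry in catalog.items():
        missing = [k for k in REQUIRED_KEYS if k not in entry]
        if missing:
            problems.append(f"{code}: missing {', '.join(missing)}")
    for code in sorted(set(signature_codes) - set(catalog)):
        problems.append(f"{code}: no remediation entry")
    return problems

def resolve(code, catalog=CATALOG):
    """Look up a finding code; an unknown code gets a stub so the report never drops it silently."""
    return catalog.get(code) or {"title": code, "description": "No catalog entry for this code yet.",
                                 "remediation_md": "", "references": []}

def render(findings, catalog=CATALOG):
    """Render each finding with its catalog entry inline, the way the report does."""
    blocks = []
    for code, url in findings:
        e = resolve(code, catalog)
        refs = "".join(f"\n- {r}" for r in e["references"])
        blocks.append(f"## {e['title']} [{code}]\nPage: {url}\n{e['description']}\n{e['remediation_md']}{refs}")
    return "\n\n".join(blocks)

def ci_gate(findings, blocking):
    """Codes are stable, so a gate is a set lookup: return the blocking codes that fired."""
    return sorted({code for code, _ in findings if code in blocking})

if __name__ == "__main__":
    print(render(FINDINGS))
```

Run `validate_catalog` in the same pipeline that publishes a new signature so a code can never ship without its remediation entry.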
Remediation guidance is not legal advice
Catalog references point to primary sources such as HHS OCR guidance. They’re a starting point for your team, not a determination that following them makes a site compliant. For compliance questions, consult qualified counsel.