Concepts
Severity taxonomy
Severity tells you how seriously to take a finding and how heavily it weighs on the score. It is context-aware: the same observation can be high on a patient-facing page and medium on a marketing page.
critical
Direct, serious PHI-exposure risk.
Examples
- A PHI-shaped intake form submitted over plain HTTP
- Apparent patient data exposed in an open directory listing
high
Strong risk indicator on a patient-facing page that also collects PHI on-page.
Examples
- Analytics on an appointment page that embeds a form collecting date-of-birth and reason-for-visit
- An expired TLS certificate
- An intake form whose action posts to a third-party domain
moderate
A meaningful gap worth addressing, but not an immediate exposure. (Internal key: medium.)
Examples
- Missing Content-Security-Policy or HSTS
- A privacy policy silent on third-party sharing
- Analytics on a patient-classified page where no embedded PHI form was actually observed
minor
Minor hardening gaps. (Internal key: low.)
Examples
- A missing Referrer-Policy or Permissions-Policy header
- A non-sensitive form missing autocomplete hints
advisory
Context worth surfacing that does NOT reduce the score. Used when an indicator is present but the corroborating risk signal is not.
Examples
- Analytics on a page that delegates PHI collection to a HIPAA-eligible form builder (Jotform HIPAA, Formstack, IntakeQ…)
- A tracker whose data path was determined not to touch health-related fields
info
Context, not a problem — surfaced so you have the full picture.
Examples
- A first-party analytics tool detected and correctly scoped
- A privacy policy present and recently updated
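The rules above can be read as a small decision procedure: an observation plus its page context yields a display severity, an internal key, and a flag saying whether it counts against the score. The following is an added illustration of that procedure, not the scanner's own code; the dataclass fields, function names and the point weights in `score_penalty` are assumptions chosen to mirror the taxonomy text.

```python
"""Worked model of the context-aware severity rules described above.

Added illustration, not the scanner's own code: field names, function names
and score weights are assumptions that mirror the taxonomy text.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Display label -> internal key. "moderate" is stored as "medium" and
# "minor" as "low"; every other label is its own key.
INTERNAL_KEY = {
    "critical": "critical",
    "high": "high",
    "moderate": "medium",
    "minor": "low",
    "advisory": "advisory",
    "info": "info",
}

# Only these four reduce the score; advisory and info are context only.
SCORE_AFFECTING = frozenset({"critical", "high", "moderate", "minor"})


@dataclass
class PageContext:
    """Observations about the page a finding sits on (assumed field names)."""
    patient_facing: bool                          # page classified as patient-facing
    phi_form_on_page: bool = False                # PHI-shaped form (DOB, reason-for-visit, ...) embedded on-page
    phi_delegated_to_hipaa_builder: bool = False  # PHI collection handed to a HIPAA-eligible form builder


@dataclass
class Finding:
    title: str
    severity: str

    @property
    def internal_key(self) -> str:
        return INTERNAL_KEY[self.severity]

    @property
    def affects_score(self) -> bool:
        return self.severity in SCORE_AFFECTING


def analytics_finding(ctx: PageContext, first_party_scoped: bool = False) -> Finding:
    """The same 'analytics present' observation lands on different severities
    depending on the corroborating signal: PHI collected on the page itself."""
    if first_party_scoped:
        sev = "info"        # first-party tool, correctly scoped: not a problem
    elif ctx.phi_delegated_to_hipaa_builder:
        sev = "advisory"    # indicator present, corroborating PHI signal absent
    elif ctx.patient_facing and ctx.phi_form_on_page:
        sev = "high"        # tracker beside an on-page PHI form
    else:
        sev = "moderate"    # patient-classified page with no PHI form seen, or a marketing page
    return Finding("third-party analytics detected", sev)


def form_finding(phi_shaped: bool, plain_http: bool, posts_to_third_party: bool,
                 missing_autocomplete_hints: bool = False) -> Optional[Finding]:
    """Severity for one observed form; None when there is nothing to raise."""
    if phi_shaped and plain_http:
        return Finding("PHI-shaped form submitted over plain HTTP", "critical")
    if phi_shaped and posts_to_third_party:
        return Finding("intake form posts to a third-party domain", "high")
    if not phi_shaped and missing_autocomplete_hints:
        return Finding("non-sensitive form missing autocomplete hints", "minor")
    return None


def score_penalty(findings: Iterable[Optional[Finding]]) -> int:
    """Sum the weights of score-affecting findings; advisory/info add zero.
    The weights are illustrative assumptions, not the scanner's real ones."""
    weight = {"critical": 40, "high": 20, "moderate": 10, "minor": 3}
    return sum(weight[f.severity] for f in findings if f and f.affects_score)


if __name__ == "__main__":
    # One observation, three contexts: high / moderate / advisory.
    for ctx in (PageContext(True, phi_form_on_page=True),
                PageContext(True),
                PageContext(True, phi_delegated_to_hipaa_builder=True)):
        f = analytics_finding(ctx)
        print(f"{f.severity:9} key={f.internal_key:9} affects_score={f.affects_score}")
    print("penalty:", score_penalty([form_finding(True, True, False),
                                     analytics_finding(PageContext(True, phi_delegated_to_hipaa_builder=True))]))
```

Note how `advisory` carries a title and a place in the report but never reaches `score_penalty`; that separation is the whole point of keeping advisory and info distinct from minor.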
Severity is a prioritization signal
Severities are calibrated to risk, not to legal exposure. A “critical” finding is the place to start, not a statement that a violation has occurred — only your own review (and, where appropriate, counsel) can make that call.