Getting started

Glossary

Sift Health uses deliberate, careful vocabulary. We say risk score, indicator, observation, and recommendation — never 'compliant', 'certified', or 'audit'. Here's what each term means.

Risk score
A 0–100 number summarizing the publicly observable risk indicators found on a site. Higher is better: fewer and less severe indicators push the score up. It is a relative measure for comparison across scans and sites, not a compliance pass/fail.
Grade
An A–F letter mapped from the risk score, in the style of SSL Labs / SecurityHeaders.com, for quick comparison over time.
Risk indicator
An observable signal that correlates with PHI-exposure risk — for example, a third-party analytics tag on an appointment page. An indicator is a signal, not a proof of a violation.
Observation
A neutral statement of something the scanner saw — e.g. 'no Strict-Transport-Security header was present'. Observations underlie findings.
Finding
A scored item in a report: a category, a severity, a stable code, a title, a description, the evidence behind it, and a remediation recommendation.
Severity
How serious a finding is: critical, high, medium, low, or info. Severity is context-aware: the same tracker is rated more severe on a patient-facing page than elsewhere on the site.
Category
One of the six weighted buckets: Tracking & Third-Party Exposure, Privacy Policy & Disclosures, Forms & PHI Exposure, Transport Security, Security Headers, and Infrastructure Hygiene.
Recommendation
The concrete next action attached to a finding — what to change, and why — drawn from the remediation catalog.
PHI
Protected Health Information: individually identifiable health information governed by HIPAA. Sift Health looks for signals that public pages could leak or mishandle PHI; it never collects PHI itself.
Page type
The scanner's heuristic classification of a crawled page: privacy_policy, intake_form, appointment, portal, general, or unknown. Page type decides which analyzers run and how findings are weighted.
Tracker
A third-party script or pixel (analytics, advertising, or session replay) that sends visitor data off-site. On patient-facing pages these are the highest-weighted risk indicators.
Monitored site
A domain you've verified and registered for recurring rescans, with alerting on changes.
Domain verification
Proving you control a domain via a DNS TXT record or a meta tag, required before enabling recurring monitoring.
Disclaimer
The structured statement included in every report (UI and API) clarifying that the scan covers only public pages and is not a HIPAA compliance audit or legal determination.
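To make the relationships between these terms concrete (observation, finding, context-aware severity, weighted categories, risk score, grade, disclaimer), here is an added illustrative model in Python. It is not Sift Health's code: the category weights, the severity-to-points table, the rule that bumps tracker severity one level on patient-facing pages, the A–F thresholds, and the finding codes and URLs in the sample are all assumptions chosen to show how such a score could be derived, not the product's actual scoring.

```python
"""Illustrative scoring model for the glossary terms (added example, not Sift Health's code).

All numbers below are assumptions: category weights, severity deductions, the
page-type rule for tracker severity, and the grade thresholds.
"""
from dataclasses import dataclass, field

# Six categories from the glossary; weights are assumed and sum to 1.0.
CATEGORY_WEIGHTS = {
    "Tracking & Third-Party Exposure": 0.30,
    "Privacy Policy & Disclosures": 0.15,
    "Forms & PHI Exposure": 0.20,
    "Transport Security": 0.15,
    "Security Headers": 0.10,
    "Infrastructure Hygiene": 0.10,
}

# Assumed deduction per finding, on a 0-100 scale within its category.
SEVERITY_POINTS = {"critical": 60, "high": 35, "medium": 15, "low": 5, "info": 0}
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

# Page types from the glossary; which ones count as patient-facing is assumed.
PATIENT_FACING = {"intake_form", "appointment", "portal"}

DISCLAIMER = ("This scan covers only publicly reachable pages and is not a "
              "HIPAA compliance audit or a legal determination.")


@dataclass
class Observation:
    """A neutral statement of what the scanner saw on a specific page."""
    page_url: str
    page_type: str
    text: str


def contextual_severity(base: str, category: str, page_type: str) -> str:
    """Assumed rule: tracker findings move up one severity level on patient-facing pages."""
    if category == "Tracking & Third-Party Exposure" and page_type in PATIENT_FACING:
        idx = SEVERITY_ORDER.index(base)
        return SEVERITY_ORDER[min(idx + 1, len(SEVERITY_ORDER) - 1)]
    return base


@dataclass
class Finding:
    """A scored report item: code, category, severity, title, evidence, recommendation."""
    code: str
    category: str
    base_severity: str
    title: str
    description: str
    evidence: Observation
    recommendation: str
    severity: str = field(init=False, default="")

    def __post_init__(self):
        # Final severity depends on the page type the evidence was observed on.
        self.severity = contextual_severity(self.base_severity, self.category,
                                            self.evidence.page_type)


def category_score(findings, category: str) -> int:
    """Start each category at 100 and deduct points per finding, floored at 0."""
    deductions = sum(SEVERITY_POINTS[f.severity] for f in findings if f.category == category)
    return max(0, 100 - deductions)


def risk_score(findings) -> int:
    """Weighted sum of category scores; higher is better."""
    return round(sum(w * category_score(findings, c) for c, w in CATEGORY_WEIGHTS.items()))


def grade(score: int) -> str:
    """Assumed A-F thresholds in the SSL Labs / SecurityHeaders.com style."""
    for threshold, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= threshold:
            return letter
    return "F"


def example_report(tracker_page_type: str) -> dict:
    """Constructed sample: one analytics tag plus one missing HSTS header.

    The tracker is placed on a page of the given type so the effect of page
    type on severity, score and grade can be compared directly.
    """
    findings = [
        Finding("TRACKER-ANALYTICS",  # constructed code, not a real Sift Health code
                "Tracking & Third-Party Exposure", "medium",
                "Third-party analytics tag present",
                "A third-party analytics script sends visitor data off-site.",
                Observation("https://clinic.example/book", tracker_page_type,
                            "third-party analytics script loaded"),
                "Remove the tag from patient-facing pages or replace it with a "
                "first-party, consent-gated alternative."),
        Finding("HSTS-MISSING",  # constructed code
                "Transport Security", "medium",
                "No Strict-Transport-Security header",
                "Browsers are not instructed to always use HTTPS for this host.",
                Observation("https://clinic.example/", "general",
                            "no Strict-Transport-Security header was present"),
                "Send Strict-Transport-Security with a max-age of at least one year."),
    ]
    score = risk_score(findings)
    return {"score": score, "grade": grade(score),
            "findings": [(f.code, f.severity) for f in findings],
            "disclaimer": DISCLAIMER}


if __name__ == "__main__":
    for page_type in ("general", "appointment"):
        print(page_type, example_report(page_type))
```

Running the sample both ways shows why severity is described as context-aware: the identical analytics tag is rated medium on a general page but high on an appointment page, and under these assumed weights that single change moves the site from an A to a B. Every report dict also carries the disclaimer, mirroring the glossary's rule that the statement ships with every UI and API report.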

Why the vocabulary matters

The word choices aren’t cosmetic. An automated external scan cannot determine HIPAA compliance, so describing results as “compliant” or a “pass” would be inaccurate and potentially misleading. Sticking to indicators, observations, and recommendations keeps the product honest about what it can and cannot know.