Legal classification of the Assessed party.

Type of organization as interpreted by HIPAA.

Count of sensitive records within the scope of the Assessment.

Count of sensitive records received or transmitted yearly within the scope of the Assessment.

Count of individuals enrolled in health insurance plans.

Count of people that were provided care for in the past year.

Count of hospital beds available within the facilicites of the scope.

Count of prescription orders fulfilled yearly.

Count of people that were provided care for in the past year.

Count of Physicians employed by the Assessed organization.

Count of sensitive transactions processed yearly.

Count of TBs of sensitive data stored.

Count of MBs of sensitive data processed yearly.

Geographic reach of the systems and facilities being Assessed.

An information system or application to which users are able to gain access from a public network (e.g., Internet). Applies whether the application is publicly exposed or is behind a firewall accessible only after first establishing access to an internal domain (e.g., VPN).

An information system or application to which approved third-parties are provided access. A third-party is any entity that is separate from the organization, that has been authorized for physical and/or logical access to the scoped system. This includes cloud service providers as the provider would have the physical access to the organization's systems. Furthermore, third-party accessibility does not depend on the means of access and occurs regardless of whether it is over a public network or whether the application is specifically hosted for customer use, for the purpose of operation, administration, or maintenance. Customers are considered "second-parties," not "third-parties;" and therefore, should not be considered when answering this question.

An information system or application that exchanges information (interactively or through system-to-system connectivity) with a third-party (e.g., business partners, vendors, cloud service providers).

The host organization has positioned the information system or application in a public location (e.g., a kiosk in the welcome area of a hospital wing that lacks strict visitor control), which is distinct from a person using their own laptop to access their online bank account from a coffee shop.

Connects with or otherwise conducts transactions with or through an HIE, where a transaction is defined as the electronic movement of health-related information among organizations according to nationally recognized standards, e.g., X12 EDI or HL7.

The number of interconnections (whether or not persistent) a system or application has with other systems, regardless of location, for the purpose of sharing data where the responsibility for security control lies outside the boundary of the existing system (whether with another part of the same organization or a third-party).

The number of users that have access to an information system, application, or service.

The average number of transactions per day (i.e., in a 24-hour period), computed annually, where a transaction is defined as a discrete event between a user and a system that supports a business or programmatic purpose. A digital system may have multiple categories or types of transactions, where risk would need to be evaluated and the response adjusted based on the degree to which a transaction happens within a discrete environment (e.g., entirely within a virtual server), internal to a segment or network domain (e.g., entirely within a company network), or routes externally (e.g., over leased lines, a VPN, or a public network). It should be noted that all online transactions are transactions, but not all transactions are online, and e-commerce exchanges would fall within the scope of online transactions, by definition.

This question pertains to situations where users can connect to the organization's internal network from a remote/external network that is not controlled by the organization through the use of VPN, SSH proxy, telnet, or similar.

Hardware tokens are physical devices that provides a one-time key or nonce (e.g., PIV card, USB dongle, or fob). The use of mobile apps, email, and similar applications for two- or multi-factor authentication are not hardware tokens.

Bring your own device (BYOD) include any devices outside of the organization's control that can be used to connect to organizational assets.

Wireless access points outside of the control of the organization, such as home and public wireless networks, are excluded from this factor.

Information systems development refers to the practice of creating, testing, constructing, and/or introducing new computer systems, including, but not limited to, application, interface, database, and application programming interface (API) development.

The use of electronic signatures includes, but not limited to, e-prescription.

Applicable when the scope of the assessment includes the processing (use, storage, transmission, etc.) of payment card (“credit card”) information.

Generally applies to Federal Agencies; NIST SP 800-53 control requirement MAY also apply to Federal contractors if the contract specifies adherence to FISMA security requirements, NIST control requirements, and/or requires a System Security Plan (contact your contract’s contracting officer representative, COR, for more information).

Required if the organization, in the regular course of business, obtains or uses consumer reports in connection with a credit transaction, furnishes information to consumer reporting agencies in connection with a credit transaction, or advances funds to or on behalf of a person, in certain cases.

According to 201 CMR 17.01(2), the provisions of this regulation apply to all persons that own or license personal information about a resident of the Massachusetts Commonwealth.

Applicable to “data collectors” in the State of Nevada, which according to Chapter 603.030 includes any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information (e.g., name, SSN, medical ID number; see NRS 603A.040).

Applies to all “covered entities,” which according to TX Health & Safety Code Title 2, Subtitle I, § 181.001(2) includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site in the State of Texas; or any person that (1) comes into possession of protected health information of a Texas resident; (2) obtains or stores protected health information of a Texas resident under this chapter; or (3) is an employee, agent, or contractor of an entity or person so described.

Applies to many types of health care organizations, including hospitals, doctor offices, nursing homes, office-based surgery centers, behavioral health treatment facilities, and providers of home care services that are accredited by the Joint Commission or seek to become accredited by the Joint Commission.

Generally applies to Federal Agencies; NIST SP 800-53 control requirement MAY also apply to Federal contractors if the contract specifies adherence to FISMA security requirements, NIST control requirements, and/or requires a System Security Plan (contact your contract’s contracting officer representative, COR, for more information).

Applies only to Health Insurance Exchanges (HIXs) and requires compliance with the Minimum Acceptable Risk Safeguards for Health Insurance Exchanges (MARS-E).

Applies to recipient agencies, agents, or contractors of Federal Tax Information (FTI); generally applies to organizations that use personal tax information to determine benefits or subsidies (e.g., welfare agencies, Health insurance Exchanges (HIXs)).

Is intended to apply to any profit or non-profit organization located anywhere in the world that collects personal information about a California resident; supports the CA Attorney General’s interpretation of “reasonable security” as, at a minimum, meeting the requirements specified in the Center for Internet Security (CIS) Critical Security Controls (CSC).

Generally used to assess the protections afforded a de-identified data set in its intended use environment (e.g., processed, stored, transmitted) based on the criteria outlined in the HITRUST De-identification Framework.

Applies to organizations such as, but not limited to, electronic health networks, hospitals, physicians, financial services firms state regulators, and vendors that are accredited or seeking to become accredited by the Electronic Healthcare Network Accreditation Commission (EHNAC).

Applies to organizations that are evaluating the operational resilience and cybersecurity capabilities within Critical Infrastructure and Key Resources sectors, as well as State, Local, Tribal, and Territorial governments.

Applicable to state member banks, bank and savings and loan holding companies (including their nonbank subsidiaries), and U.S. operations of foreign banking organizations that must assess their level of information security risk and evaluate the adequacy of controls and applicable risk management practices.

Applies to cloud providers that are required to obtain a security assessment from a third-party assessment organization (3PAO) to sell government cloud services to a federal agency; may also be used voluntarily by cloud services providers and other entities that use their services to demonstrate a minimum level of due care and due diligence.

Applies to records required for clinical investigations of medical products that are maintained in electronic format in place of paper format, including all records that are necessary for FDA to reconstruct a study; records required for clinical investigations of medical products that are maintained in electronic format and where the electronic record is relied on to perform regulated activities; records for clinical investigations submitted to FDA in electronic format under predicate rules, even if such records are not specifically identified in FDA regulations; and electronic signatures required for clinical investigations intended to be the equivalent of handwritten signatures, initials, and other general signings.

Applies to all organizations processing the personal data of data subjects residing in the European Union, regardless of the organization’s location.

Applicable to all companies within the state of New York that are operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.

Applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.

Applies to all organizations that collect, use, and disclose personal data in Singapore, and to all organizations collecting, using, or disclosing personal data from individuals in Singapore, whether or not the organization has a physical presence in Singapore.