OnlyHIPAA

Findings

A finding is a documented gap — something an assessment showed isn't fully in place. Findings are how you track what needs fixing and prove to an auditor that you're managing it.

Where findings come from

  • Generated automatically when you complete an assessment: every question answered No or Partial becomes an open finding, carrying its risk level and the requirement it relates to.
  • Created manually for gaps you discover outside an assessment (use **Create finding**).

A generated finding links back to its source assessment — open it to see the exact question and your answer.

Working a finding

  • Risk level (critical → informational) drives prioritization.
  • Status: open → in progress → resolved (or accepted as risk / false positive). Set a risk treatment (mitigate / accept / transfer / avoid) to record your decision.
  • Assign a finding to a teammate; they're notified.
  • Evidence: attach the artifacts that prove the gap is closed.
  • Remediation tasks: break the fix into tracked tasks — see the Remediation tasks panel on the finding. Sherpa can draft them for you.

Tips

  • Resolve a finding only when you have evidence the control is implemented and operating — that's what an auditor checks.
  • The compliance score weights open findings heavily, so closing them is the fastest way to raise your posture.

© 2026 OnlyHIPAA, Inc. All rights reserved.
