Assessments
An assessment is a structured walk through a set of HIPAA questions. Each question is answered Yes, No, Partial, or N/A, with optional notes and supporting evidence.
Running an assessment
- Create an assessment and name it. The core HIPAA question set is always included; optionally scope in one or more frameworks (e.g. NIST CSF, SOC 2) to also map your answers onto their controls. You can change the frameworks later.
- Work through the questions, answering Yes / No / Partial / N/A with optional notes. Answers save as you go — you don't need to finish in one sitting. Scope-aware questions repeat per location or per ePHI system so you answer them where they actually apply. Marking a question **N/A requires a short justification** (e.g. "we operate no on-prem servers") so an auditor can tell a deliberate scoping decision from a skipped question — the note saves automatically once you enter it. You can also mark a whole section N/A with one shared justification.
- Attach evidence to questions that an auditor would expect to see documented.
- Optionally mark the assessment Under Review, an interim state that signals it's ready for an internal check while answers stay editable and no findings are generated yet. Then mark it Complete when finished: completing locks answers and turns every gap (a "no" or "partial") into a tracked finding. You can reopen a completed assessment later.
Assignment
Org admins can assign whole sections or individual questions to a teammate. Assigned users can edit only their slots; everyone else sees the assessment read-only. The "Assigned to me" filter narrows the list to your work.
Renewal & comparison
Completed assessments can be renewed into a new run that carries prior answers and section assignments forward. On a renewal, use Compare to prior run to see exactly what improved or regressed since last time.
While answering, each question shows a Prior assessment panel when a previous answer exists — the verdict (Yes/No/Partial/N/A), the date, and the prior note — with a Use this answer button that carries it forward in one click. The source is the renewal parent if set, otherwise your most recent completed assessment of the same type. The panel opens automatically on questions you haven't answered yet, so a year-over-year reassessment is mostly review-and-confirm.
AI help on a question (when AI is enabled)
Two Sherpa helpers appear on each question:
- Explain this requirement — a plain-language explanation of what the cited control asks for, examples of evidence that satisfy it, and the common pitfalls. It is grounded strictly in the requirement's stored regulatory text and recommended solution, and is cached per question so your whole team reuses one generation.
- Draft answer — a non-binding starting point: a suggested answer value, editable draft notes, and the evidence you'd need to support it. It reflects an honest reading of what you've shown (it won't claim compliance you haven't demonstrated). You decide how to use it:
  - **Fill the fields** drops the draft into the answer box for you to edit before saving — nothing is written until you click an answer.
  - **Apply to this answer** saves the suggested answer and notes in one step. It asks you to confirm first, is recorded in the activity log, and can be edited or re-evaluated afterward — it's a faster path to the same save, not an automatic one.
Both helpers spend AI quota when run, and neither sends patient data to the model. The model receives only the requirement text, your own prior notes, and the AI summaries of evidence already attached to that control (so the draft reflects what's actually on file).
After an AI evaluation, if the answer already has a finding (findings are generated from "no"/"partial" answers), the result offers a Draft remediation for this finding → link that takes you to the finding, where Sherpa can draft the remediation tasks to close it.