Help Center
How can we help?
Answers, walkthroughs, and guidance for practice administrators using Blue Trust — written in plain English, citation-grade where it matters.
Getting Started
What does onboarding look like?
About sixty seconds. A practice administrator enters the practice name, specialty, state, and primary domain. No scripts to install, no analytics IDs to paste, no OAuth handoffs, and no access required to your CMS or hosting. Every check is external — the same posture a cyber insurance underwriter or plaintiff firm uses.
How long until my first score?
The instant analysis in the homepage hero returns a score and top finding in under sixty seconds. After you sign up, the full five-surface analysis completes within an hour, and your baseline Digital Presence Security Score and Trust Seal are available the same day.
Do I need to give Blue Trust access to my CMS or hosting?
No. Blue Trust is intentionally external-only. We never ask for, and never accept, credentials to your website, hosting account, EHR, email server, or any system holding patient data. If a request to grant access ever appears, it is not from us.
Reading Your Reports
How is my Digital Presence Security Score calculated?
Your score is a 0–1000 weighted composite (similar in feel to a credit score) across the surfaces Blue Trust monitors for your tier. Severity-weighted findings reduce the score; resolved findings restore it. The scoring engine is versioned — when we update weights, your historical chart shows which version produced which point.
What's the difference between the W-SRA and the Technical Risk Assessment?
The W-SRA (Web Security Risk Assessment) is the monthly evidence document — narrative, methodology, citations to the HIPAA Security Rule, no score or grade, designed to share with your attorney, broker, or an OCR investigator. The Technical Risk Assessment is the on-demand finding-by-finding view inside the dashboard, including severity, remediation, and your current score.
How do I share my report with my insurance broker?
Inside the dashboard, every monthly W-SRA can be downloaded as a PDF and shared with your cyber insurance broker, malpractice carrier, or outside counsel. A separate Security Score snapshot is also exportable. Practices routinely share these during renewal cycles as evidence of ongoing vigilance.
Findings & Severity
What does Critical / High / Medium severity mean?
Severity reflects three things: regulatory exposure (does the finding map to a HIPAA Security Rule citation), patient-data exposure (does it leak, or could it leak, PHI), and attacker utility (is it actively exploitable today). Critical findings carry both regulatory and exploitability weight; Medium and Low findings are tracked but typically don't warrant emergency action.
Why is a tracking pixel a HIPAA issue?
Pixels like Meta Pixel, GA4, and TikTok can transmit identifiers tied to pages a patient visited (appointment scheduling pages, condition-specific pages, intake forms) to third parties without the patient's authorization. OCR's December 2022 bulletin and ongoing enforcement actions treat this as an impermissible disclosure under 45 CFR §164.502(a).
What's the difference between a finding and an alert?
A finding is a state: something we currently observe on your surfaces. An alert is an event: something that just changed. Alerts fire when a new finding appears or an existing one is resolved. Monitoring (weekly on Core, daily on Pro) runs silently unless something changes.
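The two answers above describe a check (is a known pixel loader present on a page?) and a data model (a finding is a state, an alert is the difference between two consecutive states). The Python below is an added example written for this page, not Blue Trust's engine: the vendor signatures, the list of sensitive path hints, the severity assignment and the sample pages are assumptions or constructed inputs.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Loader / init snippets the three vendors publish. A pixel injected through a
# tag manager or served from a first-party proxy will not match, so a clean
# result from static HTML is not proof of absence (see the note after the block).
PIXEL_SIGNATURES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("meta_pixel",   re.compile(r"connect\.facebook\.net/[^'\"\s]*fbevents\.js")),
    ("meta_pixel",   re.compile(r"\bfbq\s*\(\s*['\"]init['\"]")),
    ("meta_pixel",   re.compile(r"facebook\.com/tr\?")),            # <noscript> <img> fallback
    ("ga4",          re.compile(r"googletagmanager\.com/gtag/js\?id=G-[A-Z0-9]+")),
    ("ga4",          re.compile(r"\bgtag\s*\(\s*['\"]config['\"]\s*,\s*['\"]G-[A-Z0-9]+")),
    ("tiktok_pixel", re.compile(r"analytics\.tiktok\.com/i18n/pixel/events\.js")),
    ("tiktok_pixel", re.compile(r"\bttq\.load\s*\(")),
]

# Assumed heuristic: a visit to one of these paths itself reveals something
# about the visitor, so a pixel there is rated "critical"; elsewhere "high".
SENSITIVE_PATH_HINTS = ("schedul", "appointment", "intake", "condition", "portal")
CITATION = "45 CFR §164.502(a)"   # the impermissible-disclosure citation the FAQ names

@dataclass(frozen=True, order=True)
class Finding:
    page: str       # path on the practice's site
    vendor: str     # which pixel family was observed
    severity: str   # "critical" or "high" (assumed mapping above)

def detect_pixels(path: str, html: str) -> FrozenSet[Finding]:
    """Findings for one page: the *state* currently observed on that page."""
    sensitive = any(hint in path.lower() for hint in SENSITIVE_PATH_HINTS)
    vendors = {vendor for vendor, rx in PIXEL_SIGNATURES if rx.search(html)}
    return frozenset(Finding(path, v, "critical" if sensitive else "high") for v in vendors)

def scan_site(pages: Dict[str, str]) -> FrozenSet[Finding]:
    """One scan = union of per-page findings. Input maps path -> fetched HTML."""
    found: set = set()
    for path, html in pages.items():
        found |= detect_pixels(path, html)
    return frozenset(found)

def diff_scans(previous: FrozenSet[Finding], current: FrozenSet[Finding]) -> List[Tuple[str, Finding]]:
    """Alerts are *events*: findings that appeared or were resolved since the last scan.
    An unchanged state yields no alerts, which is what 'runs silently' means."""
    new = [("new", f) for f in sorted(current - previous)]
    resolved = [("resolved", f) for f in sorted(previous - current)]
    return new + resolved

def describe(alert: Tuple[str, Finding]) -> str:
    """Plain-English alert line: what changed, where, and the citation at stake."""
    kind, f = alert
    verb = "appeared on" if kind == "new" else "was removed from"
    return f"[{f.severity.upper()}] {f.vendor} {verb} {f.page} ({CITATION})"

# Constructed sample pages (not real practice HTML); all identifiers are placeholders.
GA4 = ('<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE1"></script>'
       "<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}"
       "gtag('js',new Date());gtag('config','G-EXAMPLE1');</script>")
META = ("<script>!function(f,b,e,v,n,t,s){/* loader */}(window,document,'script',"
        "'https://connect.facebook.net/en_US/fbevents.js');"
        "fbq('init','000000000000000');fbq('track','PageView');</script>")
TIKTOK = ("<script>!function(w,d,t){/* loader */}(window,document,'ttq');"
          "ttq.load('EXAMPLEPIXEL');ttq.page();</script>")

SITE_DAY_1 = {
    "/": "<html><head>" + GA4 + "</head><body>Welcome</body></html>",
    "/schedule-appointment": "<html><head>" + GA4 + META + "</head><body><form>...</form></body></html>",
}
SITE_DAY_2 = {
    "/": "<html><head>" + GA4 + "</head><body>Welcome</body></html>",
    "/schedule-appointment": "<html><head>" + GA4 + "</head><body><form>...</form></body></html>",
    "/intake": "<html><head>" + TIKTOK + "</head><body><form>...</form></body></html>",
}

if __name__ == "__main__":
    first = scan_site(SITE_DAY_1)
    for alert in diff_scans(frozenset(), first):   # a first scan: every finding is "new"
        print(describe(alert))
    print("--- next scan ---")
    for alert in diff_scans(first, scan_site(SITE_DAY_2)):
        print(describe(alert))
```

On the second run the Meta Pixel removal on the scheduling page shows up as a "resolved" alert and the new TikTok loader on the intake form as a "new" one; the unchanged GA4 tags produce nothing. Two practitioner caveats that the regex approach does not cover: pixels injected at runtime by a tag manager only appear if you render the page (a headless browser) and watch outbound requests, and the severity tiers here are an assumed mapping, not the weights the product's versioned scoring engine uses.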
What happens when you find something?
You get an immediate email (or SMS on Pro) with the finding, its HIPAA citation, its exact location, and plain-English remediation guidance your webmaster can act on. Monitoring runs silently unless something actually changes — no noise.
Account & Billing
What's included on Core vs. Pro?
Core ($99/mo) monitors Website Security and Email Security weekly, with the monthly W-SRA report, the Security Score, the Trust Seal, and the HIPAA documentation layer. Pro ($199/mo) adds daily monitoring across Patient Reviews, Reputation Management, and Regulatory Intelligence. Same monitoring engine, same monthly artifact; Pro just observes more of your digital presence.
Can I change tiers?
Yes. You can move between Core and Pro at any time from the Account area. Upgrades unlock the additional surfaces immediately; downgrades take effect at the next billing cycle so you keep continuity of monitoring.
How is the Trust Seal billed?
The Trust Seal is included in every paid tier at no additional cost. There is no per-impression or per-click fee. Your public Trust Center page is hosted by us.
Cancellation and data retention.
You can cancel from the Account area; access continues until the end of the current billing cycle. After cancellation, your monitoring artifacts (W-SRA history, score history, finding records) remain available for export for 90 days, after which they are deleted. We never sell or share customer data.
Trust Seal & Sharing
How do I install the Trust Seal on my site?
From the dashboard, copy a single line of HTML into your website footer (most CMSes have a footer or theme-edit setting). It renders a small badge that links to your public Trust Center page. No JavaScript trackers, no third-party data — just an embeddable image with a hyperlink.
What do patients see when they click it?
Your public Trust Center — a one-page summary of what Blue Trust currently observes about your practice's digital security posture. It does not show specific findings or technical detail; it shows the categories monitored and your current verification status. Designed to reassure patients without becoming a roadmap for attackers.
Compliance & HIPAA
Is Blue Trust a HIPAA Business Associate?
No, intentionally. Blue Trust is not a HIPAA Business Associate, no BAA exists or will be signed, and no feature requires PHI to be sent to us. Every check is external. The Review Response PHI Checker, for example, runs entirely in your browser — your draft never reaches our servers.
Does the W-SRA satisfy my Security Risk Analysis requirement?
The W-SRA is evidence supporting your Security Risk Analysis under 45 CFR §164.308(a)(1)(ii)(A) — specifically the ongoing review of vulnerabilities to electronic protected health information from your public-facing surfaces. It is not a complete enterprise SRA on its own; most practices pair it with their internal risk assessment and policy work.
We already pay for a HIPAA compliance platform. Do we need this too?
Compliance platforms sell policy templates, training modules, and questionnaire-based self-assessments. They don't analyze your site for Meta Pixel, monitor your reviews for PHI disclosures, or watch for typosquatted domains. Blue Trust is the monitoring layer that sits alongside your compliance tooling — the part OCR's Risk Analysis Initiative is penalizing practices for missing.
Is the monthly W-SRA report defensible?
It's designed to be. A 10–15 page PDF on the first of each month covering findings, methodology, HIPAA Security Rule citations, and month-over-month trend. It's formatted for the three audiences who might ever request it: your attorney, your cyber insurance broker, and an OCR investigator.
Still need help?
Talk to a human on our team.
Real responses from a real team. We aim to reply within one business day.