Healthcare compliance, done right and done faster
Sherpa, OnlyHIPAA's AI compliance guide, reviews your evidence, drafts your findings and remediation, and answers questions about your posture. It guides your team through HIPAA, SOC 2, ISO 27001, the NIST frameworks, and 14 more built-in libraries — 17 in all — so assessments stay accurate and audit-ready.
30-day free trial · Cancel anytime · Signed BAA included
Everything you need for compliance
From risk assessment to remediation, OnlyHIPAA pairs structured, healthcare-specific workflows with AI that reviews evidence, drafts findings, and recommends your next action. Assessments move faster, score more accurately, and stay audit-ready.
Sherpa, your AI compliance guide
Sherpa reads each answer and its evidence against the cited requirement, then passes it or drafts the fix, only clearing what it is highly confident in. Ask plain-language questions about your posture and get your three highest-impact next actions, grounded only in your own data.
Security Rule Assessment
Guided workflows cover every HIPAA Security Rule safeguard: administrative, physical, and technical, with automated scoring. Sherpa reviews each answer against the cited standard and flags what falls short.
Privacy Rule Assessment
Evaluate PHI handling, your Notice of Privacy Practices, patient rights procedures, and minimum-necessary policies. Sherpa checks your evidence against each requirement and drafts a suggestion where it sees a gap.
Risk Analysis & Scoring
Quantitative scoring by likelihood and impact, with gaps mapped to the regulatory citation they implicate. Sherpa drafts your risk-register entries from an assessment's deficiencies, ready for you to review and accept.
Evidence Collection
Upload, tag, and reuse policies, procedures, and documentation across assessments. Sherpa summarizes each document and suggests which questions it satisfies, so evidence lands where it belongs.
Remediation Planning
Sherpa drafts concrete, prioritized tasks from your findings, which you review and assign with owners, due dates, and status. Your team discusses the work in context with comments and @mentions. Show auditors a complete remediation history in one click.
Ongoing Compliance Operations
Compliance is a program, not a one-time report. Track a live compliance score, business associates and BAAs, security incidents and breach timelines, workforce training, access reviews, your PHI data-flow map, and a calendar of every recurring deadline.
Audit-Ready Reports
Generate complete risk assessment reports in one click, with custom branding and detailed technical findings. Sherpa writes the plain-language executive summary your board and auditors read first.
Multi-Framework Coverage
Map one assessment to 17 built-in frameworks — HIPAA, SOC 2, ISO 27001/27701/42001, the NIST CSF/Privacy/AI RMF/800-53, HITRUST, HICP, CIS, PCI DSS, FedRAMP, CMMC, and consumer-privacy law. Built-in control libraries and Sherpa's cross-framework mapping let you answer once and satisfy many.
Built by Compliance Experts
OnlyHIPAA is built and maintained by certified healthcare security and privacy practitioners holding CISSP, CISA, and AI-governance credentials. Every question, citation, and AI judgment reflects real OCR, Security Rule, and Privacy Rule expertise, so your assessment holds up under audit scrutiny.
From kickoff to compliance in weeks, not months
Set up your organization
Define your locations, ePHI systems, and business associates. OnlyHIPAA automatically tailors the assessment scope to your environment.
Complete the assessment
Work through guided question sets as a team. Assign sections to the right people across IT, HR, compliance, and operations, and track progress in real time.
Review findings and risks
The platform scores each risk area and cites the exact regulation. Sherpa reviews your answers and evidence against each requirement, flags what falls short with a concrete suggestion, and writes a board-ready executive summary, so review is faster and more consistent.
Remediate and report
Let Sherpa draft your remediation tasks from the findings, then assign owners and track progress. Ask what to tackle next, and export your complete risk assessment report for your board, auditors, or OCR.
Trusted by compliance teams
"OnlyHIPAA cut our annual risk assessment time from three months to three weeks. The structured workflows and built-in regulatory citations make it easy to get the whole team aligned."
"We'd been dreading our first formal risk assessment. OnlyHIPAA made it structured, manageable, and even educational. The gap analysis report came together in an afternoon."
"As a HIPAA consultant working with dozens of clients, OnlyHIPAA gives me a scalable way to run consistent, defensible assessments. The evidence reuse feature alone saves me hours per engagement."
Less time on the paperwork, more on the program
Structured workflows, reusable evidence, and grounded AI turn a months-long scramble into a repeatable process.
Frameworks in one assessment
HIPAA, SOC 2, ISO 27001/27701/42001, NIST CSF/Privacy/AI RMF/800-53, HITRUST, HICP, CIS, PCI DSS, FedRAMP, CMMC, and consumer-privacy law — answers reused across them.
To a defensible assessment
Guided questions, built-in control libraries, and team assignment compress the first formal assessment from a quarter to a few weeks.
Data retained by the AI
Sherpa runs under a BAA with zero data retention, never trains on your content, and never applies anything without a human review.
A structured platform, not another spreadsheet
The difference between answers in a file and an assessment that holds up to an audit.
Fits the stack you already run
Connect identity, alerting, and your own tooling. Standards-based, so there's nothing proprietary to lock into.
Simple, transparent pricing
No per-seat fees that punish collaboration. Pay for what your organization needs.
Starter
Perfect for small practices and clinics
- ✓ 1 organization, up to 5 users
- ✓ Security Rule and Privacy Rule assessments
- ✓ Sherpa AI compliance guide, included
- ✓ Evidence library and gap-analysis reports
- ✓ Signed BAA included
- ✓ Email support
Professional
For growing health systems and MSOs
- ✓ Includes everything in Starter, plus:
- ✓ Unlimited organizations and users
- ✓ All frameworks: HIPAA, SOC 2, ISO, NIST
- ✓ Advanced risk scoring and analytics
- ✓ BAA tracking and branded reports
- ✓ Priority support and guided review
Enterprise
For consultants and large health systems
- ✓ Includes everything in Professional, plus:
- ✓ Multi-tenant client management
- ✓ White-label reports and SSO
- ✓ API access and custom integrations
- ✓ Dedicated success manager
- ✓ SLA guarantees
All plans include a 30-day free trial and a signed Business Associate Agreement (BAA).
Questions, answered
How is this different from doing our risk assessment in a spreadsheet?
A spreadsheet captures answers but not the structure auditors expect: regulatory citations, threat-and-vulnerability scoring, evidence linkage, a tracked remediation plan, and an audit trail of who changed what and when. OnlyHIPAA builds all of that as you work, so the output is a defensible assessment, not a static file that goes stale the moment you close it.
How long does a risk assessment take?
Most teams complete a first formal Security Rule assessment in days rather than weeks. Guided questions, built-in control libraries, and cross-framework mapping mean you answer once and reuse it everywhere, and you can assign sections across your team and track progress as you go.
Do we need to sign a BAA?
Yes, and one is included with every plan. A Business Associate Agreement is available for signature as soon as your account is active, and we execute it before you store any PHI-related data.
Will our data be safe?
Tenants are isolated with organization-scoped, row-level access controls; data is encrypted with AES-256 at rest and TLS 1.3 in transit; sessions are server-side and revocable; and every action is written to an immutable, six-year audit log. AI runs under a BAA with zero data retention and never sees PHI. See the security page for the full posture.
What happens after the free trial?
The 30-day trial needs no credit card. If you continue, pick the plan that fits; if you do not, you can export all of your assessment data, evidence, and reports at any time in standard formats.
More on plans and data handling in our pricing FAQ and security overview.