
AI in OnlyHIPAA — overview

OnlyHIPAA's AI features are collectively called Sherpa. They're woven through the app to take the busywork out of compliance — drafting, summarizing, explaining, and triaging — while always leaving the decision to you.

This page is the map. Each capability has its own help page linked below.

The one rule everything follows

AI proposes; a human reviews and applies. No AI output is ever applied to your program automatically. Every draft, summary, and verdict is a suggestion you accept, edit, or dismiss.

Two more guarantees behind every feature:

  • No patient data is sent to the model. AI works from aggregate figures and short labels — counts, scores, dates, question codes — never the contents of an individual's record. (Evidence summarization is the one place a document you uploaded is read; you choose which file, and it's treated as untrusted input.)
  • Every AI action is logged (metadata only — never the prompt or output text) and counts against your organization's daily AI limit.

What Sherpa can do

Ask & plan

  • Sherpa Q&A — ask plain-language questions about your program; answers cite the figures they used and stream in as they're written.
  • Next actions & Daily Brief — the highest-leverage things to do next, grounded in your data, with one-click deep links.

Assess & evaluate

  • Answer evaluation — checks an assessment answer against the requirement and your evidence, with a 95%-confidence bar; you can accept or override.
  • Answer drafting — suggests a starting answer for a question (suggest-only).
  • Explain a requirement — plain-language explanation of what a control is asking for.
  • Assessment executive summary — a board-level summary of a completed assessment.

Draft the work

  • Policy drafting · Risk drafting · Remediation drafting — turn a gap or finding into reviewable draft text or tasks.
  • Cross-framework coverage & crosswalk suggestions — map your HIPAA work onto other frameworks.

Evidence & posture

  • Evidence summarization & intake — summarize an uploaded document and suggest which questions it supports.
  • Compliance score & posture trend narrative — explains how your program moved over time.

Audit & breach

  • Mock OCR interview — a rehearsal of the questions an OCR investigator would ask, weighted to your weakest areas.
  • Incident triage — a draft HHS 4-factor breach risk assessment plus the deterministic notification deadlines.
  • Auditor packet narrative — a cover narrative for the export.

Stay on top of it

  • AI Suggestions inbox — one place for every AI draft waiting on you, with open-and-review or dismiss.

Tell us when it's wrong

Most AI output carries a 👍 / 👎 "Was this helpful?" control. Your ratings are private to your organization and surface on the AI Usage page (Settings → AI Usage), alongside token spend and per-feature breakdowns — so an admin can see which features are landing and which need attention.

Turning AI on or off

AI is included in every plan but is off until an org admin opts in (and accepts the data-sharing disclaimer), in Settings → Organization. On Settings → AI Usage an admin can see spend and set two ceilings: a daily call limit (how often) and a monthly token budget (how much). The token budget shows a warning as you approach it and blocks further calls once reached, resetting on the 1st. When AI is off, the AI surfaces show a short explainer instead of a dead button.

© 2026 OnlyHIPAA, Inc. All rights reserved.

OnlyHIPAA provides tools to assist with HIPAA compliance but does not constitute legal advice. Consult qualified legal counsel for specific compliance guidance.