AI in OnlyHIPAA — overview
OnlyHIPAA's AI features are collectively called Sherpa. They're woven through the app to take the busywork out of compliance — drafting, summarizing, explaining, and triaging — while always leaving the decision to you.
This page is the map. Each capability has its own help page linked below.
The one rule everything follows
AI proposes; a human reviews and applies. No AI output is ever applied to your program automatically. Every draft, summary, and verdict is a suggestion you accept, edit, or dismiss.
Two more guarantees behind every feature:
- No patient data is sent to the model. AI works from aggregate figures and short labels — counts, scores, dates, question codes — never the contents of an individual's record. (Evidence summarization is the one place where a document you uploaded is read in full; you choose which file, so keep PHI out of what you upload, and the file's contents are treated as untrusted input: data to summarize, not instructions to follow.)
- Every AI action is logged (metadata only — never the prompt or output text) and counts against your organization's daily call limit and monthly token budget.
What Sherpa can do
Ask & plan
- Sherpa Q&A — ask plain-language questions about your program; answers cite the figures they used and stream in as they're written.
- Next actions & Daily Brief — the highest-leverage things to do next, grounded in your data, with one-click deep links.
Assess & evaluate
- Answer evaluation — checks an assessment answer against the requirement and your evidence, measured against a 95% confidence bar; whatever the verdict, you accept or override it.
- Answer drafting — suggests a starting answer for a question (suggest-only).
- Explain a requirement — plain-language explanation of what a control is asking for.
- Assessment executive summary — a board-level summary of a completed assessment.
Draft the work
- Policy drafting · Risk drafting · Remediation drafting — turn a gap or finding into reviewable draft text or tasks.
- Cross-framework coverage & crosswalk suggestions — map your HIPAA work onto other frameworks.
Evidence & posture
- Evidence summarization & intake — summarize an uploaded document and suggest which questions it supports.
- Compliance score & posture trend narrative — explains how your score and posture moved over time, and what drove the change.
Audit & breach
- Mock OCR interview — a rehearsal of the questions an OCR investigator would ask, weighted to your weakest areas.
- Incident triage — a draft HHS 4-factor breach risk assessment, plus the notification deadlines, which are computed deterministically from the discovery date rather than generated by the model.
- Auditor packet narrative — a cover narrative for the export.
Stay on top of it
- AI Suggestions inbox — one place for every AI draft waiting on you, with open-and-review or dismiss.
Tell us when it's wrong
Most AI output carries a 👍 / 👎 "Was this helpful?" control. Your ratings are private to your organization and surface on the AI Usage page (Settings → AI Usage), alongside token spend and per-feature breakdowns — so an admin can see which features are landing and which need attention.
Turning AI on or off
AI is included in every plan but is off until an org admin opts in (and accepts the data-sharing disclaimer) in Settings → Organization. On Settings → AI Usage an admin can see spend and set two ceilings: a daily call limit (how often) and a monthly token budget (how much). The token budget shows a warning as you approach it and blocks further calls once it is reached, resetting on the 1st of each month. When AI is off, the AI surfaces show a short explainer instead of a dead button.