
Control Frameworks

Frameworks are the control libraries your assessments map onto. OnlyHIPAA ships 17 built-in libraries and you can add your own.

Built-in frameworks: HIPAA, SOC 2 (including SOC 2 Privacy), ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 42001, NIST Cybersecurity Framework, NIST Privacy Framework, NIST AI RMF, NIST SP 800-53, HITRUST CSF, HHS 405(d) HICP, CIS Controls v8, PCI DSS v4.0, FedRAMP, CMMC 2.0, and consumer-privacy law (GDPR, CCPA, and US state privacy laws). Every control in the question bank maps to several of these at once, so a single HIPAA assessment reports against your whole standards portfolio.

Custom frameworks are a Professional plan feature. The built-in libraries are available to view on every plan.

Built-in vs. custom

Built-in frameworks come pre-populated with their controls and are read-only: you can scope them into an assessment but not edit them. Custom frameworks are yours to build: create one with a name, description, source, and version, then add controls to it (each has a reference such as AC-1, a title, an optional category, and a flag marking whether the control is required). Mark a framework active to make it available for scoping; deactivate one you're not using.

How frameworks are used

Frameworks don't do anything on their own — you put them to work by scoping them into an assessment. The core HIPAA questions are always present; adding a framework maps your answers onto that framework's controls too, so one assessment can report against several standards. (See Assessments for scoping, and Cross-Framework Coverage for the AI that suggests where one answer satisfies controls in other frameworks.)
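To make the scoping and mapping behaviour concrete, here is a small model of it in Python. This is an added example, not OnlyHIPAA's code or data model: the `Control`/`Framework` classes, the question IDs, the question-to-control mappings, the sample answers and the custom "ACME-SEC" framework are all constructed for illustration (the HIPAA and NIST SP 800-53 control references are real identifiers, but their mapping to questions here is invented). It shows the points the text makes: built-in libraries are read-only, only active frameworks can be scoped, the HIPAA core is always in scope, one answer satisfies controls in several frameworks, and a control's required flag decides whether an unmet control is reported as a gap.

```python
"""Illustrative model of scoping frameworks into an assessment and reporting
per-framework coverage. Added example, not OnlyHIPAA code: the classes,
question IDs, mappings, answers and the ACME-SEC framework are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Control:
    reference: str              # e.g. "AC-1"
    title: str
    required: bool = True       # the "required flag" from the page
    category: Optional[str] = None


@dataclass
class Framework:
    name: str
    source: str
    version: str
    controls: List[Control] = field(default_factory=list)
    active: bool = True         # only active frameworks can be scoped
    builtin: bool = False       # built-in libraries are read-only

    def add_control(self, control: Control) -> None:
        if self.builtin:
            raise PermissionError(f"{self.name} is built-in and read-only")
        self.controls.append(control)


# Constructed question bank: each answer maps onto controls in several
# frameworks at once, keyed as (framework name, control reference).
QUESTION_MAP: Dict[str, List[Tuple[str, str]]] = {
    "Q1": [("HIPAA", "164.312(a)(1)"), ("NIST SP 800-53", "AC-3"), ("ACME-SEC", "SEC-01")],
    "Q2": [("HIPAA", "164.312(b)"), ("NIST SP 800-53", "AU-2"), ("ACME-SEC", "SEC-02")],
    "Q3": [("HIPAA", "164.308(a)(5)"), ("NIST SP 800-53", "AT-2")],
    "Q4": [("ACME-SEC", "SEC-03")],
}
SAMPLE_ANSWERS = {"Q1": "yes", "Q2": "no", "Q3": "yes", "Q4": "no"}  # constructed


def build_frameworks() -> Dict[str, Framework]:
    hipaa = Framework("HIPAA", "HHS", "2013", builtin=True, controls=[
        Control("164.312(a)(1)", "Access control"),
        Control("164.312(b)", "Audit controls"),
        Control("164.308(a)(5)", "Security awareness and training"),
    ])
    nist = Framework("NIST SP 800-53", "NIST", "Rev. 5", builtin=True, controls=[
        Control("AC-3", "Access Enforcement", category="Access Control"),
        Control("AU-2", "Event Logging", category="Audit and Accountability"),
        Control("AT-2", "Literacy Training and Awareness", category="Awareness and Training"),
        Control("IR-4", "Incident Handling", category="Incident Response"),
    ])
    # Hypothetical custom framework, built control by control as an org admin would.
    acme = Framework("ACME-SEC", "Acme Corp internal policy", "1.0")
    acme.add_control(Control("SEC-01", "Least-privilege access to PHI"))
    acme.add_control(Control("SEC-02", "Centralised audit logging"))
    acme.add_control(Control("SEC-03", "Quarterly vendor review", required=False))
    return {fw.name: fw for fw in (hipaa, nist, acme)}


def scope(frameworks: Dict[str, Framework], names: List[str]) -> List[str]:
    """Return the frameworks an assessment reports against.
    The HIPAA core is always present; anything else must exist and be active."""
    scoped = ["HIPAA"]
    for name in names:
        fw = frameworks[name]                      # KeyError if the framework is unknown
        if not fw.active:
            raise ValueError(f"{name} is inactive; activate it before scoping")
        if name not in scoped:
            scoped.append(name)
    return scoped


def coverage(frameworks: Dict[str, Framework], scoped: List[str],
             answers: Dict[str, str]) -> Dict[str, dict]:
    """Per scoped framework: which controls the answers satisfy, which required
    controls are still open, and which controls no question maps to at all."""
    by_control: Dict[Tuple[str, str], List[str]] = {}
    for qid, targets in QUESTION_MAP.items():
        for target in targets:
            by_control.setdefault(target, []).append(qid)
    report: Dict[str, dict] = {}
    for name in scoped:
        fw = frameworks[name]
        met, open_required, unmapped = [], [], []
        for ctl in fw.controls:
            qids = by_control.get((name, ctl.reference), [])
            if not qids:
                unmapped.append(ctl.reference)       # no question can ever satisfy it
            elif any(answers.get(q) == "yes" for q in qids):
                met.append(ctl.reference)
            elif ctl.required:
                open_required.append(ctl.reference)  # optional controls are not flagged
        report[name] = {"met": met, "open_required": open_required,
                        "unmapped": unmapped, "covered": f"{len(met)}/{len(fw.controls)}"}
    return report


if __name__ == "__main__":
    fws = build_frameworks()
    scoped = scope(fws, ["NIST SP 800-53", "ACME-SEC"])
    for name, row in coverage(fws, scoped, SAMPLE_ANSWERS).items():
        print(name, row)
```

The `unmapped` list is the part worth watching in a real report: a control that no question maps to (IR-4 above) can never be satisfied by the assessment, so a framework's coverage figure should be read against its total control count, not only against the controls that happened to be answered.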

Who can do what

Managing frameworks (create, edit, add/remove controls, activate) is org-admin only. Everyone can see the built-in libraries. A custom framework belongs to your organization and can be deleted by an admin.

© 2026 OnlyHIPAA, Inc. All rights reserved.

OnlyHIPAA provides tools to assist with HIPAA compliance but does not constitute legal advice. Consult qualified legal counsel for specific compliance guidance.