Built for real compliance work, accelerated by AI

OnlyHIPAA is a complete risk assessment platform designed by security and compliance experts. Sherpa, the AI compliance guide, reviews your evidence, drafts your findings and remediation, and answers questions about your posture, guiding your team through HIPAA, SOC 2, ISO 27001, the NIST frameworks, and 17 built-in libraries in all, to defensible, audit-ready documentation.

HIPAA, and every framework around it

Start with HIPAA, then extend the same evidence and controls to the standards your customers, partners, and auditors ask about. OnlyHIPAA ships with complete, built-in control libraries for:

  • HIPAA Security & Privacy Rules. Administrative, physical, and technical safeguards plus PHI handling.
  • SOC 2. The full AICPA Trust Services Criteria across all five categories.
  • ISO/IEC 27001:2022 & ISO/IEC 42001:2023. All 93 Annex A controls, plus the AI management system controls.
  • NIST CSF 2.0, AI RMF, Privacy Framework & SP 800-53. Govern, map, measure, and manage risk across cyber, AI, and privacy.
  • ISO/IEC 27701, HITRUST CSF, HHS 405(d) HICP & CIS Controls v8. Privacy information management and healthcare-specific control sets.
  • PCI DSS v4.0, FedRAMP, CMMC 2.0 & consumer-privacy law (GDPR / CCPA / state). Payment, federal, and data-subject-rights coverage.

17 built-in frameworks in all. Cross-framework mapping links overlapping requirements, so you answer a question once and satisfy it everywhere it applies, and scope each assessment to exactly the frameworks you need.

  • HIPAA Security & Privacy Rules
  • SOC 2 Trust Services Criteria (61)
  • ISO/IEC 27001:2022 Annex A (93)
  • ISO/IEC 42001:2023 AI controls (38)
  • NIST CSF 2.0 (31)
  • NIST AI RMF (72)
  • NIST Privacy Framework (100)
  • NIST SP 800-53, HITRUST, HICP, CIS v8
  • PCI DSS, FedRAMP, CMMC, ISO 27701, GDPR/CCPA

Every safeguard. Every standard. Covered.

The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic PHI. OnlyHIPAA structures this into a guided assessment with:

  • Administrative Safeguards. Security management process, assigned security responsibility, workforce training, and contingency planning.
  • Physical Safeguards. Facility access controls, workstation use policies, and device and media controls with full inventory tracking.
  • Technical Safeguards. Access controls, audit controls, integrity controls, and transmission security for all ePHI systems.
  • Organizational Requirements. Business Associate Agreement management and group health plan requirements.

Sample dashboard: Administrative Safeguards 78%, Physical Safeguards 91%, Technical Safeguards 64%. Open findings: High, audit controls not implemented on 3 systems; Medium, workforce training documentation incomplete.

PHI handling from intake to disposal

The Privacy Rule governs how protected health information is used and disclosed. OnlyHIPAA walks your team through:

  • Notice of Privacy Practices. Content requirements, posting obligations, and patient acknowledgment tracking.
  • Patient Rights. Access, amendment, accounting of disclosures, restrictions, and confidential communications.
  • Minimum Necessary Standard. Policies, workforce training, and access controls aligned to the minimum-necessary requirement.
  • Permitted Disclosures. Treatment, payment, operations, public health, law enforcement, and special categories.

Sample checklist: Right of Access procedures documented; amendment request process defined; accounting of disclosures log maintained; restriction request tracking needs attention; confidential communications policy not documented.

Quantitative risk scoring that holds up to scrutiny

OCR expects a formal risk analysis that identifies threats, vulnerabilities, and the likelihood and impact of each. OnlyHIPAA automates this with:

  • Threat and Vulnerability Mapping. Pre-built threat libraries aligned to HHS guidance and NIST SP 800-30.
  • Likelihood × Impact Scoring. A 5×5 risk matrix with automatic risk-level classification (Critical, High, Medium, Low).
  • System-level Scoping. Assess risk per ePHI system so findings are targeted and actionable.
  • Regulatory Citation Mapping. Every finding links to the specific CFR section it implicates.

Sample risk matrix: cells classified Critical, High, Medium, and Low by likelihood and impact.

Turn findings into a real remediation plan

OnlyHIPAA turns every finding into a trackable remediation task:

  • AI-Drafted Tasks. Sherpa generates concrete, prioritized remediation steps from a finding, which you review, edit, and assign instead of writing from scratch.
  • Task Assignment. Assign remediation items to specific team members with due dates and priority levels.
  • Progress Tracking. A live dashboard shows open, in-progress, and completed items across all findings.
  • Evidence Attachment. Attach policies, screenshots, or documents to close out each remediation item.
  • Team Collaboration. Discuss the work in context with threaded comments — on findings, assessment questions, and tasks — with @mentions that notify the right teammate and live updates as the thread moves.
  • Audit Trail. Every status change and comment is logged with a timestamp and user, exactly what OCR wants to see.

Sample remediation board: Done, deploy MFA across all admin accounts; In Progress, update workforce security training curriculum; Open, implement audit logging on EHR system; Open, review and update BAA with billing vendor.

An AI guide with healthcare compliance expertise

Sherpa reads your evidence, judges it against the regulation, and tells you what to fix. Every AI action is grounded in your own data and presented for your review, and nothing is applied automatically.

  • Evidence-Aware Answer Review. Sherpa reads each answer plus its attached evidence, compares it to the cited requirement, and returns a clear verdict, passing only what it is at least 95% confident in and adding a short, specific suggestion when something falls short.
  • Evidence Summarization. Upload a policy or document and Sherpa summarizes what it demonstrates and which assessment questions it supports, with no manual cross-referencing.
  • Drafted Risks and Remediation. Sherpa turns an assessment's deficiencies into risk-register entries and a sequenced remediation plan, ready for you to review and assign.
  • Policy Drafting. Sherpa drafts the HIPAA policies your program needs — incident response, sanctions, contingency, device and media, and more — seeded from your own organization context, with clear placeholders where only you can fill in the details.
  • Mock OCR Interview. Rehearse an audit before it happens: Sherpa poses investigator-style questions weighted toward your weakest areas and rates how ready each answer is, so you fix the gaps on your own schedule.
  • Breach Triage. On a suspected incident, Sherpa computes the Breach Notification Rule deadlines from the discovery date and affected count, and drafts the HHS four-factor risk assessment for your team to finalize.
  • Executive Summaries. Generate a board-ready, plain-language summary of posture, top risks, and recommended actions from the assessment data.
  • Ask Your Compliance Program. Ask plain-language questions like "Are we ready for an OCR audit?" or "Which vendors are missing a BAA?" and get answers, plus your three highest-impact next actions, grounded only in your organization's data. A daily brief surfaces what changed and the one thing to do next.
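The deadline computation the Breach Triage item describes, as an added worked example that is not OnlyHIPAA's code: it applies the 45 CFR 164.404(b) individual-notice window, the 164.408 HHS rules keyed to the 500-individual threshold, and the 164.406 media-notice test. The media line assumes every affected individual resides in one state, which is an assumption of this example, not something the page states.

```python
from datetime import date, timedelta

# 45 CFR 164.404(b): individual notice without unreasonable delay and in no
# case later than 60 calendar days after the breach is discovered.
NOTICE_WINDOW_DAYS = 60
# 45 CFR 164.408: 500 or more individuals -> notify HHS within the same window;
# fewer than 500 -> log it and submit within 60 days after the calendar year ends.
HHS_IMMEDIATE_THRESHOLD = 500


def breach_deadlines(discovered_iso: str, affected: int) -> dict:
    """Compute Breach Notification Rule deadlines for a breach of unsecured PHI.

    discovered_iso: discovery date as YYYY-MM-DD (the day the breach was, or
    reasonably should have been, known). Returns ISO dates for the individual,
    HHS and (when required) media notices.
    Assumption of this example: `affected` is treated as residents of a single
    state, so the 45 CFR 164.406 media-notice test reduces to `affected > 500`.
    """
    if affected < 1:
        raise ValueError("affected count must be at least 1")
    discovered = date.fromisoformat(discovered_iso)
    individual = discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    if affected >= HHS_IMMEDIATE_THRESHOLD:
        hhs = individual  # contemporaneous with individual notice
    else:
        year_end = date(discovered.year, 12, 31)
        hhs = year_end + timedelta(days=NOTICE_WINDOW_DAYS)
    # Media notice uses "more than 500", unlike the HHS "500 or more" test.
    media = individual if affected > HHS_IMMEDIATE_THRESHOLD else None
    return {
        "individual_notice": individual.isoformat(),
        "hhs_notice": hhs.isoformat(),
        "media_notice": media.isoformat() if media else None,
    }


def days_left(deadline_iso: str, today_iso: str) -> int:
    """Days until a deadline; a negative value means it is already overdue."""
    return (date.fromisoformat(deadline_iso) - date.fromisoformat(today_iso)).days


if __name__ == "__main__":
    # Constructed sample incident: discovered 2024-01-15, 1,200 individuals affected.
    for name, iso in breach_deadlines("2024-01-15", 1200).items():
        remaining = days_left(iso, "2024-02-01") if iso else "n/a"
        print(f"{name}: {iso} (days left as of 2024-02-01: {remaining})")
```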

Every suggestion — answer review, drafted policy, risk, remediation, or framework mapping — lands in one AI Suggestions inbox for review on its native page. Nothing is ever applied without a person accepting it.

Built for healthcare: AI processing runs under a Business Associate Agreement with zero data retention, every action is audit-logged, and a person always reviews before anything is accepted.

Sample review output: Access control policy, Pass (97% confidence); Encryption at rest, Pass (96% confidence); Needs info, attach the signed BAA to evidence the vendor control. Sample next actions: 1. Collect BAAs from 2 vendors; 2. Close 3 overdue critical findings; 3. Document the contingency plan.

The whole compliance program, in one place

A risk assessment is the start, not the finish. OnlyHIPAA runs the ongoing operations that keep you compliant between audits — and tracks a live compliance score so you always know where you stand.

Compliance Score & Posture

A live 0–100 score across findings, policies, training, incidents, and business associates, snapshotted daily so you can see the trend and catch drift before an auditor does.

Vendors & BAAs

A register of every business associate with BAA status and expiry, a built-in vendor risk questionnaire, and review reminders so no agreement lapses unnoticed.

Incidents & Breach Tracking

Log security incidents, run the Breach Notification Rule deadline clock, and document the four-factor risk assessment — the record OCR expects when something goes wrong.

Workforce Training

Track security-awareness and HIPAA training by person and course, with renewal intervals and a completion matrix you can export for an auditor.

Access Reviews

Run periodic reviews of who can reach ePHI, log a keep/remove/modify decision per person, and lock the review as a dated, defensible record.

Data Flow Map

Inventory the systems that hold PHI and the flows between them, with encryption-in-transit and at-rest flags that highlight any unprotected path.

Physical Safeguards

Track devices that touch ePHI — encryption, screen lock, auto-logoff, and review dates — so workstation and device controls are demonstrable, not assumed.

Compliance Calendar

Every recurring deadline — assessment renewals, BA reviews, policy reviews, training, device checks — in one view, with iCal export to your own calendar.

Auditor Packet

Hand an auditor a single point-in-time export — findings, policies, the risk register, and evidence files with a manifest — or a time-limited read-only link to the live program.

Reports your auditors will actually understand

One-click generation of complete, professionally formatted risk assessment reports.

Executive Summary

A plain-language overview of your risk posture, top risks, and recommended actions, written by Sherpa for the board or C-suite.

Technical Detail

Full question-by-question responses, evidence citations, risk scores, and CFR references for compliance staff and auditors.

Gap Analysis

Side-by-side comparison of requirements vs. current state, with severity rankings and recommended remediation steps.

Custom Branding

Add your organization's logo and colors to every exported report, essential for consultants delivering to clients.

Fits the stack you already run

Connect identity, alerting, and your own tooling. Everything is standards-based, so there's nothing proprietary to lock into.

  • SAML 2.0 SSO. Single sign-on with your identity provider.
  • OAuth. Sign in with Google or Microsoft.
  • SCIM provisioning. Automated user provisioning and deprovisioning.
  • Webhooks. Subscribe to events with signed, retried delivery.
  • Slack. Compliance notifications in your channels.
  • SIEM export. Stream the immutable audit log to your SIEM.
  • REST API. A versioned, scoped API for findings, assessments, remediation, and more.
  • Custom integrations. Build on the API and webhook catalog.

See the API reference and webhook event catalog for details.

See OnlyHIPAA in action

Start a free assessment or schedule a live demo with our team.