We've lived the HIPAA compliance pain firsthand.

OnlyHIPAA was founded by healthcare IT veterans who spent years doing HIPAA risk assessments the hard way — with spreadsheets, Word docs, and manually cross-referencing the CFR. We built the tool we always wished existed.

HIPAA compliance shouldn't require an army of consultants.

45 CFR Parts 160 and 164 are complex, but compliance shouldn't be inaccessible. Every covered entity and business associate — from a solo practice to a regional health system — deserves the tools to conduct a thorough, defensible risk assessment without breaking the bank or burning out their team.

We're on a mission to democratize HIPAA compliance infrastructure, the same way modern tools democratized security scanning and legal document management.

500+ assessments completed
200+ organizations served
0 OCR findings for our customers
30 days average time to first report

What we stand for

Security-First

We apply the same standards to our own platform that we help our customers meet: SOC 2 Type II certified, HIPAA-compliant infrastructure, and end-to-end encryption.

Regulatory Accuracy

Every question, every citation, every remediation recommendation is reviewed by certified HIPAA compliance professionals. We never oversimplify at the expense of accuracy.

Customer Partnership

We're not just a software vendor — we're your compliance partner. Our team includes former healthcare CISOs, privacy officers, and OCR investigators who've seen the real-world consequences of gaps.

Accessibility

A critical access hospital shouldn't have worse compliance tools than a large health system. We price and design for organizations of all sizes.

Built by people who've been in your shoes

Michael R.

Co-Founder & CEO

Former CISO at a 12-hospital health system. 15+ years in healthcare IT security. CHC, CISSP, CISM.

Amanda L., JD

Co-Founder & Chief Compliance Officer

Healthcare attorney with 10+ years specializing in HIPAA regulatory matters. Former HHS Office for Civil Rights regional advisor.

James P.

CTO

Previously led engineering at a healthcare data analytics company. Expert in HIPAA-compliant cloud architecture and secure application development.

Sarah C., CHC, CHPC

VP of Compliance Operations

Certified healthcare compliance professional with experience conducting 200+ HIPAA risk assessments across provider and payer organizations.

We hold ourselves to the same standard

We're a SaaS platform that handles sensitive compliance data. Here's what we do to protect it:

SOC 2 Type II Certified

Annual third-party audit covering security, availability, and confidentiality of customer data.

HIPAA Business Associate

We sign a BAA with every customer. We handle PHI-adjacent compliance data with the same rigor we ask of you.

Encryption at Rest & in Transit

AES-256 at rest, TLS 1.3 in transit. Database-level encryption for all sensitive fields.

NIST-Compliant Authentication

Argon2id password hashing, passkey and hardware security key support, and TOTP multi-factor authentication, aligned to NIST SP 800-63B.

Penetration Testing

Annual third-party penetration tests with findings remediated within 30 days. Results available to enterprise customers under NDA.

Immutable Audit Logs

Every action on the platform is logged with the acting user, timestamp, and source IP address; logs are tamper-evident and retained for 7 years.

Want to learn more?

We're happy to walk you through the platform or answer compliance questions.