Built for real compliance work
OnlyHIPAA isn't a checkbox tool. It's a complete risk assessment platform designed by security and compliance experts to guide your team through HIPAA, SOC 2, ISO 27001, ISO 42001, and the NIST frameworks, and come out the other side with defensible documentation.
HIPAA, and every framework around it
Start with HIPAA, then extend the same evidence and controls to the standards your customers, partners, and auditors ask about. OnlyHIPAA ships with complete, built-in control libraries for:
- HIPAA Security & Privacy Rules - Administrative, physical, and technical safeguards plus PHI handling.
- SOC 2 - The full AICPA Trust Services Criteria across all five categories.
- ISO/IEC 27001:2022 & ISO/IEC 42001:2023 - All 93 Annex A controls, plus the AI management system controls.
- NIST CSF 2.0, AI RMF, and Privacy Framework - Govern, map, measure, and manage risk across cyber, AI, and privacy.
Cross-framework mapping links overlapping requirements, so you answer a question once and satisfy it everywhere it applies, and scope each assessment to exactly the frameworks you need.
Every safeguard. Every standard. Covered.
The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic PHI. OnlyHIPAA structures this into a guided assessment with:
- Administrative Safeguards - Security management process, assigned security responsibility, workforce training, contingency planning, and more.
- Physical Safeguards - Facility access controls, workstation use policies, device and media controls with full inventory tracking.
- Technical Safeguards - Access controls, audit controls, integrity controls, and transmission security for all ePHI systems.
- Organizational Requirements - Business Associate Agreement management, group health plan requirements.
PHI handling from intake to disposal
The Privacy Rule governs how protected health information is used and disclosed. OnlyHIPAA walks your team through:
- Notice of Privacy Practices - Content requirements, posting obligations, patient acknowledgment tracking.
- Patient Rights - Access, amendment, accounting of disclosures, restrictions, and confidential communications.
- Minimum Necessary Standard - Policies, workforce training, and access controls aligned to the minimum necessary requirement.
- Permitted Disclosures - Treatment, payment, operations, public health, law enforcement, and special categories.
Quantitative risk scoring that holds up to scrutiny
OCR expects a formal risk analysis that identifies threats, vulnerabilities, and the likelihood and impact of each. OnlyHIPAA automates this with:
- Threat & Vulnerability Mapping - Pre-built threat libraries aligned to HHS guidance and NIST SP 800-30.
- Likelihood × Impact Scoring - 5×5 risk matrix with automatic risk level classification (Critical, High, Medium, Low).
- System-level Scoping - Assess risk per ePHI system so findings are targeted and actionable.
- Regulatory Citation Mapping - Every finding links to the specific CFR section it implicates.
Turn findings into a real remediation plan
Finding gaps is only half the battle. OnlyHIPAA turns every finding into a trackable remediation task:
- Task Assignment - Assign remediation items to specific team members with due dates and priority levels.
- Progress Tracking - Real-time dashboard shows open, in-progress, and completed items across all findings.
- Evidence Attachment - Attach policies, screenshots, or documents to close out each remediation item.
- Audit Trail - Every status change and comment is logged with a timestamp and user - exactly what OCR wants to see.
Reports your auditors will actually understand
One-click generation of complete, professionally formatted risk assessment reports.
Executive Summary
Plain-language overview of your risk posture, top findings, and remediation progress - perfect for the board or C-suite.
Technical Detail
Full question-by-question responses, evidence citations, risk scores, and CFR references for compliance staff and auditors.
Gap Analysis
Side-by-side comparison of requirements vs. current state, with severity rankings and recommended remediation steps.
Custom Branding
Add your organization's logo and colors to every exported report - essential for consultants delivering to clients.