Built for real HIPAA compliance work
OnlyHIPAA isn't a checkbox tool. It's a complete risk assessment platform designed by HIPAA experts to guide your team through every requirement of the Security Rule and Privacy Rule — and come out the other side with defensible documentation.
Every safeguard. Every standard. Covered.
The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic PHI. OnlyHIPAA structures this into a guided assessment with:
- Administrative Safeguards — Security management process, assigned security responsibility, workforce training, contingency planning, and more.
- Physical Safeguards — Facility access controls, workstation use policies, device and media controls with full inventory tracking.
- Technical Safeguards — Access controls, audit controls, integrity controls, and transmission security for all ePHI systems.
- Organizational Requirements — Business Associate Agreement management, group health plan requirements.
PHI handling from intake to disposal
The Privacy Rule governs how protected health information is used and disclosed. OnlyHIPAA walks your team through:
- Notice of Privacy Practices — Content requirements, posting obligations, patient acknowledgment tracking.
- Patient Rights — Access, amendment, accounting of disclosures, restrictions, and confidential communications.
- Minimum Necessary Standard — Policies, workforce training, and access controls aligned to the minimum necessary requirement.
- Permitted Disclosures — Treatment, payment, operations, public health, law enforcement, and special categories.
Quantitative risk scoring that holds up to scrutiny
OCR expects a formal risk analysis (the implementation specification at 45 CFR 164.308(a)(1)(ii)(A)) that identifies threats, vulnerabilities, and the likelihood and impact of each. OnlyHIPAA automates this with:
- Threat & Vulnerability Mapping — Pre-built threat libraries aligned to HHS guidance and NIST SP 800-30.
- Likelihood × Impact Scoring — 5×5 risk matrix (the semi-quantitative scale NIST SP 800-30 describes) with automatic risk level classification (Critical, High, Medium, Low).
- System-level Scoping — Assess risk per ePHI system so findings are targeted and actionable.
- Regulatory Citation Mapping — Every finding links to the specific CFR section it implicates.
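For readers who want to see what a 5×5 likelihood × impact assessment actually computes, the following is an added illustration, not OnlyHIPAA's code. It scores constructed findings per ePHI system, classifies them into the four levels, and keeps the CFR citation attached to each finding. The band thresholds (20/12/6) are an assumption; NIST SP 800-30 leaves scales and cut-offs to the organization, and the sample findings and system names are made up.

```python
"""5x5 likelihood x impact risk matrix, scoped per ePHI system.

Added example, not OnlyHIPAA code. Band thresholds and sample data are assumptions.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = very low ... 5 = very high

# Assumed classification bands on the 1..25 product score (lower bound, level).
BANDS = (
    (20, "Critical"),
    (12, "High"),
    (6, "Medium"),
    (1, "Low"),
)


@dataclass(frozen=True)
class Finding:
    system: str          # ePHI system in scope
    threat: str
    vulnerability: str
    likelihood: int      # 1..5
    impact: int          # 1..5
    citation: str        # CFR section the gap implicates


def risk_score(likelihood: int, impact: int) -> int:
    """Return likelihood x impact; reject values outside the 5-point scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError(f"likelihood/impact must be 1..5, got {likelihood}/{impact}")
    return likelihood * impact


def classify(score: int) -> str:
    """Map a 1..25 score to a level using the assumed bands."""
    for floor, level in BANDS:
        if score >= floor:
            return level
    raise ValueError(f"score out of range: {score}")


def assess(findings):
    """Score every finding and rank highest risk first, citation kept alongside."""
    rows = []
    for f in findings:
        s = risk_score(f.likelihood, f.impact)
        rows.append({"system": f.system, "threat": f.threat, "score": s,
                     "level": classify(s), "citation": f.citation})
    return sorted(rows, key=lambda r: (-r["score"], r["system"]))


def by_system(rows):
    """Worst level present on each ePHI system, so scoping stays per system."""
    order = [level for _, level in BANDS]  # Critical first
    worst = {}
    for r in rows:
        cur = worst.get(r["system"])
        if cur is None or order.index(r["level"]) < order.index(cur):
            worst[r["system"]] = r["level"]
    return worst


# Constructed sample findings; the systems and gaps are illustrative only.
SAMPLE = [
    Finding("EHR", "Credential theft", "Shared clinician logins, no MFA", 4, 5,
            "45 CFR 164.312(d)"),
    Finding("EHR", "Insider misuse", "No review of ePHI access logs", 3, 4,
            "45 CFR 164.312(b)"),
    Finding("Billing", "Ransomware", "Backups untested in 18 months", 3, 5,
            "45 CFR 164.308(a)(7)(ii)(D)"),
    Finding("Billing", "Lost laptop", "Full-disk encryption enforced", 2, 2,
            "45 CFR 164.310(d)(1)"),
]

if __name__ == "__main__":
    for r in assess(SAMPLE):
        print(f'{r["level"]:8} {r["score"]:2}  {r["system"]:8} {r["threat"]:18} {r["citation"]}')
    print(by_system(assess(SAMPLE)))
```

Two points the code makes explicit that the bullet list does not: out-of-range inputs are rejected rather than silently clamped, so a data-entry error cannot quietly produce a "Low", and the per-system roll-up is driven by the worst finding, which is what makes system-level scoping useful for prioritising remediation.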
Turn findings into a real remediation plan
Finding gaps is only half the battle. OnlyHIPAA turns every finding into a trackable remediation task:
- Task Assignment — Assign remediation items to specific team members with due dates and priority levels.
- Progress Tracking — Real-time dashboard shows open, in-progress, and completed items across all findings.
- Evidence Attachment — Attach policies, screenshots, or documents to close out each remediation item.
- Audit Trail — Every status change and comment is logged with a timestamp and user — exactly what OCR wants to see.
Reports your auditors will actually understand
One-click generation of complete, professionally formatted risk assessment reports.
Executive Summary
Plain-language overview of your risk posture, top findings, and remediation progress — perfect for the board or C-suite.
Technical Detail
Full question-by-question responses, evidence citations, risk scores, and CFR references for compliance staff and auditors.
Gap Analysis
Side-by-side comparison of requirements vs. current state, with severity rankings and recommended remediation steps.
Custom Branding
Add your organization's logo and colors to every exported report — essential for consultants delivering to clients.