D3rx SRA Binder Studio
The honest HIPAA Security Risk Assessment tool for small practices.
Source-grounded answers and a living evidence binder, free while we're in beta. We do not market this as a certification, an audit-protection guarantee, or a substitute for your attorney.
- Source-grounded citations
- Every question maps to a public HHS, OCR, NIST, or eCFR reference. Your privacy officer can defend each answer with the exact section number.
- Free while we're in beta
- The full SRA — readiness analysis, control matrix, risk register, remediation plan, and binder exports — is free during the beta, with no card required. Pricing arrives at public launch.
- Living evidence, not a one-shot wizard
- Asset, vendor, BAA, training, policy, and remediation registers persist across annual cycles. Reminders fire when a BAA or training cert is about to lapse.
- Honest scope, deliberately narrow
- D3rx organizes evidence. Your practice produces and adopts it. Your counsel reviews it. We do not pretend to do any of those three jobs.
What is inside the binder
A review-ready documentation package, not a wizard PDF.
The binder ships as a single ZIP: detailed PDF, summary PDF, CSV registers, an XLSX rollup, the evidence manifest, and the source index. The PDF reports have dated cover pages, and the archive carries the canonical disclaimer.
No signup required. See the report shape, source index, evidence manifest, and ZIP contents before you trust the workflow with your own practice data.
Yours is computed deterministically from your answers.
- Readiness gauge
- 0-100
- Mapped controls
- 68
- CSV registers
- 8 files
- Evidence manifest
- Markdown
- Citation index
- Source index
- Safety checks
- Claim scan
Weighted across 68 Security Rule controls
Coverage of 164.308, 310, 312, 314, and 316
Controls, assets, vendors, access, training, risk, remediation, sources
Question and control anchors cross-referenced to supporting documents
HHS / OCR / NIST / eCFR sources cited by active controls and risks
Generated exports are scanned for forbidden certification language
Why the output is credible
Built around sources, evidence, and conservative gates.
The product is intentionally narrower than a managed compliance service. Its job is to organize a small practice's SRA evidence into a source-cited package a reviewer can inspect.
Last source review
2026-05-22
- 68 mapped controls
- The matrix covers the Security Rule safeguards at 45 CFR 164.308, 310, 312, 314, and 316.
- Evidence gate
- A control marked partial or met does not count in the reconciled readiness view until evidence is attached.
- Claim scanner
- Marketing copy, report text, and generated exports are scanned so forbidden certification and guarantee language fails before release.
- Export artifacts
- The ZIP includes dated PDF reports, CSV registers, an XLSX rollup, a source index, and an evidence manifest.
What's included
Free while we're in beta.
The full SRA Binder Studio is free during the beta — no tiers, no card, no checkout. Pricing arrives at public launch.
Free during beta
Everything is included, free
Run the full assessment and build a living evidence binder without a card. You get the complete tool while we're in beta.
- Full 25-question readiness analysis against 68 Security Rule controls
- Control matrix with per-question HHS / OCR / NIST / eCFR citations
- Risk register and prioritized remediation plan
- Binder exports: detailed PDF, summary PDF, CSV registers, XLSX, and ZIP
Create a free account to save your progress and generate your binder. No card required.
Frequently asked
Honest answers about what this is — and isn’t.
Is this a HIPAA certification?
No. HHS and OCR do not recognize private HIPAA certifications. Any product that markets one is selling a marketing artifact, not a regulatory status. D3rx ships a dated, evidence-linked documentation package designed to organize the artifacts reviewers commonly ask for — a payer security questionnaire, a Business Associate diligence packet, an OCR inquiry response. It is your team's package, not a regulatory finding.
Will this guarantee I pass an audit?
No. D3rx is a documentation aid; it is not an audit-protection guarantee. We do not have lawyers on retainer and we will not promise to handle an OCR inquiry on your behalf. The point of the binder is to make a fair audit defensible: every answer traces to a public citation and every evidence item is linked to a control row.
Does the binder replace my attorney?
No. The binder is not legal advice and we are not your attorneys. Review the output with your own counsel or your privacy officer before adopting any policy text, vendor decision, or remediation timeline.
Who is this built for?
Small primary care, dental, behavioral, and specialty practices in the 1-15 provider range. If you run an outsourced privacy officer, a multi-location workflow, or a Mac/iPad/Chromebook stack, the single-device HHS desktop tool falls down in ways D3rx is designed to cover.
How does this compare to the free HHS SRA Tool?
The HHS SRA Tool is free and federally produced; we recommend it for solo Windows shops with a single device. D3rx exists for the multi-device, multi-reviewer cases the HHS tool was not designed for: cloud workspace, role-based access, persistent registers across annual cycles, BAA and training reminders, and a single binder ZIP.
How does this compare to Accountable or Compliancy Group?
Those vendors target growth-stage health-tech and price accordingly. D3rx is positioned for clinical practices and is free while we're in beta. We deliberately do not offer AI-authored policy text, certification-style website badges, or audit-protection bundles. We match the organizational workflow; we do not match the trust-laundering features.
How current is the rule set?
The 68 mapped controls come from 164.308, 310, 312, 314, and 316 in the eCFR HIPAA Security Rule, the OCR audit protocol, and NIST SP 800-66 Rev. 2. We re-scrape and version the source corpus on a documented cadence so the citation index never drifts away from the published rule text.
Can my privacy officer or outside counsel review the output?
Yes. The binder is structured for a reviewer first: each answer is paired with its citation, each risk is paired with its source rule, and each remediation item has an owner and a due date. Forward the ZIP, the CSV registers, or a single PDF section — the citation index makes it possible to validate the work without reverse-engineering it.
What is actually inside the binder?
A detailed PDF with reviewer brief, a summary PDF for executive readers, eight CSV registers, an XLSX rollup, a source index, and an evidence manifest that links uploads to specific questions or controls. The PDF reports carry dated cover pages; the README and manifest carry the canonical disclaimer.
What happens to my data?
Practice-scoped storage in Supabase with row-level security; encryption at rest and in transit. No protected health information is required to complete the assessment. You can export and delete on request. The security posture and data-handling details live at /security.
What we deliberately do not do.
The honest list. Every item below is a feature we have refused to ship — because shipping it would be a regulatory or ethical claim we can’t defend.
Not a HIPAA certification
OCR does not recognize private HIPAA certifications. We will not ship a website badge that pretends otherwise.
Not your attorney
The binder is not legal advice. We do not draft contracts and we do not interpret regulations for you; your counsel does.
Not an audit-protection guarantee
We do not promise to handle an OCR inquiry on your behalf. We make the documentation defensible; the response is on your team.
Not a substitute for human review
Every binder must be reviewed and adopted by your privacy officer. The product surfaces evidence; it does not adopt policy for you.
Not a security service
No penetration testing, vulnerability scanning, or phishing simulation. We describe the practice's security posture; we do not test or improve it.
Not an AI policy author
AI may decorate deterministic output. AI will not author your policies. That boundary is enforced in code, not in marketing.
Practice-scoped storage with row-level security, encryption at rest and in transit, no protected health information required to complete the assessment.
How D3rx handles your dataTake 12 minutes
Run the free readiness check.
No card required. You get a readiness gauge, aggregate control counts, the source index, and the asset and vendor lists. The full binder is free while we're in beta — create an account when you're ready to save your work.