Getting started
What Ward is, why “local-first” matters, what a HIPAA Security Risk Assessment is, and exactly what to do on your first run.
1. What Ward is
Ward is a free tool that walks a small healthcare practice — or a business associate, or an IT/managed-service provider (MSP) serving them — through a complete HIPAA Security Risk Assessment (SRA). It also shows a live 2026 Security Rule readiness meter so you can see how prepared you are for the changes in the proposed 2026 HIPAA Security Rule.
In plain English, Ward helps you answer the question OCR (the HHS Office for Civil Rights, which enforces HIPAA) asks first in almost every investigation: “Show me your current, written risk analysis.” Ward gives you that analysis, a prioritized to-do list (a POA&M), and a printable audit binder.
Ward runs as a single-page web app in your browser. There is no installer, no account, and no monthly fee for the core SRA.
Not legal or compliance advice. Ward is a self-assessment aid — not legal advice and not an official OCR audit. The 2026 content is based on the proposed rule (the December 2024 NPRM) and may change. Confirm your obligations with qualified counsel. See the Security & privacy page for the full statement.
2. The local-first promise
This is the single most important thing to understand about Ward:
Your patient data never leaves your machine. Everything you type — answers, notes, vendor names, asset inventory, policies — is stored only in your own browser, on your own computer, using a built-in browser feature called localStorage. The core SRA makes zero network calls. There is no server to send your data to, no account, and no sign-in required.
What this means in practice:
- You can run the entire assessment offline (after the page has loaded once).
- Nobody at DosanjhLabs — or anyone else — can see your answers. We literally never receive them.
- Your data lives only in the browser profile you used. If you switch browsers, computers, or clear your browser data, it won’t follow you automatically — you move it with the Export/Import feature.
There are optional features (an opt-in cloud sync tier and a bring-your-own-key AI assistant) that do use the network — but they are off by default, never carry PHI, and you have to deliberately turn them on. See Security & privacy → Optional cloud/AI.
3. What a Security Risk Assessment (SRA) is
The HIPAA Security Rule (45 CFR Part 164) requires every covered entity and business associate to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to electronic protected health information (ePHI) — and to keep it current. This is called a Security Risk Analysis or Security Risk Assessment.
A good SRA answers three questions for every safeguard:
- Do we have this control in place? (Yes / Partially / No / N/A)
- If not, what threat could exploit the gap, and how bad would it be? (likelihood × impact = a risk rating)
- What are we going to do about it, who owns it, and by when? (the POA&M)
Ward models its question set on the well-known ONC/HHS SRA Tool: 108 questions across the seven areas of the HIPAA Security Rule (administrative, physical, and technical safeguards). Each question is tagged to its exact 45 CFR §164 citation, carries plain-English guidance, and is flagged Required or 2026: now required.
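A worked sketch of the three-question model above, added here as an illustration and not Ward's own scoring code: the 1 to 3 likelihood and impact scales and the Low / Moderate / High band thresholds are assumptions (the page defers the real scale to the assessment page), and the question ids and sample answers are constructed.

```javascript
// Illustrative SRA scoring pipeline (added example; not Ward's own code).
// ASSUMED: likelihood and impact on a 1-3 scale, product banded as
// 1-2 = Low, 3-4 = Moderate, 6-9 = High. Ward's actual scale is documented on the assessment page.
const ANSWERS = ["Yes", "Partially", "No", "N/A"];

function rateGap(likelihood, impact) {
  for (const v of [likelihood, impact]) {
    if (!Number.isInteger(v) || v < 1 || v > 3) throw new RangeError(`scale value out of range: ${v}`);
  }
  const score = likelihood * impact;
  const rating = score >= 6 ? "High" : score >= 3 ? "Moderate" : "Low";
  return { score, rating };
}

// Build the Risk Register: only Partially / No answers are gaps; rank by score, highest first.
function buildRiskRegister(responses) {
  const gaps = [];
  for (const r of responses) {
    if (!ANSWERS.includes(r.answer)) throw new Error(`unknown answer for ${r.id}: ${r.answer}`);
    if (r.answer === "Yes" || r.answer === "N/A") continue; // control in place or not applicable
    if (!r.threat || r.likelihood == null || r.impact == null) {
      throw new Error(`${r.id}: a ${r.answer} answer needs a threat, likelihood and impact`);
    }
    const { score, rating } = rateGap(r.likelihood, r.impact);
    gaps.push({ id: r.id, citation: r.citation, threat: r.threat, score, rating });
  }
  return gaps.sort((a, b) => b.score - a.score || a.id.localeCompare(b.id));
}

// Constructed sample responses (hypothetical question ids; citations are Security Rule sections).
const SAMPLE = [
  { id: "Q01", citation: "164.308(a)(1)(ii)(A)", answer: "Yes" },
  { id: "Q02", citation: "164.312(a)(2)(iv)", answer: "No", threat: "Lost unencrypted laptop", likelihood: 3, impact: 3 },
  { id: "Q03", citation: "164.308(a)(5)", answer: "Partially", threat: "Phishing of untrained staff", likelihood: 2, impact: 2 },
  { id: "Q04", citation: "164.310(a)(1)", answer: "N/A" },
];

console.table(buildRiskRegister(SAMPLE));
```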
4. What you need to run it
| You need | Details |
|---|---|
| A modern browser | Chrome, Edge, Firefox, or Safari (desktop recommended). No plugins. |
| Nothing else | No account, no install, no payment for the core SRA. |
| (Self-hosting only) a static web server | If you run the files from your own folder, serve them over HTTP — see below. The hosted version needs nothing. |
If you are running the files yourself from a folder: open the app over http://, not by double-clicking the file (file://). Browsers block the data files from loading on file://. Any static server works, e.g. from the ward folder run python3 -m http.server 8000 and open http://localhost:8000/app/index.html. If you see “Couldn’t load the SRA content,” this is the cause — see Troubleshooting.
5. Your first run, step by step
- Open the app. Click Launch the free SRA (top right) or open app/index.html. You land on the Dashboard.
- Name your entity. At the top is a Client / entity selector. A default entity exists; rename it to your practice with the Rename button, or add a new one with + New. (MSPs: add one entity per client — see section 7.)
- Click “Start the assessment →” on the Dashboard. This opens the Assessment tab.
- Work through the seven sections. For each question, read the question, open “What this means & what to do” for plain-English guidance, and pick one of four answers: Yes — in place, Partially, No / not yet, or N/A.
- Rate any gaps. When you answer Partially or No, a risk-rating box appears. Pick a threat, then choose a likelihood and an impact. Ward computes a Low / Moderate / High rating. (Full detail on the assessment page.)
- Watch the readiness meter. As you answer 2026-flagged questions, the 2026 readiness meter on the Dashboard updates live, and the Top 2026 blockers chips show what is costing you the most readiness.
- Build the supporting modules as you go: Asset Inventory, Policies, Scan/IR Cadence, Vendors / BAAs, and Training.
- Track remediation. Open the POA&M tab to assign an owner, target date, and status to each gap.
- Export. When you are ready, the Reports tab produces your reports and the one-click audit binder ZIP.
You can stop and resume any time. Ward saves automatically as you type (within a fraction of a second). Just reopen the app in the same browser and your work is there. There is no “Save” button to forget.
6. The tabs, at a glance
The app is organized into tabs across the top. Here is what each one does and where to read more:
| Tab | What it does |
|---|---|
| Dashboard | The 2026 readiness meter, top blockers, cadence reminders, progress by section, and key counts. Your home base. |
| Assessment | The 108 questions, answers, guidance, and gap risk-rating. Read more → |
| Risk Register | All rated gaps ranked by score, plus a likelihood × impact heatmap. Read more → |
| POA&M | Every gap as a tracked remediation item (owner / target / status / overdue). Read more → |
| 2026 Readiness | The ten mandates in detail, with per-mandate POA&M and rule-status labels. Read more → |
| Asset Inventory | Inventory every ePHI system and map data flows (a 2026 requirement). Read more → |
| Policies | Editable policy templates with versioning and attestation. Read more → |
| Scan/IR Cadence | Recurring 2026 obligations with locally-computed due dates. Read more → |
| Vendors / BAAs | Track vendors with ePHI access and their Business Associate Agreement status. |
| Training | Workforce security-awareness training records, courses, and completion tracking. |
| Snapshots | Freeze a dated, read-only snapshot and compare year over year. |
| Reports | All exports and the audit binder ZIP. Read more → |
| MSP console | Cross-client portfolio view (Pro/cloud feature). Read more → |
| Integrations | Import a posture export or migrate from the ONC SRA Tool. Read more → |
| AI assist | Optional, off by default. Bring your own provider key to draft remediations. Read more → |
| Data | Export/import your assessment as JSON, or reset the current entity. Read more → |
| Sign in / Cloud | Optional, opt-in cloud tier. Off by default; PHI never syncs. Read more → |
7. Multiple practices (MSP / multi-client mode)
Ward supports more than one practice in the same browser. This is built for MSPs and consultants who serve several clients, but it works for anyone managing multiple entities.
- Use the Client / entity selector at the very top of the app.
- + New creates a fresh, separate assessment. Each entity has its own answers, risks, vendors, assets, policies, cadence, and reports — completely isolated from the others.
- Rename changes the current entity’s name. Delete removes the current entity and its data (you must keep at least one).
- Switch entities at any time from the dropdown; your work in each is saved independently.
There is also an MSP console tab that gives a cross-client portfolio view (average readiness, total open gaps, per-client status table, bulk reports). The portfolio view reads each client’s local data; some MSP-console conveniences (white-label branding, clone-as-template) are part of the opt-in Pro/cloud tier. See Security & privacy → Optional.
8. Where to go next
- Completing the assessment → — the question flow and risk scoring in depth.
- The 2026 readiness meter → — how the percentage is calculated.
- Exports & the audit binder → — get a printable, OCR-ready package.