Onna is now HIPAA compliant

We're happy to share that Onna has expanded its services to offer HIPAA-compliant environments!

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that regulates how healthcare organizations, their business associates, and subcontractors manage Protected Health Information (PHI). 

Following a successful third-party audit, a HIPAA Security Risk Assessment, and a HIPAA Privacy Assessment, Onna has officially met the compliance standards for HIPAA's Security, Privacy, and Breach Notification Rules.  

In light of this, Onna can enter into a Business Associate Agreement (BAA) with any customer who requires it or wishes to manage PHI using the Onna platform. This allows healthcare organizations and businesses that deal with Electronic Protected Health Information (ePHI) to effectively manage their data in Onna while meeting regulatory requirements.

In addition to supporting HIPAA compliance, we maintain several third-party certifications that demonstrate our commitment to data security and privacy. We recognize the immense trust our customers place in us to support their critical workflows, and we continuously strive not just to meet but to exceed those expectations.

Our ongoing commitment to data security, privacy, and compliance

We take a proactive approach to safeguarding data by adopting a wide spectrum of compliances and practices designed to protect our customers' information, including:

• SOC 2 Type 2 and ISO 27001: Onna consistently maintains SOC 2 Type 2 and ISO 27001 compliance. This commitment is validated annually by extensive third-party audits, ensuring that our controls for the privacy, security, availability, and processing integrity of your data are effective and robust.
• EU-US Data Privacy: Our operations align with the high standards of the EU-US Data Privacy Framework, ensuring that data transfers between the European Union and the United States adhere to the strictest data privacy standards. This includes implementing Standard Contractual Clauses (SCCs) and adhering to the principles of data minimization and purpose limitation.
• WORM environments: In addition to HIPAA-compliant environments, we offer the option for Write Once, Read Many (WORM) storage, which prevents data alteration or deletion after it has been written. Our WORM storage solutions meet the data retention requirements set by the Financial Industry Regulatory Authority (FINRA), making them ideal for companies in the financial sector looking to comply with regulatory standards.

To ensure the integrity and effectiveness of our security measures, we also collaborate with third-party experts for penetration testing and maintain an active bug bounty program.

“A strong focus on data security and compliance with data protection regulations makes [Onna] a reliable choice for handling sensitive information.” 
– G2, Verified User in Information Technology and Services, Mid-Market (51-1000 employees)

Going beyond compliance

Achieving compliance is a significant milestone; however, maintaining a high standard of data security extends beyond meeting regulatory requirements. Along with Single Sign-On (SSO), two-factor authentication, granular access controls, and full audit logs, we implement extensive measures to ensure that your data is as secure as possible. Some of these measures include:

• Real-time monitoring, threat detection, and incident response mechanisms for proactive risk mitigation
• A commitment to transparency and trust by providing full visibility into our security practices and compliance measures
• Regular security assessments and audits to maintain high standards of security and compliance
• Encryption of data in transit and at rest to safeguard against unauthorized access
• Visibility into data processing throughout the platform to monitor and control data flow effectively

While achieving HIPAA compliance reaffirms our commitment to providing customers with the highest levels of safeguards, we also know that security and compliance are ever-evolving. We will continue to invest and pursue further measures to guarantee the safety, reliability, and usability of your most valuable asset: your data.

For more information, please visit our HIPAA documentation. For general security information, please visit our Trust Center.

If you're an Onna customer and would like to obtain a copy of our reports detailing our HIPAA compliance, SOC 2 Type II compliance, or other security measures, please reach out to your Customer Success Manager.