OnlyHIPAA

Webhooks

Webhooks send a signed JSON POST to your endpoint when subscribed events occur (assessment completed, finding status changed, incident opened, and more).

Verifying deliveries

Every request carries an X-OnlyHIPAA-Signature header of the form sha256=<hex> — the HMAC-SHA256 of the raw body using your webhook secret. Recompute it and compare with a constant-time function before trusting the payload.
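One way to implement this check in Python (an added example, not OnlyHIPAA's own code). The function names, the 401 response on failure, the secret and the sample event body are assumptions constructed for illustration; only the header name, the `sha256=<hex>` format and HMAC-SHA256 over the raw body come from the text above.

```python
import hashlib
import hmac
import json
import re

SIGNATURE_HEADER = "X-OnlyHIPAA-Signature"
# Exactly "sha256=" followed by 64 hex characters (a 32-byte SHA-256 MAC).
_SIG_RE = re.compile(r"sha256=([0-9a-fA-F]{64})")


def verify_delivery(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Return True only if header_value is a valid sha256=<hex> HMAC of raw_body."""
    if not isinstance(header_value, str):
        return False  # header missing
    match = _SIG_RE.fullmatch(header_value.strip())
    if match is None:
        return False  # wrong scheme, wrong length, or non-hex characters
    received = bytes.fromhex(match.group(1))
    # MAC the bytes exactly as received; a parsed and re-serialized body will not match.
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return hmac.compare_digest(received, expected)  # constant-time comparison


def handle_delivery(secret: bytes, raw_body: bytes, headers: dict):
    """Hypothetical handler: verify first, parse the JSON only afterwards."""
    # HTTP header names are case-insensitive.
    sig = next((v for k, v in headers.items()
                if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not verify_delivery(secret, raw_body, sig):
        return 401, None  # assumed rejection status; the payload is never parsed
    return 200, json.loads(raw_body)


# Constructed sample delivery (secret, event name and id are made up).
SECRET = b"constructed-example-secret"
BODY = b'{"event":"incident.opened","id":"evt_constructed_1"}'
GOOD_SIG = "sha256=" + hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()
```

Pass the request body as the bytes read off the wire, before any framework JSON parsing or re-encoding touches it.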

Reliability

Respond with a 2xx within 5 seconds. A failed delivery is retried automatically with exponential backoff, and you can replay any delivery from the delivery log. A webhook that fails repeatedly is auto-suspended until you re-enable it.

© 2026 OnlyHIPAA, Inc. All rights reserved.

OnlyHIPAA provides tools to assist with HIPAA compliance but does not constitute legal advice. Consult qualified legal counsel for specific compliance guidance.