Simple pricing. No surprises.

No per-seat fees that punish collaboration. Every plan includes Sherpa, our AI compliance guide, a signed BAA, and full access to every framework and assessment type during the free trial. Each tier builds on the one before it.

Starter

$99/month

For small practices and clinics getting started with formal risk assessments.

  • ✓ 1 covered entity or organization
  • ✓ Security Rule and Privacy Rule assessments
  • ✓ Sherpa AI compliance guide included
  • ✓ Up to 5 users
  • ✓ Gap-analysis reports
  • ✓ Evidence library (5 GB)
  • ✓ Email support (2 business day SLA)
  • ✓ Signed BAA included

Enterprise

Custom

For HIPAA consultants managing multiple client organizations and large health systems.

  • Includes everything in Professional, plus:
  • ✓ Multi-tenant client management
  • ✓ White-label branding
  • ✓ API and webhook access
  • ✓ Custom integrations (EHR, GRC tools)
  • ✓ Unlimited evidence storage
  • ✓ SSO (SAML 2.0 / OIDC)
  • ✓ Dedicated customer success manager
  • ✓ SLA guarantees
  • ✓ Penetration test reports on request
  • ✓ Quarterly compliance reviews

Professional Services

Custom

Hands-on engagements led by our certified security, privacy, and compliance team, scoped and priced to your needs.

  • ✓ M&A due diligence
  • ✓ SOC 2 preparation
  • ✓ OCR investigation response
  • ✓ Breach mitigation
  • ✓ Cloud security reviews
  • ✓ IAM access reviews
  • ✓ Penetration testing
  • ✓ Documentation creation
  • ✓ On-site physical security assessments
  • ✓ Incident investigation

All plans include a 30-day free trial.
Annual billing available. Enterprise is sold direct — contact sales for a quote.

Frequently asked questions

Which compliance frameworks does OnlyHIPAA support?

OnlyHIPAA ships with built-in control libraries for HIPAA (Security and Privacy Rules), SOC 2 (AICPA Trust Services Criteria), ISO/IEC 27001:2022, ISO/IEC 42001:2023 (AI management), the NIST Cybersecurity Framework 2.0, the NIST AI Risk Management Framework, and the NIST Privacy Framework. You can scope each assessment to one or more frameworks, and cross-framework mapping reuses overlapping answers across them.

Do I need to sign a BAA to use OnlyHIPAA?

Yes. We execute a Business Associate Agreement with every customer before you can store any PHI-related data in our platform. The BAA is available for immediate signature upon account activation.

How do the AI features handle our data?

AI processing runs under a Business Associate Agreement with our model provider, with zero data retention. Your content is used only to generate the response and is never retained or used to train models. AI is opt-in per organization, every AI action is audit-logged, and nothing the AI produces (verdicts, drafted risks, remediation, summaries) is ever applied automatically. A person always reviews before it counts, and AI answers are grounded only in your own assessment data.

What counts as an "organization"?

An organization is a single covered entity or distinct business unit with its own HIPAA compliance program. A hospital and its affiliated physician group that maintain separate risk assessments would count as two organizations.

Can I upgrade or downgrade my plan?

Yes, at any time. Upgrades take effect immediately; downgrades take effect at the next billing cycle.

Is our data isolated from other customers?

Yes. We use logical data isolation at the database level (organization-scoped queries with row-level access controls) and encrypt all data at rest; Enterprise plans add per-organization encryption keys.

What security controls protect our data?

OnlyHIPAA holds itself to the standard it helps you meet. Authentication is NIST SP 800-63B aligned: Argon2id password hashing, a breached-password check, and required MFA via authenticator apps (TOTP), passkeys, or hardware security keys (FIDO2/WebAuthn). Data is encrypted with AES-256 at rest and TLS 1.3 in transit. Tenants are isolated with organization-scoped, row-level access controls, and Enterprise plans add per-organization encryption keys. Sessions are server-side and revocable. Every action is written to an immutable, tamper-evident audit log retained for six years. The platform is SOC 2 Type II audited and penetration-tested annually, with findings remediated within 30 days, and we sign a BAA with every customer. Reports are available to Enterprise customers under NDA.

Can we export all our data if we leave?

Absolutely. You can export all assessment data, evidence, and reports in standard formats at any time, and we provide a full data export within 30 days of account closure.

Questions? Talk to our team.

We're happy to walk you through the right plan for your organization.