Simple pricing. No surprises.
No per-seat fees that punish collaboration. All plans include a signed BAA and full access to every framework and assessment type during the free trial.
Essentials
For small practices and clinics getting started with formal risk assessments.
- ✓ 1 covered entity / organization
- ✓ Security Rule assessment
- ✓ Privacy Rule assessment
- ✓ Up to 5 users
- ✓ Basic gap analysis reports
- ✓ Evidence library (5 GB)
- ✓ Email support (2 business day SLA)
- ✓ Signed BAA included
Professional
For multi-location health systems, MSOs, and compliance-focused organizations.
- ✓ Unlimited organizations
- ✓ All frameworks: HIPAA, SOC 2, ISO 27001/42001, NIST CSF/AI/Privacy
- ✓ Built-in control libraries + cross-framework mapping
- ✓ Unlimited users
- ✓ Advanced risk scoring & analytics
- ✓ Remediation task tracking
- ✓ BAA tracking for business associates
- ✓ Branded PDF reports
- ✓ Evidence library (50 GB)
- ✓ Priority email + chat support
- ✓ 1 guided review session/year included
Enterprise
For HIPAA consultants managing multiple client organizations and large health systems.
- ✓ Multi-tenant client management
- ✓ White-label branding
- ✓ API & webhook access
- ✓ Custom integrations (EHR, GRC tools)
- ✓ Unlimited evidence storage
- ✓ Dedicated customer success manager
- ✓ SLA guarantees
- ✓ SSO (SAML 2.0 / OIDC)
- ✓ Penetration test reports on request
- ✓ Quarterly compliance reviews
Professional Services
Hands-on engagements led by our certified security, privacy, and compliance team - scoped and priced to your needs.
- ✓ M&A due diligence
- ✓ SOC 2 preparation
- ✓ OCR investigation response
- ✓ Breach mitigation
- ✓ Cloud security reviews
- ✓ IAM access reviews
- ✓ Penetration testing
- ✓ Documentation creation
- ✓ On-site physical security assessments
- ✓ Incident investigation
All plans include a 30-day free trial, no credit card required.
Annual billing available with 2 months free.
Frequently asked questions
Which compliance frameworks does OnlyHIPAA support?
OnlyHIPAA ships with built-in control libraries for HIPAA (Security and Privacy Rules), SOC 2 (AICPA Trust Services Criteria), ISO/IEC 27001:2022, ISO/IEC 42001:2023 (AI management), the NIST Cybersecurity Framework 2.0, the NIST AI Risk Management Framework, and the NIST Privacy Framework. You can scope each assessment to one or more frameworks, and cross-framework mapping reuses overlapping answers across them.
Do I need to sign a BAA to use OnlyHIPAA?
Yes. We execute a Business Associate Agreement with every customer before you can store any PHI-related data in our platform. The BAA is available for immediate signature upon account activation.
What counts as an "organization"?
An organization is a single covered entity or distinct business unit with its own HIPAA compliance program. A hospital and its affiliated physician group that maintain separate risk assessments would count as two organizations.
Can I upgrade or downgrade my plan?
Yes, at any time. Upgrades take effect immediately; downgrades take effect at the next billing cycle.
Is our data isolated from other customers?
Yes. We use logical data isolation at the database level (organization-scoped queries with row-level access controls) and encrypt all data at rest with per-organization encryption keys on Enterprise plans.
What MFA options are required?
All accounts must enroll in MFA before they can access assessment data, in line with NIST SP 800-63B. Supported methods: authenticator apps (TOTP), passkeys, and hardware security keys (YubiKey, etc.).
Can we export all our data if we leave?
Absolutely. You can export all assessment data, evidence, and reports in standard formats at any time, and we provide a full data export within 30 days of account closure.