Simple pricing. No surprises.
No per-seat fees that punish collaboration. All plans include a signed BAA and full access to all assessment types during the free trial.
Essentials
For small practices and clinics getting started with formal risk assessments.
- ✓ 1 covered entity / organization
- ✓ Security Rule assessment
- ✓ Privacy Rule assessment
- ✓ Up to 5 users
- ✓ Basic gap analysis reports
- ✓ Evidence library (5 GB)
- ✓ Email support (2 business day SLA)
- ✓ Signed BAA included
Professional
For multi-location health systems, MSOs, and compliance-focused organizations.
- ✓ Unlimited organizations
- ✓ All assessment types
- ✓ Unlimited users
- ✓ Advanced risk scoring & analytics
- ✓ Remediation task tracking
- ✓ BAA tracking for business associates
- ✓ Branded PDF reports
- ✓ Evidence library (50 GB)
- ✓ Priority email + chat support
- ✓ 1 guided review session/year included
Enterprise
For HIPAA consultants managing multiple client organizations and large health systems.
- ✓ Multi-tenant client management
- ✓ White-label branding
- ✓ API & webhook access
- ✓ Custom integrations (EHR, GRC tools)
- ✓ Unlimited evidence storage
- ✓ Dedicated customer success manager
- ✓ SLA guarantees
- ✓ SSO (SAML 2.0 / OIDC)
- ✓ Penetration test reports on request
- ✓ Quarterly compliance reviews
All plans include a 30-day free trial, no credit card required.
Annual billing available with 2 months free.
Frequently asked questions
Do I need to sign a BAA to use OnlyHIPAA?
Yes. We execute a Business Associate Agreement with every customer before you can store any PHI-related data in our platform. The BAA is available for immediate signature upon account activation.
What counts as an "organization"?
An organization is a single covered entity or distinct business unit with its own HIPAA compliance program. A hospital and its affiliated physician group that maintain separate risk assessments would count as two organizations.
Can I upgrade or downgrade my plan?
Yes, at any time. Upgrades take effect immediately; downgrades take effect at the next billing cycle.
Is our data isolated from other customers?
Yes. We use logical data isolation at the database level (organization-scoped queries with row-level access controls) and encrypt all data at rest with per-organization encryption keys on Enterprise plans.
What MFA options are required?
All accounts must enroll in MFA before they can access assessment data, in line with our NIST SP 800-63B compliance. Supported methods: authenticator apps (TOTP), passkeys, and hardware security keys (YubiKey, etc.).
Can we export all our data if we leave?
Absolutely. You can export all assessment data, evidence, and reports in standard formats at any time, and we provide a full data export within 30 days of account closure.