Is OneLogin HIPAA Compliant? BAA Requirements and Security Features
OneLogin's HIPAA Compliance Solution Brief
OneLogin can be configured to support HIPAA obligations when you pair its identity and access management controls with your organization’s policies, procedures, and a signed Business Associate Agreement. It centralizes authentication, authorization, and auditing for applications that create, receive, maintain, or transmit ePHI, helping you enforce consistent safeguards across your workforce and vendors.
The platform’s controls map to core HIPAA Security Rule expectations and align with the NIST Cybersecurity Framework, giving you practical levers to reduce risk: Multi-Factor Authentication, least-privilege access policies, encryption controls, and comprehensive audit controls. Vigilance AI adds continuous, risk-based monitoring to detect anomalous sign-in activity before it becomes an incident.
- Business Associate Agreement support for covered services and documented responsibilities.
- Data Processing Addendum options where GDPR or other privacy regimes also apply.
- Multi-Factor Authentication and conditional access to harden account security.
- Least-Privilege Access via roles, groups, and fine-grained administrator scopes.
- Encryption Controls for data in transit and strong cryptography for tokens and assertions.
- Audit Controls with detailed, exportable event logs for investigations and audits.
- Alignment with the NIST Cybersecurity Framework to structure governance and controls.
Identity tooling does not make you “HIPAA compliant” on its own; compliance depends on your full program. Use OneLogin to implement the Security Rule’s administrative, physical, and technical safeguards in a coordinated way.
Executing a Business Associate Agreement
If OneLogin will create, receive, maintain, or transmit ePHI as part of your workflows, you must execute a Business Associate Agreement. The BAA defines permitted uses and disclosures, required safeguards, breach notification duties, subcontractor flow-downs, and termination provisions. It ensures both parties understand responsibilities for protecting PHI and cooperating during incidents or audits.
What to confirm in the BAA
- Scope: which services and environments are in scope for ePHI, including data residency and support interactions.
- Safeguards: administrative, physical, and technical protections, including encryption controls and access restrictions.
- Breach and incident handling: timelines, content of notices, investigation cooperation, and remediation steps.
- Subcontractors: requirements to bind subprocessors to equivalent HIPAA obligations.
- Termination: return or destruction of PHI, continued protections, and transition assistance.
- Audit and documentation: right to receive security documentation and to validate controls during assessments.
Relationship to a Data Processing Addendum
A Data Processing Addendum addresses personal data under privacy laws such as the GDPR. A BAA addresses PHI under HIPAA. Many healthcare organizations need both. Ensure the BAA governs ePHI protections, while the DPA governs broader personal data—avoiding overlaps or gaps between the two agreements.
Practical steps to execute
- Map where ePHI may flow through identity, logs, or support channels and determine the covered services.
- Review the provider’s standard Business Associate Agreement and request any necessary addenda for your risk profile.
- Limit PHI in tickets and logs; designate secure channels for support and incident coordination.
- Document the accountable owner, renewal cycle, and evidence needed for audits.
Core Security Features Overview
Identity lifecycle and least-privilege access
Automated provisioning and deprovisioning enforce Least-Privilege Access by assigning only the roles and apps a user needs. Group-based policies and approval workflows reduce entitlement creep, while scoped administrator roles separate duties for higher-risk tasks like policy edits or app catalog changes.
Multi-Factor Authentication
OneLogin supports a range of MFA factors and step-up challenges based on risk, device posture, network, or app sensitivity. Enforce phishing-resistant methods for administrators and ePHI apps, require MFA re-prompt on privilege elevation, and set recovery processes that avoid insecure bypasses.
Encryption controls and transmission security
All console and user access occurs over TLS, and SAML/OIDC tokens are signed (and optionally encrypted) using strong cryptography. Configure certificate rotation, strict protocol ciphers, and HSTS for connected applications to maintain robust Encryption Controls across the sign-in path.
Audit controls and reporting
Audit Controls include detailed logs of user sign-ins, factor changes, policy modifications, app launches, API usage, and admin actions. Retain and export these events to your SIEM for correlation with endpoint and network telemetry, and maintain evidence for investigations and compliance audits.
Application access policies
Conditional access enables device, location, and risk-based rules per application. Set session lifetimes, restrict high-risk networks, and require step-up MFA for apps that handle ePHI. Use app tags and groups to keep regulated resources clearly segregated from general productivity tools.
Vigilance AI Risk Analysis
Vigilance AI analyzes authentication behavior to surface risky events in real time. Signals such as impossible travel, atypical device fingerprints, new geographies, repeated failures, and suspicious IP reputation feed a risk score that can silently block access or trigger step-up MFA.
Configurable, action-oriented policies
- Block high-risk sign-ins outright for ePHI applications and privileged admin roles.
- Require stronger MFA factors when risk is elevated or when users change sensitive settings.
- Quarantine unfamiliar devices until verified by an administrator or via device trust checks.
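As an added illustration of how the signals and policies above combine (this is example code written for this page, not OneLogin's Vigilance AI logic, whose scoring is not published), the Python below scores constructed sign-in events on impossible travel, new device, repeated failures and IP reputation, then maps the score to allow / step-up MFA / block, with a lower block threshold for ePHI applications. The weights, the 900 km/h travel limit, the 10-minute failure window and the thresholds are assumed values to tune against your own baseline.

```python
import math
from dataclasses import dataclass

@dataclass
class SignIn:
    user: str
    ts: int        # unix seconds
    lat: float
    lon: float
    device: str
    ok: bool       # did the credential check succeed?
    ip_rep: str    # "clean" or "suspicious" (stand-in for an IP reputation feed)

# Illustrative weights, not OneLogin's; tune against your own baseline.
WEIGHTS = {"impossible_travel": 60, "new_device": 20,
           "repeated_failures": 20, "ip_reputation": 30}

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def risk_signals(event, history):
    """Names of the signals that fire for one sign-in, given the user's prior events."""
    fired = ["ip_reputation"] if event.ip_rep == "suspicious" else []
    prior = [e for e in history if e.user == event.user and e.ts < event.ts]
    if not prior:
        return fired                   # no baseline yet for the behavioural signals
    last = max(prior, key=lambda e: e.ts)
    hours = (event.ts - last.ts) / 3600
    km = haversine_km(last.lat, last.lon, event.lat, event.lon)
    if km / hours > 900:               # faster than any commercial flight
        fired.append("impossible_travel")
    if event.device not in {e.device for e in prior}:
        fired.append("new_device")
    if sum(1 for e in prior if not e.ok and event.ts - e.ts < 600) >= 3:
        fired.append("repeated_failures")
    return fired

def decide(event, history, app_is_ephi):
    """Map the risk score to an action; ePHI apps get a lower block threshold."""
    signals = risk_signals(event, history)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= (60 if app_is_ephi else 80):
        return "block", signals
    if score >= 20:
        return "step_up_mfa", signals
    return "allow", signals

# Constructed sample history: one clean sign-in for alice, three failures for bob.
HISTORY = [
    SignIn("alice", 0, 40.7128, -74.0060, "laptop-1", True, "clean"),
    SignIn("bob", 100, 37.7749, -122.4194, "desktop-2", False, "clean"),
    SignIn("bob", 200, 37.7749, -122.4194, "desktop-2", False, "clean"),
    SignIn("bob", 300, 37.7749, -122.4194, "desktop-2", False, "clean"),
]
```

Every decision returns the signals that fired alongside the action, so the same record can be forwarded to the SIEM as the auditable event the section describes.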
Feeding your risk management process
Use Vigilance AI findings in your ongoing HIPAA risk analysis to quantify threats, evaluate control effectiveness, and prioritize remediation. Forward alerts and events to your SIEM to unify detection and response, then document outcomes for audits and security committee reviews.
Alignment with NIST Cybersecurity Framework
Function-by-function mapping
- Identify: app inventory via the catalog, role definitions, and access mapping support asset and risk identification; BAAs and DPAs clarify third-party risk.
- Protect: MFA, policy-based access, encryption controls, and least-privilege entitlements reduce the blast radius of compromised credentials.
- Detect: Vigilance AI and continuous sign-in monitoring highlight anomalies; audit logs provide forensic visibility.
- Respond: Automated lockouts, step-up challenges, and admin workflows enable rapid containment and notification.
- Recover: Break-glass accounts, configuration backups, and documented procedures expedite identity service restoration and post-incident reviews.
Referencing the NIST Cybersecurity Framework gives you a common language for leadership and auditors, while OneLogin supplies the technical enforcement points to turn policy into practice.
Administrative Safeguards Support
HIPAA’s Administrative Safeguards call for risk analysis and management, assigned security responsibility, workforce security, information access management, security awareness and training, contingency planning, and periodic evaluation. OneLogin supports these processes by standardizing how users get, use, and lose access to regulated applications.
Workforce security and access management
Automate onboarding, transfers, and offboarding to minimize dormant accounts. Apply approval workflows for privileged roles and schedule regular access reviews to validate least-privilege. Segregate duties by using narrowly scoped admin roles for tasks like factor resets or policy maintenance.
Security management process
Use risk analytics, policy exceptions, and log trends to inform your formal risk register. Capture evidence of control operation—MFA enrollment rates, blocked anomalies, and access review outcomes—to support evaluations and audits under your compliance calendar.
Contingency and operations
Create break-glass credentials with limited scope and strong protections, test recovery procedures, and define support paths that avoid sharing PHI. Document configuration baselines and change control so identity policies recover predictably after incidents or rollbacks.
Technical Safeguards and Audit Controls
HIPAA’s Technical Safeguards focus on access control, unique identification, emergency access, automatic logoff, encryption and decryption, integrity, authentication, and transmission security—augmented by robust Audit Controls. OneLogin provides policy-based mechanisms to enforce these expectations consistently across integrated applications.
Access controls
- Enforce unique user IDs with SSO; prohibit shared accounts for ePHI apps.
- Apply role-based and attribute-based policies to ensure Least-Privilege Access.
- Configure automatic session timeouts and re-authentication for sensitive operations.
- Maintain emergency access procedures via tightly controlled break-glass accounts.
Encryption and integrity
Protect data in transit with modern TLS and sign (optionally encrypt) identity assertions to prevent tampering. Rotate certificates and keys on a defined cadence, and monitor for weak ciphers or protocol downgrades as part of your Encryption Controls.
Person or entity authentication
Require Multi-Factor Authentication for all users, with stronger, phishing-resistant methods for administrators and ePHI applications. Use device trust and risk scoring to verify that entities are who—and what—they claim to be.
Transmission security
Restrict legacy protocols, enforce HTTPS for all apps behind SSO, and apply conditional network policies. For remote access tools integrated via SSO, require step-up MFA and short session lifetimes to limit exposure.
Audit controls
Enable comprehensive logging for sign-ins, policy changes, app launches, factor events, and API calls. Export immutable, time-stamped logs to your SIEM, define retention aligned to your records policy, and rehearse search queries you will need during investigations.
Recommended HIPAA configuration checklist
- Execute a Business Associate Agreement that clearly defines covered services and safeguards.
- Adopt a Data Processing Addendum where other privacy laws apply, ensuring no gaps with the BAA.
- Mandate MFA for all users; require phishing-resistant factors for admins and ePHI apps.
- Implement least-privilege roles, approval workflows, and quarterly access recertifications.
- Segment regulated applications into dedicated groups with stricter conditional access.
- Set short session lifetimes and enforce step-up authentication on sensitive actions.
- Rotate SAML/OIDC signing certificates and review cipher suites regularly.
- Enable comprehensive Audit Controls and forward logs to your SIEM with defined retention.
- Tune Vigilance AI thresholds; block high-risk events for ePHI and privileged roles.
- Create and test break-glass procedures; document recovery steps and ownership.
Summary and next steps
With a signed BAA, disciplined configuration, and continuous monitoring, OneLogin can support your HIPAA program by enforcing MFA, least-privilege access, encryption controls, and comprehensive audit controls—guided by the NIST Cybersecurity Framework. Treat identity as a core security boundary, measure outcomes, and iterate your controls as your environment and threats evolve.
FAQs
What HIPAA requirements does OneLogin address?
OneLogin helps you implement the HIPAA Security Rule’s technical and administrative safeguards: strong authentication, access control, encryption in transit, continuous monitoring, and detailed audit controls. It centralizes policy enforcement and evidence collection but must be paired with your policies, workforce training, vendor management, and physical safeguards to satisfy the rule holistically.
How does OneLogin support Business Associate Agreements?
When its services are used with ePHI, OneLogin offers to execute a Business Associate Agreement that defines permitted uses, security safeguards, breach notification, subcontractor obligations, and termination terms. You should confirm the covered services, limit PHI in support channels, and retain BAA documentation for audits.
What security features does OneLogin provide for compliance?
Core capabilities include Single Sign-On with policy-based access, Multi-Factor Authentication, least-privilege role management, encryption controls for tokens and transport, conditional access, device and network restrictions, and comprehensive audit controls with SIEM export. These controls support HIPAA and align with the NIST Cybersecurity Framework.
How does Vigilance AI enhance HIPAA security?
Vigilance AI performs risk analysis on sign-ins using signals like geovelocity, device reputation, and anomalous behavior. It can automatically block high-risk attempts or require step-up MFA, generating auditable events that feed your risk management, detection, and incident response processes.