Orvoxa offers hosting suitable for Protected Health Information (PHI) on the Enterprise tier, under a signed Business Associate Agreement (BAA). Note that there is no official HIPAA "certification"; what the BAA establishes is Orvoxa's obligations as a business associate for the infrastructure layer.
Prerequisites
- Enterprise plan (applies to both shared and cloud deployments).
- Signed BAA — download, sign, and upload at Account → Compliance → BAA.
- Regional restriction: the tenant must be provisioned in the US-East or US-West data centers only. PHI is not stored or processed in any other region.
What changes
- All storage is encrypted at rest with AES-256, using a separate KMS key per tenant so that one tenant's key material never covers another tenant's data.
- All database traffic is forced over TLS 1.3; connections that attempt to negotiate a lower protocol version are refused by the server.
- Audit logs are retained for 6 years (the standard plan retains 90 days). Six years matches the HIPAA documentation retention period in 45 CFR 164.316(b)(2).
- Support access requires a named technician, MFA, and session recording; there is no anonymous or shared support login into a BAA tenant.
- Backups are replicated to a second region that also meets the regional restriction above (US-East or US-West).
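The TLS 1.3 enforcement above is a server-side policy. The check a practitioner should add on their side is a client that also fails closed below TLS 1.3, so that a misrouted or misconfigured endpoint produces a handshake error rather than a silently weaker session. The example below is added here and is not Orvoxa code; the hostname and port are placeholders (Orvoxa does not publish them on this page), and it applies to endpoints that speak TLS from the first byte. Database drivers that negotiate TLS inside their own protocol (STARTTLS-style) need the equivalent minimum-version setting in the driver instead.

```python
import socket
import ssl

# Placeholders, not Orvoxa hostnames: substitute your tenant's endpoint.
DB_HOST = "db.example.invalid"
DB_PORT = 443


def build_tls_context(ca_file=None):
    """Client-side TLS policy that refuses anything below TLS 1.3.

    Pinning the minimum on the client is independent of the server policy:
    if the server ever stops enforcing TLS 1.3, or traffic is routed to a
    different endpoint, the handshake fails instead of downgrading.
    """
    # create_default_context() enables certificate verification and
    # hostname checking; ca_file=None uses the system trust store.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def policy_summary(ctx):
    """Return the effective policy as plain values, for logging or asserting."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "maximum_version": ctx.maximum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def negotiated_version(host, port, ctx=None, timeout=5.0):
    """Connect, complete the handshake, and return the negotiated version
    string (expected 'TLSv1.3'). Raises ssl.SSLError if the peer cannot
    meet the policy, or OSError if the connection itself fails."""
    ctx = ctx or build_tls_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print(policy_summary(build_tls_context()))
    try:
        print("negotiated:", negotiated_version(DB_HOST, DB_PORT))
    except (ssl.SSLError, OSError) as exc:
        # With the placeholder host this branch is expected; against a
        # real tenant endpoint an SSLError here means the policy was not met.
        print("handshake failed:", exc)
```

Run it once against your tenant's endpoint after the BAA is in place and keep the summary in your own configuration review evidence; a result other than TLSv1.3 is a finding, not a warning.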
What you still need to handle
Application-layer PHI handling (minimum-necessary access, not writing PHI into application logs or third-party services), access controls and authentication for your own users, and a defined audit-log review cadence. Any subcontractor you give access to PHI needs its own BAA with you. HIPAA is a shared-responsibility model: Orvoxa secures the infrastructure, you secure the application and its users.