Guide for HIPAA Entities

Onna, through its enterprise-level product plans, is able to offer Covered Entities and Business Associates a way to use Onna Services (the “Services”) in a manner consistent with their compliance obligations. Onna customers that are subject to the Health Insurance Portability and Accountability Act (“HIPAA”) and intend to transmit, upload, or communicate about protected health information (“PHI”) through the Services whether as Covered Entities and Business Associates must have entered into a Business Associate Agreement (“BAA”) with Onna and use the Services in accordance with the Requirements Section of this Guide for HIPAA Entities (“Guide”).

In addition to the Requirements for entering PHI through the Services, this Guide contains important configuration considerations. Please read this entire document and ensure that the limitations conform with your intended use of the Services. You must ensure that your users (as defined by HIPAA) are familiar with these requirements and limitations before provisioning access to them.

We may update or revise this Guide from time to time. For more information about your company’s BAA with Onna or this Guide, please contact your Onna account executive or customer success representative. Capitalized terms not defined in this Guide have the meanings given to them in HIPAA.

Requirements

Prerequisites to BAA Coverage

1. Enterprise-Level Onna Plan: You must purchase an enterprise-level Onna plan. Onna’s enterprise plans offer capabilities for administrators to monitor and remove activity and content from your Onna site.
   

2. Written Notice to Onna of Permitted Site: To ensure your Onna site is properly provisioned and supported, you must notify Onna in advance in writing of the name and URL of each site with which you intend to submit, collect, or use PHI. Onna will provision the sites that have been designated by you as those which will submit, collect, or use PHI, including new sites later created within that organization. Please note that BAA coverage will NOT automatically extend to every site created using the Site Manager feature of Onna.
   You may provide notice by contacting your account executive or customer success representative in writing (email permitted) and listing the sites needing a HIPAA environment. Onna sites will not be covered by your BAA until you have given this notice and received written confirmation from Onna.
   

3. Written Confirmation from Onna of Site Provisioning: Once Onna has confirmed in writing (including by email) that your organization’s sites are approved, the BAA will apply to them.

Required Onna Use Limitations for PHI

By purchasing Onna, you have available the full capabilities of the purchased Services. However, if you or your users transmit, upload, or communicate about PHI through the Services, you must comply with the following limitations:

1. Onna Users. The Services are designed for work management but may not be used to send data to patients, plan members, or their families or employers. Patients, plan members, and their families or employers may not be added as users or guests to any Onna sites, workspaces, sources, or exports.

2. PHI-Prohibited Onna Fields. Users may not include PHI in any field that may be transmitted outside of Onna. Examples include, but are not limited to:

   1. Onna user profiledata

   2. URL domain or Site names

   3. Authorized Connection or Cloud Transfer credential names

   4. Workspaces

   5. Source names

   6. Folder or file names

   7. Any message sent with a shared workspace, source, export, search query, advanced search or file

   8. Saved search query names or search parameters (basic & advanced)

   9. Tags or custom fields

   10. Preservation names

   11. Source hold names

   12. Export names

   13. Matter names

   14. Subject, name, and contents of notifications, or notification templates

   15. User groups names

3. Users may include PHI in the data collected into Onna.

4. Support Requests. When initiating a support request through any means users must not include any PHI in the support request or attach any screenshots or documents that include PHI.

5. External Sharing: External Sharing allows data from Onna to be shared with users from different companies. If you enable External Sharing to share data between two separate organizations, you must ensure that you have the appropriate permissions and security, where necessary, to share PHI with such recipients and that such communications comply with applicable legal requirements.

Configuration and Use Considerations

We hope you will find Onna makes your work life simpler and more productive. This section highlights some Onna features and limitations we would like you to be aware of as you consider how to configure and use Onna consistent with your HIPAA compliance obligations and risk analysis:

1. Session Management. Configure use of single sign-on (“SSO”) to manage access and authorization for Onna users. Please see Onna’s guides to SAML Configuration for more information.

2. Use of Audit Logs and Data Loss Prevention Tools. Onna provides audit logs to support monitoring of access, activity, and data across your site. You are responsible for using those audit logs to implement your own processes for monitoring your users’ use of Onna.

3. Notifying Your Workforce. The Services does not include tools to communicate your HIPAA requirements, including those in this Guide, to your users. It is your responsibility to communicate HIPAA requirements, including those in the Guide to your users.

4. Adding Users. Onna allows you to set custom permissions for users as you add them to your site and/or share any data within Onna. Prior to adding a new user or sharing any data with a new user, confirm that the user has the appropriate permissions. When a user is added to a preservation, workspace, source, export, saved search query, advanced search, file or folder, the user can see all content in the area shared with them, including data that was collected before the user was added. Thus, before adding a new user to your site or sharing any data, confirm access to all content is appropriate. In addition, do not include PHI in any custom invitations to users notifying them of an invitation to join your site or access data in Onna.

5. Onna Connectors. Onna provides connectors to 3rd party platforms (where your data originates) that integrate with the Services. Onna does not have a BAA with these third parties. It is your responsibility to determine whether a BAA between your company and such third parties is necessary and, if so, handle execution of such directly with the third party. You may choose to restrict certain connectors you have determined are not necessary for your site. For more information on source configuration visit the Help Center guide, How to Manage Source Preferences.

6. Data Backup and Emergency Access. You are responsible for implementing backup and recovery procedures for emergency access and archiving of PHI. Services should not be your primary data repository of PHI data since the data is a synchronized data set. Onna cannot serve as your system of record for PHI.

7. Data Retention. You should customize your data retention policies according to your needs and HIPAA obligations. Unless earlier deleted by a member of your site or in accordance with your sync settings, Onna will maintain your data for thirty (30) days after your commercial agreement with Onna expires or is terminated. You are responsible for obtaining a copy of any data you wish to retain within thirty (30) days following the expiration or termination of that agreement.