Last updated: October 2024
Okta created Identity-as-a-Service (IDaaS) and from the start has firmly believed in building a best-in-class enterprise-grade service. Infrastructure investments have been a priority at Okta from the beginning.
Today, Okta continues to invest in one of the most resilient, secure and “Always On” cloud architectures in the world. Overall, the Okta architecture uses a concept we call a “cell” as the largest unit of scale in the service. Each Okta “cell” encapsulates a full multi-tenant cloud service with extremely high availability. For more details on the architecture overall, see these papers:
An Insider Look: How Okta Builds and Runs Scalable Infrastructure
Scaling Okta to 50 Billion Users
The most difficult component of operating in a regulated environment is the definition of the scope boundaries. Organizations want to ensure that only required systems are included in any regulatory audit, as the expansion of scope incurs additional setup, maintenance, and cost. This drives the selection of an Identity vendor that can operate as a Business Associate to the customer.
HIPAA scoping also includes determining if the data being protected by your Information System is classified as Protected Health Information (PHI). PHI can be defined as information that “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, …and directly identifies the individual or there is a reasonable basis to believe …can be used to identify the individual.” [1]
[1] Paraphrased from HIPAA section 1171
To support the ability of Okta to execute a Business Associate Agreement (BAA) with customers, Okta has developed a solution that requires customers to sign a BAA prior to storing HIPAA-related information. Okta’s Regulated IDaaS Cell, which includes the core Okta service, aligns with HIPAA control requirements and is available for HIPAA customers. There are two main aspects in which the HIPAA solution differs from a standard Okta implementation.
HIPAA contains specific regulations regarding communication of data breaches, access to Protected Health Information, and financial reporting to the US Department of Health and Human Services. These regulations require Okta, upon request by any user, to provide a report of any time that a user's PHI was viewed by an Okta employee.
As a cloud service provider, Okta relies on external vendors to provide critical support for the Okta IDaaS product. More information on these external vendors, or sub-processors, is available at https://www.okta.com/trustandcompliance/#sub-processor-information. In order for Okta to handle PHI, we must also have agreements with our vendors who may be exposed to PHI as a result. These agreements typically come with additional costs or implementation requirements.
At an infrastructure level, within each cell, Okta uses strict internal traffic segmentation via Amazon Security Groups to ensure that data in motion between the different production services that make up our solutions cannot be viewed by unauthorized parties. This provides a high level of protection while maintaining fast network performance. Amazon’s interpretation of the HIPAA regulations requires us to add IPsec encryption between services as well, and Okta has deployed this technology within our Regulated cells. Okta already uses multiple levels of encryption within our product to provide equal protection; however, this trickle-down requirement adds additional cost and complexity.
Okta makes available a BAA for its customers who purchase Okta services that operate within the Regulated cell. To enter into a BAA with Okta, customers must choose to execute it prior to storing any Protected Health Information (PHI) within Okta’s Regulated cell.
In addition to being able to sign a HIPAA BAA, Okta offers the following features in its product and organizational policies to every customer regardless of cell location:
Configurable administrative controls available to the customer to:
The main benefit to a customer using Okta’s Regulated cells is that it enables a customer to take advantage of Okta’s additional safeguards to help them meet their HIPAA compliance needs. This is a unique capability that Okta offers to customers.
Okta is the World’s Identity Company. As the leading independent Identity partner, we free everyone to safely use any technology, anywhere, on any device or app. The most trusted brands trust Okta to enable secure access, authentication, and automation. With flexibility and neutrality at the core of our Okta Workforce Identity and Customer Identity Clouds, business leaders and developers can focus on innovation and accelerate digital transformation, thanks to customizable solutions and more than 7,000 pre-built integrations. We’re building a world where Identity belongs to you. Learn more at okta.com.