HIPAA-aligned. By design.
Orella was built as a healthcare platform from line one. Security and privacy aren't a feature set we added — they're the foundation every part of the product inherits.
Encryption everywhere
Your data is encrypted at rest in our database and in transit between every device, server, and service. Plaintext PHI never sits anywhere.
Strong authentication
Patients, physicians, and administrators each authenticate through systems sized to their role. Passwords are salted and hashed — never stored or logged.
Role-based access
Every request checks identity and permission. Patients see only their own data. Physicians see only patients who initiated contact. Admins access PHI only with written justification.
Automatic session timeouts
Idle sessions log out automatically. Clinical panels have stricter timers than patient apps, in line with HIPAA technical safeguards.
Comprehensive audit logging
Authentication events, PHI access, and clinical actions are recorded with actor, timestamp, and outcome. Logs are retained for the periods HIPAA requires.
US data residency
All PHI is stored and processed in the United States. No cross-border transfer. No offshore processing for clinical reasoning.
Incident response plan
A written Incident Response Plan defines who acts, when, and how — aligned to HIPAA’s Breach Notification Rule. Vendors with PHI access are bound by Business Associate Agreements.
Secure cloud infrastructure
Built on enterprise cloud infrastructure with HIPAA-eligible services, automated backups, and isolated production environments.
Minimal data sharing
We don’t sell your data. We don’t use PHI for marketing. AI clinical reasoning runs on pseudonymized inputs wherever possible.
Your Data, Your Rights
You stay in control of your health information.
HIPAA and state privacy laws give you specific rights. We honor them, and we make exercising them straightforward.
Right to access
View your case history, consult notes, and uploaded documents anytime in the Orella app.
Right to a copy
Request a portable copy of your data in a machine-readable format.
Right to correct
Update your profile, allergies, conditions, medications, and surgical history directly.
Right to delete
Non-clinical data can be deleted on request. Clinical records follow legally required retention periods.
Right to revoke consent
Opt out of SMS by replying STOP. Withdraw account-level consent any time.
Right to file a complaint
Reach our Privacy Officer or HHS Office for Civil Rights directly. No retaliation.
To exercise any of these rights, contact our Privacy Officer at admin@orellahealth.com.
Questions about our security?
Privacy officers, IT teams, and procurement reviewers — we'll share documentation and answer specifics.
Contact our Privacy Officer