Framework: HIPAA
Okta backup and disaster recovery for HIPAA
HIPAA Administrative and Technical Safeguards require documented controls and contingency planning for the identity layer that gates PHI access. Butterfly is the disaster-recovery layer for that identity layer.
Scope
In-scope control families
- 164.308(a)(1) — Security Management Process
- 164.308(a)(7) — Contingency Plan
- 164.312(a)(1) — Access Control
Coverage mapping
How Butterfly maps to HIPAA
164.308(a)(7)(ii)(A) — data backup plan
Scheduled, encrypted, point-in-time Okta backups with retention per plan.
164.308(a)(7)(ii)(B) — disaster recovery plan
Restore preview + dry-run + readiness score; restore is provable, not theoretical.
164.308(a)(7)(ii)(D) — testing and revision procedures
Restore preview is non-mutating; the operation is audit-logged and shows up in the Audit Pack.
FAQ
Does Butterfly access PHI?
No. Butterfly handles Okta configuration data only — users, groups, policies, app assignments.
Will you sign a BAA?
Yes. Contact us via butterflysecurity.org/contact to start the BAA conversation.
Where is configuration data stored?
In your designated Cloudflare R2 region. Encrypted at rest. Documented in the Trust Center.