HIPAA configuration
Learn about how to make your Notion workspace HIPAA compliant, and how to enable HIPAA compliance 🏥
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted in 1996 that requires the protection and confidential handling of protected health information (PHI) by covered entities such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates.
This article provides the product configurations required to make your Notion workspace HIPAA compliant.
Note: Notion's Business Associate Agreement (BAA) governs the protection of Personal Health Information (PHI) that is stored in the Notion Service. To be eligible to sign Notion’s BAA, you must subscribe to our Enterprise Plan.
Notion Calendar, any Notion Calendar features, and any Beta Services are not covered by the BAA and therefore may not be used or deployed in a manner that processes protected health information.
To the extent that any language on this page and language found in the BAA conflict at any time, the BAA shall control.
HIPAA requirement | Notion's supporting configurations
---|---
Access Control: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights. | Notion’s SAML SSO is built upon the SAML 2.0 standard, connecting your Identity Provider (IdP) and workspace(s) for an easier, more secure login experience. Notion supports official configurations for SAML SSO with: Azure, Google, Gusto, Okta, OneLogin, and Rippling. Link additional workspaces: If you have more than one workspace you’d like to configure with SSO, you can do so by reaching out to team@makenotion.com. Once properly configured, any members signing into your workspace(s) will need to use the verified domain and will need to be authenticated through your identity provider. Enterprise workspace owners can bypass SSO by using an alternative login method in case of an IdP/SAML SSO failure.
Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity. | Notion has a SCIM API which can be used to provision, manage, and de-provision members and groups. Workspace owners can find the required API key by going to
Emergency Access Procedure: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. | Content search provides Enterprise workspace owners with visibility into workspace content to improve governance of the workspace and resolve page access issues. Content search allows you to:
Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. | Set custom session duration: For managed users on the Enterprise Plan, Notion has a default session duration of 180 days. However, workspace owners can customize their session duration from 1 hour to 180 days.
Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. | Enterprise workspace owners have access to an Audit Log via This can be especially helpful for identifying potential security issues, investigating suspicious behavior, and troubleshooting access. The workspace audit log can be exported in CSV format. Enterprise customers can also use our Data Loss Prevention (DLP) partner integrations to discover, classify, and protect sensitive data in Notion.
Integrity Controls: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. | Disable public page sharing: This disables the Share to web option in the Share menu on every page in this workspace.
Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. | Disable profile changes: This prevents managed users from changing their own profile information, which helps to avoid impersonation.
Data Retention & Disposal: Implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored. | Custom data retention settings allow Enterprise workspace owners to control when users’ pages are deleted from Trash, and how long they can be retained afterwards. We keep backups of our database, which allows us to restore a snapshot of your content from the past 30 days if you need it.
Transmission Security: Implement technical security measures to guard against unauthorized | Encryption at rest: Customer data is encrypted at rest using AES-256. Customer data is encrypted when on Notion’s internal networks, at rest in Cloud storage, database tables, and backups.
Note: Enterprise workspace owners can bypass SSO by using an alternative login method in case of an IdP/SAML SSO failure.
To enable HIPAA compliance for your workspace:
Go to Settings in your sidebar → Workspace settings → HIPAA compliance → Activate.
A window will appear where you can read the full signed BAA before you select Accept.
Once you’ve accepted, you’ll see confirmation that HIPAA compliance has been enabled. You’ll also receive an email confirming that your workspace has accepted the HIPAA BAA.
If you’d like to turn off HIPAA compliance for your workspace:
Go to Settings in your sidebar → Workspace settings → HIPAA compliance → Deactivate.
In the window that appears, select Disable.
Once you’ve accepted, you’ll see confirmation that HIPAA compliance has been disabled. This means you can no longer store Protected Health Information (PHI) in your Notion workspace. You’ll also receive a confirmation email.
FAQs
What is the cost of enabling HIPAA compliance?
HIPAA compliance is available free of charge to customers on the Enterprise plan.
Customers must agree to Notion's Business Associate Agreement and utilize Notion in a manner that complies with HIPAA, the BAA, and the HIPAA Product Configuration Guide.
What are the product limitations of enabling HIPAA compliance?
Notion may not be used to communicate with patients, plan members, or their families or employers.
Users may not include PHI in any of the following fields or functionality:
Workspace or organization names
Teamspace names
File names
Account/user profile
Name of user groups
Support requests and their attachments must not include any PHI.
Notion Calendar, any Notion Calendar features, and any Beta Services are not covered by the BAA and therefore may not be used or deployed in a manner that processes protected health information.
Will integrations still be available?
Yes, previously enabled apps will remain enabled. Admins should review the existing integrations in use to ensure they are compliant. Admins can choose to disable the addition of new integrations that are not allowlisted.