Is Notion HIPAA Compliant?

Notion is a productivity app offering a range of organizational tools such as task management, project tracking, and web bookmarking. A large number of organizations, including healthcare organizations, use Notion for tasks such as project management, collaboration, and documentation.

The good news is that Notion can be used in a way that is HIPAA compliant. However, healthcare organizations should note that Notion’s basic plans are not suitable for handling PHI. In order to comply with HIPAA’s technical safeguarding requirements, specific configuration settings must be applied within Notion.

Notion can be configured to support the following security measures:

• Access Control
• Unique User Identification
• Emergency Access Procedure
• Automatic Logoff
• Audit Controls
• Integrity Controls
• Person/Entity Authentication

To make their Notion workspace HIPAA compliant, users must take the steps that effectively enable these security measures.

Will Notion Sign a BAA Agreement?

To comply with HIPAA, third-party vendors must have a Business Associate Agreement (BAA) in place with their partners.

Notion does offer a BAA that governs the protection of all Personal Health Information (PHI) stored in Notion. However, the BAA is only available to customers that are subscribed to Notion’s Enterprise plan and have more than 100 members.

Also note that, in meeting the terms of the BAA agreement and maintaining compliance with HIPAA, certain Notion features are not usable. These restricted features include Notion Calendar and Cron-related features, and the Notion AI Add-on.

Can You Store PHI or Patient Data in Notion?

Notion is designed as a general-purpose organization and collaboration tool. The standard plans are not designed, or able, to meet the stringent data security requirements of HIPAA, particularly around safeguarding PHI.

‍

‎‎PHI and sensitive patient data can be stored in Notion, but only by organizations on an Enterprise plan that is configured specifically to safeguard PHI. Without implementing these required configuration settings, you risk non-compliance with HIPAA and open yourself up to significant litigation and legal risks.

Can PHI/Patient Data Be Leaked from Notion?

Considering Notion’s use as a collaboration tool, where data can be easily shared, collaborated and exported concerns over data leaks are warranted. There are legitimate concerns over unauthorized access, but leaks of PHI and patient data from Notion could arise from multiple failures including misconfigured permissions and data interceptions.

At a minimum, the safe handling and effective safeguarding of PHI in Notion requires a BAA and a HIPAA compliant configuration.

How Can Strac Prevent Data Leaks from Notion?

The Strac Notion DLP app prevents data leaks, by automatically detecting and redacting sensitive data in messages and files from Notion pages, blocks, and comments.

1. The app operates on a list of sensitive data elements, including; SSN, DoB, Drivers Licence, Passport, Credit and Debit card #, API Keys, etc. This list can be configured to further tailor it to the specific needs of your organization.
2. Once the list of sensitive data elements is set, the Notion DLP App detects sensitive messages & files across Notion pages, blocks, databases, and comments.
3. The Notion DLP app then masks (redacts or removes) sensitive Notion messages and files, whilst allowing authorized users to view those messages/files in the Strac UI Vault.

‍

‎The Strac Notion DLP adds an additional layer of security to Notion workspaces. This is a solution that is built around Strac’s extensive experience in securing Endpoint & SaaS apps.

• Immediate Alerts and Continuous Monitoring: Strac provides instant notifications and constant monitoring for any unauthorized activities or data movements.
• Enhanced Detection of Sensitive Data: Leveraging sophisticated machine learning algorithms, Strac precisely identifies sensitive data, ensuring complete protection against data leaks.
• Continuous Sensitive Data Scanning: Strac guarantees the thorough data security and management that’s required for locating and safeguarding your catalog of sensitive data elements.
• Advanced Redaction Capabilities: With superior editing tools, Strac effectively removes sensitive information to mitigate the risk of unintended data exposure.
• Granular Access Controls: Strac offers detailed access management settings, allowing only approved users to access sensitive information, significantly minimizing the chance of data breaches.
• Broad Platform Support: As well as Notion, Strac ensures security across various platforms. Keep sensitive information safe by checking Strac's developer documentation.

‍

Learn more about how Strac can help organizations comply with HIPAA with ‎our guide to HIPAA Compliance and our complete range of DLP integrations.

Schedule a free 30-minute demo to learn more.

‍