The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that was enacted in 1996 that requires the protection and confidential handling of protected health information (PHI) by covered entities such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates.
This article provides users required product configurations to make their Notion workspace HIPAA compliant.
Note: Notion's Business Associate Agreement (BAA) governs the protection of Personal Health Information (PHI) that is stored in the Notion Service. To be eligible to sign Notion’s BAA, you must subscribe to our Enterprise Plan.
Notion Calendar and any Notion Calendar features are not covered by the BAA and therefore may not be used or deployed in a manner that processes protected health information.
To the extent that any language on this page and language found in the BAA conflict at any time, the BAA shall control.
Notion's Supporting Configurations
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights
Notion’s SAML SSO is built upon the SAML 2.0 standard, connecting your Identity Provider (IdP) and workspace(s) for an easier, more secure login experience. Notion supports official configurations for SAML SSO with: Azure, Google, Gusto, Okta, OneLogin, and Rippling.
• Link additional workspaces: If you have more than one workspace you’d like to configure with SSO, you can do so by reaching out to firstname.lastname@example.org.
Once properly configured, any members signing into your workspace(s) will need to use the verified domain and will need to be authenticated through your identity provider. Enterprise workspace owners are able to bypass by using an alternative login method in case there’s an IdP/SAML SSO failure.
Unique User Identification
Assign a unique name and/or number for identifying and tracking user identity
Notion has a SCIM API which can be used to provision, manage, and de-provision members and groups. Workspace owners can find the required API key by going to
Emergency Access Procedure
Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
Content search provides Enterprise workspace owners with visibility into workspace content to improve governance of the workspace and resolve page access issues:
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity
Set custom session duration: Notion has a default session duration of 180 days. This means all users automatically get logged out if they have stayed logged in for 180 consecutive days. Workspace owners can customize their session duration from 1 hour to 180 days.
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Enterprise workspace owners have access to an Audit Log (under
This can be especially helpful for identifying potential security issues, investigating suspicious behavior, and troubleshooting access. The workspace audit log can be exported in CSV format.
Enterprise customers can also utilize our Data Loss Prevention (DLP) partner integrations to discover, classify, and protect sensitive data in Notion.
Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
Disable public page sharing: This will disable the Share to web option in the Share menu on every page in this workspace.
Person or Entity Authentication
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Disable profile changes: This prevents managed users from changing their own profile information to avoid impersonations.
Data Retention & Disposal
Implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored
There isn't a way to empty your trash all at once. You can go into the trash to delete pages permanently individually. After you delete the page from the Trash, it will be deleted from Notion’s servers after 30 days.
We keep backups of our database, which allows us to restore a snapshot of your content in the past 30 days if you need it.
Implement technical security measures to guard against unauthorized
Encryption at rest: Customer data is encrypted at rest using AES-256. Customer data is encrypted when on Notion’s internal networks, at rest in Cloud storage, database tables, and backups.
Note: Enterprise workspace owners are able to bypass by using an alternative login method in case there’s an IdP/SAML SSO failure.
HIPAA compliance is available free of charge to customers on an Enterprise Plan with more than 100 members.
Customers must agree to Notion's Business Associate Agreement and utilize Notion in a manner that complies with HIPAA, the BAA, and the HIPAA Product Configuration Guide.
Reach out to our team for more information at email@example.com.
Notion may not be used to communicate with patients, plan members, or their families or employers.
Users may not include PHI in any of the following fields or functionality:
Workspace or organization names
Name of user groups
Support requests and attachments to a support request must not include any PHI.
Notion AI Add-on and any Notion AI features may not be used/deployed in a workspace that has signed a BAA and such features are not subject to Notion’s commitments in the BAA.
Cron and any Cron features are not covered by the BAA and therefore should not be used/deployed in manner that collects or processes protected health information.
Yes, previously enabled apps will remain enabled. Admins should review existing integrations used to ensure they are compliant. Admins can choose to disable the addition of new integrations that are not allowlisted.