Is Linear HIPAA Compliant? BAA, PHI, and Security Explained (2026)
If you work in a regulated healthcare environment, you need clear, up-to-date answers about using Linear with Protected Health Information (PHI). As of March 2026, Linear supports HIPAA compliance for Enterprise customers through a signed Business Associate Agreement (BAA) and a security program that includes encryption at rest, data transmission security, access controls, and audited processes. This guide explains how the BAA works, which encryption standards are in place, where to find compliance resources, how Linear differs from Linear Health, and practical steps to manage PHI responsibly.
Business Associate Agreement for Enterprise Customers
Who needs a BAA and when Linear will sign one
A BAA is required before you store, process, or transmit PHI in Linear. Linear signs BAAs with organizations on the Enterprise plan. Without an executed BAA, you should not place PHI in Linear. After the BAA is signed, your responsibilities continue: you must configure security features appropriately, train users, and minimize PHI wherever possible.
What the BAA typically covers
- Permitted and required uses/disclosures of PHI by Linear as a Business Associate.
- Administrative, physical, and technical safeguards aligned to HIPAA’s Security Rule.
- Breach notification duties and timelines, including incident cooperation and reporting.
- Subprocessor management, confidentiality, and flow-down obligations.
- Return or destruction of PHI upon contract termination and audit/verification rights.
How to prepare before executing a BAA
- Map PHI data flows and decide where PHI is truly necessary in issues, attachments, or comments.
- Define least‑privilege access by team and role; establish approval gates for creating or exporting PHI.
- Enable SSO/SAML, SCIM provisioning, and IP restrictions; lock down app approvals and tokens.
- Set internal guidelines (for example, “no PHI in titles,” PHI only in designated private teams).
Encryption Standards and Data Protection
Encryption at rest
Linear uses AES‑256 encryption at rest to protect stored data, including databases and backups. AES‑256 is the industry‑standard cipher for protecting sensitive records and supports HIPAA’s requirement for reasonable and appropriate safeguards.
Data transmission security
Linear enforces HTTPS and encrypts data in transit using modern TLS with forward‑secure cipher suites. TLS 1.2 remains widely deployed and accepted in regulated environments; TLS 1.3 is the current industry benchmark, and the negotiated protocol version is a point that enterprise security reviews commonly evaluate against internal data transmission policies.
Additional protections you can turn on
- Regional data hosting (United States or European Union) selected at workspace creation.
- Audit logs that track important workspace events for governance and investigations.
- Administrative controls: SSO, SAML, SCIM, domain claiming, login and IP restrictions.
Linear Trust Center and Compliance Resources
What you can access
Linear’s Trust Center centralizes security and compliance materials for customers and prospects. Typical resources include the SOC 2 Type II certification report (under NDA), the Data Processing Agreement, the BAA request workflow, security summaries, and subprocessor lists. Enterprise customers can also request pen test summaries and additional documentation as part of due diligence.
How to request documents
- Start in the Trust Center to request access and self‑serve standard documents.
- If you need a BAA or custom terms, coordinate through your account team.
- Keep your NDA ready; many third‑party reports require it.
Distinction Between Linear and Linear Health
Linear
Linear is a product development system (issues, projects, workflows) used by software and operations teams. HIPAA support is available to Enterprise customers with a signed BAA and proper security configuration. Teams should practice data minimization and confine PHI to restricted spaces.
Linear Health
Linear Health is a separate healthcare operations platform built for clinics and health systems. It is designed for PHI by default, signs BAAs with every customer, and advertises SOC 2 Type II certification, AES‑256 encryption at rest, and TLS 1.3 for data in transit. It also highlights HIPAA‑eligible cloud hosting and a 99.9% uptime target.
Which one should you choose?
- Use Linear (Enterprise + BAA) when your primary need is product/operations work management and you occasionally handle PHI in tightly controlled workflows.
- Choose Linear Health for clinical, referral, scheduling, or EHR‑connected workflows where PHI is central to day‑to‑day operations.
HIPAA Compliance Certification and Security Measures
There is no official government HIPAA certification
HIPAA does not offer or recognize an official “certification.” Compliance is demonstrated through documented safeguards, risk management, workforce training, and—where applicable—Business Associate obligations. Third‑party attestations can help, but they do not replace your legal responsibilities under HIPAA.
How SOC 2 Type II fits in
SOC 2 Type II is an independent audit conducted over a period of time that evaluates the design and operating effectiveness of security, availability, confidentiality, processing integrity, and privacy controls. It complements HIPAA by evidencing mature processes and monitoring, but it is not a substitute for HIPAA compliance.
Security measures that support HIPAA
- AES‑256 encryption at rest and strong data transmission security (TLS‑based HTTPS).
- Identity and access controls: SSO, SAML, SCIM, role‑based access, IP restrictions.
- Audit logging, incident response, vulnerability management, and vendor risk reviews.
- Data region selection, retention policies, and secure deletion on termination.
Accessing and Managing PHI with Linear
Configure for least privilege
- Create private teams for PHI work; restrict membership to a need‑to‑know basis.
- Enforce SSO and SAML; automate user lifecycle with SCIM to remove access promptly.
- Use IP restrictions and domain claiming to keep access within your network.
- Limit third‑party app approvals and tokens; review them regularly.
Minimize and compartmentalize PHI
- Adopt “no PHI in titles” and include PHI only in designated secure fields or attachments.
- Encrypt sensitive attachments and store only what you need to fulfill the task.
- Use tags or custom fields to mark PHI‑related issues for targeted audits.
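The “no PHI in titles” rule is easiest to keep when it is checked automatically before an issue is filed. The following is an added example, not Linear’s code or API: a small linter that scans a plain dictionary of issue fields (field names such as `title`, `description` and `comment` are assumed) for PHI‑like patterns, skips the fields you have designated as secure, and reports only the kind and position of each hit so the linter’s own output never copies PHI. The MRN format and the sample issues are constructed for illustration.

```python
"""Added example (not Linear's code): enforce a "no PHI in titles/comments"
rule by scanning issue fields for PHI-like patterns before submission.
The patterns are illustrative heuristics; the MRN format and the field
names are assumptions, not Linear's schema."""
import re
from dataclasses import dataclass

# Heuristic detectors for common PHI identifiers (constructed; tune for your data).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Assumed medical-record-number format: "MRN" followed by 6-10 digits.
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
    "phone": re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
}


@dataclass
class Finding:
    """One hit. Deliberately stores the kind and span, never the matched text,
    so linter output and logs do not themselves become a PHI copy."""
    field: str
    kind: str
    start: int
    end: int


def scan_text(field_name, text):
    """Return a Finding for every PHI-like match in one field's text."""
    findings = []
    for kind, pattern in PHI_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append(Finding(field_name, kind, m.start(), m.end()))
    return findings


def check_issue(issue, allowed_fields=("secure_notes",)):
    """Scan every string field of an issue except the designated secure
    fields (where PHI is permitted). Returns a list of Findings; an empty
    list means the issue passes the policy check."""
    findings = []
    for name, value in issue.items():
        if name in allowed_fields or not isinstance(value, str):
            continue
        findings.extend(scan_text(name, value))
    return findings


def redact(text):
    """Replace PHI-like substrings with a typed placeholder, e.g. for a
    sanitized copy of a title that may be shown to a wider audience."""
    out = text
    for kind, pattern in PHI_PATTERNS.items():
        out = pattern.sub(f"[REDACTED {kind.upper()}]", out)
    return out


# Constructed sample issues (hypothetical field names, fake identifiers).
SAMPLE_ISSUES = [
    {"title": "Fix scheduling bug for clinic intake form",
     "description": "Steps to reproduce: open intake form, submit twice."},
    {"title": "Follow up: MRN 0012345 missed appointment",
     "description": "Patient called the front desk."},
    {"title": "Billing dispute",
     "comment": "Patient SSN 123-45-6789, DOB 01/02/1980",
     "secure_notes": "SSN 123-45-6789"},  # permitted: designated secure field
]


def lint_all(issues=SAMPLE_ISSUES):
    """Return one findings list per issue, in input order."""
    return [check_issue(issue) for issue in issues]


if __name__ == "__main__":
    for idx, findings in enumerate(lint_all()):
        status = "OK" if not findings else "BLOCK"
        kinds = ", ".join(f"{f.field}:{f.kind}" for f in findings)
        print(f"issue {idx}: {status} {kinds}")
```

Wire `check_issue` into whatever creates issues on your side (an internal form, a CI step for templated issues, or a bot that reviews new issues); a non‑empty result blocks the submission or routes it to the designated private team. Because the secure field is skipped, the same identifier is tolerated where your policy allows it and rejected in a title or comment.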
Operations, audits, and lifecycle
- Monitor audit logs for access and administrative changes; review on a set cadence.
- Define retention windows for PHI and document secure deletion procedures.
- Route data subject requests through your designated privacy contact and support channels.
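Reviewing audit logs “on a set cadence” works best as a repeatable script rather than a manual scroll. The following is an added example, not Linear’s code or export format: it parses a constructed JSON‑lines audit export, pulls out the events that matter for a PHI review (privileged administrative changes, membership changes on PHI teams, and exports), and cross‑checks an HR offboarding list against `member.removed` events to catch accounts that SCIM did not deprovision promptly. All event names, field names and the 24‑hour deprovisioning threshold are assumptions; take the real schema from your workspace’s audit log documentation.

```python
"""Added example (not Linear's code): periodic review of an audit-log export.
The JSON-lines shape, action names and thresholds are assumptions for
illustration; substitute the real export format and your own policy values."""
import json
from datetime import datetime, timedelta, timezone

# Administrative actions that should always be eyeballed by a reviewer (assumed names).
PRIVILEGED_ACTIONS = {
    "member.role_changed",
    "sso.settings_changed",
    "api_token.created",
    "app.approved",
    "ip_restriction.changed",
}

# Constructed sample export: one JSON object per line, UTC timestamps.
SAMPLE_LOG = """
{"ts":"2026-03-02T09:00:00Z","actor":"admin@example.com","action":"member.role_changed","target":"bob@example.com","detail":"member->admin"}
{"ts":"2026-03-02T09:05:00Z","actor":"admin@example.com","action":"team.member_added","target":"bob@example.com","team":"phi-intake"}
{"ts":"2026-03-02T10:00:00Z","actor":"bob@example.com","action":"issue.exported","target":"phi-intake"}
{"ts":"2026-03-02T11:00:00Z","actor":"carol@example.com","action":"issue.created","target":"ENG-1"}
{"ts":"2026-03-03T08:00:00Z","actor":"scim","action":"member.removed","target":"alice@example.com"}
"""

# Constructed HR offboarding list: who left and when (tz-aware datetimes).
OFFBOARDED = {
    "alice@example.com": datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc),
    "dave@example.com": datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc),
}


def parse_events(text):
    """Parse JSON-lines into dicts with a timezone-aware datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def review(events, phi_teams, offboarded, max_lag=timedelta(hours=24)):
    """Build a review report: privileged changes, PHI-team membership changes,
    exports, and offboarded users whose access was removed late or not at all."""
    report = {"privileged": [], "phi_team_changes": [], "exports": [], "slow_deprovision": []}
    removal_times = {}
    for ev in events:
        action = ev["action"]
        if action in PRIVILEGED_ACTIONS:
            report["privileged"].append(ev)
        if action in ("team.member_added", "team.member_removed") and ev.get("team") in phi_teams:
            report["phi_team_changes"].append(ev)
        if action == "issue.exported":
            report["exports"].append(ev)
        if action == "member.removed":
            removal_times[ev["target"]] = ev["ts"]
    for email, left_at in offboarded.items():
        removed_at = removal_times.get(email)
        # Missing removal, or removal later than the allowed lag, is a finding.
        if removed_at is None or removed_at - left_at > max_lag:
            report["slow_deprovision"].append(email)
    return report


def run_sample():
    """Run the review over the constructed sample data."""
    return review(parse_events(SAMPLE_LOG), phi_teams={"phi-intake"}, offboarded=OFFBOARDED)


if __name__ == "__main__":
    rep = run_sample()
    for key, items in rep.items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("  ", item if isinstance(item, str) else f"{item['ts'].isoformat()} {item['action']} {item['target']}")
```

The deprovisioning check is the piece most reviews miss: SCIM removes access only when the identity provider sends the change, so comparing the HR leave date with the observed `member.removed` event is how you verify the “remove access promptly” control actually operated rather than assuming it did.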
Conclusion
Bottom line: Linear can be used in HIPAA‑regulated environments when you are on the Enterprise plan with a signed BAA and you configure security controls diligently. Its security program includes AES‑256 encryption at rest, modern TLS for data in transit, and SOC 2 Type II attestation. If your core workflows are healthcare‑specific and PHI‑heavy, evaluate Linear Health, which is purpose‑built for clinical operations. In every case, pair the platform’s controls with your own policies, training, and oversight to maintain compliance.
FAQs
Does Linear provide a BAA for HIPAA compliance?
Yes. Linear provides a Business Associate Agreement to Enterprise customers. You must have an executed BAA before placing PHI in Linear, and you’re responsible for configuring features like SSO/SAML, SCIM, IP restrictions, and private teams to meet your organization’s policies.
How does Linear encrypt data to protect PHI?
Linear uses AES‑256 encryption for data at rest and encrypts data in transit over HTTPS using modern TLS. Together, these controls protect stored records and secure network traffic carrying PHI.
What certifications does Linear Health hold for security?
Linear Health advertises HIPAA compliance and SOC 2 Type II certification, along with AES‑256 encryption at rest and TLS 1.3 for data transmission, and a 99.9% uptime target on HIPAA‑eligible cloud infrastructure.
How can customers access security and compliance documents?
Use the Linear Trust Center to request standard documents such as the SOC 2 Type II report, the Data Processing Agreement, and a BAA. Enterprise customers can also obtain additional materials under NDA through their account team. Linear Health provides similar resources via its security page and trust portal.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.