Is Notion HIPAA Compliant? What to Know About BAA, PHI, and Security


Kevin Henry

HIPAA

May 08, 2025

6 minutes read

HIPAA Compliance for Enterprise Plan Customers

Notion can support HIPAA requirements for Enterprise plan customers when specific controls are enabled and a Business Associate Agreement (BAA) is executed. Without a signed BAA, you should not store or process Protected Health Information (PHI) in Notion.

Think of HIPAA enablement in Notion as a shared responsibility. Notion provides platform safeguards and administrative controls, while you configure access, limit data sharing, and train users to handle PHI correctly. This approach ensures ePHI is only used in approved workspaces, by appropriate roles, and under auditable conditions.

Business Associate Agreement (BAA) Overview

A Business Associate Agreement (BAA) is the contract that allows Notion to act as your business associate for HIPAA purposes. It defines permitted and prohibited uses of PHI, security responsibilities, breach-notification obligations, and how subprocessors are handled.

What the BAA typically covers

  • Scope: Which Notion services and environments are in-scope for PHI once HIPAA is enabled.
  • Safeguards: Administrative, physical, and technical controls that protect PHI.
  • Breach response: Duties to investigate, mitigate, and notify without unreasonable delay.
  • Subprocessors: Requirements for downstream vendors that may handle PHI.

What the BAA does not cover

  • Unapproved or out-of-scope features you enable on your own.
  • Data shared publicly, exported to uncontrolled destinations, or sent to third parties not included in the BAA.
  • User behavior that circumvents security controls or violates your internal policies.

Enabling HIPAA Compliance in Notion

Step-by-step activation

  1. Confirm the Enterprise plan and execute a BAA with Notion before creating or importing any PHI.
  2. Request HIPAA enablement for your workspace and verify which features are in-scope under the BAA.
  3. Configure identity and access: enforce SAML Single Sign-On, strong MFA via your IdP, and least-privilege roles for spaces and databases.
  4. Set data governance rules: restrict public page sharing, limit guest access, and require private or team-restricted pages for PHI.
  5. Establish monitoring: enable audit logging, review access reports, and connect approved Data Loss Prevention (DLP) integrations.
  6. Operationalize controls: create SOPs for PHI handling, data retention, export reviews, and offboarding; train users before granting access.

Pre-go-live checks

  • Verify that email or push notifications will not expose PHI to unsecured channels.
  • Test workflows end to end (creation, search, comments, exports) to confirm PHI stays inside the HIPAA-enabled boundary.
  • Document owners, approvers, and incident-response contacts for your Notion workspace.

Product Use Limitations and PHI Restrictions

Even in a HIPAA-enabled workspace, you must minimize exposure and keep PHI in restricted areas. Do not place PHI in page titles, comments that trigger notifications, or file names that could appear outside the secure context.

  • Disable or tightly control public sharing and link-based access; PHI must remain private to authorized users.
  • Limit guest, external, or contractor access; use expiring access and require SSO for every user.
  • Review exports and backups; treat exported files as PHI and store them only in approved, encrypted repositories.
  • Avoid embedding third-party content that is not covered by the BAA; prefer native, in-scope features for PHI workflows.
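As an added example (not Notion's code and not part of the original article), the following Python audit implements two of the checks above in one pass: the pre-go-live review of public sharing and the rule that PHI must never appear in page titles. It assumes page objects in the shape Notion's search endpoint returns (a `public_url` field and one property of type `title`); the sample pages and the PHI title patterns are constructed for illustration and will need tuning per organization.

```python
import json
import re

# Constructed sample: page objects in the shape returned by Notion's /v1/search
# endpoint (object, id, public_url, properties.<name>.title[].plain_text).
# IDs, URLs and names are made up for this example.
SAMPLE_PAGES = json.loads("""
[
  {"object": "page", "id": "page-0001", "public_url": null,
   "properties": {"title": {"type": "title",
     "title": [{"plain_text": "Oncology intake checklist"}]}}},
  {"object": "page", "id": "page-0002",
   "public_url": "https://example.notion.site/page-0002",
   "properties": {"title": {"type": "title",
     "title": [{"plain_text": "Visit notes - J. Doe MRN 00483921"}]}}},
  {"object": "page", "id": "page-0003", "public_url": null,
   "properties": {"Name": {"type": "title",
     "title": [{"plain_text": "Follow-up DOB 03/14/1972"}]}}}
]
""")

# Heuristic patterns for identifiers that must not appear in a page title
# (constructed for illustration; extend to match your own PHI inventory).
PHI_TITLE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB\b.*\b\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

def page_title(page):
    """Join the plain_text runs of whichever property has type 'title'
    (the property name differs between plain pages and database items)."""
    for prop in page.get("properties", {}).values():
        if prop.get("type") == "title":
            return "".join(r.get("plain_text", "") for r in prop.get("title", []))
    return ""

def audit_pages(pages):
    """Return one (page_id, rule, evidence) finding per policy violation."""
    findings = []
    for page in pages:
        if page.get("object") != "page":   # search results may include databases
            continue
        pid, title = page["id"], page_title(page)
        if page.get("public_url"):         # non-null means publish-to-web is on
            findings.append((pid, "public_sharing", page["public_url"]))
        for label, pattern in PHI_TITLE_PATTERNS.items():
            if pattern.search(title):
                findings.append((pid, f"phi_in_title:{label}", title))
    return findings
```

Calling `audit_pages(SAMPLE_PAGES)` flags the publicly shared page, the MRN in its title, and the date of birth in the third page's title; in practice you would feed it the paginated results of the search endpoint and review each finding before go-live.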

Excluded Features from HIPAA Coverage

Your BAA defines the official scope. Treat any feature not explicitly included as out-of-scope for PHI. Commonly excluded or restricted items include:

  • AI-assisted features (for example, content generation) unless expressly included in scope.
  • Public page sharing, publish-to-web options, or anonymous access links.
  • Third-party embeds, connectors, or integrations not covered by the BAA.
  • Email, push, or chat notifications that leave the secure environment and could reveal PHI.
  • Beta or experimental features pending security review and formal inclusion.

Security Certifications and Standards

Security attestations and encryption standards underpin Notion's HIPAA posture but do not replace your obligations. Look for a current SOC 2 Type II attestation, which evaluates how controls operate over a period of time rather than at a single point, and confirm the data protection measures align with your own risk requirements.

  • Encryption in transit: TLS 1.2 or higher for client-to-service and service-to-service traffic.
  • Encryption at rest: AES-256 encryption for stored data, including backups where applicable.
  • Secure development and operations: change management, vulnerability management, and periodic testing to reduce risk.
  • Resilience: backup and recovery practices designed to protect availability and integrity of PHI.

Data Protection and Access Controls

Strong identity, data governance, and monitoring controls help you keep PHI safe and auditable. Combine platform capabilities with your identity provider and security stack to build layered defense.

Identity and authorization

  • Require SAML Single Sign-On with enforced MFA and session policies.
  • Use role-based access controls and granular permissions; grant access to PHI on a need-to-know basis.
  • Automate lifecycle with SCIM or your IdP to provision, modify, and revoke accounts promptly.

Data governance and monitoring

  • Enable detailed audit logs for access, sharing, and administrative changes.
  • Use Data Loss Prevention (DLP) integrations to detect and block unauthorized PHI sharing or exfiltration.
  • Define retention, archival, and deletion schedules for PHI aligned to legal and clinical needs.

Encryption and device safeguards

  • Ensure TLS 1.2+ in transit and AES-256 encryption at rest for in-scope data.
  • Apply endpoint security: full-disk encryption, screen-lock, and MDM policies for devices accessing PHI.
  • Harden browsers and mobile apps with policies that prevent copy/paste or downloads where inappropriate.

Conclusion

Notion can be used with PHI by Enterprise customers when a BAA is in place and HIPAA controls are enabled. Your security outcomes depend on disciplined configuration—SSO, least-privilege access, restricted sharing—plus monitoring, DLP, and sound operations. Treat anything outside the BAA’s scope as off-limits for PHI.

FAQs

What is a Business Associate Agreement in Notion?

It is the contract that authorizes Notion to handle PHI on your behalf. The BAA defines which services are in scope, required safeguards, responsibilities for breach notification, and how subprocessors are managed. Without a signed BAA, you should not use Notion to store or process PHI.

How does Notion protect PHI data?

Protection relies on layered controls: TLS 1.2+ for data in transit, AES-256 encryption at rest, access enforcement via SAML Single Sign-On, and detailed audit logging. You strengthen this with least-privilege permissions, device policies, retention rules, and Data Loss Prevention (DLP) integrations.

Which Notion features are excluded from HIPAA compliance?

Anything not explicitly included in your BAA should be considered out-of-scope. Common exclusions include AI-assisted features, public page sharing, third-party embeds or integrations not covered by the BAA, notifications that leave the secure environment, and beta features pending review.

How can Enterprise customers enable HIPAA compliance in Notion?

First, upgrade to the Enterprise plan and execute a BAA with Notion. Then enable HIPAA for your workspace, enforce SAML SSO and MFA, restrict sharing and guest access, turn on audit logging, connect approved DLP integrations, and train users on PHI handling before adding any PHI to pages or databases.
