HIPAA configuration

Learn about how to make your Notion workspace HIPAA compliant, and how to enable HIPAA compliance 🏥

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that was enacted in 1996 that requires the protection and confidential handling of protected health information (PHI) by covered entities such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates.

This article lists the product configurations required to make your Notion workspace HIPAA compliant.

Note: Notion's Business Associate Agreement (BAA) governs the protection of protected health information (PHI) that is stored in the Notion Service. To be eligible to sign Notion's BAA, you must subscribe to our Enterprise Plan.

Any Beta Services are not covered by the BAA and therefore may not be used or deployed in a manner that processes protected health information.

To the extent that any language on this page and language found in the BAA conflict at any time, the BAA shall control.

Notion's Supporting Configurations

Access Control

Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.

Notion’s SAML SSO is built upon the SAML 2.0 standard, connecting your Identity Provider (IdP) and workspace(s) for an easier, more secure login experience. Notion supports official configurations for SAML SSO with: Azure, Google, Gusto, Okta, OneLogin, and Rippling.

To get started using SAML SSO with Notion, complete the following steps:

• Verify domain(s): To use advanced security features, you must verify ownership of your email domain. This is an automated process that involves adding a TXT record to your domain's DNS to prove that you own it.

• Enable SAML SSO: This toggles the feature on and completes the configuration. For more information on completing the SAML SSO configuration, please refer to this article.

• Change default login method: When SAML SSO is enabled for the first time, the default login method is set to Any method, meaning that users can log in via SAML or their normal login method. Setting it to Only SAML SSO enforces SAML as the login method for managed users with verified company emails.

• Link additional workspaces: If you have more than one workspace you'd like to configure with SSO, reach out to [email protected].

Once properly configured, anyone signing into your workspace(s) must use an email address on the verified domain and authenticate through your identity provider. Enterprise workspace owners can still sign in with an alternative login method if the IdP or SAML SSO fails; this is a break-glass path, so keep the number of workspace owners small and protect those accounts accordingly.

Unique User Identification

Assign a unique name and/or number for identifying and tracking user identity.

Notion has a SCIM API that can be used to provision, manage, and de-provision members and groups. Workspace owners can find the required API key by going to Settings → Security & identity → SCIM Configuration and clicking to view the token.

Please see our SCIM documentation for the latest information on how you can interact with Notion’s SCIM API. Notion supports official SCIM applications with Google, Gusto, Okta, OneLogin, and Rippling.
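The following is an added example, not Notion's own code or documentation. It shows how a workspace owner could reconcile the members Notion reports over SCIM against an HR roster and prepare the de-provisioning calls that remove leavers (the step that also terminates their session, as noted under Automatic Logoff). The base URL https://api.notion.com/scim/v2, the Bearer-token header, the `filter` query and the DELETE /Users/{id} call are assumptions based on the SCIM 2.0 standard (RFC 7644) rather than statements from this page; the ListResponse and roster are constructed sample data. Requests are built but not sent, so you can review them before running them against a live workspace.

```python
"""Reconcile Notion SCIM members against an HR roster (added example).

Assumptions, not taken from the Notion page: the SCIM base URL below, the
Bearer token from Settings > Security & identity > SCIM Configuration, and
the standard SCIM 2.0 request shapes. The ListResponse is constructed data.
"""
import json
import urllib.parse
import urllib.request

SCIM_BASE = "https://api.notion.com/scim/v2"  # assumed SCIM base URL

# Constructed sample of what GET /Users could return (SCIM 2.0 ListResponse).
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"id": "u-001", "userName": "alice@clinic.example", "active": True},
        {"id": "u-002", "userName": "bob@clinic.example", "active": True},
        {"id": "u-003", "userName": "carol@clinic.example", "active": False},
    ],
})


def parse_members(list_response_json):
    """Map userName (lower-cased) -> SCIM id for every user in a ListResponse."""
    body = json.loads(list_response_json)
    return {r["userName"].lower(): r["id"] for r in body.get("Resources", [])}


def stale_members(members, hr_roster):
    """Return members that are not on the HR roster: candidates to de-provision."""
    roster = {email.lower() for email in hr_roster}
    return {name: uid for name, uid in members.items() if name not in roster}


def build_request(method, path, token, body=None, query=None):
    """Build (but do not send) an authenticated SCIM request."""
    url = f"{SCIM_BASE}{path}"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/scim+json")
    return req


def lookup_request(user_name, token):
    """GET /Users filtered by userName, using standard SCIM filter syntax."""
    query = {"filter": f'userName eq "{user_name}"'}
    return build_request("GET", "/Users", token, query=query)


def deprovision_request(user_id, token):
    """DELETE /Users/{id}: removes the member from the workspace."""
    return build_request("DELETE", f"/Users/{user_id}", token)


if __name__ == "__main__":
    members = parse_members(SAMPLE_LIST_RESPONSE)
    # Constructed roster: carol has left, so she should be de-provisioned.
    stale = stale_members(members, ["alice@clinic.example", "bob@clinic.example"])
    for name, uid in stale.items():
        req = deprovision_request(uid, "REPLACE_WITH_SCIM_TOKEN")
        # Review, then send with urllib.request.urlopen(req) when ready.
        print(req.get_method(), req.full_url, "for", name)
```

Run the reconciliation on a schedule and treat any member who is absent from the roster as an access-control finding until the DELETE has been sent and confirmed; keep the SCIM token in a secrets store, since it grants member management for the whole workspace.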

Emergency Access Procedure

Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

Content search provides Enterprise workspace owners with visibility into workspace content to improve governance of the workspace and resolve page access issues. Content search allows you to:

• View who has access to a page
• Modify the permissions of a page
• Discover and re-assign abandoned pages from former employees

You can export a Notion page, database, or entire workspace at any time.

For Notion Mail and Notion Calendar, enable HIPAA compliance with Google Workspace.

Automatic Logoff

Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Set custom session duration: For managed users on the Enterprise Plan, Notion's default session duration is 180 days, which is also the maximum. Workspace owners can set a session duration anywhere from 1 hour to 180 days; because the default is the longest value allowed, this control is only met once you explicitly set a shorter duration that matches your organization's policy.

Force logout managed users: Force logout for individual users or for all workspace users at once.

Force password reset: Force password reset for individual users or for all workspace users at once.

If you de-provision a user via SCIM, they will be removed from the workspace and their session will be terminated.

Audit Controls

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Enterprise workspace owners have access to an Audit Log via Settings. It gives an overview of a wide range of events that have occurred in the workspace.

The audit log is especially helpful for identifying potential security issues, investigating suspicious behavior, and troubleshooting access. It can be exported in CSV format.
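As an added example (not Notion's code), here is how a security team could run simple detection logic over an exported audit log CSV: flag high-risk administrative events and spot an actor exporting many pages in a short window, which is the kind of pattern that matters when PHI lives in those pages. The column names (timestamp, actor, event, target, ip) and the event names are assumptions for illustration only; check them against the header row of your own export before using this. The sample rows are constructed, not a real log.

```python
"""Triage an exported Notion audit log CSV (added example, not Notion's code).

Column and event names below are assumed for illustration; verify them
against the header row of your real export. The rows are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the assumed export layout.
SAMPLE_CSV = """timestamp,actor,event,target,ip
2024-05-01T09:00:12Z,alice@clinic.example,page.viewed,Patient intake,203.0.113.5
2024-05-01T09:02:40Z,alice@clinic.example,page.exported,Patient intake,203.0.113.5
2024-05-01T09:03:05Z,alice@clinic.example,page.exported,Lab results,203.0.113.5
2024-05-01T09:03:30Z,alice@clinic.example,page.exported,Billing,203.0.113.5
2024-05-01T09:03:55Z,alice@clinic.example,page.exported,Referrals,203.0.113.5
2024-05-01T10:15:00Z,bob@clinic.example,page.permission_updated,Lab results,198.51.100.7
2024-05-01T11:00:00Z,dave@clinic.example,workspace.settings_updated,session_duration,198.51.100.9
2024-05-01T12:00:00Z,carol@clinic.example,page.viewed,Billing,198.51.100.8
2024-05-01T12:30:00Z,eve@partner.example,page.viewed,Referrals,192.0.2.4
"""

# Assumed event names worth a human look every time they occur.
HIGH_RISK_EVENTS = {
    "page.permission_updated",
    "workspace.settings_updated",
    "workspace.exported",
}
EXPORT_BURST_THRESHOLD = 3             # this many exports by one actor...
EXPORT_BURST_WINDOW = timedelta(minutes=5)  # ...inside this window is a burst


def parse_rows(csv_text):
    """Parse the CSV and attach a datetime to each row."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def high_risk_events(rows):
    """Rows whose event is on the review-every-time list."""
    return [row for row in rows if row["event"] in HIGH_RISK_EVENTS]


def export_bursts(rows):
    """Map actor -> largest number of exports seen inside one sliding window."""
    exports = defaultdict(list)
    for row in rows:
        if row["event"] == "page.exported":
            exports[row["actor"]].append(row["ts"])
    flagged = {}
    for actor, times in exports.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > EXPORT_BURST_WINDOW:
                start += 1          # slide the window forward
            count = end - start + 1
            if count >= EXPORT_BURST_THRESHOLD:
                flagged[actor] = max(flagged.get(actor, 0), count)
    return flagged


def actors_outside_domain(rows, verified_domain):
    """Actors whose email is not on the verified company domain."""
    return {row["actor"] for row in rows
            if row["actor"].rsplit("@", 1)[-1].lower() != verified_domain.lower()}


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    for row in high_risk_events(rows):
        print("REVIEW", row["timestamp"], row["actor"], row["event"], row["target"])
    for actor, n in export_bursts(rows).items():
        print("EXPORT BURST", actor, n, "exports within", EXPORT_BURST_WINDOW)
    print("OUTSIDE DOMAIN", actors_outside_domain(rows, "clinic.example"))
```

Tune the threshold and window to your own baseline, and pair the burst check with the SCIM or IdP roster so that an export by an account that should already have been de-provisioned is treated as an incident rather than a routine finding.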

Enterprise customers can also utilize our Data Loss Prevention (DLP) partner integrations to discover, classify, and protect sensitive data in Notion.

For Notion Mail and Notion Calendar, enable HIPAA compliance with Google Workspace.

Integrity Controls

Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.