Security & Compliance
Make Notion HIPAA Compliant
Configure Notion Enterprise to handle Protected Health Information (PHI) with the required HIPAA settings, access controls, and documented procedures.
Can Notion Be Used in a HIPAA-Compliant Way?
Notion can be part of a HIPAA-compliant environment, but only on the Enterprise plan and only when configured exactly according to Notion’s HIPAA guidance. You must sign their Business Associate Agreement (BAA), enable HIPAA configuration in workspace settings, and enforce strict security controls. Key limitations: you cannot use Notion to communicate with patients, plan members, families, or employers, and you must never store PHI in workspace or teamspace names, file names, user profiles, user groups, or support requests.
1. Verify Enterprise Plan Subscription
Confirm your organization is on the Notion Enterprise plan. HIPAA configuration, BAA support, and advanced security controls are only available to Enterprise customers. If you’re on a lower tier, work with Notion sales to upgrade before proceeding.
2. Identify a Workspace / Org Owner
Ensure you have workspace or organization owner permissions. Only owners can enable HIPAA configuration, sign the BAA, and enforce global security settings. If you are not an owner, partner with the appropriate admin or security lead to complete this setup.
3. Review Notion’s Official HIPAA Configuration Guide
Before changing settings, read Notion’s HIPAA documentation end to end and align it with your internal security program. Core requirements typically include:
• Enabling HIPAA compliance in workspace or organization settings
• Reviewing and signing the Business Associate Agreement (BAA)
• Verifying domain ownership via DNS TXT record
• Enabling SAML SSO with an approved identity provider
• Configuring SCIM for automated user provisioning and deprovisioning
• Disabling public sharing, exports, guests, and cross-workspace moves where required
• Ensuring PHI is never placed in workspace names, teamspace names, file names, user profiles, user groups, or support tickets
• Excluding Notion Calendar, Notion AI, and other beta services from any PHI workflows
Start with the official guide: notion.com/help/hipaa
4. Prepare and Configure Your Identity Provider
Confirm you have admin access to a supported identity provider such as Azure AD, Google Workspace, Okta, OneLogin, Rippling, or Gusto. Configure SAML SSO to enforce strong authentication policies (MFA, conditional access) and enable SCIM provisioning so that access to Notion is granted and revoked automatically based on each user’s role and employment status.
5. Document and Govern Your HIPAA Configuration
Create internal documentation that captures your Notion HIPAA posture: which workspaces are allowed to store PHI, how SSO and SCIM are configured, which features are disabled, and who owns ongoing governance. Include copies of the signed BAA, screenshots of key settings, your PHI usage policy (what can and cannot live in Notion), training records, and audit log review procedures. Keep this documentation current and treat any configuration change as a formal, change-managed event.
Tips & Best Practices
• Review audit logs on a defined cadence (e.g., monthly or quarterly) to detect unauthorized access, unusual sharing behavior, or policy violations around PHI.
• Keep PHI out of labels and metadata: never include PHI in page titles, workspace or teamspace names, file names, user profiles, or user groups. Use internal IDs or case numbers instead of patient names.
• Train and re-train your team: run recurring security and HIPAA training for anyone who touches PHI in Notion, including what may and may not be stored there and how to report incidents.
• Maintain a compliance archive: store your signed BAA, configuration screenshots, audit procedures, and training logs in a secure, backed-up location so you can demonstrate due diligence during audits or vendor reviews.
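The periodic audit log review described above can be partly automated by flagging any event that contradicts the HIPAA configuration (public sharing, exports, guest access and cross-workspace moves are expected to be disabled). The script below is an added example, not Notion's own code or API: the JSON-lines event format and event names are a hypothetical shape constructed for illustration, not Notion's actual audit log schema.

```python
"""Flag audit events that should never occur in a HIPAA-configured workspace.
The event format and event-type names below are hypothetical and constructed
for this example; they are not Notion's actual audit log schema."""
import json
from collections import Counter

# Event types prohibited by the configuration steps above (hypothetical names)
PROHIBITED_EVENTS = {
    "page.public_share_enabled": "public sharing must be disabled",
    "workspace.export": "exports must be disabled",
    "guest.invited": "guest access must be disabled",
    "page.moved_cross_workspace": "cross-workspace moves must be disabled",
}

# Constructed sample log: one JSON object per line, no real data
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:12:00Z", "actor": "alice@example.com", "event": "page.created", "target": "Care plan 4471"}
{"ts": "2024-03-01T09:30:00Z", "actor": "bob@example.com", "event": "page.public_share_enabled", "target": "Case 2210 notes"}
{"ts": "2024-03-02T14:05:00Z", "actor": "carol@example.com", "event": "guest.invited", "target": "vendor@external.example"}
{"ts": "2024-03-03T08:00:00Z", "actor": "alice@example.com", "event": "page.edited", "target": "Care plan 4471"}
{"ts": "2024-03-03T17:45:00Z", "actor": "bob@example.com", "event": "workspace.export", "target": "Clinical teamspace"}
"""

def review_audit_log(log_text):
    """Return (findings, violations_per_actor). Each finding describes one
    prohibited event; unparseable lines are reported, not silently skipped."""
    findings, per_actor = [], Counter()
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            findings.append({"line": lineno, "event": None, "reason": "unparseable audit line"})
            continue
        reason = PROHIBITED_EVENTS.get(ev.get("event"))
        if reason:
            findings.append({"line": lineno, "ts": ev.get("ts"), "actor": ev.get("actor"),
                             "event": ev["event"], "target": ev.get("target"), "reason": reason})
            per_actor[ev.get("actor")] += 1
    return findings, per_actor

if __name__ == "__main__":
    found, actors = review_audit_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: {f['actor']} {f['event']} on {f['target']!r}: {f['reason']}")
    print("violations per actor:", dict(actors))
```

Repeat offenders in the per-actor count are a natural starting point for the follow-up review and for checking whether the corresponding setting was actually disabled.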
Need HIPAA Compliance Consulting?
If you need help evaluating Notion for PHI, designing a HIPAA-compliant architecture, or running broader security and compliance reviews, we’re here to help.