HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI). We know the HIPAA industry is vast and that it is important to correctly create notations for proper patient care while remaining HIPAA compliant.
SEE ALSO: HIPAA compliant email
This is especially true with the recent move toward remote working and the increase in cyberattacks against healthcare. Today, we will determine if Notion is HIPAA compliant or not.
Notion is note-taking and project-management software for personal and/or collaborative work. It is an all-in-one workspace for notes, docs, wikis, and projects. Users can create their dashboards for optimal use. Created by Notion Labs, Inc. in 2016, the app is available for Mac, iOS, Windows, Android, and the Internet. Notion utilizes markdown language for text formatting and includes typical editing features. It is possible to embed various file types into a Notion document. There are several plans available for Notion. For no charge, personal users have access to unlimited pages and can sync across all devices. For a monthly fee, teams can use Notion in a collaborative environment.
A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involves the use or disclosure of PHI. In this instance, Notion is a business associate of a healthcare organization if a note includes any electronic PHI (ePHI), like a name or an email address. Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. There is no mention of HIPAA or a BAA on the Notion website. Rather, customers sign a Master Subscription Agreement, which is similar in content but not a BAA.
Notion’s Security & privacy web page affirms that the company uses both SOC (System and Organization Controls) 2 Type 1 and Type 2 reports along with Transport Layer Security (TLS) encryption. But according to Notion’s Twitter, the app lacks end-to-end encryption even though they employ encryption at rest and in transit. Notion utilizes the cloud for storage within a virtual private network (VPN) inaccessible through the Internet.
RELATED: NSA shares guide on utilizing cloud technology securely
This means that employees could see and access PHI. However, Notion’s Twitter maintains:
Notion employees are only able to access your data with your explicit consent via an inbound inquiry, and are legally bound to keeping your data entirely private.
The Security & privacy web page further declares, “No user content is exposed to any third-party service.”
The BAA is a key component of HIPAA compliance and Notion does not appear to sign a BAA. Moreover, Notion lacks end-to-end encryption and while the company is emphatic about not accessing customer data, it is a possibility.
Conclusion: Notion is not HIPAA compliant.